[Freeipa-users] Slow non-kerberised nfs mounts when ipa started

[Roderick Johnstone]

Hi

I'm not sure this is quite the right place to post this query, but the 
problem is provoked by starting the ipa server so hopefully someone on 
the list might have encountered and resolved the issue already.

This on a fully updated Redhat 7.2 system.

Once I have my ipa server started I'm finding that non-kerberised nfs4 
mounts of a filesystem from a host that is not an ipa client are very 
slow. Typically it takes 4-5 seconds for the mount operation to complete.

The nfs server is exporting the filesystem with the option sec=sys in 
/etc/exports.

I testing the mount speed with the mount command (so no autofs involved) 
and specifying the client address by ipv4 number (so no name lookups).

I can reduce the delay to 2-3 seconds by specifying -o sec=sys on the 
mount line, but this too is very slow.

The following causes mounts to happen at full speed, ie less than 0.1 
sec elapsed:

1) Using mount option -o vers=3 (nfs v3)

2) Turning off the nfs-secure service (stops rpc.gssd)

3) Turning off the ipa server (ipactl stop)

On my Redhat 6.7 testing ipa server the nfsv4 mounts also comlplete in 
under 0.1 sec so this seems to be an RHEL7 change.

In /var/log/messages there are lots of messages like this:
gssproxy: gssproxy[790]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS 
failure.  Minor code may provide more information, No credentials cache 
found

but they come out whether the nfs mounts are slow or quick.

Does anyone else see this or have any ideas on how to speed up the nfs 
v4 mount on Redhat 7 when the ipa server is running?

Thanks

Roderick Johnstone