[Freeipa-users] Slow logins on one ipa client- due to SSS_PAM_ACCT_MGMT

Jakub Hrozek jhrozek at redhat.com
Fri Mar 17 08:40:18 UTC 2017


On Thu, Mar 16, 2017 at 08:24:42PM +0000, Kilborn, Jim wrote:
> Greetings,
> 
> My first post to the forum.
> 
> We are running centos7 with freeipa. Syncing from AD, with one linux replica.
> The ipa clients are getting installed by puppet. All the clients are performing fine, except one. I am getting slow ssh logins to one host, as well as slow 'id' and 'who', etc.
> 
> I turned up the sss-debuglevel to 6, and compared the slow client to another, and I am seeing a section in the logs that is unique to the slow system, basically it's doing a SSS_PAM_ACCT_MGMT, and I don't have any clue why. Same user logging in to both clients, one client does the SSS_PAM_ACCT_MGMT, followed by the SSS_PAM_OPEN_SESSION. While the other client only does SSS_PAM_OPEN_SESSION, and is much faster. (1 second vs 2-8 seconds)
> It seems the SSS_PAM_ACCT_MGMT is the slow culprit, and I don't know why it's running.
> 
> Any idea what would cause this or where I should look?

The timestamps from the logs are missing, so it's not clear which call
is taking long. No server lookups should be performed in the account
phase, though, so I can only think of the selinux label setting in
libselinux, which is also done in the account phase to be taking long.

Can you try to disable the selinux provider for a test?
    selinux_provider=none
Btw, why is the 'fast' client not running the account phase at all? Is
pam_sss in the account stack in the PAM configuration? Is the
access_provider set to anything other than IPA in the sssd.conf file?
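
Added example, not part of the original message and not SSSD project code: a shell helper that collects the three settings asked about in the reply above (selinux_provider, access_provider, and whether pam_sss is in the PAM account stack), so the output from the slow and the fast client can be diffed. The file paths are the usual CentOS 7 locations and are assumptions; override them with SSSD_CONF and PAM_FILES.

```shell
#!/bin/bash
# Added example. Default paths are assumptions (usual CentOS 7 locations).
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
PAM_FILES=${PAM_FILES:-"/etc/pam.d/system-auth /etc/pam.d/password-auth"}

# Print "<section> <key>=<value>" for KEY in every [domain/...] section of
# FILE, or "<section> <key>=(unset)" when the section does not set it.
sssd_domain_opt() {   # usage: sssd_domain_opt FILE KEY
    awk -v key="$2" '
        function emit() {
            if (sect != "") print sect, key "=" (val == "" ? "(unset)" : val)
        }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # any section header
            emit(); sect = ""; val = ""
            if ($0 ~ /^[ \t]*\[domain\//) {
                sect = $0; gsub(/^[ \t]+|[ \t]+$/, "", sect)
            }
            next
        }
        sect != "" {                                # key = value in a domain
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                   # last setting wins
        }
        END { emit() }
    ' "$1"
}

# Succeed if FILE has an active "account" line (optionally "-account")
# that loads pam_sss.so, i.e. SSSD takes part in the account phase.
pam_account_has_sss() {   # usage: pam_account_has_sss FILE
    awk '
        /^[ \t]*#/ { next }
        { t = $1; sub(/^-/, "", t) }
        t == "account" && /pam_sss\.so/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# One line per setting; run on both clients and diff the two outputs.
report() {
    for k in access_provider selinux_provider; do
        sssd_domain_opt "$SSSD_CONF" "$k"
    done
    for f in $PAM_FILES; do
        if pam_account_has_sss "$f"; then echo "$f account=pam_sss"
        else echo "$f account=no-pam_sss"; fi
    done
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` as root on each client, since sssd.conf is normally readable only by root.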
