<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/22/2014 11:16 AM, Bret Wortman
      wrote:<br>
    </div>
    <blockquote cite="mid:537E14E9.5060506@damascusgrp.com" type="cite">
      It doesn't seem to have helped -- we're still pretty slow even
      with IP addresses in sssd.conf.<br>
    </blockquote>
    <br>
    Then we need debug logs to see where the delays are. Set a high debug
    level and zip the logs somewhere we can take a look at them.<br>
    Jakub is your guy.<br>
    <br>
    <blockquote cite="mid:537E14E9.5060506@damascusgrp.com" type="cite">
      <br>
      <div class="moz-cite-prefix">On 05/22/2014 11:07 AM, Dmitri Pal
        wrote:<br>
      </div>
      <blockquote cite="mid:537E129F.1020005@redhat.com" type="cite">
        <div class="moz-cite-prefix">On 05/22/2014 10:36 AM, Bret
          Wortman wrote:<br>
        </div>
        <blockquote cite="mid:537E0B7D.4030006@damascusgrp.com"
          type="cite">
          I found that our slower system was using FQDNs for the list of
          IPA servers; our faster system was using IPs. I'm switching
          now, letting Puppet distribute the update and will see if it
          helps.<br>
          <br>
        </blockquote>
        <br>
        That means you have problems with DNS that are worth looking
        into.<br>
        <br>
        <blockquote cite="mid:537E0B7D.4030006@damascusgrp.com"
          type="cite"> By enumeration, do you mean are we spelling out
          our IPA servers? Yes. We only have 3 and they look something
          like this:<br>
        </blockquote>
        <br>
        No. I mean the ability of sssd to download everything when
        enumerate = true.<br>
        This causes a lot of traffic and overhead and is a usual reason for
        low performance.<br>
        We were unfortunate enough to include this setting in one of the
        early sssd.conf examples, and people have been copying it around
        ever since, though we strongly recommend against enabling it.<br>
        <br>
        <blockquote cite="mid:537E0B7D.4030006@damascusgrp.com"
          type="cite">
          <pre wrap="">[domain/foo.net]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rm266ws-a.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = foo.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
</pre>
          On the other hand, if you meant something else, then I hope
          the answer's in the file. ;-)<br>
          <br>
          <br>
          <div class="moz-cite-prefix">On 05/22/2014 10:15 AM, Dmitri
            Pal wrote:<br>
          </div>
          <blockquote cite="mid:537E066E.3010301@redhat.com" type="cite">
            <div class="moz-cite-prefix">On 05/22/2014 09:43 AM, Bret
              Wortman wrote:<br>
            </div>
            <blockquote cite="mid:537DFEF2.5020602@damascusgrp.com"
              type="cite">What we're seeing is slow GDM logins, ssh
              authentications, and "sudo -i" responses on this network.
              On our other, these things are all blazing fast. Here,
              they're on the order of 5-10 seconds. And it doesn't seem
              to improve (much) with age or time, except perhaps
              anecdotally. At best, a second connection might be a
              second faster, but will revert within an hour or so. <br>
              <br>
            </blockquote>
            <br>
            Have you compared sssd.conf from clients in these two
            networks?<br>
            Do you use enumeration?<br>
            <br>
            Increasing the debug level and looking at the logs will help you
            to understand which part takes the most time. These logs will
            help you/us to see whether there is a problem and what it is.<br>
            <br>
            <blockquote cite="mid:537DFEF2.5020602@damascusgrp.com"
              type="cite"> <br>
              On 05/22/2014 09:36 AM, Rob Crittenden wrote: <br>
              <blockquote type="cite">Bret Wortman wrote: <br>
                <blockquote type="cite">Where should my clients be
                  getting the contents of /etc/openldap/certs from? <br>
                  <br>
                  I've got one network where my IPA authentications are
                  blazing fast and one where they're ... not. On the slower
                  one, clients' /etc/openldap/certs directories are either
                  missing or empty; on the faster network, clients have
                  certs in these directories. <br>
                  <br>
                  Is this important, and if so what could be going wrong on
                  my slower network that might cause the certs to not get
                  distributed or created properly? <br>
                </blockquote>
                These are not the droids you are looking for... <br>
                <br>
                Can you clarify what you mean by IPA authentications?
                sssd should be handling that, and while a first auth over a
                slow link might be slow, subsequent usage should be quite
                fast. <br>
                <br>
                rob <br>
              </blockquote>
              <br>
              <br>
              <br>
              <fieldset class="mimeAttachmentHeader"></fieldset>
              <br>
              <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
            </blockquote>
            <br>
            <br>
            <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
          </blockquote>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
      </blockquote>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
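A small lint for the three things Dmitri asks about in this thread (enumeration, a DNS-dependent IPA server list, and a missing debug_level), added here as an example and not part of the mailing-list discussion; it feeds an abridged copy of the sssd.conf Bret posted through Python's configparser. One caveat it surfaces: the `_srv_` entry in ipa_server means sssd still performs DNS SRV discovery, so the server list is not DNS-free even after the hostnames were replaced with IP literals.

```python
import configparser
import ipaddress

# Constructed input: the [domain/foo.net] section Bret posted, abridged to
# the keys the checks below look at.
SAMPLE_SSSD_CONF = """
[domain/foo.net]
cache_credentials = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
ipa_hostname = rm266ws-a.foo.net
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
"""


def _is_ip(entry):
    """True if entry parses as an IPv4/IPv6 literal (no DNS lookup needed)."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def lint_sssd_conf(text):
    """Return (severity, message) findings for the pitfalls raised in the thread."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # enumerate = true makes sssd download every user and group up front.
        if dom.getboolean("enumerate", fallback=False):
            findings.append(("high", f"{section}: enumerate = true"))
        servers = [s.strip() for s in dom.get("ipa_server", "").split(",") if s.strip()]
        # '_srv_' triggers DNS SRV discovery and a hostname needs a forward
        # lookup, so either keeps login latency tied to DNS health.
        dns = [s for s in servers if s == "_srv_" or not _is_ip(s)]
        if dns:
            findings.append(("medium", f"{section}: ipa_server depends on DNS via {', '.join(dns)}"))
        # Without debug_level the sssd domain log cannot show where time goes.
        if "debug_level" not in dom:
            findings.append(("info", f"{section}: debug_level not set"))
    return findings
```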
  </body>
</html>