<div dir="ltr"><div><div><div><div><div><div><div><div>Sumit, </div>Thanks for you reply. </div>Ues, I have debug enabled: With level 5 I see that here is where it spends most of its time: (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success </div>Note that I removed the real domain name, also to make it a short line. </div>After reading in this pots: <a href="https://www.centos.org/forums/viewtopic.php?f=47&t=53652">https://www.centos.org/forums/viewtopic.php?f=47&t=53652</a> </div>I actually saw that setting selinux_provider = none improved things quite a lot. </div>Still, what is this message: [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null) ? </div>Regards, </div> Guillem </div><div class="gmail_extra"> <div class="gmail_quote">On 7 October 2015 at 12:35, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote: > All, > > I have an IPA 4.1 installation that works perfectly. We just suffer from > slow logins ( this is also slow in other operations such invoking SUDO ) > > IPA user: > > 1st. login: 30 seconds > 2nd login: 8 seconds > 3rd login: 6.5 seconds > 4rth login: 20 seconds > > Local user: > > Consistently under 2 seconds > > In SSH have tried: > > Setting UseDNS to no > Setting GSSAPIAuthentication to no > > I have tried various things that would work on an slow SSH, with no effect. > In fact, local users have no problem. > > DNS both forward and reverse works well, works fast and gives consistent > results. That is no the issue. > > While trying to find out more about the issue, I see that after the client > has connected, it spends most of the time here: > > [...] > debug2: input_userauth_pk_ok: fp > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx > debug3: sign_and_send_pubkey: RSA > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx > debug1: Authentication succeeded (publickey). > [...] > > At first I though it might be the key retrival from the IPA service, but it > is actually quite fast: > > time /usr/bin/sss_ssh_authorizedkeys testuser > real 0m0.209s > > We have all the configration files just as they were after installing the > ipa-client. The only modification was made to sshd_config as these two > lines: > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys > AuthorizedKeysCommandUser nobody > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but > that did not make any difference either. > > So, in brief: > > - SSH is fast for local users > - authorized keys get retrieved quickly > - no DNS issues. > - IPA users take from 6 to 30 seconds to login (and also to perform sudo > invocations) > - While watching ssh logins, for ipa users, it takes a long time to pass > these two: > </div></div>> - input_userauth_pk_ok > - sign_and_send_pubkey > > Could someone give me an idea of what to try next? Please check the SSSD logs especailly the ones for the domain. You might need to increase the debug_level, please see <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a> for details. bye, Sumit > > Thanks! > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote></div> </div>