<div dir="ltr"><div><div><div><div>Thanks Sumit. </div>The version of sssd is 1.12.2-58.el7_1.17 </div>I do not have any AD trusts defined, I suppose I should not see those messages. </div>Thanks again. </div>Guillem </div><div class="gmail_extra"> <div class="gmail_quote">On 9 October 2015 at 14:06, Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote: > Sumit, > > Thanks for you reply. > > Ues, I have debug enabled: With level 5 I see that here is where it spends > most of its time: > > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] > (0x0200): Got request for [0x1][1][name=testuser] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): > Request processed. Returned 0,0,Success > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] > (0x0200): Got request for [0x1][1][name=testuser] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): > Request processed. Returned 0,0,Success > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] > (0x0200): Got request for [0x3][1][name=testuser] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null)] > (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100): > Request processed. Returned 0,0,Success > > Note that I removed the real domain name, also to make it a short line. > > > After reading in this pots: > > <a href="https://www.centos.org/forums/viewtopic.php?f=47&t=53652" rel="noreferrer" target="_blank">https://www.centos.org/forums/viewtopic.php?f=47&t=53652</a> > > I actually saw that setting selinux_provider = none improved things quite a > lot. </div></div>Which SSSD version are you using, this issue was tracked by <a href="https://fedorahosted.org/sssd/ticket/2624" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/ticket/2624</a> and should be fixed in recent versions of SSSD. > > Still, what is this message: > > [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > domain SID from [(null) Those are harmless. If you have trust enabled with with AD we have to figure out if the POSIX UID for a user should be calculated based in the SID or taken from a suitable LDAP attribute from AD. Since this happen in the common code for user lookup it is executed for IPA users as well. But I agree that this message is annoying and created <a href="https://fedorahosted.org/sssd/ticket/2830" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/ticket/2830</a> to suppress it for IPA users. bye, Sumit <div class="HOEnZb"><div class="h5"> > > ? > > Regards, > > Guillem > > On 7 October 2015 at 12:35, Sumit Bose <<a href="mailto:sbose@redhat.com">sbose@redhat.com</a>> wrote: > > > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote: > > > All, > > > > > > I have an IPA 4.1 installation that works perfectly. We just suffer from > > > slow logins ( this is also slow in other operations such invoking SUDO ) > > > > > > IPA user: > > > > > > 1st. login: 30 seconds > > > 2nd login: 8 seconds > > > 3rd login: 6.5 seconds > > > 4rth login: 20 seconds > > > > > > Local user: > > > > > > Consistently under 2 seconds > > > > > > In SSH have tried: > > > > > > Setting UseDNS to no > > > Setting GSSAPIAuthentication to no > > > > > > I have tried various things that would work on an slow SSH, with no > > effect. > > > In fact, local users have no problem. > > > > > > DNS both forward and reverse works well, works fast and gives consistent > > > results. That is no the issue. > > > > > > While trying to find out more about the issue, I see that after the > > client > > > has connected, it spends most of the time here: > > > > > > [...] > > > debug2: input_userauth_pk_ok: fp > > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx > > > debug3: sign_and_send_pubkey: RSA > > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx > > > debug1: Authentication succeeded (publickey). > > > [...] > > > > > > At first I though it might be the key retrival from the IPA service, but > > it > > > is actually quite fast: > > > > > > time /usr/bin/sss_ssh_authorizedkeys testuser > > > real 0m0.209s > > > > > > We have all the configration files just as they were after installing the > > > ipa-client. The only modification was made to sshd_config as these two > > > lines: > > > > > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys > > > AuthorizedKeysCommandUser nobody > > > > > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but > > > that did not make any difference either. > > > > > > So, in brief: > > > > > > - SSH is fast for local users > > > - authorized keys get retrieved quickly > > > - no DNS issues. > > > - IPA users take from 6 to 30 seconds to login (and also to perform sudo > > > invocations) > > > - While watching ssh logins, for ipa users, it takes a long time to pass > > > these two: > > > > > > - input_userauth_pk_ok > > > - sign_and_send_pubkey > > > > > > Could someone give me an idea of what to try next? > > > > Please check the SSSD logs especailly the ones for the domain. You might > > need to increase the debug_level, please see > > <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a> for details. > > > > bye, > > Sumit > > > > > > > > Thanks! > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project > > > > </div></div></blockquote></div> </div>