[Freeipa-users] Slow SSH login for IPA users only
Sumit Bose
sbose at redhat.com
Fri Oct 9 12:06:14 UTC 2015
On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> Sumit,
>
> Thanks for your reply.
>
> Yes, I have debug enabled: with level 5 I see that here is where it spends
> most of its time:
>
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x3][1][name=testuser]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct 7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
>
> Note that I removed the real domain name, also to make it a short line.
>
>
> After reading this post:
>
> https://www.centos.org/forums/viewtopic.php?f=47&t=53652
>
> I actually saw that setting selinux_provider = none improved things quite a
> lot.
Which SSSD version are you using? This issue was tracked by
https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
versions of SSSD.
>
> Still, what is this message:
>
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)
Those are harmless. If you have trust enabled with AD we have to
figure out if the POSIX UID for a user should be calculated based on the
SID or taken from a suitable LDAP attribute from AD. Since this happens
in the common code for user lookup it is executed for IPA users as well.
But I agree that this message is annoying and created
https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.
bye,
Sumit
>
> ?
>
> Regards,
>
> Guillem
>
> On 7 October 2015 at 12:35, Sumit Bose <sbose at redhat.com> wrote:
>
> > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > All,
> > >
> > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > slow logins (this is also slow in other operations such as invoking SUDO).
> > >
> > > IPA user:
> > >
> > > 1st. login: 30 seconds
> > > 2nd login: 8 seconds
> > > 3rd login: 6.5 seconds
> > > 4th login: 20 seconds
> > >
> > > Local user:
> > >
> > > Consistently under 2 seconds
> > >
> > > In SSH I have tried:
> > >
> > > Setting UseDNS to no
> > > Setting GSSAPIAuthentication to no
> > >
> > > I have tried various things that would work on a slow SSH, with no effect.
> > > In fact, local users have no problem.
> > >
> > > DNS both forward and reverse works well, works fast and gives consistent
> > > results. That is not the issue.
> > >
> > > While trying to find out more about the issue, I see that after the client
> > > has connected, it spends most of the time here:
> > >
> > > [...]
> > > debug2: input_userauth_pk_ok: fp
> > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug3: sign_and_send_pubkey: RSA
> > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug1: Authentication succeeded (publickey).
> > > [...]
> > >
> > > At first I thought it might be the key retrieval from the IPA service, but it
> > > is actually quite fast:
> > >
> > > time /usr/bin/sss_ssh_authorizedkeys testuser
> > > real 0m0.209s
> > >
> > > We have all the configuration files just as they were after installing the
> > > ipa-client. The only modification was made to sshd_config as these two
> > > lines:
> > >
> > > AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> > > AuthorizedKeysCommandUser nobody
> > >
> > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > > that did not make any difference either.
> > >
> > > So, in brief:
> > >
> > > - SSH is fast for local users
> > > - authorized keys get retrieved quickly
> > > - no DNS issues.
> > > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > > invocations)
> > > - While watching ssh logins, for ipa users, it takes a long time to pass
> > > these two:
> > >
> > > - input_userauth_pk_ok
> > > - sign_and_send_pubkey
> > >
> > > Could someone give me an idea of what to try next?
> >
> > Please check the SSSD logs especially the ones for the domain. You might
> > need to increase the debug_level, please see
> > https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks!
> >
> >
> >
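The diagnosis in this thread comes down to reading SSSD domain-log timestamps and spotting where the wall-clock time goes during a lookup, while ignoring the harmless "Could not parse domain SID" lines. The following is an added example, not code from the thread or from the SSSD project: a small parser for the `(Day Mon DD HH:MM:SS YYYY) [sssd[be[domain]]] [function] (0xLEVEL): message` line prefix that SSSD 1.x writes, which reports every gap of at least `threshold_s` seconds between consecutive entries and counts the known-noise message. The embedded log lines are constructed for the example (the `example.com` domain and the 9-second gap are invented) and only model the format quoted above.

```python
import re
from datetime import datetime

# Constructed sample of SSSD domain-log lines, modelled on the ones quoted in
# the thread. The domain name and the 9 s pause between the [0x3] request and
# its callback are invented so the gap detection has something to find.
SAMPLE_LOG = """\
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct  7 13:14:26 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:26 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
"""

# SSSD 1.x prefixes each entry with "(Day Mon DD HH:MM:SS YYYY)"; single-digit
# days are padded with an extra space, which \s+ absorbs. The process field
# contains nested brackets, so it is matched non-greedily up to "] [".
_LINE_RE = re.compile(
    r"^\((\w{3}) (\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4})\) "
    r"\[(.*?)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$"
)

# The message Sumit describes as harmless for IPA users (SSSD ticket 2830).
NOISE_MESSAGE = "Could not parse domain SID"


def parse_line(line):
    """Parse one SSSD log line into a dict, or return None for lines
    that do not carry the standard prefix (continuations, blank lines)."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    _wday, mon, day, hms, year, proc, func, level, msg = m.groups()
    ts = datetime.strptime(f"{mon} {int(day)} {year} {hms}", "%b %d %Y %H:%M:%S")
    return {
        "ts": ts,
        "process": proc,
        "function": func,
        "level": int(level, 16),
        "message": msg,
    }


def find_gaps(text, threshold_s=1.0):
    """Return (seconds, previous_function, next_function) for each pair of
    consecutive parsed entries whose timestamps are at least threshold_s apart.
    Log resolution is one second, so sub-second stalls are invisible here."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    gaps = []
    for prev, nxt in zip(entries, entries[1:]):
        delta = (nxt["ts"] - prev["ts"]).total_seconds()
        if delta >= threshold_s:
            gaps.append((delta, prev["function"], nxt["function"]))
    return gaps


def count_noise(text, needle=NOISE_MESSAGE):
    """Count how many entries carry the known-harmless SID message, so it can
    be reported separately instead of being mistaken for the cause."""
    return sum(1 for e in (parse_line(l) for l in text.splitlines())
               if e and needle in e["message"])


if __name__ == "__main__":
    for secs, before, after in find_gaps(SAMPLE_LOG):
        print(f"{secs:5.1f}s between {before} and {after}")
    print(f"{count_noise(SAMPLE_LOG)} harmless SID-parse message(s) ignored")
```

To use it on a real host, read `/var/log/sssd/sssd_<domain>.log` in place of `SAMPLE_LOG` and raise `threshold_s` for a noisy log; the function pair named in each reported gap tells you which backend step was waiting (in the thread, that turned out to be the SELinux provider rather than key retrieval or DNS).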