[Freeipa-users] Slow SSH login for IPA users only

Sumit Bose sbose at redhat.com
Fri Oct 9 12:06:14 UTC 2015


On Wed, Oct 07, 2015 at 01:23:06PM +0200, Guillem Liarte wrote:
> Sumit,
> 
> Thanks for you reply.
> 
> Yes, I have debug enabled: with level 5 I see that here is where it spends
> most of its time:
> 
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x1][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info]
> (0x0200): Got request for [0x3][1][name=testuser]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:17 2015) [sssd[be[#.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)]
> (Wed Oct  7 13:14:18 2015) [sssd[be[#.com]]] [acctinfo_callback] (0x0100):
> Request processed. Returned 0,0,Success
> 
> Note that I removed the real domain name, also to make it a short line.
> 
> 
> After reading this post:
> 
> https://www.centos.org/forums/viewtopic.php?f=47&t=53652
> 
> I actually saw that setting selinux_provider = none improved things quite a
> lot.

Which SSSD version are you using? This issue was tracked by
https://fedorahosted.org/sssd/ticket/2624 and should be fixed in recent
versions of SSSD.

> 
> Still, what is this message:
> 
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
> domain SID from [(null)

Those are harmless. If you have trust enabled with AD we have to
figure out if the POSIX UID for a user should be calculated based on the
SID or taken from a suitable LDAP attribute from AD. Since this happens
in the common code for user lookup it is executed for IPA users as well.
But I agree that this message is annoying and created
https://fedorahosted.org/sssd/ticket/2830 to suppress it for IPA users.

bye,
Sumit

> 
> ?
> 
> Regards,
> 
> Guillem
> 
> On 7 October 2015 at 12:35, Sumit Bose <sbose at redhat.com> wrote:
> 
> > On Wed, Oct 07, 2015 at 12:07:08PM +0200, Guillem Liarte wrote:
> > > All,
> > >
> > > I have an IPA 4.1 installation that works perfectly. We just suffer from
> > > slow logins (this is also slow in other operations such as invoking SUDO)
> > >
> > > IPA user:
> > >
> > > 1st. login: 30 seconds
> > > 2nd login: 8 seconds
> > > 3rd login: 6.5 seconds
> > > 4th login: 20 seconds
> > >
> > > Local user:
> > >
> > > Consistently under 2 seconds
> > >
> > > In SSH have tried:
> > >
> > > Setting UseDNS to no
> > > Setting GSSAPIAuthentication to no
> > >
> > > I have tried various things that would work on a slow SSH, with no
> > effect.
> > > In fact, local users have no problem.
> > >
> > > DNS both forward and reverse works well, works fast and gives consistent
> > > results. That is not the issue.
> > >
> > > While trying to find out more about the issue, I see that after the
> > client
> > > has connected, it spends most of the time here:
> > >
> > > [...]
> > > debug2: input_userauth_pk_ok: fp
> > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug3: sign_and_send_pubkey: RSA
> > > e9:45:2d:52:97:f7:16:5b:2d:83:2f:2e:d9:xx:xx:xx
> > > debug1: Authentication succeeded (publickey).
> > > [...]
> > >
> > > At first I thought it might be the key retrieval from the IPA service, but
> > it
> > > is actually quite fast:
> > >
> > > time /usr/bin/sss_ssh_authorizedkeys testuser
> > > real    0m0.209s
> > >
> > > We have all the configuration files just as they were after installing the
> > > ipa-client. The only modification was made to sshd_config as these two
> > > lines:
> > >
> > > AuthorizedKeysCommand  /usr/bin/sss_ssh_authorizedkeys
> > > AuthorizedKeysCommandUser nobody
> > >
> > > I also tried removing the _srv_ in the ipa server line in sssd.conf, but
> > > that did not make any difference either.
> > >
> > > So, in brief:
> > >
> > > - SSH is fast for local users
> > > - authorized keys get retrieved quickly
> > > - no DNS issues.
> > > - IPA users take from 6 to 30 seconds to login (and also to perform sudo
> > > invocations)
> > > - While watching ssh logins, for ipa users, it takes a long time to pass
> > > these two:
> > >
> > >    - input_userauth_pk_ok
> > >    - sign_and_send_pubkey
> > >
> > > Could someone give me an idea of what to try next?
> >
> > Please check the SSSD logs especially the ones for the domain. You might
> > need to increase the debug_level, please see
> > https://fedorahosted.org/sssd/wiki/Troubleshooting for details.
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks!
> >

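Locating where the SSSD backend spends its time, which Guillem did by reading the domain log by eye, can be scripted. The following is an added example (not from the thread and not SSSD's own tooling) that parses domain-log lines in the format quoted above, times each be_get_account_info request until its acctinfo_callback, and counts the repeated 0x0080 message so it can be filtered as noise; the sample log and the domain name example.com are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# One SSSD log entry: (timestamp) [component] [function] (level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# Constructed sample in the format quoted in the thread (domain name replaced);
# timestamps have one-second resolution unless debug_microseconds is enabled.
SAMPLE_LOG = """\
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=testuser]
(Wed Oct  7 13:14:17 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Wed Oct  7 13:14:31 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

def parse_log(text):
    """Parse entries into dicts with a datetime 'ts'; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            entries.append(e)
    return entries

def request_durations(entries):
    """Pair each 'Got request for ...' with the next 'Request processed' and
    return [(request, seconds)] so slow backend requests stand out."""
    out, pending = [], None
    for e in entries:
        if e["func"] == "be_get_account_info" and e["msg"].startswith("Got request for "):
            pending = e
        elif e["func"] == "acctinfo_callback" and pending is not None:
            secs = (e["ts"] - pending["ts"]).total_seconds()
            out.append((pending["msg"][len("Got request for "):], secs))
            pending = None
    return out

def message_counts(entries, level="0x0080"):
    """Count repeated messages at one debug level, e.g. the harmless SID warning."""
    return Counter(e["msg"] for e in entries if e["level"] == level)

if __name__ == "__main__":
    for req, secs in request_durations(parse_log(SAMPLE_LOG)):
        print(f"{secs:5.1f}s  {req}")
```

Run it against a real /var/log/sssd/sssd_DOMAIN.log captured during one slow login and the request whose duration matches the delay is the one to investigate (here the constructed 0x3 request takes 14 seconds).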