After a lot of reading, adding "ignore_group_members = True" to sssd.conf vastly dropped the login time. From a completely blank cache, logging in went from taking > 25 seconds to ~1 second.



On Wed, Jan 6, 2021 at 1:59 PM Mark Potter <markp@dug.com> wrote:
We are experiencing slow logins on all client machines. At present this is only two machines, but we have experienced the same issue with prior installations. We have migrated the entirety of our ancient OpenLDAP install to FreeIPA. Our environment is:

1 x IPA Server
3 x IPA Replicas

All of these have the following specs:

Memory: 16GiB
CPU: 6 Cores
Disk: 64GiB

When a client has its cache cleared or it has expired, such as not being logged into overnight, we have seen quite a delay logging in, especially compared to our antiquated OpenLDAP install. In a test this morning the two clients took ~30 seconds for the first login of the day. Once this delay is seen it is not seen again for a while (I haven't timed it at this point). 

In the logs I see the following:

21k instances of:

[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286@example.com]

32k instances of:

[sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user767

151 instances of (the only result for grepping the log for "fail"):

[sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid

148 instances of (the only result for grepping the log for "warn"):

[sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.

These cover multiple users and multiple groups. I can provide logs but a clean log and a single login at log level 6 generated a 7.2 MiB log file. It looks like it's doing some sort of enumeration but I don't know enough to know what exactly is going on. 

The load on the IPA server and replicas isn't remotely high at any point. We will end up with > 8k machines authenticating to this cluster, so ~30 seconds to log in to any given machine for jobs is a lot of lost time.

---sssd.conf---
[domain/example.com]

cache_credentials = True
debug_level = 6
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client0001.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa0001.example.com, ipa0002.example.com, ipa0003.example.com, ipa0004.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = local-map
[sssd]
services = nss, sudo, pam, autofs, ssh

domains = example.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
---sssd.conf---

Any help would be appreciated!

--

Mark Potter

Senior Linux Administrator



--

Mark Potter

Senior Linux Administrator

DownUnder GeoSolutions

16200 Park Row Drive, Suite 100

Houston TX 77084, USA

tel +1 832 582 3221

markp@dug.com

www.dug.com
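As an added illustration (not part of the thread or of sssd itself), a small Python triage script that tallies the debug-log signatures quoted above, lists the distinct ghost members being added, and checks whether a domain section carries the ignore_group_members setting. The log lines and the two sssd.conf fragments are constructed to mirror the ones quoted in the thread.

```python
"""Triage an sssd debug log for the group-member resolution storm described in
the thread, and check the domain section for ignore_group_members. Added example."""
import configparser
import re
from collections import Counter

# Shape of a level-6 sssd backend line: "[sssd[be[dom]]] [function] (0xNNNN): message"
LOG_RE = re.compile(r"\[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)")
GHOST_RE = re.compile(r"Adding ghost member for group \[(?P<member>[^\]]+)\]")


def triage_log(lines):
    """Count messages per sssd function and collect the distinct ghost members added."""
    per_func = Counter()
    ghosts = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a backend debug line; ignore
        per_func[m.group("func")] += 1
        g = GHOST_RE.search(m.group("msg"))
        if g:
            ghosts.add(g.group("member"))
    return {"per_func": per_func, "ghost_members": ghosts}


def domain_ignores_group_members(conf_text, domain):
    """True when [domain/<domain>] sets ignore_group_members to a true value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    return cp.has_section(section) and cp.getboolean(section, "ignore_group_members", fallback=False)


# Constructed sample input, same shape as the excerpts in the thread.
SAMPLE_LOG = [
    "[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286@example.com]",
    "[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user287@example.com]",
    "[sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286@example.com]",
    "[sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user767",
    "[sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid",
]
CONF_BEFORE = "[domain/example.com]\nid_provider = ipa\n\n[sssd]\ndomains = example.com\n"
CONF_AFTER = CONF_BEFORE.replace("id_provider = ipa\n", "id_provider = ipa\nignore_group_members = True\n")

if __name__ == "__main__":
    summary = triage_log(SAMPLE_LOG)
    print(summary["per_func"].most_common(3), "distinct ghost members:", len(summary["ghost_members"]))
    print("before:", domain_ignores_group_members(CONF_BEFORE, "example.com"),
          "after:", domain_ignores_group_members(CONF_AFTER, "example.com"))
```

Note that ignore_group_members only stops sssd from filling in member lists on group lookups (e.g. `getent group`); a user's own group memberships are still resolved through initgroups, so `id` and access control keep working.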