Ronald,
> What is your experience regarding SSH logins or lookups (getent)? How
> long do they take in your setup? Uncached SSH logins with AD users do
> take up to 30 seconds or more at our site.
I wasn't sure if this question was directed at me or not, but for our
site please see the following figures from an empty client cache:
# systemctl stop sssd.service; rm -rf /var/lib/sss/{db,mc}/*;
systemctl start sssd.service; time getent passwd admin@IPA.DOMAIN;
time getent passwd ADUSER
admin:*:UID:GID:Administrator:/home/admin:/bin/bash
real 0m2.049s
user 0m0.000s
sys 0m0.002s
ADUSER:*:UID:GID:AD USER [ADUSER]:/home/a/ADUSER:/bin/bash
real 0m4.673s
user 0m0.001s
sys 0m0.000s
$ time ssh ADUSER@COMPUTE-HOST uptime
ADUSER@COMPUTE-HOST's password:
08:37:12 up 135 days, 23:08, 1 user, load average: 0.18, 0.08, 0.06
real 0m8.899s
user 0m0.011s
sys 0m0.005s
Our trust is POSIX since our AD schema supports it. All AD users
permitted to access our IPA domain belong to external groups which are
then mapped into POSIX groups.
HTH,
John DeSantis
On Thu, 9 Dec 2021 at 04:49, Ronald Wimmer via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On 07.12.21 19:45, John Desantis via FreeIPA-users wrote:
> > Georg,
> >
> >> In order to analyze our setup, we pinned one random IPA client onto one IPA
> >> Server in sssd.conf and started with debug_level=6 in all config sections.
> >
> > When we were investigating performance issues, we actually changed the
> > debug_level to 9 on both the IPA server and client for the duration of
> > testing.
> >
> >> After deleting the cache on both machines and restarting the sssd service,
> >> the login with our AD-User on the IPA server works right away. Whereas, the client takes
> >> up to ~10 minutes before the login with our AD Account works at all.
> >
> > What I'd recommend as a start is:
> >
> > 1.) Stop the client.
> > 2.) Remove the cache (/var/lib/sss/db/).
> > 3.) Remove all SSSD logs.
> > 4.) Set the debug_level to 9 in the [domain], [sssd], [nss], and
> > [pam] sections. It may be superfluous, but at least you'll know
> > you're capturing all of the logs.
> > 5.) Start the client.
> > 6.) Attempt a login to the client and continue until you've noticed a
> > significant delay.
> >
> > You can then search for the user(s) in question within the SSSD logs.
> > Look for any obvious errors and timeouts, then search for all lookups
> > from the client to the server (user, groups, HBAC, etc.).
> >
> > I'd also run a time `getent passwd ADUSER` against a _fresh_ cache
> > (step #2 above) to see how quickly a result is returned, if at all.
> > Depending on how the client is configured, perhaps the delay is due to
> > multiple, initial lookup failures.
> >
> > HTH,
> > John DeSantis
>
> What is your experience regarding SSH logins or lookups (getent)? How
> long do they take in your setup? Uncached SSH logins with AD users do
> take up to 30 seconds or more at our site.
>
> Cheers,
> Ronald
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
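The troubleshooting steps John lists (stop sssd, wipe the cache and logs, raise debug_level to 9 in the [sssd], [nss], [pam] and [domain] sections, start, time a fresh getent) as one script; this is an added example, not code from the thread, and the function names, the SECTIONS list and the prefix rule for [domain/NAME] are my assumptions (the cache and log paths are the standard SSSD ones John also uses).

```shell
#!/bin/bash
# Added example, not code from the thread: automates John's steps 1-5 and the
# cold-cache timing he posts. SECTIONS lists the sssd.conf sections to raise;
# "domain/" is a prefix that matches every [domain/NAME] section (assumption).
set -eu

SECTIONS='sssd nss pam domain/'

# sssd_set_debug_level CONF LEVEL: put "debug_level = LEVEL" directly under the
# header of every targeted section and drop any earlier debug_level in it.
sssd_set_debug_level() {
  local conf="$1" level="$2"
  awk -v level="$level" -v want="$SECTIONS" '
    BEGIN { n = split(want, w, " ") }
    /^\[/ {                                  # section header
      target = 0
      sec = substr($0, 2, index($0, "]") - 2)
      for (i = 1; i <= n; i++) {
        if (sec == w[i]) target = 1
        else if (substr(w[i], length(w[i])) == "/" && index(sec, w[i]) == 1) target = 1
      }
      print
      if (target) print "debug_level = " level
      next
    }
    target && /^[ \t]*debug_level[ \t]*=/ { next }   # old value, superseded above
    { print }
  ' "$conf" > "$conf.tmp"
  # Overwrite through cat so the file keeps its mode and owner: sssd refuses to
  # start when sssd.conf is not root-owned 0600.
  cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# cold_cache_lookup USER: stop sssd, wipe the persistent db and the fast
# memory cache (what John does before his getent timings), clear the logs,
# restart, and report the wall-clock seconds one uncached getent takes.
# Needs root; not exercised by the test below.
cold_cache_lookup() {
  local user="$1" start end
  systemctl stop sssd.service
  rm -rf /var/lib/sss/db/* /var/lib/sss/mc/*
  rm -f /var/log/sssd/*.log                  # step 3: start from empty logs
  systemctl start sssd.service
  start=$(date +%s.%N)
  getent passwd "$user" > /dev/null || echo "no result for $user" >&2
  end=$(date +%s.%N)
  awk -v s="$start" -v e="$end" -v u="$user" \
      'BEGIN { printf "%s: %.3f s uncached\n", u, e - s }'
}
```

Run `sssd_set_debug_level /etc/sssd/sssd.conf 9` before `cold_cache_lookup ADUSER`, then grep the fresh logs under /var/log/sssd for the user to find the lookups that account for the delay.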