We are experiencing slow logins on all client machines. At present this is
only two machines, but we have experienced the same issue with prior
installations. We have migrated the entirety of our ancient OpenLDAP
install to FreeIPA. Our environment is:
1 x IPA Server
3 x IPA Replicas
All of these have the following specs:
CPU: 6 Cores
When a client has its cache cleared or it has expired, such as not being
logged into overnight, we have seen quite a delay logging in, especially
compared to our antiquated OpenLDAP install. In a test this morning the two
clients took ~30 seconds for the first login of the day. Once this delay is
seen it is not seen again for a while (I haven't timed it at this point).
In the logs I see the following:
21k instances of:
  [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286(a)example.com]
32k instances of:
  [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object
151 instances of (the only result for grepping the log for "fail"):
  [sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
148 instances of (the only result for grepping the log for "warn"):
  [sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
These cover multiple users and multiple groups. I can provide logs but a
clean log and a single login at log level 6 generated a 7.2 MiB log file.
It looks like it's doing some sort of enumeration but I don't know enough
to know what exactly is going on.
The load on the IPA server and replicas isn't remotely high at any point.
We will end up with > 8k machines authenticating to this cluster, so ~30
seconds to log in to any given machine for jobs is a lot of lost time.
  cache_credentials = True
  debug_level = 6
  krb5_store_password_if_offline = True
  ipa_domain = example.com
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  ipa_hostname = client0001.example.com
  chpass_provider = ipa
  ipa_server = _srv_, ipa0001.example.com
  ldap_tls_cacert = /etc/ipa/ca.crt
  autofs_provider = ipa
  ipa_automount_location = local-map
  services = nss, sudo, pam, autofs, ssh
  domains = example.com
  homedir_substring = /home
Any help would be appreciated!
Senior Linux Administrator
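An added example, not part of the original post or of the sssd project: a small Python script that tallies an sssd backend debug log by function name, the way the grep counts above were produced, and additionally breaks the ghost-member lines down by the name in brackets so the noisiest entries stand out. It parses the standard sssd backend line shape `[sssd[be[<domain>]]] [<function>] (<level>): <message>`, with or without the leading "(timestamp)" that sssd writes and the quoted lines omit. The sample lines are constructed for the example, and it is assumed that the "(a)" in the quoted log is the list archive's rendering of "@".

```python
import re
import sys
from collections import Counter

# One sssd backend debug line, with the optional "(timestamp) " prefix that
# sssd writes and the quoted lines in the post omit:
#   [sssd[be[<domain>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(
    r"^(?:\([^)]*\)\s+)?"
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*"
    r"(?P<msg>.*)$"
)
# First bracketed token in a message, e.g. the name in "... group [user286@example.com]".
BRACKET_RE = re.compile(r"\[([^\]]+)\]")

# Constructed sample in the same shape as the lines quoted in the post
# (names, timestamps and counts are made up for the example).
SAMPLE_LOG = """\
(Mon Mar  7 08:01:02 2016) [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user286@example.com
(Mon Mar  7 08:01:02 2016) [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286@example.com]
(Mon Mar  7 08:01:02 2016) [sssd[be[example.com]]] [sdap_get_primary_name] (0x0400): Processing object user287@example.com
(Mon Mar  7 08:01:02 2016) [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user287@example.com]
(Mon Mar  7 08:01:03 2016) [sssd[be[example.com]]] [sdap_process_ghost_members] (0x0400): Adding ghost member for group [user286@example.com]
(Mon Mar  7 08:01:03 2016) [sssd[be[example.com]]] [sdap_save_grpmem] (0x0400): Failed to get group sid
(Mon Mar  7 08:01:03 2016) [sssd[be[example.com]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base.
something that is not an sssd backend line
"""


def parse_line(line):
    """Return the fields of one backend debug line, or None if it is not one."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def summarize(lines):
    """Tally debug lines by function, plus the counts the post grepped for."""
    per_function = Counter()
    ghost_by_name = Counter()
    failures = warnings = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        per_function[rec["func"]] += 1
        msg = rec["msg"]
        # Same message family as the 21k "Adding ghost member" lines in the post.
        if rec["func"] == "sdap_process_ghost_members" and "ghost member" in msg:
            m = BRACKET_RE.search(msg)
            if m:
                ghost_by_name[m.group(1)] += 1
        lowered = msg.lower()
        if "fail" in lowered:
            failures += 1
        if "warn" in lowered:
            warnings += 1
    return {
        "per_function": per_function,
        "ghost_by_name": ghost_by_name,
        "failures": failures,
        "warnings": warnings,
        "unparsed": unparsed,
    }


def report(summary, top=10):
    """Render the summary as text, most frequent entries first."""
    out = ["lines per function:"]
    for func, n in summary["per_function"].most_common(top):
        out.append(f"  {n:8d}  {func}")
    out.append("ghost-member lines per bracketed name:")
    for name, n in summary["ghost_by_name"].most_common(top):
        out.append(f"  {n:8d}  {name}")
    out.append(f'messages containing "fail": {summary["failures"]}')
    out.append(f'messages containing "warn": {summary["warnings"]}')
    out.append(f"non-matching lines skipped: {summary['unparsed']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python sssd_log_tally.py /var/log/sssd/sssd_example.com.log
    # With no argument the constructed sample is summarized instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(summarize(fh)))
    else:
        print(report(summarize(SAMPLE_LOG.splitlines())))
```

Run it against the 7.2 MiB log from a single cold login: the per-function table shows which backend steps dominate, and the per-name table shows whether the ghost-member work is spread across many members or concentrated on a few, which is the first thing to know before deciding whether the cost is in group membership resolution or elsewhere.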