We have a large AD environment, which our IdM / FreeIPA servers authenticate users out of. The issue I'm trying to address is that it takes a very long time (upwards of 15-20+ seconds) to get a shell on any IdM client server.
Our IdM servers are RHEL 7 boxes, using RHEL repositories:
Installed Packages
Name    : ipa-server
Arch    : x86_64
Version : 4.6.5
Release : 11.el7_7.4
When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.
I have worked through the documents at https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i... and https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the same article).
I have implemented the recommended settings on the IdM servers; namely, the following is now in the IdM server's sssd.conf file:
[domain/domname]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
This seems to have fixed the delays I noticed whenever I would run "id my-user@mydomain.com" from any server enrolled in IdM. The "id" command now seems to be very snappy, and responds almost immediately.
However, it still takes the same 15-20 seconds+ to get a shell on an IdM client. Reading the above article(s) on what to do with the client, I'm concerned that the recommended changes won't fix my underlying issue.
The articles recommend adding the following to the client's sssd.conf file:
[pam]
pam_id_timeout = N

[domain/domname]
krb5_auth_timeout = N
I've made the recommended changes to one of my clients, but it is still seeing a significant delay.
So, the issue I'm trying to address is the time it takes to login. It would seem to me that the above options don't actually address the "time to login" issue.
Any additional suggestions on this?
freeipa-users@lists.fedorahosted.org
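A small checker for the server-side settings discussed in the post, added here as an example and not part of the original thread or of SSSD itself. It relies only on sssd.conf being INI-style; the function names and the constructed sample configs are mine. The one pitfall it catches is the subdomain_inherit rule: in an IPA-AD trust, an option set in the IPA [domain/...] section only reaches the trusted AD subdomains when it is listed in subdomain_inherit, so a setting that is present but not inherited is flagged.

```python
import configparser

# Server-side tuning the post applied; value comparison is case-insensitive.
SERVER_DOMAIN_SETTINGS = {
    "ignore_group_members": "true",
    "ldap_purge_cache_timeout": "0",
}


def parse_sssd_conf(text):
    """Parse sssd.conf text (INI-style, '=' separated) preserving option case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_domain_section(cp, section, expected=SERVER_DOMAIN_SETTINGS):
    """Return a list of findings for one [domain/...] section; empty means OK."""
    if not cp.has_section(section):
        return [f"missing section [{section}]"]
    opts = cp[section]
    inherited = {o.strip() for o in opts.get("subdomain_inherit", "").split(",") if o.strip()}
    findings = []
    for key, want in expected.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} not set in [{section}]")
            continue
        if got.strip().lower() != want:
            findings.append(f"{key} is {got.strip()!r}, expected {want!r}")
        if key not in inherited:
            # Set on the IPA domain but not pushed down to the AD subdomains.
            findings.append(f"{key} is set but not listed in subdomain_inherit")
    return findings


# Constructed sample: the configuration exactly as the post describes it.
GOOD_CONF = """[domain/domname]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
"""

# Constructed sample: a common half-done version (no inherit list, one key missing).
WEAK_CONF = """[domain/domname]
ignore_group_members = True
"""


def findings_for(text, section="domain/domname"):
    return check_domain_section(parse_sssd_conf(text), section)


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, findings_for(conf) or "OK")
```

Run it against a real file with `findings_for(open("/etc/sssd/sssd.conf").read(), "domain/<your-domain>")`; an empty list means the three server-side lines from the post are present and inherited.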