Hi all,
After all, no issues at all with FreeIPA. The reboot of the Cable modem
caused the IPv6 Prefix Delegation to change, more or less destroying my
IPv6 setup.
After fixing IPv6 (enabled on IPA also :) ) all is going blazing fast again.
Winfried
On 11-02-2020 at 16:01, Winfried de Heiden via FreeIPA-users wrote:
Hi all,
Got rid of the dropped packets by simply restarting the Cable
modem/router...
Anyway, this wasn't the problem. Still cannot find the reason why
sss_ssh_authorizedkeys is so slow on the IPA-server, ONLY on the
IPA-server...
Winfried
On 10-02-2020 at 13:44, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
>
> sssd 2.20 is being used.
>
> I cannot figure out why the network might cause problems since the
> "good clients" are running on the same network, switches etc.
>
> I dived into it anyway, finding a rather large and increasing number
> of dropped packets, and dived into that first. Nevertheless, this
> can hardly be the cause since the issue only happens on the
> IPA-server itself...
>
> Winfried
>
> Sumit Bose via FreeIPA-users wrote on 10-02-2020 10:46:
>> On Mon, Feb 10, 2020 at 09:54:04AM +0100, Winfried de Heiden via
>> FreeIPA-users wrote:
>>> Hi all,
>>>
>>> Yep, I do use user-certs for authentication and it seems OCSP takes
>>> time; but only on the IPA-server. Even on a Raspberry Pi 3 as an
>>> IPA-client, using the same IPA-server, it is 4 times faster...
>>>
>>> Hence; something seems to be going wrong in OCSP, but what could be
>>> causing the problem?
>>
>> Hi,
>>
>> Which versions of SSSD are you using on the client and the server? Older
>> versions of SSSD might use NSS and do the certificate validation in the
>> ssh responder process, newer versions might use OpenSSL and do the
>> validation with the help of p11_child. Not sure if any of this might be
>> a reason.
>>
>> Maybe you can take a network trace of the communication with the OCSP
>> responder to see if the delay happens on the network?
>>
>> bye,
>> Sumit
>>
>>>
>>> Winfried
>>>
>>> On 09-02-2020 at 22:06, Alexander Bokovoy wrote:
>>> > On Sun, 09 Feb 2020, Winfried de Heiden via FreeIPA-users wrote:
>>> > > Hi all,
>>> > > For some reason, for a particular user, sss_ssh_authorizedkeys is
>>> > > extremely slow on the IPA-server:
>>> > >
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>
>>> > > real 0m9.520s
>>> > > user 0m0.022s
>>> > > sys 0m0.018s
>>> > >
>>> > > It will return all the public keys, but it is slow, causing
>>> > > SSH-login delays using ssh-keys.
>>> > > On another CentOS Stream (8.1) IPA-client, using the same
>>> > > IPA-server:
>>> > >
>>> > > time /usr/bin/sss_ssh_authorizedkeys <username>
>>> > > real 0m0.020s
>>> > > user 0m0.005s
>>> > > sys 0m0.003s
>>> > >
>>> > > Some difference... Adding "certificate_verification = no_ocsp" to
>>> > > sssd.conf on the IPA-server will bring back performance, but sounds
>>> > > like a poor workaround.
>>> > > Any idea what is happening here?
>>> >
>>> > SSSD picks up certificates associated with the user entry for use
>>> > as SSH keys as well. I guess verification of those certificates via
>>> > OCSP takes time and that's why switching off the verification helps.
>>> >
>>> >
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
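
Added example (not part of the thread, and not SSSD or FreeIPA code): one way to check Sumit's question of whether the delay is on the network, given that the cause turned out to be a broken IPv6 setup on the server. It times a TCP connect to the OCSP responder host separately over IPv4 and IPv6; the host name is a placeholder and port 80 is an assumption, take both from the OCSP URI in the user certificate.

```python
import socket
import sys
import time

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def probe_family(host, port, family, timeout=3.0):
    """Time a TCP connect to every address `host` has in one address family."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return [("-", "no-address", 0.0)]  # nothing resolvable in this family
    results = []
    for addr in dict.fromkeys(info[4][0] for info in infos):  # de-duplicate
        start = time.monotonic()
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                status = "ok"
        except socket.timeout:
            status = "timeout"  # e.g. packets silently dropped on a dead route
        except OSError as exc:
            status = "error: " + (exc.strerror or type(exc).__name__)
        results.append((addr, status, time.monotonic() - start))
    return results


def probe(host, port=80, timeout=3.0):
    """Return {family name: [(address, status, seconds), ...]}."""
    return {name: probe_family(host, port, fam, timeout)
            for name, fam in FAMILIES.items()}


def slow_families(report, threshold=1.0):
    """Families in which any address failed or needed more than `threshold` s."""
    return sorted(
        name for name, rows in report.items()
        if any(status not in ("ok", "no-address") or secs > threshold
               for _, status, secs in rows))


if __name__ == "__main__":
    # Placeholder host: use the host from the OCSP URI in the user certificate.
    host = sys.argv[1] if len(sys.argv) > 1 else "ocsp-responder.example.test"
    report = probe(host)
    for name, rows in report.items():
        for addr, status, secs in rows:
            print(f"{name:5} {addr:40} {status:24} {secs:6.3f}s")
    print("slow or failing:", ", ".join(slow_families(report)) or "none")
```

Run it on both the slow host and a fast client: an IPv6 row that times out on one host only points at that host's IPv6 configuration rather than at the responder.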