On Tue, 24 Mar 2020, White, David via FreeIPA-users wrote:
> When I ssh, it takes about that long before it even prompts me for my username.
> Then it takes a few more seconds to authenticate me after I type in my password.
> I need to correct myself here.
> When I SSH, it prompts for a username immediately.
> When I enter the username, it then takes 15-20+ seconds to prompt for the password.
> Then it takes a few more seconds before logging me in.
Please see the SSSD troubleshooting guide
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to enable
debugging for the PAM and domain sections, then check krb5_child.log for the
time period when your login happens.
Most likely there are the following issues:
- choosing a DC to talk to takes time, maybe choosing a wrong DC from a
different site; this would be visible in the domain log between
entering a username and finding a KDC to talk to
- timeouts for PAM authentication may be too low in your case
You may want to record network traffic from the client at the login
attempt to see whom the client talks to.
From: "White, David via FreeIPA-users"
<freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Date: Tuesday, March 24, 2020 at 11:09 AM
To: "freeipa-users(a)lists.fedorahosted.org"
<freeipa-users(a)lists.fedorahosted.org>
Cc: "White, David" <whitedm(a)epb.net>
Subject: [Freeipa-users] Getting shell to IdM client via AD credentials takes very long time
We have a large AD environment, which our IdM / FreeIPA servers authenticate users out of.
The issue I'm trying to address is that it takes a very long time (upwards of 15-20+ seconds) to get a shell on any IdM client server.
Our IdM servers are RHEL 7 boxes, using RHEL repositories:
Installed Packages
Name : ipa-server
Arch : x86_64
Version : 4.6.5
Release : 11.el7_7.4
When I ssh, it takes about that long before it even prompts me for my username.
Then it takes a few more seconds to authenticate me after I type in my password.
I have worked through the documents at
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-larg...
and
https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the same article).
I have implemented the recommended settings onto the IdM servers, namely, the following is now in the IdM server's sssd.conf file:
[domain/domname]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
This seems to have fixed the delays I noticed whenever I would run "id my-user(a)mydomain.com" from any server enrolled in IdM.
The "id" command now seems to be very snappy, and responds almost immediately.
However, it still takes the same 15-20 seconds+ to get a shell on an IdM client.
Reading the above article(s) on what to do with the client, I'm concerned that the recommended changes won't fix my underlying issue.
The articles recommend adding the following to the client's sssd.conf file:
[pam]
pam_id_timeout = N
[domain/domname]
krb5_auth_timeout = N
I've made the recommended changes to 1 of my clients, but it is still seeing a significant delay.
So, the issue I'm trying to address is the time it takes to login.
It would seem to me that the above options don't actually address the "time to login" issue.
Any additional suggestions on this?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
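As an added illustration of the log check suggested above (this is example code, not from the thread, SSSD or Red Hat), the script below reads an SSSD domain or krb5_child debug log, parses the timestamp SSSD prefixes to each line, and lists the largest gaps between consecutive lines, so a multi-second stall between "trying to resolve" a DC and "found server" stands out. It assumes the SSSD 1.x line format "(Tue Mar 24 11:09:01 2020) [sssd[be[dom]]] [func] (0x0400): msg" (with an extra ":microseconds" field before the year when debug_microseconds is on); the log lines and host names in SAMPLE_LOG are constructed.

```python
import re
from datetime import datetime

# Timestamp prefix SSSD writes on every debug line; the ":usec" part is optional.
LINE_RE = re.compile(
    r"^\((\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?::(\d{6}))? (\d{4})\) (.*)$")


def parse_ts(line):
    """Return (datetime, message) for a timestamped SSSD line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # continuation / multi-line output without a timestamp
    stamp, usec, year, rest = m.groups()
    # Collapse the space-padded day ("Mar  3") so strptime's %d accepts it.
    ts = datetime.strptime(" ".join(stamp.split()) + " " + year,
                           "%a %b %d %H:%M:%S %Y")
    if usec:
        ts = ts.replace(microsecond=int(usec))
    return ts, rest


def find_gaps(lines, threshold_s=1.0):
    """[(seconds, line_before_gap, line_after_gap)] for gaps >= threshold, largest first."""
    gaps, prev = [], None
    for line in lines:
        parsed = parse_ts(line)
        if parsed is None:
            continue
        ts, rest = parsed
        if prev is not None:
            delta = (ts - prev[0]).total_seconds()
            if delta >= threshold_s:
                gaps.append((delta, prev[1], rest))
        prev = (ts, rest)
    return sorted(gaps, key=lambda g: g[0], reverse=True)


# Constructed sample in SSSD log format (not real output): a DC in the wrong
# site stalls name resolution for 17 s before a reachable DC is picked.
SAMPLE_LOG = """\
(Tue Mar 24 11:09:01 2020) [sssd[be[ad.example.test]]] [dp_pam_handler] (0x0100): Got request with the following data
(Tue Mar 24 11:09:01 2020) [sssd[be[ad.example.test]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Mar 24 11:09:01 2020) [sssd[be[ad.example.test]]] [get_server_status] (0x1000): Status of server 'dc-far.ad.example.test' is 'name not resolved'
(Tue Mar 24 11:09:18 2020) [sssd[be[ad.example.test]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc-far.ad.example.test' as 'not working'
(Tue Mar 24 11:09:18 2020) [sssd[be[ad.example.test]]] [be_resolve_server_process] (0x0200): Found server 'dc-near.ad.example.test'
(Tue Mar 24 11:09:21 2020) [sssd[be[ad.example.test]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #3]: Request handler finished [0]: Success
"""

if __name__ == "__main__":
    for gap, before, after in find_gaps(SAMPLE_LOG.splitlines()):
        print(f"{gap:5.1f}s stall after: {before}\n        next line: {after}")
```

Run it against the real file with `find_gaps(open("/var/log/sssd/sssd_DOMAIN.log").read().splitlines())` once debug_level is raised in the [domain/...] and [pam] sections; the line before each large gap names the server SSSD was waiting on.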