> When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.
I need to correct myself here. When I SSH, it prompts for a username immediately.
When I enter the username, it then takes 15-20+ seconds to prompt for the password. Then it takes a few more seconds before logging me in.
From: "White, David via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Date: Tuesday, March 24, 2020 at 11:09 AM
To: "freeipa-users@lists.fedorahosted.org" <freeipa-users@lists.fedorahosted.org>
Cc: "White, David" <whitedm@epb.net>
Subject: [Freeipa-users] Getting shell to IdM client via AD credentials takes very long time
We have a large AD environment, which our IdM / FreeIPA servers authenticate users out of. The issue I'm trying to address is that it takes a very long time (upwards of 15-20+ seconds) to get a shell on any IdM client server.
Our IdM servers are RHEL 7 boxes, using RHEL repositories:
Installed Packages
Name    : ipa-server
Arch    : x86_64
Version : 4.6.5
Release : 11.el7_7.4
When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.
I have worked through the documents at https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-i... and https://access.redhat.com/articles/2133801 (which seem to be mostly word-for-word the same article).
I have implemented the recommended settings onto the IdM servers, namely, the following is now in the IdM server's sssd.conf file:
[domain/domname]
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
ignore_group_members = True
ldap_purge_cache_timeout = 0
This seems to have fixed the delays I noticed whenever I would run "id my-user@mydomain.com" from any server enrolled in IdM. The "id" command now seems to be very snappy, and responds almost immediately.
However, it still takes the same 15-20 seconds+ to get a shell on an IdM client. Reading the above article(s) on what to do with the client, I'm concerned that the recommended changes won't fix my underlying issue.
The articles recommend adding the following to the client's sssd.conf file:
[pam]
pam_id_timeout = N

[domain/domname]
krb5_auth_timeout = N
I've made the recommended changes to one of my clients, but it is still seeing a significant delay.
So, the issue I'm trying to address is the time it takes to log in. It would seem to me that the above options don't actually address the "time to log in" issue.
Any additional suggestions on this?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Tue, 24 Mar 2020, White, David via FreeIPA-users wrote:
> > When I ssh, it takes about that long before it even prompts me for my username. Then it takes a few more seconds to authenticate me after I type in my password.
> I need to correct myself here. When I SSH, it prompts for a username immediately.
> When I enter the username, it then takes 15-20+ seconds to prompt for the password. Then it takes a few more seconds before logging me in.
Please see SSSD troubleshooting guide https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to enable debugging for PAM and domain sections, then check krb5_child.log for the time period when your login happens.
Most likely there are the following issues:
- choosing a DC to talk to takes time; it may be choosing the wrong DC from a different site. This would be visible in the domain log between entering a username and finding a KDC to talk to
- timeouts for PAM authentication may be too low in your case
You may want to record network traffic from the client at the login attempt to see whom the client talks to.
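One way to act on the advice above (raise debug_level in the client's [pam] and [domain/...] sections, then read the domain and krb5_child logs for the login window) is to let a script find where the time goes rather than eyeballing timestamps. The following is an added example, not code from the thread or from the SSSD project. It parses the timestamp format SSSD 1.16 (RHEL 7) writes to /var/log/sssd/sssd_<domain>.log and krb5_child.log, with or without debug_microseconds, and reports the largest gaps between consecutive entries. The log lines embedded below are constructed for illustration; the server, user and PID values are made up, and the domain name example.com is a placeholder.

```python
"""Locate the slow step in an SSSD debug log for one login attempt.

SSSD 1.16 writes entries as
  (Tue Mar 24 11:09:01 2020) [sssd[be[domname]]] [function] (0x0200): message
or, with debug_microseconds = true in sssd.conf,
  (Tue Mar 24 11:09:01:123456 2020) ...
The tool sorts the gaps between consecutive entries so the stall (here: the
wait between asking the failover code for a DC and getting an address back)
stands out. Added example; not part of the original thread or of SSSD.
"""
import re
from datetime import datetime

# Constructed sample (not real output): a ~20 s login in which the backend
# spends 17 s resolving a domain controller and 3 s in krb5_child.
SAMPLE_LOG = """\
(Tue Mar 24 11:09:01 2020) [sssd[be[example.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Mar 24 11:09:01 2020) [sssd[be[example.com]]] [be_pam_handler] (0x0100): user: dwhite@ad.example.com
(Tue Mar 24 11:09:01 2020) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Mar 24 11:09:18 2020) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server dc01.ad.example.com: [10.0.0.5] TTL 3600
(Tue Mar 24 11:09:18 2020) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'dc01.ad.example.com' as 'working'
(Tue Mar 24 11:09:21 2020) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [12345] finished successfully.
(Tue Mar 24 11:09:21 2020) [sssd[be[example.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.com]
"""

# Weekday is ignored; day may be space-padded; microseconds are optional.
LINE_RE = re.compile(
    r"^\((?P<wday>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"(?P<rest>.*)$"
)


def parse_timestamp(line):
    """Return (datetime, message) for a timestamped SSSD log line.

    Returns None for lines without a timestamp, which SSSD emits for
    continuation lines of multi-line messages (e.g. dumped LDAP filters).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{m['mon']} {m['day']} {m['year']} {m['h']}:{m['m']}:{m['s']}",
        "%b %d %Y %H:%M:%S",
    )
    if m["us"]:
        ts = ts.replace(microsecond=int(m["us"]))
    return ts, m["rest"]


def _entries(text):
    return [e for e in (parse_timestamp(l) for l in text.splitlines()) if e]


def find_gaps(text, min_seconds=1.0):
    """Return [(seconds, message_before, message_after), ...], largest first,
    for every pair of consecutive entries at least min_seconds apart."""
    entries = _entries(text)
    gaps = []
    for (t0, msg0), (t1, msg1) in zip(entries, entries[1:]):
        delta = (t1 - t0).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, msg0, msg1))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps


def total_duration(text):
    """Seconds between the first and last timestamped entry in the excerpt."""
    entries = _entries(text)
    if len(entries) < 2:
        return 0.0
    return (entries[-1][0] - entries[0][0]).total_seconds()


if __name__ == "__main__":
    # Usage on a real box: python3 sssd_gaps.py < /var/log/sssd/sssd_example.com.log
    # (after trimming the file to the login window). Here it runs on the sample.
    print(f"login window: {total_duration(SAMPLE_LOG):.1f} s")
    for seconds, before, after in find_gaps(SAMPLE_LOG):
        print(f"{seconds:6.1f} s  after: {before}")
        print(f"          until: {after}")
```

In the constructed sample the biggest gap sits between "Trying to resolve service 'AD'" and "Found address for server ...", which is the DC-selection phase Alexander points at (DNS SRV lookup, site discovery, or a DC that is unreachable until failover gives up); a gap ending in a child_sig_handler line instead points at krb5_child and the KDC exchange, which is where krb5_auth_timeout applies. Feed the script the domain log and krb5_child.log separately, since each has its own timeline.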