Georg,
> In order to analyze our setup, we pinned one random IPA client onto
> one IPA Server in sssd.conf and started with debug_level=6 in all config sections.
When we were investigating performance issues, we actually changed the
debug_level to 9 on both the IPA server and client for the duration of
testing.
> After deleting the cache on both machines and restarting the sssd
> service, the login with our AD-User on the IPA server works right away. Whereas, the
> client takes up to ~10 minutes before the login with our AD Account works at all.
What I'd recommend as a start is:
1.) Stop the client.
2.) Remove the cache (/var/lib/sss/db/).
3.) Remove all SSSD logs.
4.) Set the debug_level to 9 in the [domain], [sssd], [nss], and
[pam] sections. It may be superfluous, but at least you'll know
you're capturing all of the logs.
5.) Start the client.
6.) Attempt a login to the client and continue until you've noticed a
significant delay.
You can then search for the user(s) in question within the SSSD logs.
Look for any obvious errors and timeouts, then search for all lookups
from the client to the server (user, groups, HBAC, etc.).
I'd also run a time `getent passwd ADUSER` against a _fresh_ cache
(step #2 above) to see how quickly a result is returned, if at all.
Depending on how the client is configured, perhaps the delay is due to
multiple, initial lookup failures.
HTH,
John DeSantis
On Tue, Dec 7, 2021 at 08:05, Georg Seyerl via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello,
> the IPA Infrastructure at my company is quite big and the performance of the login
> varies from acceptable to unacceptable. We are aware of the performance tuning guide by
> jhrozek, but it did not improve the performance in our case.
> In order to analyze our setup, we pinned one random IPA client onto
> one IPA Server in sssd.conf and started with debug_level=6 in all config sections.
> After deleting the cache on both machines and restarting the sssd service, the
> login with our AD-User on the IPA server works right away. Whereas, the client takes up to
> ~10 minutes before the login with our AD Account works at all. How long does it take the
> IPA Server on average to start up and serve client requests?
>
> After a successful login on the client, the performance is acceptable (~2s) for some
> time. On the next day the performance of the first login becomes quite slow again (up to
> 30s and more).
>
> As an IPA beginner I am to some extent overwhelmed by the sheer mass of logs and I'd
> be glad if you point me in the right direction.
>
> Thanks
> Georg
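
One way to do the log search suggested in the reply (errors, timeouts and per-user lookups at debug_level 9), as an added example that is not part of the original thread. It assumes the classic SSSD debug-log line layout without microsecond timestamps; the sample lines, host names, user name and helper names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the classic SSSD debug-log layout (assumption:
# no debug_microseconds; newer releases print a different timestamp format).
SAMPLE_LOG = """\
(Tue Dec  7 08:05:01 2021) [sssd[be[ipa.example.test]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=aduser@ad.example.test]
(Tue Dec  7 08:05:01 2021) [sssd[be[ipa.example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=posixAccount)]
(Tue Dec  7 08:05:07 2021) [sssd[be[ipa.example.test]]] [sdap_op_timeout] (0x1000): Issuing timeout
(Tue Dec  7 08:05:07 2021) [sssd[be[ipa.example.test]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Timeout
(Tue Dec  7 08:05:08 2021) [sssd[be[ipa.example.test]]] [dp_req_done] (0x0400): Request finished for aduser@ad.example.test
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
FAILURE_MAX = 0x0080  # SSSD failure levels are 0x0010 through 0x0080

def parse(log_text):
    """Return (timestamp, level, function, message) for each parsable line."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], TS_FORMAT),
                        int(m["lvl"], 16), m["func"], m["msg"]))
    return out

def find_stalls(log_text, min_gap=5.0):
    """Gaps of min_gap seconds or more between consecutive log lines."""
    rows = parse(log_text)
    return [((b[0] - a[0]).total_seconds(), a[2], b[2])
            for a, b in zip(rows, rows[1:])
            if (b[0] - a[0]).total_seconds() >= min_gap]

def find_failures(log_text):
    """(function, message) for every line logged at a failure level."""
    return [(f, msg) for _, lvl, f, msg in parse(log_text) if lvl <= FAILURE_MAX]

def lookup_duration(log_text, user):
    """Seconds between the first and last log line that mentions the user."""
    seen = [ts for ts, _, _, msg in parse(log_text) if user in msg]
    return (seen[-1] - seen[0]).total_seconds() if seen else None

if __name__ == "__main__":
    print(find_stalls(SAMPLE_LOG))
    print(find_failures(SAMPLE_LOG))
    print(lookup_duration(SAMPLE_LOG, "aduser@ad.example.test"))
```

To use it on a real client, pass the contents of the domain log from /var/log/sssd/ instead of SAMPLE_LOG and raise or lower min_gap to match the delay being chased.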