Slow authentication with IPA failover

Post by andsal » 2021/02/04 09:49:32

Hello.
I'm setting up an IPA replica server. I followed the Red Hat documentation and, on the clients, I set the address of both servers as DNS.

It mostly works but, if I shut down one of the two IPAs (let's say the primary), both SSH login and IPA commands become very slow. As an example, in the case of SSH, the system takes 8 seconds to show the "Password:" prompt and about 50 seconds to log in after inserting the password. After some investigation, it seems that the problem is related to some DNS timeout setting. In fact, if I set the surviving server as primary DNS there are no delays.

I tried to lower the values of dns_resolver_server_timeout, dns_resolver_op_timeout and dns_resolver_timeout in the domain section of the clients' /etc/sssd/sssd.conf file (and to restart the sssd daemon), but there were no notable differences. Actually, the IPA settings of the sssd.conf file seem to be completely ignored. As an example, if I remove "_srv_" from "ipa_server" and set it to some non-existing hostname, auto-discovery still works and users get authenticated.

The only (partial) solution I found is to set "options timeout:1" in /etc/resolv.conf. By doing so, the system takes 3 seconds to show the "Password:" prompt and 17 seconds to log in after inserting the password.

Do you have any suggestions on how I can further speed up the DNS timeout?
Thanks
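
An added example, not part of the original post: a simplified model of how the /etc/resolv.conf settings discussed above turn into a per-lookup wait when the first listed DNS server is down. The addresses and sample files are constructed, and the fixed-order, one-timeout-per-unreachable-server behaviour is an assumption of the model.

```python
# Defaults and limits documented in resolv.conf(5).
DEFAULT_TIMEOUT, MAX_TIMEOUT, MAX_NAMESERVERS = 5, 30, 3

def parse_resolv_conf(text):
    """Return (nameservers, timeout_seconds, rotate) from resolv.conf text."""
    servers, timeout, rotate = [], DEFAULT_TIMEOUT, False
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    timeout = min(int(value), MAX_TIMEOUT)
                elif name == "rotate":
                    rotate = True
    return servers[:MAX_NAMESERVERS], timeout, rotate

def delay_per_lookup(text, dead):
    """Seconds one lookup waits before a live server answers, or None.

    Simplified model (assumption): servers are tried in file order and each
    unreachable one costs one full timeout before the next is asked.
    """
    servers, timeout, rotate = parse_resolv_conf(text)
    if rotate:
        raise ValueError("model assumes fixed server order (no 'rotate')")
    waited = 0
    for server in servers:
        if server not in dead:
            return waited
        waited += timeout
    return None  # no listed server is reachable

# Constructed sample files; 192.0.2.x are documentation addresses.
DEFAULTS = "search example.test\nnameserver 192.0.2.10\nnameserver 192.0.2.11\n"
TUNED = DEFAULTS + "options timeout:1\n"
SURVIVOR_FIRST = "nameserver 192.0.2.11\nnameserver 192.0.2.10\n"

if __name__ == "__main__":
    down = {"192.0.2.10"}  # the server that was shut down
    for label, conf in [("defaults", DEFAULTS), ("timeout:1", TUNED),
                        ("survivor first", SURVIVOR_FIRST)]:
        print(f"{label}: {delay_per_lookup(conf, down)}s per lookup")
```

Each sequential lookup during a login pays this wait again, so the total grows with the number of lookups performed.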
