Thanks Lucas for the information.

I tried the selinux line, it did not seem to make a difference.

As I said in my original email, login to the IPA server itself does not exhibit the same behavior, although
every system has the same SSSD configuration and SElinux enabled. I actually tried "setenforce 0"
on a client without any effect either.

I checked all the reference you provided, my feelings is that the events add up still would not account for 5 seconds delay:-(

If anybody would like to have debug information, please let me know (the procedure to produce). Please also let me know if I should file a bug.

Many thanks,
Qing

On Mon, Apr 13, 2015 at 4:22 PM, Lukas Slebodnik <lslebodn@redhat.com> wrote:
On (13/04/15 15:28), Qing Chang wrote:
>OS: CentoOS 7.1
>IPA: 4.1.0-18
>SSSD: 1.12.2-58
>
>With IPA any clients running CentOS7.1 authentication for ssh and sudo
>takes more than 5 seconds _after_ putting in password. If ssh to the IPA
>server itself, it authenticates instantly.
>
>Google did not provide much relevant information. Note that this is not a
>slow ssh session to get to authentication prompt, it always gets to the
>prompt without delay.
>
>Also it is not related to NFS performance, it is equally slow if I login to
>a NFS server (IPA client) locally or login to a server (also a IPA client)
>that has autofs home.
>
>IPA server is a fresh installation with just a couple of users. I had an
>installation previously that has more than a thousand user accounts on
>CentOS 6. Users did not have the slowness problem as with this new
>installation.
>
>Hope this list can provide some pointers.
>
You might hit bug[1].

If you do not use SELinux ser mapping[2] you can try to disable
this feature.

put "selinux_provider = none" into domain section of sssd.conf

If it doesn't help you can tahe a look on sssd<->systemd conversation in mail
thread[3]

LS

[1] https://fedorahosted.org/sssd/ticket/2624
[2] https://www.freeipa.org/page/SELinux_user_mapping
[3] http://lists.freedesktop.org/archives/systemd-devel/2015-April/030496.html
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users