On 04/11/2013 08:44 AM, Stephen Gallagher wrote:
> You shouldn't be seeing any delays at all for the local user during
> login, unless the initgroups() call for that user is taking a long
> time. The PAM stack should not be getting to pam_sss.so at all if it's
> properly configured. What version of SSSD are you running, on what
> distro? If it's Fedora/RHEL based, can I see /etc/pam.d/password-auth?
That thought had occurred to me (pam stack hierarchy).
I'm experimenting with this on two systems. On my Fedora 18 laptop,
I'm running sssd-1.9.4-7.fc18; on my RHEL 6.4 workstation, it's
sssd-1.9.2-82.4.el6_4. The password-auth file is identical on both
systems with the exception of two lines:
Fedora:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
RHEL 6.4:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
> Also, try the following experiment:
> time id -G <localuser>
> and show me the output.
On the Fedora laptop:
real 0m58.014s
user 0m0.001s
sys 0m0.007s
On the RHEL workstation:
real 0m58.012s
user 0m0.001s
sys 0m0.001s
/Harry
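The point Stephen makes about the PAM stack can be checked against the two password-auth files above by simulating the control-flag dispatch rules from pam.conf(5). The following is an added example, not code from the thread or from SSSD: it parses the auth and account groups of the Fedora 18 file (the RHEL 6.4 file differs in those two groups only by the 500 threshold, so it is derived by substitution), then walks them with Linux-PAM's "impression/status" bookkeeping for two constructed local accounts, `svc` (uid 48) and `harry` (uid 1000). The modules are simplified stand-ins, and the assumption that sssd does not know local users (so pam_sss returns PAM_USER_UNKNOWN for them) is marked in the code; jump actions (`success=N`) and `reset` are not modelled. Running it shows that with a correct password the `sufficient` pam_unix line ends the auth stack before pam_sss is ever called, that the `requisite` pam_succeed_if line only shields accounts below the uid threshold (a regular local user who mistypes a password is still handed to pam_sss), and that the account group stops at pam_localuser for any local user.

```python
# Added example, not code from the thread: a simulator of Linux-PAM control-flag
# dispatch (pam.conf(5)) run over the password-auth stacks quoted above.  The
# modules are simplified stand-ins; only the dispatch rules come from the manual.
import itertools, operator

SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")
# pam.conf(5): the simple control keywords are shorthand for these action tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}
FIXED = {"pam_env.so": SUCCESS, "pam_permit.so": SUCCESS, "pam_deny.so": PERM_DENIED}
# Constructed local accounts (name -> uid, password) standing in for passwd/shadow.
LOCAL_USERS = {"svc": (48, "s3cret"), "harry": (1000, "hunter2")}
# auth and account groups of the Fedora 18 file quoted above.  In these two groups the
# RHEL 6.4 file differs only in the 500 threshold (quiet/quiet_success only affects logging).
FEDORA = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so"""
RHEL = FEDORA.replace("1000", "500")


def parse_stack(text, pam_type):
    """[(actions, module, args)] for one management group of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2 or fields[0].lstrip("-") != pam_type:  # leading '-': missing module is not an error
            continue
        rest = fields[1]
        if rest.startswith("["):                 # explicit [value=action ...] control
            control, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in control.split())
        else:
            control, rest = rest.split(None, 1)
            actions = KEYWORDS[control]
        module, *args = rest.split()
        stack.append((actions, module, args))
    return stack


def run_module(module, args, user, password, pam_type):
    """Simplified stand-ins for the real modules.  Assumption: local users are
    unknown to sssd, so pam_sss returns PAM_USER_UNKNOWN for them."""
    local = LOCAL_USERS.get(user)
    if module in FIXED:
        return FIXED[module]
    if local is None or module == "pam_sss.so":  # non-local users are out of scope here
        return USER_UNKNOWN
    if module == "pam_localuser.so":
        return SUCCESS
    if module == "pam_unix.so":                  # account phase: a valid local account passes
        return SUCCESS if pam_type != "auth" or password == local[1] else AUTH_ERR
    if module == "pam_succeed_if.so":            # only 'uid <op> N' predicates are modelled
        field, op, value = args[:3]
        if field != "uid": raise NotImplementedError(args)
        return SUCCESS if OPS[op](local[0], int(value)) else AUTH_ERR
    raise NotImplementedError(module)


def dispatch(stack, user, password, pam_type):
    """Walk the stack with Linux-PAM's impression/status bookkeeping."""
    impression, status, invoked = None, None, []
    for actions, module, args in stack:
        ret = run_module(module, args, user, password, pam_type)
        invoked.append(module)
        action = actions.get(ret[4:].lower(), actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression in (None, "positive"):    # 'ok' never overrides an earlier failure
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                               # sufficient: grant now
        elif action in ("bad", "die"):
            if impression != "negative":            # the first failure decides the result
                impression, status = "negative", ret
            if action == "die":
                break                               # requisite: stop immediately
        elif action != "ignore":
            raise NotImplementedError(action)       # success=N jumps and reset not modelled
    if impression != "positive":
        status = status or PERM_DENIED              # nothing granted: the stack must fail
    return status, invoked


def reaches_sss(config, pam_type, user, password=None):
    status, invoked = dispatch(parse_stack(config, pam_type), user, password, pam_type)
    return status, "pam_sss.so" in invoked, invoked


if __name__ == "__main__":                       # trace every case on both stacks
    for cfg, case in itertools.product((FEDORA, RHEL), (("auth", "harry", "hunter2"),
            ("auth", "harry", "wrong"), ("auth", "svc", "wrong"), ("account", "harry"))):
        print(case, *reaches_sss(cfg, *case))
```

Note that this only tells you which PAM phases can reach sssd at all. `id -G` does not go through PAM: it exercises initgroups(3) via NSS, so the group line of nsswitch.conf and sssd's NSS responder are the place to look for the 58 seconds measured above.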