[CentOS] Slow authentication on C7

Tue Apr 12 15:28:32 UTC 2016
Scott Robbins <scottro11 at gmail.com>

On Tue, Apr 12, 2016 at 09:45:17AM +0200, Marcin Trendota wrote:
> W dniu 11.04.2016 o 20:07, Scott Robbins pisze:
> >>> Any ideas?
> >> DNS?
> > Is LDAP listed in the /etc/nsswitch.conf?  
> In nsswitch.conf i have:
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> DNS works fine. I think that sssd communicates with LDAP server with
> every authentication - i have tons of following entries in log:
> http://pastebin.com/rZVjk0gW
> And it repeats for same user over and over again. Is this correct behavior?
RedHat never really mastered LDAP, unfortunately.  I have a by now ancient
article, that mentions it.

What I found back then is that if it EVER uses LDAP for anything, upon
boot, it will look for an LDAP server.  It doesn't even have to be one that
the workstation uses--it just wants to know there's one on the network.  

In other words, I have server1 which workstation1 can use for
authentication, and server2, which does, say, address book duty.

The workstation also does authenticate for some things against the server1.
If server1 is off, although there's a local account on workstation, it will
look and hang for awhile, till it gives up and finally logs on the local

However, if server2 is on--that is, as long as there's an LDAP server that
it can see, even though that server isn't used for authentication,
workstation1 will, IIRC, try it, see it can't authenticate, and then use
local authentication. 

Again, this is something that happened a long time ago and I haven't tried
in a long while.   However, that's why I asked if LDAP was involved,
because it might be the issue. 

Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6