Red Hat Bugzilla – Bug 1285066
pam_sss.so event causing delayed response after received result from idm server.
Last modified: 2016-08-10 08:21:00 EDT
Description of problem:
Delay issues on pam_sss.so.
"Postgresql is calling pam_sss.so via pam stack. Sometimes, response time is longer than 3s. It happened randomly. But happened on both RHEL5 and RHEL6. On both OS, we are using service record for load balancing.
Verified in logs on idm server side, server returns result in subsecond.
Something happened inside pam_sss.so that delayed response after received result from idm server"
Version-Release number of selected component (if applicable):
RHEL5 and RHEL6
- It appears it is reproducible on the customer side. On the Red Hat side, per comment #31 in the case (Justin Stephenson (11/17/2015 2:29 PM))
Steps to Reproduce:
We're attempting to debug pam_sss callouts at a granular level. Something like this, it could benefit to have something like a stap script in place. But that's likely the next step is to look at the callouts coming from the pam libraries and seeing where the delays are counted at.
Could you provide log files from sssd?
We would need to increase debug_level in domain and pam section.
Could you also provide log file /var/log/secure?
You might also use tips for trubleshooting authentication.
When you attach those logs, please also make sure they are from a RHEL-6 machine because a) this is a performance issue and in RHEL-5 we no longer fix those and b) RHEL-6 would have Kerberos tracing info in krb5_child.logs.
Created attachment 1103387 [details]