<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
<div>When I attach gdb to the process, I have tried the main process and the four child processes, it provides no output. </div>
<div>Here are the steps I'm taking:</div>
<div>
<ol class="MailOutline">
<li>On freeipa-server run htop and find the pid (or ps aux)
<ol>
<li>Shows one parent PID and four child processes
<ol>
<li>934 root<span class="Apple-tab-span" style="white-space:pre"> </span>20   0 46784  2656   388 S  0.0  0.1  0:00.00  `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4</li><li> 1939 root<span class="Apple-tab-span" style="white-space:pre"> </span>20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4</li><li> 1938 root<span class="Apple-tab-span" style="white-space:pre"> </span>20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4</li><li> 1936 root<span class="Apple-tab-span" style="white-space:pre"> </span>20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4</li><li> 1935 root<span class="Apple-tab-span" style="white-space:pre"> </span>20   0 78664  4212  1808 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4</li></ol>
</li><li>run sudo gdb
<ol>
<li>attach 934</li><li>press "c"</li><li>Wait for output… </li></ol>
</li></ol>
</li><li>Attempt to login with user that has an expired password.</li><li>Now the krb5kdc process 934 starts running at 100% and the user is unable to login. </li><li>Only way to get the process back to normal is to type "service ipa restart"</li></ol>
<div><br>
</div>
</div>
<div>I've never debugged a program before so if I'm missing a step please let me know. </div>
<div><br>
</div>
<div>-Martin</div>
<br>
<div>
<div>On Sep 8, 2011, at 1:24 PM, Simo Sorce wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div>Also any chance you can attach gdb to the krb5kdc process and take a<br>
backtrace ?<br>
<br>
Hopefully we will find out where it is hanging.<br>
<br>
Simo.<br>
<br>
On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:<br>
<blockquote type="cite">Is the ns-slapd instance for the ipa domain running when this happens ?<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">Simo.<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R.<br>
</blockquote>
<blockquote type="cite">[<a href="mailto:smma0901@stcloudstate.edu">smma0901@stcloudstate.edu</a>] wrote:<br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Update: It appears to lockup immediately after a user with an expired<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">password attempts to login. This happens when a user attempts to login<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">at the freeipa-server itself or one of the clients. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">From: <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">[mailto:freeipa-users-bounces@redhat.com] On Behalf Of Smith, Martin<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">R. [<a href="mailto:smma0901@stcloudstate.edu">smma0901@stcloudstate.edu</a>]<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Sent: Thursday, September 08, 2011 12:49 PM<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">To: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Subject: [Freeipa-users] krb5kdc process at 100%<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Hello all,<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">I’m running a fairly new install of Freeipa-server and we are running<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">into a problem that is preventing users from logging in. We have two<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">SSH servers that authenticate to our freeipa-server and after 15 min<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">to 4 hrs of runtime the process Krb5kdc will consume 100% of the<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">processor and the freeipa-server will no longer respond to ldap<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">requests from the other machines. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Here are some specs:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">The freeipa-server is running as a virtual machine on a Xen 5.6 box<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Fedora 15 with all current updates<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">The /home directory is a NFS mount to a different server, also running<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">freeipa-client<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">I updated the freeipa-server package to the “testing” repo today, the<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">problem still exists. The only additional components I’ve installed<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">are fail2ban, and rsyslog. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Some of the error messages include:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">(krb5kdc.log)<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Sep 08 12:10:23 <a href="http://client1.fake.com">client1.fake.com</a> krb5kdc[1867](info): AS_REQ (7 etypes<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">{18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH:<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><a href="mailto:host/client1.fake.com@fake.com">host/client1.fake.com@fake.com</a> for
<a href="mailto:krbtgt/fake.com@fake.com">krbtgt/fake.com@fake.com</a>,<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Additional pre-authentication required<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">(pki-ca-system-log)<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Attached. This log is from the freeipa-server, it appears to be<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">complaining that it can’t connect to itself. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">I can provide more logs to a personal email if needed. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Thanks for your help in resolving this issue. <br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">-Martin Smith<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">_______________________________________________<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite">Freeipa-users mailing list<br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">-- <br>
</blockquote>
<blockquote type="cite">Simo Sorce * Red Hat, Inc * New York<br>
</blockquote>
<blockquote type="cite"><br>
</blockquote>
<blockquote type="cite">_______________________________________________<br>
</blockquote>
<blockquote type="cite">Freeipa-users mailing list<br>
</blockquote>
<blockquote type="cite"><a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
</blockquote>
<blockquote type="cite"><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
<br>
-- <br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div>
</blockquote>
</div>
<br>
</body>
</html>