<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 02/15/2015 01:02 PM, Thomas Raehalme
wrote:<br>
</div>
<blockquote
cite="mid:CAPyAMoYph9v_2WFkHTa8taTAvFCXDyo1TA5zJtPQhm0RKh8skQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>Hi!<br>
<br>
</div>
Today we started having problems with dirsrv hanging.
We have observed the following symptoms (using <a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>
instead of the real domain):<br>
<br>
/var/log/dirsrv/slapd-EXAMPLE-COM/errors:<br>
<br>
[15/Feb/2015:21:48:50 +0200]
slapd_ldap_sasl_interactive_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: LDAP
error -1 (Can't contact LDAP server) ((null)) errno
107 (Transport endpoint is not connected)<br>
[15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error:
could not perform interactive bind for id [] mech
[GSSAPI]: error -1 (Can't contact LDAP server)<br>
<br>
</div>
/var/log/messages:<br>
<br>
Feb 15 21:49:02 ipa named[5545]: LDAP query timed out.
Try to adjust "timeout" parameter<br>
Feb 15 21:49:03 ipa named[5545]: LDAP query timed out.
Try to adjust "timeout" parameter<br>
(repeated)<br>
</div>
<br>
</div>
<div>Trying to access the DS also with ldapsearch just
hangs:<br>
<br>
ldapsearch -h localhost -x "dc=example,dc=com"<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
see <a class="moz-txt-link-freetext" href="http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs">http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs</a><br>
<br>
<blockquote
cite="mid:CAPyAMoYph9v_2WFkHTa8taTAvFCXDyo1TA5zJtPQhm0RKh8skQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
<div>And Kerberos is unavailable as well:<br>
<br>
# KRB5_TRACE=/dev/stdout kinit admin<br>
[6421] 1424029967.466519: Getting initial credentials for
<a moz-do-not-send="true" href="mailto:admin@EXAMPLE.COM">admin@EXAMPLE.COM</a><br>
[6421] 1424029967.467202: Sending request (172 bytes) to <a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a><br>
[6421] 1424029967.467736: Sending initial UDP request to
dgram <a moz-do-not-send="true" href="http://10.1.1.1:88">10.1.1.1:88</a><br>
[6421] 1424029968.469031: Initiating TCP connection to
stream <a moz-do-not-send="true"
href="http://10.1.1.1:88">10.1.1.1:88</a><br>
[6421] 1424029968.469205: Sending TCP request to stream <a
moz-do-not-send="true" href="http://10.1.1.1:88">10.1.1.1:88</a><br>
[6421] 1424029971.472024: Sending retry UDP request to
dgram <a moz-do-not-send="true" href="http://10.1.1.1:88">10.1.1.1:88</a><br>
[6421] 1424029976.477340: Sending retry UDP request to
dgram <a moz-do-not-send="true" href="http://10.1.1.1:88">10.1.1.1:88</a><br>
kinit: Cannot contact any KDC for realm '<a
moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>'
while getting initial credentials<br>
<br>
</div>
<div>Strange thing is that there is hardly any CPU
utilization when the problem is occurring.<br>
</div>
<div><br>
</div>
In addition we have started to see the following entries in
/var/log/messages:<br>
<br>
Feb 15 21:37:27 ipa kernel: possible SYN flooding on port
88. Sending cookies.<br>
Feb 15 21:39:37 ipa kernel: possible SYN flooding on port
88. Sending cookies.<br>
<br>
</div>
I'm not sure if this is related, but it's something we haven't
seen before.<br>
<br>
</div>
<div>We are running CentOS release 6.6 (Final) with the latest
available packages:<br>
<br>
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64<br>
389-ds-base-1.2.11.15-48.el6_6.x86_64<br>
ipa-client-3.0.0-42.el6.centos.x86_64<br>
ipa-server-selinux-3.0.0-42.el6.centos.x86_64<br>
libipa_hbac-1.11.6-30.el6_6.3.x86_64<br>
sssd-ipa-1.11.6-30.el6_6.3.x86_64<br>
ipa-admintools-3.0.0-42.el6.centos.x86_64<br>
ipa-python-3.0.0-42.el6.centos.x86_64<br>
ipa-pki-ca-theme-9.0.3-7.el6.noarch<br>
ipa-server-3.0.0-42.el6.centos.x86_64<br>
libipa_hbac-python-1.11.6-30.el6_6.3.x86_64<br>
ipa-pki-common-theme-9.0.3-7.el6.noarch<br>
krb5-workstation-1.10.3-33.el6.x86_64<br>
krb5-libs-1.10.3-33.el6.x86_64<br>
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64<br>
python-krbV-1.0.90-3.el6.x86_64<br>
krb5-server-1.10.3-33.el6.x86_64<br>
sssd-krb5-1.11.6-30.el6_6.3.x86_64<br>
pam_krb5-2.3.11-9.el6.x86_64<br>
<br>
</div>
<div>Killing the dirsrv processes and restarting them resolves
the issue - until it happens again after about 15 minutes.<br>
</div>
<div><br>
</div>
Any idea what could have gone wrong? I can e-mail logs, if
necessary.<br>
<div><br>
</div>
<div>Thank you in advance!<br>
</div>
<div><br>
Best regards,<br>
Thomas<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>