<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 09/18/2015 12:24 AM, HECTOR LOPEZ
wrote:<br>
</div>
<blockquote
cite="mid:CAF3C5=ZgCPAeoaX69ymoi=emx5g8kGYeckg=rL-4gF5EYewxyQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>This is RHEL 7.1 with IPA version 4.1.0<br>
<br>
</div>
user-show shows the user. However, if the user contains
ipaNTSecurityIdentifier: attribute, user-del hangs with no
response.<br>
<br>
</div>
Meanwhile, the KDC and 389ds stop working. The only way to
recover functionality is to reboot the machine. ipactl
restart does nothing.<br>
</div>
</div>
</blockquote>
If it hangs again, could you get a pstack of the slapd process?<br>
If you then kill slapd, does ipactl restart work?<br>
<blockquote
cite="mid:CAF3C5=ZgCPAeoaX69ymoi=emx5g8kGYeckg=rL-4gF5EYewxyQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
In the LDAP access log I see this when trying to delete user
sclown:<br>
<br>
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101
nentries=0 etime=0<br>
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL
dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"<br>
<div>[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD
dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"<br>
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1
tag=103 nentries=0 etime=0<br>
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"<br>
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32
tag=101 nentries=0 etime=0<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
filter="(certStatus=INVALID)" attrs="objectClass serialno
notBefore notAfter duration extension subjectName
userCertificate version algorithmId signingAlgorithmId
publicKeyData"<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore <br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV
200:0:20150914093009Z 1:0 (0)<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0
tag=101 nentries=0 etime=0<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
filter="(certStatus=VALID)" attrs="objectClass serialno
notBefore notAfter duration extension subjectName
userCertificate version algorithmId signingAlgorithmId
publicKeyData"<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter <br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV
200:0:20150914093009Z 1:10 (0)<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0
tag=101 nentries=1 etime=0<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
filter="(certStatus=REVOKED)" attrs="objectClass revokedOn
serialno revInfo notAfter notBefore duration extension
subjectName userCertificate version algorithmId
signingAlgorithmId publicKeyData"<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV
200:0:20150914093009Z 0:0 (0)<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0
tag=101 nentries=0 etime=0 notes=U<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH
base="ou=certificateRepository,ou=ca,o=ipaca" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="description"<br>
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0
tag=101 nentries=1 etime=0<br>
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND<br>
<br>
</div>
<div>Then in the LDAP error log I see this, which makes me think
there is a problem with the changelog:<br>
<br>
[14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id
for changenumber=91314,cn=changelog from entryrdn index
(-30993)<br>
[14/Sep/2015:09:30:03 -0700] - Operation error fetching
changenumber=91314,cn=changelog (null), error -30993.<br>
[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an
error occured while adding change number 91314, dn =
changenumber=91314,cn=changelog: Operations error. <br>
[14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob:
operation failure [1]<br>
<br>
</div>
<div>After this both KDC and LDAP stop responding. In the
krb5kdc.log I see server errors after the user-del command is
run. The only way to resume normal operations is to restart
the whole machine. ipactl restart doesn't work.<br>
<br>
</div>
Any help would be highly appreciated!</div>
<br>
</blockquote>
<br>
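<div>Added example, not part of the original thread: in the access log quoted above, the DEL on conn=326 op=19 has no matching RESULT line. This Python example lists such unanswered operations from a 389-ds access log; the sample lines are a constructed, unwrapped excerpt of the quoted log, and the function names are hypothetical.</div>

```python
import re
from datetime import datetime

# Requests that 389-ds answers with a RESULT line. UNBIND and ABANDON get
# none, and SORT/VLV lines are details of a SRCH, so they are ignored here.
REQUESTS = {"BIND", "SRCH", "ADD", "MOD", "MODRDN", "DEL", "CMP", "EXT"}
LINE = re.compile(r"^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)\b(.*)$")

# Constructed sample: lines from the quoted access log, unwrapped and trimmed.
SAMPLE = """\
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
"""

def parse_ts(text):
    # Tolerate fractional seconds if the log carries them.
    return datetime.strptime(re.sub(r"\.\d+", "", text), "%d/%b/%Y:%H:%M:%S %z")

def pending_operations(lines):
    """Return requests that never received a RESULT, oldest first."""
    open_ops, last_ts = {}, None
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # wrapped or non-operation line
        ts_text, conn, op, verb, rest = m.groups()
        last_ts = parse_ts(ts_text)
        key = (int(conn), int(op))
        if verb in REQUESTS:
            open_ops[key] = (last_ts, verb, rest.strip())
        elif verb == "RESULT":
            open_ops.pop(key, None)  # request may predate the excerpt
    return [
        {"conn": c, "op": o, "verb": verb, "detail": detail,
         # Age is measured against the last timestamp seen in the log.
         "pending_seconds": int((last_ts - ts).total_seconds())}
        for (c, o), (ts, verb, detail) in sorted(open_ops.items(), key=lambda kv: kv[1][0])
    ]

if __name__ == "__main__":
    for item in pending_operations(SAMPLE.splitlines()):
        print(item)
```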
</body>
</html>