[Freeipa-users] krb5kdc process at 100%

Simo Sorce simo at redhat.com
Thu Sep 8 18:24:51 UTC 2011 

Also any chance you can attach gdb to the krb5kdc process and take a
backtrace ?

Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
> Is the ns-slapd instance for the ipa domain running when this happens ?
> 
> Simo.
> 
> On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R.
> [smma0901 at stcloudstate.edu] wrote:
> > Update: It appears to lockup immediately after a user with an expired
> > password attempts to login. This happens when a user attempts to login
> > at the freeipa-server itself or one of the clients. 
> > 
> >  
> > 
> >  
> > 
> > From: freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Smith, Martin
> > R. [smma0901 at stcloudstate.edu]
> > Sent: Thursday, September 08, 2011 12:49 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] krb5kdc process at 100%
> > 
> > 
> >  
> > 
> > Hello all,
> > 
> > I’m running a fairly new install of Freeipa-server and we are running
> > into a problem that is preventing users from logging in. We have two
> > SSH servers that authenticate to our freeipa-server and after 15 min
> > to 4 hrs of runtime the process Krb5kdc will consume 100% of the
> > processor and the freeipa-server will no longer respond to ldap
> > requests from the other machines. 
> > 
> >  
> > 
> > Here are some specs:
> > 
> > The freeipa-server is running as a virtual machine on a Xen 5.6 box
> > 
> > Fedora 15 with all current updates
> > 
> > The /home directory is a NFS mount to a different server, also running
> > freeipa-client
> > 
> >  
> > 
> > I updated the freeipa-server package to the “testing” repo today, the
> > problem still exists. The only additional components I’ve installed
> > are fail2ban, and rsyslog. 
> > 
> >  
> > 
> > Some of the error messages include:
> > 
> > (krb5kdc.log)
> > 
> > Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes
> > {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH:
> > host/client1.fake.com at fake.com for krbtgt/fake.com at fake.com,
> > Additional pre-authentication required
> > 
> >  
> > 
> > (pki-ca-system-log)
> > 
> > Attached. This log is from the freeipa-server, it appears to be
> > complaining that it can’t connect to itself. 
> > 
> >  
> > 
> > I can provide more logs to a personal email if needed. 
> > 
> >  
> > 
> > Thanks for your help in resolving this issue. 
> > 
> > -Martin Smith
> > 
> >  
> > 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list