[Freeipa-users] krb5kdc process at 100%

Smith, Martin R. [smma0901@stcloudstate.edu] smma0901 at stcloudstate.edu
Fri Sep 9 05:09:26 UTC 2011


When I attach gdb to the process (I have tried the main process and the four child processes), it provides no output.
Here are the steps I'm taking:

  1.  On freeipa-server run htop and find the pid (or ps aux)
     *   Shows one parent PID and four child processes
        *   934 root 20   0 46784  2656   388 S  0.0  0.1  0:00.00  `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
        *    1939 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
        *    1938 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
        *    1936 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
        *    1935 root 20   0 78664  4212  1808 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
     *   run sudo gdb
        *   attach 934
        *   press "c"
        *   Wait for output…
  2.  Attempt to log in with a user that has an expired password.
  3.  Now the krb5kdc process 934 starts running at 100% and the user is unable to log in.
  4.  Only way to get the process back to normal is to type "service ipa restart"

I've never debugged a program before so if I'm missing a step please let me know.

-Martin

On Sep 8, 2011, at 1:24 PM, Simo Sorce wrote:

Also, any chance you can attach gdb to the krb5kdc process and take a
backtrace?

Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
Is the ns-slapd instance for the ipa domain running when this happens?

Simo.

On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R.
[smma0901 at stcloudstate.edu] wrote:
Update: It appears to lock up immediately after a user with an expired
password attempts to log in. This happens when a user attempts to log in
at the freeipa-server itself or one of the clients.

From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Smith, Martin
R. [smma0901 at stcloudstate.edu]
Sent: Thursday, September 08, 2011 12:49 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] krb5kdc process at 100%

Hello all,

I’m running a fairly new install of Freeipa-server and we are running
into a problem that is preventing users from logging in. We have two
SSH servers that authenticate to our freeipa-server and after 15 min
to 4 hrs of runtime the process krb5kdc will consume 100% of the
processor and the freeipa-server will no longer respond to LDAP
requests from the other machines.



Here are some specs:

The freeipa-server is running as a virtual machine on a Xen 5.6 box

Fedora 15 with all current updates

The /home directory is an NFS mount to a different server, also running
freeipa-client



I updated the freeipa-server package to the “testing” repo today, the
problem still exists. The only additional components I’ve installed
are fail2ban, and rsyslog.



Some of the error messages include:

(krb5kdc.log)

Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes
{18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH:
host/client1.fake.com@fake.com for krbtgt/fake.com@fake.com,
Additional pre-authentication required



(pki-ca-system-log)

Attached. This log is from the freeipa-server, it appears to be
complaining that it can’t connect to itself.



I can provide more logs to a personal email if needed.



Thanks for your help in resolving this issue.

-Martin Smith




_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Simo Sorce * Red Hat, Inc * New York
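
Added example (not part of the original thread and not FreeIPA or MIT Kerberos code): one way to capture the backtrace requested above once a krb5kdc process is spinning, by picking the krb5kdc PID with the highest CPU figure from ps and running gdb in batch mode. The function names, the GDB override variable and the sample ps lines are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added illustration: locate the busy krb5kdc process and dump its stacks.

# busiest_kdc: read "PID %CPU COMMAND" lines on stdin (the format produced by
# `ps -eo pid=,pcpu=,comm=`) and print the PID of the krb5kdc process with
# the highest %CPU. Exits non-zero when no krb5kdc line is present.
# Note: ps averages %CPU over the process lifetime, so a worker that only
# just started spinning can rank lower here than it does in top or htop.
busiest_kdc() {
    awk '$3 == "krb5kdc" && (best == "" || $2 + 0 > max) {
             max = $2 + 0; best = $1
         }
         END { if (best == "") exit 1; print best }'
}

# kdc_backtrace PID: attach gdb without an interactive session, print a
# backtrace for every thread, then detach (batch mode exits after the
# commands run). Must run as root or as the owner of the process.
# Without debug symbols installed, frames may show only addresses or "??".
# GDB is a hypothetical override so the gdb binary can be swapped out.
kdc_backtrace() {
    "${GDB:-gdb}" -p "$1" -batch -ex "thread apply all bt"
}

# Constructed sample input: PIDs taken from the htop listing in the post,
# CPU values invented to represent the state after the hang has started.
SAMPLE_PS='  934 99.7 krb5kdc
 1935  0.0 krb5kdc
 1936  0.0 krb5kdc
 1938  0.1 krb5kdc
 1939  0.0 krb5kdc
 1201  3.1 ns-slapd'

# Run with --live on the affected server, after reproducing the hang.
if [ "${1:-}" = "--live" ]; then
    pid=$(ps -eo pid=,pcpu=,comm= | busiest_kdc) || {
        echo "no krb5kdc process found" >&2
        exit 1
    }
    echo "Backtrace of krb5kdc PID $pid:"
    kdc_backtrace "$pid"
fi
```

Redirecting the --live output to a file gives a text backtrace that can be pasted into a reply to the list.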
