[Freeipa-users] krb5kdc process at 100%

Dmitri Pal dpal at redhat.com
Sat Sep 10 01:38:41 UTC 2011


On 09/09/2011 07:28 PM, Dmitri Pal wrote:
> On 09/09/2011 03:14 PM, Smith, Martin R. [smma0901 at stcloudstate.edu]
> wrote:
>> I have linked a zip of the whole directory from abrt. After typing
>> "abrt-cli -l" it outputted:
>> -----
>> Directory:      /var/spool/abrt/ccpp-2011-09-09-13:41:51-972
>> count:          1
>> executable:     /usr/sbin/krb5kdc
>> package:        krb5-server-1.9.1-5.fc15
>> time:           Fri 09 Sep 2011 01:41:51 PM CDT
>> uid:            0
>> -----
>>  
>> Link to crash.zip: <http://studentweb.stcloudstate.edu/smma0901/crash.zip>
>>  
>> This appears to be my current ldap "openldap-2.4.24-3.fc15.x86_64".
>>  
>
> Can you please file a BZ? https://bugzilla.redhat.com
> I assume it is on Fedora 15 right?

End of day...
Did not notice that the package name has fc15.
I opened it myself: https://bugzilla.redhat.com/show_bug.cgi?id=737224
Feel free to add.


>
>>  
>> -Martin
>>  
>>  
>> -----Original Message-----
>> From: Simo Sorce [mailto:simo at redhat.com]
>> Sent: Friday, September 09, 2011 12:38 PM
>> To: Smith, Martin R. [smma0901 at stcloudstate.edu]
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc process at 100%
>>  
>> If it crashes it is a bug in the KDC.
>> Can you please get us the core dump when it crashes?
>>  
>> If you have abrtd installed it should be somewhere in /var/cache/abrt
>> (check /var/log/messages) to see where.
>>  
>> Alternatively you can run service krb5kdc stop then as root in a
>> shell run ulimit -c unlimited and manually start /usr/sbin/krb5kdc
>> wait for the crash then take the core file generated.
>>  
>> Please also tell what is the exact version of the krb5-server package
>> and the related ldap driver package.
>>  
>> Simo.
>>  
>> On Fri, 2011-09-09 at 16:27 +0000, Smith, Martin R.
>> [smma0901 at stcloudstate.edu] wrote:
>> > I removed the -w 4 from the config file. Here is what happens now.
>> >
>> > When a user with expired password logs in the krb5kdc process now
>> > crashes, instead of running at 100%.
>> > If I attach gdb to the process before it crashes and attempt to
>> > login the process doesn't crash. Here are the results of "bt"
>> > ---------
>> > #0  0x00007fe84e0ea1d3 in __select_nocancel ()
>> >     at ../sysdeps/unix/syscall-template.S:82
>> > #1  0x00007fe84f2a8047 in krb5int_cm_call_select (in=<optimized out>,
>> >     out=0x7fe8501d8780, sret=0x7fff421862b4) at sendto_kdc.c:564
>> > #2  0x00007fe84ffd05ee in listen_and_process (handle=0x0,
>> >     prog=0x7fff42187f52 "krb5kdc", reset=0x7fe84ffc6e10 <reset_for_hangup>)
>> >     at net-server.c:1835
>> > #3  0x00007fe84ffbcf68 in main (argc=3, argv=<optimized out>) at main.c:1069
>> > --------
>> >
>> > I have also attached the /var/log/krb5kdc
>> >
>> > -Martin
>> >
>> > -----Original Message-----
>> > From: Simo Sorce [mailto:simo at redhat.com]
>> > Sent: Friday, September 09, 2011 8:56 AM
>> > To: Smith, Martin R. [smma0901 at stcloudstate.edu]
>> > Cc: freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] krb5kdc process at 100%
>> >
>> > On Fri, 2011-09-09 at 05:09 +0000, Smith, Martin R.
>> > [smma0901 at stcloudstate.edu] wrote:
>> > > When I attach gdb to the process, I have tried the main process and
>> > > the four child processes, it provides no output.
>> > > Here are the steps I'm taking:
>> > >      1. On freeipa-server run htop and find the pid (or ps aux)
>> > >              1. Shows one parent PID and four child processes
>> > >                      1.  934 root 20   0 46784  2656   388 S  0.0  0.1  0:00.00  `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >                      2.  1939 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >                      3.  1938 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >                      4.  1936 root 20   0 78664  4460  2056 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >                      5.  1935 root 20   0 78664  4212  1808 S  0.0  0.1  0:00.26  |   `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
>> > >              2. run sudo gdb
>> > >                      1. attach 934
>> > >                      2. press "c"
>> > >                      3. Wait for output…
>> > >      2. Attempt to login with user that has an expired password.
>> > >      3. Now the krb5kdc process 934 starts running at 100% and the
>> > >         user is unable to login.
>> > >      4. Only way to get the process back to normal is to type "service
>> > >         ipa restart"
>> >
>> > >
>> > > I've never debugged a program before so if I'm missing a step please
>> > > let me know.
>> >
>> > Ok, let's simplify the problem first.
>> >
>> > Apparently you have a quadcore cpu so by default we configured
>> > krb5kdc to spawn 4 worker processes. Let's bring it down to not
>> > spawning any worker process so we can simplify debugging.
>> >
>> > Go to /etc/sysconfig/krb5kdc and remove the "-w 4" argument from it.
>> >
>> > Then simply do a service krb5kdc restart (no need to restart the
>> > whole ipa service for this).
>> >
>> >
>> > If krb5kdc locks up again, gdb the process like you have done before
>> > but do not press c, type 'bt' instead and copy the log then you can
>> > exit gdb.
>> >
>> > Simo.
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>  
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
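
Added example, not part of the original message and not FreeIPA or krb5 code: the thread's "find the process, attach gdb, type bt" steps done non-interactively, picking the krb5kdc process that is actually burning CPU by sampling /proc twice. The function names, the 90-tick threshold and the output file names are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find the krb5kdc process that is
# spinning and dump its backtrace without an interactive gdb session.

# Constructed samples of "PID cpu-ticks" taken one second apart; the PIDs
# are the ones quoted in the thread, the tick counts are made up.
SAMPLE_BEFORE='934 26
1935 26
1936 26'
SAMPLE_AFTER='934 125
1935 26
1936 27'

# utime + stime in clock ticks: fields 14 and 15 of /proc/PID/stat.
# Assumes the command name has no spaces, which holds for krb5kdc.
cpu_ticks() { awk '{ print $14 + $15 }' "/proc/$1/stat"; }

# One "PID ticks" line per running krb5kdc process (parent and workers).
snapshot() {
    for pid in $(pgrep -x krb5kdc); do
        echo "$pid $(cpu_ticks "$pid")"
    done
}

# spinning_pids BEFORE AFTER MIN: PIDs that gained at least MIN ticks.
spinning_pids() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v min="$3" '
        $1 == "---"  { second = 1; next }
        !second      { before[$1] = $2; next }
        ($1 in before) && ($2 - before[$1] >= min) { print $1 }'
}

# capture_spinning DIR: run as root on the KDC host. 90 ticks in one second
# is roughly 90% of one core when CLK_TCK is 100 (check: getconf CLK_TCK).
capture_spinning() {
    b=$(snapshot); sleep 1; a=$(snapshot)
    for pid in $(spinning_pids "$b" "$a" 90); do
        gdb -p "$pid" -batch -ex 'thread apply all bt' \
            > "$1/krb5kdc-$pid.bt" 2>&1
        echo "$1/krb5kdc-$pid.bt"
    done
}
```

Sampling the tick delta avoids relying on the %CPU column of ps, which is averaged over the process lifetime and can stay low for a process that has only just started spinning.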

