[Freeipa-users] Trying to trace why a user cannot login to a client

Steven Jones Steven.Jones at vuw.ac.nz
Tue May 8 21:47:41 UTC 2012


Hi,

Attached is a munin graph of what looks like a memory leak.....I suspect (if you look at the munin monthly month graph) we had no issue until I think we patched......I need to ask my admins if they did patch .......(they are not in yet).....

Looking at the CPU and memory graphs in VMware the change in stability and leak is also most noticeable, yet apart from upping the nsslapd-cachememsize: 10485760 to 18900000 I know of no changes to the system......attached is a vmware graph.....

It now looks like I have to set a cronjob to reboot the IPA servers nightly........

So since ipa2 crashed (or rather the memory-killer killed slapd), this isn't why 1/2 the users could login....that workstation points at ipa2 while others point at ipa1....is my best guess.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, 9 May 2012 1:03 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trying to trace why a user cannot login to a client

On Tue, May 01, 2012 at 10:12:48PM +0000, Steven Jones wrote:
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

The logs only say "[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule
[desktop-admins-test]". The error must be elsewhere; can you also attach
or paste what the /var/log/secure and /var/log/sssd/sssd_pam.log
files have to say when the System Error occurs?

Does the System Error occur with both 6.2 and 6.3 packages?

> Does by any chance your sssd.conf include a debug_level directive in the
> [sssd] section and not in the others?
>
> I think that was a case that only worked by accident and we removed it
> in 1.7
>
> The "fix" is to specify debug_level in all the sections you'd like to
> print debug information from. In your case, that would be the [domain/*]
> section and perhaps the [pam] section.
>

Did you have a chance to take a look at the debug logging?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa2-memory-error-month07.jpeg
Type: image/jpeg
Size: 170067 bytes
Desc: ipa2-memory-error-month07.jpeg
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120508/6538fab8/attachment.jpeg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa2-memory-error-06.jpeg
Type: image/jpeg
Size: 40506 bytes
Desc: ipa2-memory-error-06.jpeg
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120508/6538fab8/attachment-0001.jpeg>
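The debug_level advice quoted in the message above (set it in every section you want logs from, not only in [sssd]) can be checked mechanically. The following is an added example, not part of the original thread or of the SSSD project; the sample configuration, the domain name example.test and the function names are constructed for illustration.

```python
import configparser

# Constructed sample: debug_level set only in [sssd], the case described in the thread.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test
debug_level = 6

[nss]

[pam]

[domain/example.test]
id_provider = ipa
access_provider = ipa
"""

def debug_coverage(conf_text):
    """Map each section name to its own debug_level, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s: cp.get(s, "debug_level", fallback=None) for s in cp.sections()}

def sections_missing_debug(conf_text, wanted_prefixes=("domain/", "pam")):
    """Sections relevant to tracing a login that have no debug_level of their own."""
    cov = debug_coverage(conf_text)
    return sorted(s for s, lvl in cov.items()
                  if lvl is None and s.startswith(wanted_prefixes))

def only_global_debug(conf_text):
    """True when [sssd] sets debug_level but no other section does."""
    cov = debug_coverage(conf_text)
    others = [lvl for s, lvl in cov.items() if s != "sssd"]
    return cov.get("sssd") is not None and not any(l is not None for l in others)

if __name__ == "__main__":
    for name, lvl in debug_coverage(SAMPLE_CONF).items():
        print(f"[{name}] debug_level={lvl if lvl is not None else 'unset'}")
    print("sections to fix:", sections_missing_debug(SAMPLE_CONF))
    print("only [sssd] has debug_level:", only_global_debug(SAMPLE_CONF))
```

To check a real host, pass the contents of its sssd.conf to the same functions in place of SAMPLE_CONF.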