[Freeipa-users] Timeout (?) issues

KodaK sakodak at gmail.com
Thu Sep 19 23:24:04 UTC 2013 

This is ridiculous, right?

IPA server 1:

# for i in $(ls access*); do echo -n  $i:\  ;grep err=32 $i | wc -l; done
access: 248478
access.20130916-043207: 302774
access.20130916-123642: 272572
access.20130916-201516: 294308
access.20130917-081053: 295060
access.20130917-144559: 284498
access.20130917-231435: 281035
access.20130918-091611: 291165
access.20130918-154945: 275792
access.20130919-014322: 296113

IPA server 2:

access: 4313
access.20130909-200216: 4023
access.20130910-200229: 4161
access.20130911-200239: 4182
access.20130912-200249: 5069
access.20130913-200258: 3833
access.20130914-200313: 4208
access.20130915-200323: 4702
access.20130916-200332: 4532


IPA server 3:

access: 802
access.20130910-080737: 3876
access.20130911-080748: 3902
access.20130912-080802: 3678
access.20130913-080810: 3765
access.20130914-080826: 3524
access.20130915-080907: 4142
access.20130916-080916: 4930
access.20130917-080926: 4769
access.20130918-081005: 2879

IPA server 4:

access: 2812
access.20130910-003051: 4095
access.20130911-003105: 3623
access.20130912-003113: 3606
access.20130913-003125: 3581
access.20130914-003135: 3758
access.20130915-003150: 3935
access.20130916-003159: 4184
access.20130917-003210: 3859
access.20130918-003221: 5110


The vast majority of the err=32 messages are DNS entries.

Here are some samples:

[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base="idnsName=xxx.com
,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0
filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH base="idnsName=
slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH base="idnsName=
sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101
nentries=0 etime=0

[19/Sep/2013:18:19:51 -0500] conn=9 op=169772 SRCH base="idnsName=
magellanhealth.com,idnsname=unix.magellanhealth.com,cn=dns,dc=unix,dc=magellanhealth,dc=com"
scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101
nentries=0 etime=0

So far today there are over half a million of these.  That can't be right.



On Thu, Sep 19, 2013 at 3:05 PM, KodaK <sakodak at gmail.com> wrote:

> I didn't realize that DNS created one connection.  I thought it was one
> connection spanning several days.
>
>
> On Thu, Sep 19, 2013 at 2:51 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>>  On 09/19/2013 12:57 PM, KodaK wrote:
>>
>> Well, this is awkward:
>>
>>  [root at slpidml01 slapd-UNIX-xxx-COM]# grep conn=170902 access* | wc -l
>> 5453936
>> [root at slpidml01 slapd-UNIX-xxx-COM]#
>>
>>
>> Why is it awkward?
>>
>>
>>
>>
>> On Thu, Sep 19, 2013 at 1:48 PM, KodaK <sakodak at gmail.com> wrote:
>>
>>> Thanks.  I've been running that against my logs, and this has to be
>>> abnormal:
>>>
>>>  err=32               129274    No Such Object
>>> err=0                 10952    Successful Operations
>>> err=14                  536    SASL Bind in Progress
>>> err=53                   39    Unwilling To Perform
>>> err=49                    3    Invalid Credentials (Bad Password)
>>>
>>>  I'm still trying to figure out why there are so many error 32s.  Are
>>> there any usual suspects I should know about?  (That's just the current
>>> access log, btw.)
>>>
>>>
>>> On Tue, Sep 17, 2013 at 9:01 AM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>
>>>>   On 09/16/2013 07:57 PM, Dmitri Pal wrote:
>>>>
>>>> On 09/16/2013 12:02 PM, KodaK wrote:
>>>>
>>>> Yet another AIX related problem:
>>>>
>>>>  The AIX LDAP client is called secldapclntd (sure, they could make it
>>>> more awkward, but the budget ran out.)  I'm running into the issue detailed
>>>> here:
>>>>
>>>>  http://www-01.ibm.com/support/docview.wss?uid=isg1IV11344
>>>>
>>>>  "If an LDAP server fails to answer an LDAP query, secldapclntd caches
>>>> the non-answered query negatively. This may happen if the LDAP server
>>>> is down for example. After the LDAP server is back again secldapclntd will
>>>> use the negative cache entry and the application initiating the original
>>>> query will still fail until the cache entry expires."
>>>>
>>>>  IBM is working on porting the fix to our specific TL and SP levels.
>>>>
>>>>  What I'm concerned with here, though, is *why* is it timing out?  I
>>>> don't know what the current timeout values are (AIX sucks, etc.)
>>>>
>>>>  I don't see timeout issues on my Linux boxes, which leads me to
>>>> believe that either the sssd timouts are longer or that sssd is just more
>>>> robust when dealing with timeouts.
>>>>
>>>>  I believe I'm seeing similar behavior with LDAP sudo on AIX as well,
>>>> because I occasionally have to re-run sudo commands because they initially
>>>> fail (and I know I'm using the right passwords.)  However, sudo doesn't
>>>> appear to have a cache (or it handles caching better.)
>>>>
>>>>  Does anyone have any troubleshooting suggestions?  Any general "speed
>>>> things up" suggestions on the IPA side?
>>>>
>>>>  Thanks,
>>>>
>>>>  --Jason
>>>>
>>>>  --
>>>> The government is going to read our mail anyway, might as well make it
>>>> tough for them.  GPG Public key ID:  B6A1A7C6
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>> Is the server FreeIPA?
>>>> Can see in the server logs what is actually happening is it the server
>>>> that really takes time or there is a network connectivity issue or FW is
>>>> dropping packets?
>>>> I would really start with the server side logs.
>>>>
>>>>
>>>>  As far as 389 goes, run logconv.pl against the access logs in
>>>> /var/log/dirsrv/slapd-DOMAIN-COM
>>>>
>>>>
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>>>  _______________________________________________
>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>>
>>>
>>>  --
>>> The government is going to read our mail anyway, might as well make it
>>> tough for them.  GPG Public key ID:  B6A1A7C6
>>>
>>
>>
>>
>>  --
>> The government is going to read our mail anyway, might as well make it
>> tough for them.  GPG Public key ID:  B6A1A7C6
>>
>>
>>
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130919/d6b17f2d/attachment.htm>

More information about the Freeipa-users mailing list