[Freeipa-users] strange replica install error (another one)
Dmitri Pal
dpal at redhat.com
Thu Dec 4 15:38:13 UTC 2014
On 12/04/2014 09:41 AM, Rich Megginson wrote:
> On 12/04/2014 08:39 AM, Rich Megginson wrote:
>> On 12/04/2014 01:45 AM, Petr Spacek wrote:
>>> On 4.12.2014 05:02, Janelle wrote:
>>>> Thanks -- still a bit strange that it did not show up on some servers - very
>>>> random and intermittent.
>>>>
>>>> BTW - a bit of information others might find useful. If you try to use the
>>>> "LDAP" portion of IPA for authentication - rather than fully installing the
>>>> IPA client and using Kerberos - the servers running ds-389 do not do well in
>>>> handling the load. In other words - a few hundred hosts trying to authenticate
>>>> via LDAP only will send CPU through the roof and crash the slapd process
>>>> often.
>>
>> That should not happen.
>> For crashes, we would need to look at some stack traces:
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>> For situations when the CPU is through the roof, that is very similar
>> to debugging hangs:
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> Sorry, forgot to mention that since this is IPA you'll also need to
> install the ipa-debuginfo and slapi-nis-debuginfo packages.
>
I would also add a question about your client configuration.
For example, if you use SSSD with enumerate=true for your clients, then
yes, you will bring your environment to its knees pretty quickly.
>>
>>>> Since IPA is supposed to handle all options, I guess I am
>>>> disappointed.
>>>>
>>>> regards
>>>> ~J
>>>>
>>>>
>>>> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>>>>> On 12/03/2014 04:40 PM, Janelle wrote:
>>>>>> Here is a bit of baffling one on 4.0.5:
>>>>>>
>>>>>> Replica install p11-kit???
>>>>> This is a part of the DNSSEC set of packages.
>>>>>
>>>>>> Connection from master to replica is OK.
>>>>>>
>>>>>> Connection check OK
>>>>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
>>>>>> Configuring NTP daemon (ntpd)
>>>>>> [1/4]: stopping ntpd
>>>>>> [2/4]: writing configuration
>>>>>> ...
>>>>>>
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> LDAP error: UNWILLING_TO_PERFORM
>>>>>> database is read-only
>>>>>>
>>>>>>
>>>>>> Thoughts?
>>> We need more information about your problem.
>>>
>>> As always, please start with information requested on
>>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>>
>>> /var/log/ipa*.log from affected replica will be invaluable (along with exact
>>> package version numbers [including p11-kit] and repo configuration).
>>>
>>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
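
The client-side setting asked about in the message above, as an added example that is not part of the original thread: a small Python check that lists the SSSD domains in an sssd.conf that have enumerate switched on. The sample configuration and its domain names are constructed, and the check assumes that enumerate is off when the option is not set.

```python
import configparser

# Constructed sample sssd.conf for illustration; the domain names are made up.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.test, legacy.test

[domain/example.test]
id_provider = ipa
enumerate = false

[domain/legacy.test]
id_provider = ldap
ldap_uri = ldap://ipa.legacy.test
enumerate = True

[domain/unused.test]
id_provider = ldap
enumerate = true
"""


def domains_with_enumeration(conf_text):
    """Return (active, inactive) lists of domain names with enumerate enabled.

    "active" domains are listed in the [sssd] "domains" option, so SSSD
    serves them; "inactive" ones are defined but not currently listed.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    listed = set()
    if cp.has_option("sssd", "domains"):
        listed = {d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()}
    active, inactive = [], []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        try:
            # Assumption: an unset option means enumeration is off.
            enabled = cp.getboolean(section, "enumerate", fallback=False)
        except ValueError:
            enabled = False  # not a recognisable boolean; not counted
        if enabled:
            (active if name in listed else inactive).append(name)
    return active, inactive
```

To check a real client, pass the contents of its /etc/sssd/sssd.conf (readable by root only) to domains_with_enumeration().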