[Freeipa-users] strange replica install error (another one)

Dmitri Pal dpal at redhat.com
Thu Dec 4 15:38:13 UTC 2014


On 12/04/2014 09:41 AM, Rich Megginson wrote:
> On 12/04/2014 08:39 AM, Rich Megginson wrote:
>> On 12/04/2014 01:45 AM, Petr Spacek wrote:
>>> On 4.12.2014 05:02, Janelle wrote:
>>>> Thanks -- still a bit strange that it did not show up on some 
>>>> servers - very
>>>> random and intermittent.
>>>>
>>>> BTW - a bit of information others might find useful.  If you try to 
>>>> use the
>>>> "LDAP" portion of IPA for authentication - rather than fully 
>>>> installing the
>>>> IPA client and using Kerberos - the servers running ds-389 do not 
>>>> do well in
>>>> handling the load. In other words - a few hundred hosts trying to 
>>>> authenticate
>>>> via LDAP only will send CPU through the roof and crash the slapd 
>>>> process
>>>> often.
>>
>> That should not happen.
>> For crashes, we would need to look at some stack traces: 
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>> For situations when the CPU is through the roof, that is very similar 
>> to debugging hangs: 
>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> Sorry, forgot to mention that since this is IPA you'll also need to 
> install the ipa-debuginfo and slapi-nis-debuginfo packages.
>

I would also add a question about your client configuration.
For example, if you use SSSD with enumerate=true for your clients, then 
yes, you will bring your environment to its knees pretty quickly.

>>
>>>> Since IPA is supposed to handle all options, I guess I am 
>>>> disappointed.
>>>>
>>>> regards
>>>> ~J
>>>>
>>>>
>>>> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>>>>> On 12/03/2014 04:40 PM, Janelle wrote:
>>>>>> Here is a bit of baffling one on 4.0.5:
>>>>>>
>>>>>> Replica install p11-kit???
>>>>> This is a part of the DNSSEC set of packages.
>>>>>
>>>>>> Connection from master to replica is OK.
>>>>>>
>>>>>> Connection check OK
>>>>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported 
>>>>>> attribute
>>>>>> Configuring NTP daemon (ntpd)
>>>>>>    [1/4]: stopping ntpd
>>>>>>    [2/4]: writing configuration
>>>>>> ...
>>>>>>
>>>>>> Your system may be partly configured.
>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>
>>>>>> LDAP error: UNWILLING_TO_PERFORM
>>>>>> database is read-only
>>>>>>
>>>>>>
>>>>>> Thoughts?
>>> We need more information about your problem.
>>>
>>> As always, please start with information requested on
>>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>>
>>> /var/log/ipa*.log from affected replica will be invaluable (along 
>>> with exact
>>> package version numbers [including p11-kit] and repo configuration).
>>>
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
