[Freeipa-users] strange replica install error (another one)

Rob Crittenden rcritten at redhat.com
Thu Dec 4 15:40:43 UTC 2014


Dmitri Pal wrote:
> On 12/04/2014 09:41 AM, Rich Megginson wrote:
>> On 12/04/2014 08:39 AM, Rich Megginson wrote:
>>> On 12/04/2014 01:45 AM, Petr Spacek wrote:
>>>> On 4.12.2014 05:02, Janelle wrote:
>>>>> Thanks -- still a bit strange that it did not show up on some
>>>>> servers - very
>>>>> random and intermittent.
>>>>>
>>>>> BTW - a bit of information others might find useful.  If you try to
>>>>> use the
>>>>> "LDAP" portion of IPA for authentication - rather than fully
>>>>> installing the
>>>>> IPA client and using Kerberos - the servers running ds-389 do not
>>>>> do well in
>>>>> handling the load. In other words - a few hundred hosts trying to
>>>>> authenticate
>>>>> via LDAP only will send CPU through the roof and crash the slapd
>>>>> process
>>>>> often.
>>>
>>> That should not happen.
>>> For crashes, we would need to look at some stack traces:
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>>> For situations when the CPU is through the roof, that is very similar
>>> to debugging hangs:
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>
>> Sorry, forgot to mention that since this is IPA you'll also need to
>> install the ipa-debuginfo and slapi-nis-debuginfo packages.
>>
> 
> I would also add a question about your client configuration.
> For example if you use SSSD with enumerate=true for your clients then
> yes you will get your environment to the knees pretty quickly.

I assumed SSSD wasn't being used at all which begs the question: what
is? nss_ldap? Is nslcd being used?

What is hitting LDAP, only auth or something else (e.g. sudo, automount)?

rob

> 
>>>
>>>>> Since IPA is supposed to handle all options, I guess I am
>>>>> disappointed.
>>>>>
>>>>> regards
>>>>> ~J
>>>>>
>>>>>
>>>>> On 12/3/14 2:56 PM, Dmitri Pal wrote:
>>>>>> On 12/03/2014 04:40 PM, Janelle wrote:
>>>>>>> Here is a bit of baffling one on 4.0.5:
>>>>>>>
>>>>>>> Replica install p11-kit???
>>>>>> This is a part of the DNSSEC set of packages.
>>>>>>
>>>>>>> Connection from master to replica is OK.
>>>>>>>
>>>>>>> Connection check OK
>>>>>>> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported
>>>>>>> attribute
>>>>>>> Configuring NTP daemon (ntpd)
>>>>>>>    [1/4]: stopping ntpd
>>>>>>>    [2/4]: writing configuration
>>>>>>> ...
>>>>>>>
>>>>>>> Your system may be partly configured.
>>>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>>>>>
>>>>>>> LDAP error: UNWILLING_TO_PERFORM
>>>>>>> database is read-only
>>>>>>>
>>>>>>>
>>>>>>> Thoughts?
>>>> We need more information about your problem.
>>>>
>>>> As always, please start with information requested on
>>>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>>>>
>>>> /var/log/ipa*.log from affected replica will be invaluable (along
>>>> with exact
>>>> package version numbers [including p11-kit] and repo configuration).
>>>>
>>>
>>
> 
> 



