[Freeipa-users] FreeIPA unresponsive - Causes DOS situations

Martin Basti mbasti at redhat.com
Thu Nov 6 15:00:21 UTC 2014 

On 06/11/14 14:58, Walter van Lille wrote:
> Hi,
>
> I need some assistance please.
> I've taken over an IPA server to manage a few months ago, and it was 
> working fine until recently when it started acting up seemingly off 
> its own accord.
> When I do an ipactl status it basically gives an output as shown below:
>
>
> *Directory Service: RUNNING
> *
> *
> *
> *Loooooooooooooooooooooooooooooooooooooooooooooooooong pause... (To 
> the tune of 7 minutes sometimes)*
> *
> *
> *KDC Service: RUNNING*
> *KPASSWD Service: RUNNING*
> *DNS Service: RUNNING*
> *MEMCACHE Service: RUNNING*
> *HTTP Service: RUNNING*
> *CA Service: RUNNING*
> *ADTRUST Service: RUNNING*
> *EXTID Service: RUNNING*
>
> Running top showed that ns-slapd was munching almost all my resources, 
> but I got that fixed by upping the cache. Unfortunately this did not 
> correct the issue and it still reacts in the same fashion, although 
> the resources have been freed up now.
> I've noticed that when I run dig on either the local server or a 
> remote machine that the query basically just times out as shown here:
>
> *dig freeipa.myexample.sample*
> *
> *
> *; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> 
> freeipa.myexample.sample*
> *;; global options: +cmd*
> *;; connection timed out; no servers could be reached*
>
> When the KDC service fails to start, then name lookups seem OK, but 
> authentication fails. otherwise it's dead in the water.
>
> This also happens:
>
> *sudo ipactl status*
> *Directory Service: RUNNING*
> *Unknown error when retrieving list of services from LDAP:*
> *
> *
> My software setup is as follows:
>
> *CentOS release 6.5 (Final)
> *
> *389-ds-base.x86_64   1.2.11.15-34.el6_5
> *
> *bind.x86_64          32:9.8.2-0.23.rc1.el6_5.1
> *
> *bind-dyndb-ldap.x86_64*
> *bind-libs.x86_64     32:9.8.2-0.23.rc1.el6_5.1*
> *bind-utils.x86_64    32:9.8.2-0.23.rc1.el6_5.1*
> *rpcbind.x86_64       0.2.0-11.el6 
> @anaconda-CentOS-201311291202.x86_64/6.5*
> *samba4-winbind.x86_64*
> *krb5-server.x86_64   1.10.3-15.el6_5.1
> *
> *
> *
> *Linux 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 
> x86_64 x86_64 x86_64 GNU/Linux
> *
>
> It's not a permanent situation as it sometimes runs 100% for a while, 
> but 80% of the time it is unusable. If anybody can assist me, please 
> be so kind.
>
> Regards,
>
> Walter
>
Hello please which version of bind-dyndb-ldap do you use?
I had similar issue with bind-dyndb-ldap, but it was development 
version, I'm not sure if this is your case.
When named was failing, dirserv was really slow.

Can you send journalctl -b -u named log when dig doesn't work??

-- 
Martin Basti

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141106/0fbd812d/attachment.htm>

More information about the Freeipa-users mailing list