[Freeipa-users] FreeIPA unresponsive - Causes DOS situations

Dmitri Pal dpal at redhat.com
Thu Nov 6 15:41:01 UTC 2014


On 11/06/2014 10:00 AM, Martin Basti wrote:
> On 06/11/14 14:58, Walter van Lille wrote:
>> Hi,
>>
>> I need some assistance please.
>> I've taken over an IPA server to manage a few months ago, and it was
>> working fine until recently when it started acting up seemingly of
>> its own accord.
>> When I do an ipactl status it basically gives an output as shown below:
>>
>>
>> Directory Service: RUNNING
>>
>> Loooooooooooooooooooooooooooooooooooooooooooooooooong pause... (To
>> the tune of 7 minutes sometimes)
>>
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> DNS Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> ADTRUST Service: RUNNING
>> EXTID Service: RUNNING
>>
>> Running top showed that ns-slapd was munching almost all my 
>> resources, but I got that fixed by upping the cache. Unfortunately 
>> this did not correct the issue and it still reacts in the same 
>> fashion, although the resources have been freed up now.
>> I've noticed that when I run dig on either the local server or a 
>> remote machine that the query basically just times out as shown here:
>>
>> dig freeipa.myexample.sample
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> freeipa.myexample.sample
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>>
>> When the KDC service fails to start, then name lookups seem OK, but
>> authentication fails. Otherwise it's dead in the water.
>>
>> This also happens:
>>
>> sudo ipactl status
>> Directory Service: RUNNING
>> Unknown error when retrieving list of services from LDAP:
>>
>> My software setup is as follows:
>>
>> CentOS release 6.5 (Final)
>> 389-ds-base.x86_64   1.2.11.15-34.el6_5
>> bind.x86_64          32:9.8.2-0.23.rc1.el6_5.1
>> bind-dyndb-ldap.x86_64
>> bind-libs.x86_64     32:9.8.2-0.23.rc1.el6_5.1
>> bind-utils.x86_64    32:9.8.2-0.23.rc1.el6_5.1
>> rpcbind.x86_64       0.2.0-11.el6 @anaconda-CentOS-201311291202.x86_64/6.5
>> samba4-winbind.x86_64
>> krb5-server.x86_64   1.10.3-15.el6_5.1
>>
>> Linux 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>
>> It's not a permanent situation as it sometimes runs 100% for a while, 
>> but 80% of the time it is unusable. If anybody can assist me, please 
>> be so kind.
>>
>> Regards,
>>
>> Walter
>>
> Hello, which version of bind-dyndb-ldap do you use, please?
> I had a similar issue with bind-dyndb-ldap, but it was a development
> version; I'm not sure if this is your case.
> When named was failing, dirserv was really slow.
>
> Can you send the journalctl -b -u named log from when dig doesn't work?
>
> -- 
> Martin Basti
>
>
You also want to look at the directory server logs, especially at startup,
and see what it is doing.
Also check the disk space. Maybe you do not have much room on the volume
and it might cause DS to slow down.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
