[Freeipa-users] FreeIPA unresponsive - Causes DOS situations

Petr Spacek pspacek at redhat.com
Fri Nov 7 08:17:03 UTC 2014


On 6.11.2014 16:41, Dmitri Pal wrote:
> On 11/06/2014 10:00 AM, Martin Basti wrote:
>> On 06/11/14 14:58, Walter van Lille wrote:
>>> Hi,
>>>
>>> I need some assistance please.
>>> I've taken over an IPA server to manage a few months ago, and it was
>>> working fine until recently when it started acting up seemingly off its own
>>> accord.
>>> When I do an ipactl status it basically gives an output as shown below:
>>>
>>>
>>> Directory Service: RUNNING
>>>
>>> Loooooooooooooooooooooooooooooooooooooooooooooooooong pause... (To the
>>> tune of 7 minutes sometimes)
>>>
>>> KDC Service: RUNNING
>>> KPASSWD Service: RUNNING
>>> DNS Service: RUNNING
>>> MEMCACHE Service: RUNNING
>>> HTTP Service: RUNNING
>>> CA Service: RUNNING
>>> ADTRUST Service: RUNNING
>>> EXTID Service: RUNNING
>>>
>>> Running top showed that ns-slapd was munching almost all my resources, but
>>> I got that fixed by upping the cache. Unfortunately this did not correct
>>> the issue and it still reacts in the same fashion, although the resources
>>> have been freed up now.
>>> I've noticed that when I run dig on either the local server or a remote
>>> machine that the query basically just times out as shown here:
>>>
>>> dig freeipa.myexample.sample
>>>
>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> freeipa.myexample.sample
>>> ;; global options: +cmd
>>> ;; connection timed out; no servers could be reached
>>>
>>> When the KDC service fails to start, then name lookups seem OK, but
>>> authentication fails. Otherwise it's dead in the water.
>>>
>>> This also happens:
>>>
>>> sudo ipactl status
>>> Directory Service: RUNNING
>>> Unknown error when retrieving list of services from LDAP:
>>>
>>> My software setup is as follows:
>>>
>>> CentOS release 6.5 (Final)
>>>
>>> 389-ds-base.x86_64   1.2.11.15-34.el6_5
>>> bind.x86_64          32:9.8.2-0.23.rc1.el6_5.1
>>> bind-dyndb-ldap.x86_64
>>> bind-libs.x86_64     32:9.8.2-0.23.rc1.el6_5.1
>>> bind-utils.x86_64    32:9.8.2-0.23.rc1.el6_5.1
>>> rpcbind.x86_64       0.2.0-11.el6 @anaconda-CentOS-201311291202.x86_64/6.5
>>> samba4-winbind.x86_64
>>> krb5-server.x86_64   1.10.3-15.el6_5.1
>>>
>>> Linux 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64
>>> x86_64 x86_64 GNU/Linux
>>>
>>>
>>> It's not a permanent situation as it sometimes runs 100% for a while, but
>>> 80% of the time it is unusable. If anybody can assist me, please be so kind.
>>>
>>> Regards,
>>>
>>> Walter
>>>
>> Hello, please, which version of bind-dyndb-ldap do you use?
>> I had a similar issue with bind-dyndb-ldap, but it was a development version,
>> so I'm not sure if this is your case.
>> When named was failing, dirserv was really slow.
>>
>> Can you send the journalctl -b -u named log from when dig doesn't work?
>>
>> --
>> Martin Basti
>>
>>
> You also want to look at the directory server logs, especially at startup, and
> see what it is doing.
> Also check the disk space. Maybe you do not have much room on the volume, and
> that might cause DS to slow down.

One thing to keep in mind:
FreeIPA's DNS service is backed by LDAP, so it can't possibly work if your LDAP
server is down or unresponsive.

If you encounter a problem with DNS again please try to follow steps 1-5 
described on page 
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart .

I'm mainly interested in the results obtained in step 5 (the other steps are just
prerequisites). It will tell us whether DNS (bind-dyndb-ldap) is broken or whether
the LDAP server does not respond and DNS is failing because of the cascade/domino effect.

Good luck!

-- 
Petr^2 Spacek
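The distinction Petr draws above (named itself broken versus named starving because 389-ds is unresponsive) can be checked directly from the IPA server. The script below is an added example for this thread, not the bind-dyndb-ldap wiki procedure and not anything the posters ran: it times a trivial root-DSE search against the local directory server and a single-try query against the local named, then classifies the two results. The host, the queried name (reusing freeipa.myexample.sample from the post), the timeouts and the verdict strings are assumptions; adjust them to your site.

```shell
#!/bin/bash
# Added example (not from the thread or the bind-dyndb-ldap wiki): tell
# "LDAP is unresponsive" apart from "named is broken" on a FreeIPA server.
# Host, name and timeout are assumptions; override via environment variables.
set -u

LDAP_HOST="${LDAP_HOST:-localhost}"
DNS_NAME="${DNS_NAME:-freeipa.myexample.sample}"
TIMEOUT_SEC="${TIMEOUT_SEC:-5}"

# Probe 1: does 389-ds answer an anonymous base search of the root DSE
# within TIMEOUT_SEC? -l bounds the server-side search time, -o nettimeout
# bounds the network wait, so a hung ns-slapd yields a non-zero exit code
# instead of the minutes-long stall seen in the original post.
probe_ldap() {
    ldapsearch -x -H "ldap://${LDAP_HOST}" -s base -b "" \
        -l "$TIMEOUT_SEC" -o nettimeout="$TIMEOUT_SEC" \
        namingContexts >/dev/null 2>&1
}

# Probe 2: does named (bind-dyndb-ldap) answer for a name it should serve?
# One try with a bounded wait mirrors the failing dig from the post.
probe_dns() {
    dig @"$LDAP_HOST" "$DNS_NAME" +time="$TIMEOUT_SEC" +tries=1 +short \
        >/dev/null 2>&1
}

# classify LDAP_RC DNS_RC: print a verdict and return
#   0  both answer
#   1  LDAP does not answer (DNS failure is the cascade/domino effect)
#   2  LDAP answers but named does not (look at bind-dyndb-ldap / named logs)
classify() {
    local ldap_rc="$1" dns_rc="$2"
    if [ "$ldap_rc" -ne 0 ]; then
        echo "ldap-unresponsive: DNS failure is a cascade from the directory server"
        return 1
    fi
    if [ "$dns_rc" -ne 0 ]; then
        echo "named-broken: LDAP answers but named does not; inspect bind-dyndb-ldap"
        return 2
    fi
    echo "ok: both LDAP and DNS answer"
    return 0
}

# Only run the live probes when asked, so the functions can be sourced/tested
# without ldapsearch or dig being present.
if [ "${1:-}" = "--run" ]; then
    probe_ldap; ldap_rc=$?
    probe_dns;  dns_rc=$?
    classify "$ldap_rc" "$dns_rc"
fi
```

Run it as `./ipa-dns-ldap-check.sh --run` while the problem is occurring; a return code of 1 means the right logs to read are the directory server's (and disk space, as Dmitri notes), while 2 points at named. Because the LDAP probe uses an anonymous root-DSE read, it tests responsiveness, not the credentials named uses; if it passes but named still fails, check named's own bind DN and password next.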
