[Freeipa-users] dirsrv hangs, 0% CPU util

Thomas Raehalme thomas.raehalme at codecenter.fi
Sun Feb 15 20:02:09 UTC 2015


Hi!

Today we started having problems with dirsrv hanging. We have observed the
following symptoms (using EXAMPLE.COM instead of the real domain):

/var/log/dirsrv/slapd-EXAMPLE-COM/errors:

[15/Feb/2015:21:48:50 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)

/var/log/messages:

Feb 15 21:49:02 ipa named[5545]: LDAP query timed out. Try to adjust "timeout" parameter
Feb 15 21:49:03 ipa named[5545]: LDAP query timed out. Try to adjust "timeout" parameter
(repeated)

Trying to access the DS also with ldapsearch just hangs:

ldapsearch -h localhost -x "dc=example,dc=com"

And Kerberos is unavailable as well:

# KRB5_TRACE=/dev/stdout kinit admin
[6421] 1424029967.466519: Getting initial credentials for admin@EXAMPLE.COM
[6421] 1424029967.467202: Sending request (172 bytes) to EXAMPLE.COM
[6421] 1424029967.467736: Sending initial UDP request to dgram 10.1.1.1:88
[6421] 1424029968.469031: Initiating TCP connection to stream 10.1.1.1:88
[6421] 1424029968.469205: Sending TCP request to stream 10.1.1.1:88
[6421] 1424029971.472024: Sending retry UDP request to dgram 10.1.1.1:88
[6421] 1424029976.477340: Sending retry UDP request to dgram 10.1.1.1:88
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

Strange thing is that there is hardly any CPU utilization when the problem
is occurring.

In addition we have started to see the following entries in
/var/log/messages:

Feb 15 21:37:27 ipa kernel: possible SYN flooding on port 88. Sending cookies.
Feb 15 21:39:37 ipa kernel: possible SYN flooding on port 88. Sending cookies.

I'm not sure if this is related, but it's something we haven't seen before.

We are running CentOS release 6.6 (Final) with the latest available
packages:

389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-ds-base-1.2.11.15-48.el6_6.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6_6.3.x86_64
sssd-ipa-1.11.6-30.el6_6.3.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
libipa_hbac-python-1.11.6-30.el6_6.3.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
krb5-workstation-1.10.3-33.el6.x86_64
krb5-libs-1.10.3-33.el6.x86_64
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
python-krbV-1.0.90-3.el6.x86_64
krb5-server-1.10.3-33.el6.x86_64
sssd-krb5-1.11.6-30.el6_6.3.x86_64
pam_krb5-2.3.11-9.el6.x86_64

Killing the dirsrv processes and restarting them resolves the issue - until
it happens again after about 15 minutes.

Any idea what could have gone wrong? I can e-mail logs, if necessary.

Thank you in advance!

Best regards,
Thomas