[Freeipa-users] Kerberos hanging approx. once a day

Sumit Bose sbose at redhat.com
Thu Jul 23 07:56:06 UTC 2015


On Thu, Jul 23, 2015 at 09:18:43AM +0200, Torsten Harenberg wrote:
> Hi Sumit,
> 
> 
> > The principal looks strange, I would at least expect the fully-qualified
> > name of the ipa server here. What does the 'hostname' command return? It
> 
> [root@ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname
> ipa.pleiades.uni-wuppertal.de
> 
> > is expected that it will return the fully-qualified name. Additionally if
> > you added the ipa server to /etc/hosts please only use the
> > fully-qualified name to be on the safe side (iirc it is ok to have the
> > short name as a second name, but the fully-qualified one should be
> > always first).
> 
> I removed the entries from /etc/hosts again.
> 
> > 
> > The keytab file /etc/krb5.keytab looks strange here. Later on the right
> > one /etc/dirsrv/ds.keytab is used. Did you try to run the
> > /usr/sbin/ns-slapd binary manually at some time?
> >
> 
> Yes.. once .. after it did not come up.
> 
> After another reboot, the system came up now.
> 
> But what I found is
> 
> https://fedorahosted.org/freeipa/ticket/2739
> 
> and indeed:
> 
> [root@ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# grep WARNING *
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small,
> increasing to 500K bytes
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache
> size 512000B is less than db size 4177920B; We recommend to increase the
> entry cache size nsslapd-cachememsize.
> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache
> size 512000B is less than db size 18096128B; We recommend to increase
> the entry cache size nsslapd-cachememsize.
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache
> size 512000B is less than db size 4218880B; We recommend to increase the
> entry cache size nsslapd-cachememsize.
> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache
> size 512000B is less than db size 27992064B; We recommend to increase
> the entry cache size nsslapd-cachememsize.
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING: cache too small,
> increasing to 500K bytes
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up
> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
> 512000 -- rounding up

I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
10M and since I didn't do any tuning I would expect that this is some
default.

> 
> 
> And what I see is that nodes occasionally lose their users. I haven't
> seen that in the two months while testing (of course there were no real
> users during that time, so I'm not 100% sure that it did not happen).
> 
> Could that be the cause of the trouble??

The users and groups are delivered to the system via SSSD. If SSSD loses
the connection to the IPA servers, e.g. because the server does not
respond, SSSD cannot look up new users. Nevertheless SSSD has a cache and
users and groups are delivered from the cache in this case. But system
users which are important for the services to run, like the users dirsrv,
apache, pkiuser etc., are defined in /etc/passwd. So I don't expect this
to be the cause of the trouble.

bye,
Sumit

> 
> Kind regards,
> 
>   Torsten
> 
> 
> 
> -- 
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> <>                                                              <>
> <> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
> <> Bergische Universitaet                                       <>
> <> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
> <> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
> <> 42097 Wuppertal                                              <>
> <>                                                              <>
> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
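
Added example, not part of the original mail or of FreeIPA/389-ds: a small parser that condenses the repeated errors-log warnings quoted above into one line per backend, showing how far the entry cache falls short of the database size and how much the database grew between restarts. The function name and sample are constructed here; the sample reuses the values from the thread and assumes each log entry sits on one line (the mail wrapped them) and that the log is in chronological order.

```python
import re

# The "entry cache size ... less than db size" warning from the thread.
# Assumption: the log on disk has one entry per line (the mail wrapped them).
WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - WARNING: (?P<backend>[^:]+): entry cache size "
    r"(?P<cache>\d+)B is less than db size (?P<db>\d+)B"
)
TAIL = "; We recommend to increase the entry cache size nsslapd-cachememsize."

# Constructed sample: values copied from the thread, lines unwrapped.
SAMPLE_LOG = "\n".join([
    "[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small, increasing to 500K bytes",
    "[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up",
    "[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4177920B" + TAIL,
    "[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 18096128B" + TAIL,
    "[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is 512000 -- rounding up",
    "[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache size 512000B is less than db size 4218880B" + TAIL,
    "[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache size 512000B is less than db size 27992064B" + TAIL,
])


def summarize_cache_warnings(log_text):
    """Per backend: latest cache/db sizes, shortfall, and db growth since first warning."""
    summary = {}
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m is None:
            continue  # other WARNING lines name no backend or db size
        cache, db = int(m["cache"]), int(m["db"])
        s = summary.setdefault(m["backend"], {"count": 0, "first_db_bytes": db})
        s["count"] += 1
        # Assumed chronological log: the last match per backend is the current state.
        s.update(last_seen=m["ts"], cache_bytes=cache, db_bytes=db,
                 shortfall_bytes=db - cache, db_growth_bytes=db - s["first_db_bytes"])
    return summary


if __name__ == "__main__":
    for backend, s in summarize_cache_warnings(SAMPLE_LOG).items():
        print(f"{backend}: cache={s['cache_bytes']}B db={s['db_bytes']}B "
              f"short by {s['shortfall_bytes']}B, db grew {s['db_growth_bytes']}B "
              f"over {s['count']} warnings (last {s['last_seen']})")
```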



