[Freeipa-users] Kerberos hanging approx. once a day

Ludwig Krispenz lkrispen at redhat.com
Thu Jul 23 08:17:38 UTC 2015


On 07/23/2015 09:56 AM, Sumit Bose wrote:
> On Thu, Jul 23, 2015 at 09:18:43AM +0200, Torsten Harenberg wrote:
>> Hi Sumit,
>>
>>
>>> The principal looks strange, I would at least expect the fully-qualified
>>> name of the ipa server here. What does the 'hostname' command return? It
>> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# hostname
>> ipa.pleiades.uni-wuppertal.de
>>
>>> is expected that it will return the fully-qualified name. Additionally if
>>> you added the ipa server to /etc/hosts please only use the
>>> fully-qualified name to be on the safe side (iirc it is ok to have the
>>> short name as a second name, but the fully-qualified one should be
>>> always first).
>> I removed the entries from /etc/hosts again.
>>
>>> The keytab file /etc/krb5.keytab looks strange here. Later on the right
>>> one /etc/dirsrv/ds.keytab is used. Did you try to run the
>>> /usr/sbin/ns-slapd binary manually at some time?
>>>
>> Yes.. once .. after it did not come up.
>>
>> After another reboot, the system came up now.
>>
>> But what I found is
>>
>> https://fedorahosted.org/freeipa/ticket/2739
>>
>> and indeed:
>>
>> [root at ipa slapd-PLEIADES-UNI-WUPPERTAL-DE]# grep WARNING *
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: cache too small,
>> increasing to 500K bytes
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4177920B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: changelog: entry cache
>> size 512000B is less than db size 18096128B; We recommend to increase
>> the entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4218880B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache
>> size 512000B is less than db size 27992064B; We recommend to increase
>> the entry cache size nsslapd-cachememsize.
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING: cache too small,
>> increasing to 500K bytes
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[23/Jul/2015:07:33:09 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
> I'm not a 389ds expert but in my setup nsslapd-cachememsize is set to
> 10M and since I didn't do any tuning I would expect that this is some
> default.
Yes, 10M should be the default, and OOM would be triggered by a memleak,
not by the cache size.
Also the server seems to stop and start cleanly, and is not killed by OOM.
>
>>
>> And what I see is that nodes occasionally lose their users. I haven't
>> seen that in the two months while testing (of course there were no real
>> users during that time, so I'm not 100% sure that it did not happen).
>>
>> Could that be the cause of the trouble??
> The users and groups are delivered to the system via SSSD. If SSSD loses
> the connection to the IPA servers, e.g. because the server does not
> respond, SSSD cannot lookup new users. Nevertheless SSSD has a cache and
> users and groups are delivered from the cache in this case. But system
> users which are important for the services to run like the users dirsrv,
> apache, pkiuser etc are defined in /etc/passwd. So I don't expect this
> to be the cause of the trouble.
>
> bye,
> Sumit
>
>> Kind regards,
>>
>>    Torsten
>>
>>
>>
>> -- 
>> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
>> <>                                                              <>
>> <> Dr. Torsten Harenberg     harenberg at physik.uni-wuppertal.de  <>
>> <> Bergische Universitaet                                       <>
>> <> FB C - Physik             Tel.: +49 (0)202 439-3521          <>
>> <> Gaussstr. 20              Fax : +49 (0)202 439-2811          <>
>> <> 42097 Wuppertal                                              <>
>> <>                                                              <>
>> <><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
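
Added example (not part of the original message, and not 389-ds or FreeIPA code): a small parser that rejoins the mail-wrapped warning lines quoted above and reports, per backend, the latest entry cache size against the db size. The sample text is constructed from the quoted output, and DEFAULT_CACHE is an assumption that reads the "10M" mentioned in the thread as 10 * 1024 * 1024 bytes.

```python
import re

DEFAULT_CACHE = 10 * 1024 * 1024  # assumption: the "10M" default named in the thread

# Constructed sample, modelled on the quoted grep output (mail wrapping kept).
SAMPLE = """\
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING -- Minimum cache size is
>> 512000 -- rounding up
>> errors:[21/Jul/2015:17:15:21 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4177920B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: userRoot: entry cache
>> size 512000B is less than db size 4218880B; We recommend to increase the
>> entry cache size nsslapd-cachememsize.
>> errors:[22/Jul/2015:11:03:31 +0200] - WARNING: changelog: entry cache
>> size 512000B is less than db size 27992064B; We recommend to increase
>> the entry cache size nsslapd-cachememsize.
"""

ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] - WARNING: (?P<backend>\w+): entry cache size "
    r"(?P<cache>\d+)B is less than db size (?P<db>\d+)B"
)

def unwrap(text):
    """Strip mail quote markers and rejoin log records split by line wrapping."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        # A new record starts with an optional "file:" prefix and a timestamp.
        if re.match(r"(?:\w+:)?\[\d{2}/\w{3}/\d{4}:", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Latest entry-cache warning per backend, with the gap to the db size."""
    latest = {}
    for record in unwrap(text):
        m = ENTRY.search(record)
        if m:
            cache, db = int(m["cache"]), int(m["db"])
            latest[m["backend"]] = {
                "seen": m["ts"], "cache": cache, "db": db,
                "shortfall": db - cache, "fits_default": db <= DEFAULT_CACHE,
            }
    return latest
```
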



