[Freeipa-users] Kerberos hanging approx. once a day

Rich Megginson rmeggins at redhat.com
Tue Jul 28 17:08:49 UTC 2015


On 07/24/2015 01:20 AM, Torsten Harenberg wrote:
> Dear Rich and all,
>
> thanks to everybody! Really thankful for your support.
>
> The situation really improved.
>
> We:
>
> - enlarged the caches for 389ds until the WARNING messages disappeared
> in the log files,
> - (just to be sure) re-sync'ed firewalld rules between primary and
> secondary server.
>
> Now the server was stable, Kerberos and 389ds are still alive and all
> clients can still resolve all users. There is only one issue left (see
> bottom).
>
>
> First let us answer that:
>
> On 23.07.15 at 18:28, Rich Megginson wrote:
>
>> # ldapsearch -xLLL -D "cn=directory manager" -W -s base -b
>> "dc=uni-wuppertal,dc=de"
>>
>> This search should return immediately.  If it hangs, then the problem is
>> in slapd, and get a stack trace as before.
>>
> [root at ipa httpd]# time ldapsearch -xLLL -D "cn=directory manager" -W -s
> base -b "dc=pleiades,dc=uni-wuppertal,dc=de"
> Enter LDAP Password:
> dn: dc=pleiades,dc=uni-wuppertal,dc=de
> objectClass: top
> objectClass: domain
> objectClass: pilotObject
> objectClass: domainRelatedObject
> objectClass: nisDomainObject
> dc: pleiades
> info: IPA V2.0
> nisDomain: pleiades.uni-wuppertal.de
> associatedDomain: pleiades.uni-wuppertal.de
>
>
> real    0m4.559s
> user    0m0.403s
> sys     0m0.057s
> [root at ipa httpd]#
>
> Looks okay to us, or?

4 seconds?  That seems way too long.

What does the dirsrv access log look like for this sequence of 
operations?  There will be a connection, a BIND, a SRCH, and an UNBIND.

>
> So.. here is the problem which is left over. When logging in as admin
> now through the web page or locally:
>
> [Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO:
> [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE:
> radiusproxy_find(None, version=u'2.114'): SUCCESS
> [Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO:
> [jsonserver_session] wensing at PLEIADES.UNI-WUPPERTAL.DE: user_find(None,
> version=u'2.114'): SUCCESS
> [Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
> Unauthorized: kinit: Clients credentials have been revoked while getting
> initial credentials
> [Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134]
> [Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401
> Unauthorized: kinit: Clients credentials have been revoked while getting
> initial credentials
> [Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133]
> [Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
> Unauthorized: kinit: Clients credentials have been revoked while getting
> initial credentials
> [Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134]
> [root at ipa httpd]# kinit admin
> kinit: Clients credentials have been revoked while getting initial
> credentials
> [root at ipa httpd]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: admin at PLEIADES.UNI-WUPPERTAL.DE
>
> Valid starting       Expires              Service principal
> 07/23/2015 11:44:13  07/24/2015 11:44:08
> HTTP/ipa.pleiades.uni-wuppertal.de at PLEIADES.UNI-WUPPERTAL.DE
> 07/23/2015 11:44:11  07/24/2015 11:44:08
> krbtgt/PLEIADES.UNI-WUPPERTAL.DE at PLEIADES.UNI-WUPPERTAL.DE
> [root at ipa httpd]#
>
>
> Hope you have an idea about that one as well :).

I do not, sorry.  Maybe one of our kerberos experts will know.

>
> Thanks
>
>   Marisa and Torsten
>
>
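
Added example, not part of the original message: one way to read the dirsrv access log for the sequence Rich describes (connection, BIND, SRCH, UNBIND) and see which step accounts for the time. The log lines are constructed samples in the 389-ds access log format, and summarize and slow_ops are names chosen here.

```python
import re
from datetime import datetime

# Constructed sample in 389-ds access-log format; values are not from the thread.
SAMPLE = """\
[28/Jul/2015:17:08:45 +0000] conn=12 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[28/Jul/2015:17:08:45 +0000] conn=12 op=0 BIND dn="cn=directory manager" method=128 version=3
[28/Jul/2015:17:08:49 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=4 dn="cn=directory manager"
[28/Jul/2015:17:08:49 +0000] conn=12 op=1 SRCH base="dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[28/Jul/2015:17:08:49 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[28/Jul/2015:17:08:49 +0000] conn=12 op=2 UNBIND
[28/Jul/2015:17:08:49 +0000] conn=12 op=2 fd=64 closed - U1
"""

LINE = re.compile(r"^\[([^\]]+)\] conn=(\d+) (?:op=(-?\d+) )?(.*)$")

def parse_ts(stamp):
    # Drop fractional seconds so high-resolution timestamps parse as well.
    return datetime.strptime(re.sub(r"\.\d+", "", stamp), "%d/%b/%Y:%H:%M:%S %z")

def summarize(log_text, conn):
    """Return (wall_seconds, ops); ops maps op number to type, err, etime, elapsed."""
    ops, first, last = {}, None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or int(m.group(2)) != conn:
            continue
        ts = parse_ts(m.group(1))
        first, last = first or ts, ts
        if m.group(3) is None:
            continue  # connection-level line such as "connection from ..."
        rest = m.group(4)
        word = rest.split(" ", 1)[0]
        op = ops.setdefault(int(m.group(3)), {
            "type": word, "start": ts, "err": None, "etime": None, "elapsed": None})
        if word == "RESULT":
            op["err"] = int(re.search(r"\berr=(-?\d+)", rest).group(1))
            op["etime"] = float(re.search(r"\betime=([\d.]+)", rest).group(1))
            op["elapsed"] = (ts - op["start"]).total_seconds()
    return ((last - first).total_seconds() if first else None), ops

def slow_ops(ops, threshold=1.0):
    """Op numbers whose server etime or log-timestamp gap reaches threshold seconds."""
    return sorted(n for n, o in ops.items()
                  if max(o["etime"] or 0, o["elapsed"] or 0) >= threshold)

if __name__ == "__main__":
    wall, ops = summarize(SAMPLE, 12)
    print(f"conn=12 wall={wall}s slow ops={slow_ops(ops)}")
```

Comparing the per-operation etime with the wall time of the whole connection separates time spent inside slapd from time spent elsewhere, for example in the client or on the network.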



