[Freeipa-users] IPA very very slow

William Graboyes wgraboyes at cenic.org
Fri Jun 12 19:15:03 UTC 2015


Hi Martin,

Here are the outputs of the various commands, cleaned of course:

time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:

real	0m32.464s
user	0m0.385s
sys	0m0.052s

time host ipa-server-2.foo.org <-- server with issues
ipa-server-2.foo.org has address 10.0.0.2

real	0m0.070s
user	0m0.010s
sys	0m0.006s

time host ipa-server-1.foo.org <-- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3

real	0m0.073s
user	0m0.012s
sys	0m0.006s

time kinit
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
initial credentials

real	0m27.049s
user	0m0.013s
sys	0m0.004s

^^^ has been something I have been seeing intermittently



On 6/12/15 12:11 AM, Martin Kosek wrote:
>> Hi List,
>> 
>> This is a problem that has surfaced after a reboot of this system
>> in particular. It is being really, really slow.  In terms of
>> hardware usage issues, there are none.  It is taking 3-5 minutes
>> to list users in the gui. Running commands like
>> ipa-replica-manage list is taking between 30 seconds and 3
>> minutes.  Memory usage is low, cpu usage is low, iops are low.  I
>> really have no idea where to start here, there is nothing really
>> damning in the logs.  I have tried restarting IPA (ipactl
>> restart) stopping and starting IPA (ipactl stop wait... ipactl 
>> start), and rebooting the entire server.
>> 
>> The oddest thing is that there have been some krb errors saying
>> that they cannot contact the krb server.. logging into the gui
>> saying your session has timed out..
>> 
>> It is just general strangeness.
>> 
>> ipa-server-4.1.0-18.el7.centos.3.x86_64 
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64 
>> krb5-server-1.12.2-14.el7.x86_64
>> 
>> Any help would be greatly appreciated.
>> 
>> Thanks, Bill
> 
> I would recommend starting with simple things, seeing the
> performance and then following with more complex stuff:
> 
> - Try bare "ldapsearch" against the FreeIPA LDAP server, see the 
> response rate. If it is also slow, we have the root cause. Before 
> ringing on DS people's doors, see if for example DNS is not slow and
> there are no DNS timeouts in play - "host ipa.server.test" will
> tell you that
> 
> - If DS is OK, try Kerberos - kinit, kvno commands
> 
> - If Kerberos is also OK and "ipa-replica-manage list" is still
> slow, maybe we should just "strace" it to see what it waits on.
> 
> HTH, Martin
> 
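
Added example, not part of the original thread and not FreeIPA project code: a small shell helper that runs the checks in the order Martin suggests (DNS, then LDAP, then Kerberos), times each one, and stops at the first layer that is slow or failing. The function names, the 5-second threshold, the anonymous root DSE query and the use of `kinit -k` with a host keytab are assumptions made for the example.

```sh
#!/bin/sh
# Constructed helper: time each layer in the order suggested in the thread
# (DNS, then LDAP, then Kerberos) and stop at the first slow or failing one.

SLOW_SECS=${SLOW_SECS:-5}   # assumed threshold; the DNS lookups above took ~0.07s

# check LABEL CMD [ARGS...]
# Runs CMD, prints one result line, returns 0 only if it was fast and succeeded.
check() {
    c_label=$1; shift
    c_start=$(date +%s)
    # stdin from /dev/null so nothing can sit waiting at a password prompt
    "$@" >/dev/null 2>&1 </dev/null && c_rc=0 || c_rc=$?
    c_elapsed=$(( $(date +%s) - c_start ))
    if [ "$c_elapsed" -ge "$SLOW_SECS" ]; then
        echo "$c_label: SLOW ${c_elapsed}s (exit $c_rc)"; return 1
    elif [ "$c_rc" -ne 0 ]; then
        echo "$c_label: FAILED in ${c_elapsed}s (exit $c_rc)"; return 1
    fi
    echo "$c_label: ok ${c_elapsed}s"
}

# triage SERVER
# Return code names the first bad layer: 1 = DNS, 2 = LDAP, 3 = Kerberos.
triage() {
    t_server=$1
    check dns host "$t_server" || return 1
    # anonymous read of the root DSE: exercises the directory server only
    check ldap ldapsearch -x -H "ldap://$t_server" -s base -b "" || return 2
    # assumption: a host keytab is readable, so kinit needs no password;
    # note that this writes a ticket into the caller's default credential cache
    check kerberos kinit -k || return 3
}

# Stand-alone use: ./triage.sh ipa-server-2.foo.org
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

A timeout shows up as SLOW even when the command eventually exits with an error, which matches the ldapsearch and kinit results in the message above: both failed, but only after roughly 30 seconds.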
