[Freeipa-users] IPA very very slow
Martin Kosek
mkosek at redhat.com
Fri Jun 12 20:10:59 UTC 2015
On 06/12/2015 09:15 PM, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi Martin,
>
> Here are the outputs of the various commands, cleaned of course:
>
> time ldapsearch
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
> real 0m32.464s
> user 0m0.385s
> sys 0m0.052s
This is quite long time. We should check respective dirsrv errors and access
logs snippets.
Also, the command above did not exit successfully, I would recommend doing at least
# ldapsearch -x -h `hostname` "(uid=admin)"
>
> time host ipa-server-2.foo.org <-- server with issues
> ipa-server-2.foo.org has address 10.0.0.2
>
> real 0m0.070s
> user 0m0.010s
> sys 0m0.006s
>
> time host ipa-server-1.foo.org <-- replicant with no issues
> ipa-server-1.foo.org has address 10.0.0.3
>
> real 0m0.073s
> user 0m0.012s
> sys 0m0.006s
>
> time kinit
> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
> initial credentials
>
> real 0m27.049s
> user 0m0.013s
> sys 0m0.004s
>
> ^^^ has been something I have been seeing intermittently
>
>
>
> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>> Hi List,
>>>
>>> This is a problem that has surfaced after a reboot of this system
>>> in particular. It is being really, really slow. In terms of
>>> hardware usage issues, there are none. It is taking 3-5 minutes
>>> to list users in the gui. Running commands like
>>> ipa-replica-manage list is taking between 30seconds and 3
>>> minutes. Memory usage is low, cpu usage is low, iops are low. I
>>> really have no idea where to start here, there is noting really
>>> damning in the logs. I have tried restarting IPA (ipactl
>>> restart) stopping and starting IPA (ipactl stop wait... ipactl
>>> start), and rebooting the entire server.
>>>
>>> The oddest thing is that there have been some krb errors saying
>>> that they cannot contact the krb server.. logging into the gui
>>> saying your session has timed out..
>>>
>>> It is just general strangeness.
>>>
>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>> krb5-server-1.12.2-14.el7.x86_64
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Thanks, Bill
>>
>> I would recommend starting with simple things, seeing the
>> performance and then following with more complex stuff:
>>
>> - Try bare "ldapsearch" against the FreeIPA LDAP server, see the
>> response rate. If it is also slow, we have the root cause. Before
>> ringing on DS people doors, see if for example DNS is not slow and
>> there are no DNS timeouts in play - "host ipa.server.test" will
>> tell you that
>>
>> - If DS is OK, try Kerberos - kinit, kvno commands
>>
>> - If Kerberos is also OK and "ipa-replica-manage list" is still
>> slow, maybe we should just "strace" it to see what it waits on.
>>
>> HTH, Martin
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2
> Comment: GPGTools - https://gpgtools.org
>
> iQIcBAEBCgAGBQJVey+3AAoJEJFMz73A1+zruo8P/13JTUKxgSKUchH/2UQWH94N
> EAPj3hhgNeMjY1TCgjAhceavidXTj5oCbt3D2wSiZwxAodurXy1PkCmQUs9NpZ+N
> 3uKPD01tSnIl/eocP8aNHNrPfn5W7xijffbpaQsnNCgn5DMvLG0b8sEDKA2A9TQi
> qhluvjMrWM4yOITc4A2+IWCASy1UfG0fRBuK+hHp+F72at6Q6luEiaxC4TymSF7L
> f7XomuQmaEnvYl44hlqnyh/9FaERGyFs5crKTrLpFeLPrk149HYHwFqCbd28SY3p
> QLSQxraLnSvT/7y2d9kc7vmJFvxEFC/q4Q05xL81u/Sg691lb0qX0SVuHfFST87I
> xSypfQ3110wUzk7X4+oXpPX/ziomsXkjELhi81iurdU/iA9bAqtuEYf8HtvcrF7b
> QlqZA0t1D78QDTbaNOIE6LVAY2Zxkpdhu/qwCMvtS8TlPGt9U8Kt4U6eoFfTFn8C
> GFx61vNfBFmqOQX7w0Q36jqUCQG0VRipsC0oeqGVEeUvIDW/G9TG4m8O+vmZ60Lj
> DgpIoxwXaO4TT5aZcDDpIlgs67ZxaW+9VAmJh+G3w664rQ3jnE6JMwzyxDmqFhZ5
> cto0910Y5GqWL9wShmpTBy1/nVAJivdXK4D6eykOgKq80vXKbZOWPqIT2oEqXSA0
> rYUBJPLWtHHVLigc6lW7
> =R7vN
> -----END PGP SIGNATURE-----
>
More information about the Freeipa-users
mailing list