[Freeipa-users] user delete command hangs kdc and ldap stop responding
Ludwig Krispenz
lkrispen at redhat.com
Fri Sep 18 07:52:11 UTC 2015
On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
> This is rhel 7.1 with ipa version 4.1.0
>
> user-show shows the user. However, if the user contains
> ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
>
> Meanwhile, the KDC and 389ds stop working. The only way to recover
> functionality is to reboot the machine. ipactl restart does nothing.
If it hangs again, could you get a pstack of the slapd process?
If you then kill slapd, does ipactl restart work?
>
> In the ldap access log I see this when trying to delete user sclown:
>
> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101
> nentries=0 etime=0
> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL
> dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD
> dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103
> nentries=0 etime=0
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH
> base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
> filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101
> nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
> filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore
> notAfter duration extension subjectName userCertificate version
> algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z
> 1:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101
> nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
> filter="(certStatus=VALID)" attrs="objectClass serialno notBefore
> notAfter duration extension subjectName userCertificate version
> algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z
> 1:10 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101
> nentries=1 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1
> filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno
> revInfo notAfter notBefore duration extension subjectName
> userCertificate version algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z
> 0:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101
> nentries=0 etime=0 notes=U
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101
> nentries=1 etime=0
> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>
> Then in the ldap error log I see this, which makes me think there is a
> problem with the changelog:
>
> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for
> changenumber=91314,cn=changelog from entryrdn index (-30993)
> [14/Sep/2015:09:30:03 -0700] - Operation error fetching
> changenumber=91314,cn=changelog (null), error -30993.
> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error
> occured while adding change number 91314, dn =
> changenumber=91314,cn=changelog: Operations error.
> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob:
> operation failure [1]
>
> After this both kdc and ldap stop responding. In the krb5kdc.log I see
> server errors after the user-del command is run. The only way to
> resume normal operations is to restart the whole machine. ipactl
> restart doesn't work.
>
> Any help would be highly appreciated!
>
>