[Freeipa-users] user delete command hangs kdc and ldap stop responding

Ludwig Krispenz lkrispen at redhat.com
Fri Sep 18 07:52:11 UTC 2015


On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
> This is rhel 7.1 with ipa version 4.1.0
>
> user-show shows the user. However, if the user contains 
> ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
>
> Meanwhile, the KDC and 389ds stop working. The only way to recover 
> functionality is to reboot the machine.  ipactl restart does nothing.

If it hangs again, could you get a pstack of the slapd process?
If you then kill slapd, does ipactl restart work?

>
> In the ldap access log I see this when trying to delete user sclown:
>
> [14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 
> nentries=0 etime=0
> [14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL 
> dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD 
> dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
> [14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 
> nentries=0 etime=0
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH 
> base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
> filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
> [14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 
> nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH 
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
> filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore 
> notAfter duration extension subjectName userCertificate version 
> algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 
> 1:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 
> nentries=0 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH 
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
> filter="(certStatus=VALID)" attrs="objectClass serialno notBefore 
> notAfter duration extension subjectName userCertificate version 
> algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 
> 1:10 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 
> nentries=1 etime=0
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH 
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
> filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno 
> revInfo notAfter notBefore duration extension subjectName 
> userCertificate version algorithmId signingAlgorithmId publicKeyData"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 
> 0:0 (0)
> [14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 
> nentries=0 etime=0 notes=U
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH 
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
> [14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 
> nentries=1 etime=0
> [14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
>
> Then in the ldap error log I see this, which makes me think there is a 
> problem with the changelog:
>
> [14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for 
> changenumber=91314,cn=changelog from entryrdn index (-30993)
> [14/Sep/2015:09:30:03 -0700] - Operation error fetching 
> changenumber=91314,cn=changelog (null), error -30993.
> [14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error 
> occured while adding change number 91314, dn = 
> changenumber=91314,cn=changelog: Operations error.
> [14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: 
> operation failure [1]
>
> After this both kdc and ldap stop responding. In the krb5kdc.log I see 
> server errors after the user-del command is run. The only way to 
> resume normal operations is to restart the whole machine. ipactl 
> restart doesn't work.
>
> Any help would be highly appreciated!
>
>

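In the quoted access log, `conn=326 op=19 DEL` never receives a `RESULT` line. The following is an added example, not part of the original messages: a Python script that pairs requests with results in a 389-ds access log and lists operations left unanswered. The sample lines are the ones from the post with the e-mail line wraps rejoined; `audit` and the other names are hypothetical.

```python
import re
from datetime import datetime

# Access log lines quoted in the post, with the e-mail line wraps rejoined.
SAMPLE_LOG = """\
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<verb>[A-Z]+)\b(?P<rest>.*)$')
# Request verbs that the server answers with a RESULT line.
REQUESTS = {"BIND", "SRCH", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT"}

def audit(log_text):
    """Return (stuck, failed): requests with no RESULT, and RESULTs with err != 0."""
    pending, failed, last_ts = {}, [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # connection open/close lines and wrapped fragments
        last_ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (int(m["conn"]), int(m["op"]))
        if m["verb"] in REQUESTS:
            pending[key] = (last_ts, m["verb"], m["rest"].strip())
        elif m["verb"] == "RESULT":
            req = pending.pop(key, None)  # None: request is outside the excerpt
            e = re.search(r"\berr=(-?\d+)", m["rest"])
            err = int(e.group(1)) if e else 0
            if req and err != 0:
                failed.append((key, req[1], err))
    # Age is measured against the last timestamp seen in the log.
    stuck = [(key, verb, int((last_ts - ts).total_seconds()), rest)
             for key, (ts, verb, rest) in pending.items()]
    return stuck, failed

if __name__ == "__main__":
    stuck, failed = audit(SAMPLE_LOG)
    for (conn, op), verb, age, rest in stuck:
        print(f"no RESULT: conn={conn} op={op} {verb} open {age}s {rest}")
    for (conn, op), verb, err in failed:
        print(f"err={err}: conn={conn} op={op} {verb}")
```

An operation near the end of a live log may simply still be in flight, so the age column is what separates a hang from normal latency.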