[Freeipa-users] dirsrv hangs, 0% CPU util
Rich Megginson
rmeggins at redhat.com
Sun Feb 15 21:37:50 UTC 2015
On 02/15/2015 01:02 PM, Thomas Raehalme wrote:
> Hi!
>
> Today we started having problems with dirsrv hanging. We have observed
> the following symptoms (using EXAMPLE.COM <http://EXAMPLE.COM> instead
> of the real domain):
>
> /var/log/dirsrv/slapd-EXAMPLE-COM/errors:
>
> [15/Feb/2015:21:48:50 +0200] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
> is not connected)
> [15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
> contact LDAP server)
>
> /var/log/messages:
>
> Feb 15 21:49:02 ipa named[5545]: LDAP query timed out. Try to adjust
> "timeout" parameter
> Feb 15 21:49:03 ipa named[5545]: LDAP query timed out. Try to adjust
> "timeout" parameter
> (repeated)
>
> Trying to access the DS also with ldapsearch just hangs:
>
> ldapsearch -h localhost -x "dc=example,dc=com"
see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> And Kerberos is unavailable as well:
>
> # KRB5_TRACE=/dev/stdout kinit admin
> [6421] 1424029967.466519: Getting initial credentials for
> admin at EXAMPLE.COM <mailto:admin at EXAMPLE.COM>
> [6421] 1424029967.467202: Sending request (172 bytes) to EXAMPLE.COM
> <http://EXAMPLE.COM>
> [6421] 1424029967.467736: Sending initial UDP request to dgram
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029968.469031: Initiating TCP connection to stream
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029968.469205: Sending TCP request to stream 10.1.1.1:88
> <http://10.1.1.1:88>
> [6421] 1424029971.472024: Sending retry UDP request to dgram
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029976.477340: Sending retry UDP request to dgram
> 10.1.1.1:88 <http://10.1.1.1:88>
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM
> <http://EXAMPLE.COM>' while getting initial credentials
>
> Strange thing is that there is hardly any CPU utilization when the
> problem is occurring.
>
> In addition we have started to see the following entries in
> /var/log/messages:
>
> Feb 15 21:37:27 ipa kernel: possible SYN flooding on port 88. Sending
> cookies.
> Feb 15 21:39:37 ipa kernel: possible SYN flooding on port 88. Sending
> cookies.
>
> I'm not sure if this is related, but it's something we haven't seen
> before.
>
> We are running CentOS release 6.6 (Final) with the latest available
> packages:
>
> 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
> 389-ds-base-1.2.11.15-48.el6_6.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> libipa_hbac-1.11.6-30.el6_6.3.x86_64
> sssd-ipa-1.11.6-30.el6_6.3.x86_64
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-42.el6.centos.x86_64
> libipa_hbac-python-1.11.6-30.el6_6.3.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> krb5-workstation-1.10.3-33.el6.x86_64
> krb5-libs-1.10.3-33.el6.x86_64
> sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
> python-krbV-1.0.90-3.el6.x86_64
> krb5-server-1.10.3-33.el6.x86_64
> sssd-krb5-1.11.6-30.el6_6.3.x86_64
> pam_krb5-2.3.11-9.el6.x86_64
>
> Killing the dirsrv processes and restarting them resolves the issue -
> until it happens again after about 15 minutes.
>
> Any idea what could have gone wrong? I can e-mail logs, if necessary.
>
> Thank you in advance!
>
> Best regards,
> Thomas
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150215/6e81f30f/attachment.htm>
More information about the Freeipa-users
mailing list