[Freeipa-users] dirsrv hangs, 0% CPU util

Rich Megginson rmeggins at redhat.com
Sun Feb 15 21:37:50 UTC 2015 

On 02/15/2015 01:02 PM, Thomas Raehalme wrote:
> Hi!
>
> Today we started having problems with dirsrv hanging. We have observed 
> the following symptoms (using EXAMPLE.COM <http://EXAMPLE.COM> instead 
> of the real domain):
>
> /var/log/dirsrv/slapd-EXAMPLE-COM/errors:
>
> [15/Feb/2015:21:48:50 +0200] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint 
> is not connected)
> [15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't 
> contact LDAP server)
>
> /var/log/messages:
>
> Feb 15 21:49:02 ipa named[5545]: LDAP query timed out. Try to adjust 
> "timeout" parameter
> Feb 15 21:49:03 ipa named[5545]: LDAP query timed out. Try to adjust 
> "timeout" parameter
> (repeated)
>
> Trying to access the DS also with ldapsearch just hangs:
>
> ldapsearch -h localhost -x "dc=example,dc=com"

see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

>
> And Kerberos is unavailable as well:
>
> # KRB5_TRACE=/dev/stdout kinit admin
> [6421] 1424029967.466519: Getting initial credentials for 
> admin at EXAMPLE.COM <mailto:admin at EXAMPLE.COM>
> [6421] 1424029967.467202: Sending request (172 bytes) to EXAMPLE.COM 
> <http://EXAMPLE.COM>
> [6421] 1424029967.467736: Sending initial UDP request to dgram 
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029968.469031: Initiating TCP connection to stream 
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029968.469205: Sending TCP request to stream 10.1.1.1:88 
> <http://10.1.1.1:88>
> [6421] 1424029971.472024: Sending retry UDP request to dgram 
> 10.1.1.1:88 <http://10.1.1.1:88>
> [6421] 1424029976.477340: Sending retry UDP request to dgram 
> 10.1.1.1:88 <http://10.1.1.1:88>
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM 
> <http://EXAMPLE.COM>' while getting initial credentials
>
> Strange thing is that there is hardly any CPU utilization when the 
> problem is occurring.
>
> In addition we have started to see the following entries in 
> /var/log/messages:
>
> Feb 15 21:37:27 ipa kernel: possible SYN flooding on port 88. Sending 
> cookies.
> Feb 15 21:39:37 ipa kernel: possible SYN flooding on port 88. Sending 
> cookies.
>
> I'm not sure if this is related, but it's something we haven't seen 
> before.
>
> We are running CentOS release 6.6 (Final) with the latest available 
> packages:
>
> 389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
> 389-ds-base-1.2.11.15-48.el6_6.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> libipa_hbac-1.11.6-30.el6_6.3.x86_64
> sssd-ipa-1.11.6-30.el6_6.3.x86_64
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-42.el6.centos.x86_64
> libipa_hbac-python-1.11.6-30.el6_6.3.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> krb5-workstation-1.10.3-33.el6.x86_64
> krb5-libs-1.10.3-33.el6.x86_64
> sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
> python-krbV-1.0.90-3.el6.x86_64
> krb5-server-1.10.3-33.el6.x86_64
> sssd-krb5-1.11.6-30.el6_6.3.x86_64
> pam_krb5-2.3.11-9.el6.x86_64
>
> Killing the dirsrv processes and restarting them resolves the issue - 
> until it happens again after about 15 minutes.
>
> Any idea what could have gone wrong? I can e-mail logs, if necessary.
>
> Thank you in advance!
>
> Best regards,
> Thomas
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150215/6e81f30f/attachment.htm>

More information about the Freeipa-users mailing list