nasir nasir wrote:
Hi,
Further to the ongoing deployment of Linux clients and servers using
FreeIPA, I was able to successfully get all the requirements like,
-- complete centralized authentication and administration
-- NFS home share
-- HBAC
-- FreeIPA acting as Integrated DNS server
Everything was good during the testing period. But when we went to
production since day before yesterday, we are facing a serious issue.
The DNS in IPA is giving out some problems. All of a sudden it becomes
unresponsive. We already noticed this twice in the past 48 hours. Since
this is the name server for the entire network, everything depending on
this for name resolution fails. When I log in to FreeIPA server machine
and tries to see the status of named service(service named status) the
command hangs. Then I need to forcefully kill the named service and
start it again(or alternatively restart ipa service) to get everything
back to normal. I checked all the relevant log files and could see the
following at various point of time in the /var/log/messages(trimmed out
most of the part to show only possible named/sssd/ipa errors)
Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error:
Jul 22 05:57:55 openipa named[10135]:
RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
0) failed
Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in
library)
Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a
regular file with link count 1: Permission denied
Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 22 17:54:33 openipa named[15678]: error (network unreachable)
resolving 'snapfiles.com/AAAA/IN': 2001:503:231d::2:30#53
Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error
initializing principal host/openipa.hugayet....@hugayet.com in
/etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934
(/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump
(37900288 bytes)
Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934'
creation detected
Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of
/var/spool/abrt/ccpp-1307530903-2297)
Jul 23 09:10:01 openipa abrtd: Deleting crash ccpp-1311401401-20934 (dup
of ccpp-1307530903-2297), sending dbus signal
Jul 23 09:10:03 openipa named[21631]: starting BIND
9.7.3-RedHat-9.7.3-2.el6 -u named -4
Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 23 09:10:03 openipa named[21631]: adjusted limit on open files from
1024 to 1048576
Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to initialize
credentials using keytab [(null)]: Decrypt integrity check failed.
Unable to create GSSAPI-encrypted LDAP connection.
Jul 24 04:00:02 openipa python: IPA compliance checking failed: Error
initializing principal host/openipa.hugayet....@hugayet.com in
/etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed')
Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error:
Jul 24 06:17:25 openipa named[21631]:
RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) ==
0) failed
Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in
library)
Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631
(/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump
(143396864 bytes)
Also, I could see the following in my krb5kdc.log,
ul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](Error): preauth pkinit
failed to initialize: No realms configured correctly for pkinit support
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): setting up
network...
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 9: udp 0.0.0.0.88 (pktinfo)
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: No realms configured correctly for pkinit support - Cannot
request packet info for udp socket address :: port 88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping
unrecognized local address family 17
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping
unrecognized local address family 17
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 10: udp fe80::6ab5:99ff:fec8:160%eth0.88
krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 12: tcp 0.0.0.0.88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on
fd 11: tcp ::.88
Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): set up 4 sockets
Also, please note the following points,
---- For the DHCP service, I have a cobbler server running the service
which will use the FreeIPA server's DNS servicee.(with
*ddns-update-style interim; *option in the dhcp configuration file)
---- After seeing some permission related issues for named, I have given
/var/named sufficient permission to named daemon for the folder.
---- Disabled ipv6 for named as I don't use it anyway(OPTIONS="-4" in
/etc/sysconfig/named)
Thanks indeed for for all the help so far and waiting for your valuable
input on this!
If you can get a backtrace on the named core I think that would be very
helpful. It could be a problem in bind or in the bind-dyndb-ldap plugin
that we use to LDAP as a backend store for bind.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
