On 02/15/2015 01:02 PM, Thomas Raehalme wrote:
Hi!
Today we started having problems with dirsrv hanging. We have observed
the following symptoms (using EXAMPLE.COM instead of the real domain):
/var/log/dirsrv/slapd-EXAMPLE-COM/errors:
[15/Feb/2015:21:48:50 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint
is not connected)
[15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't
contact LDAP server)
/var/log/messages:
Feb 15 21:49:02 ipa named[5545]: LDAP query timed out. Try to adjust
"timeout" parameter
Feb 15 21:49:03 ipa named[5545]: LDAP query timed out. Try to adjust
"timeout" parameter
(repeated)
Trying to access the DS also with ldapsearch just hangs:
ldapsearch -h localhost -x "dc=example,dc=com"
see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
And Kerberos is unavailable as well:
# KRB5_TRACE=/dev/stdout kinit admin
[6421] 1424029967.466519: Getting initial credentials for ad...@example.com
[6421] 1424029967.467202: Sending request (172 bytes) to EXAMPLE.COM
[6421] 1424029967.467736: Sending initial UDP request to dgram 10.1.1.1:88
[6421] 1424029968.469031: Initiating TCP connection to stream 10.1.1.1:88
[6421] 1424029968.469205: Sending TCP request to stream 10.1.1.1:88
[6421] 1424029971.472024: Sending retry UDP request to dgram 10.1.1.1:88
[6421] 1424029976.477340: Sending retry UDP request to dgram 10.1.1.1:88
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
Strange thing is that there is hardly any CPU utilization when the
problem is occurring.
In addition we have started to see the following entries in
/var/log/messages:
Feb 15 21:37:27 ipa kernel: possible SYN flooding on port 88. Sending
cookies.
Feb 15 21:39:37 ipa kernel: possible SYN flooding on port 88. Sending
cookies.
I'm not sure if this is related, but it's something we haven't seen
before.
We are running CentOS release 6.6 (Final) with the latest available
packages:
389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
389-ds-base-1.2.11.15-48.el6_6.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6_6.3.x86_64
sssd-ipa-1.11.6-30.el6_6.3.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
libipa_hbac-python-1.11.6-30.el6_6.3.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
krb5-workstation-1.10.3-33.el6.x86_64
krb5-libs-1.10.3-33.el6.x86_64
sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
python-krbV-1.0.90-3.el6.x86_64
krb5-server-1.10.3-33.el6.x86_64
sssd-krb5-1.11.6-30.el6_6.3.x86_64
pam_krb5-2.3.11-9.el6.x86_64
Killing the dirsrv processes and restarting them resolves the issue -
until it happens again after about 15 minutes.
Any idea what could have gone wrong? I can e-mail logs, if necessary.
Thank you in advance!
Best regards,
Thomas
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project