Also any chance you can attach gdb to the krb5kdc process and take a backtrace?
Hopefully we will find out where it is hanging.

Simo.

On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
> Is the ns-slapd instance for the ipa domain running when this happens?
>
> Simo.
>
> On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R.
> [[email protected]] wrote:
> > Update: It appears to lock up immediately after a user with an expired
> > password attempts to log in. This happens when a user attempts to log in
> > at the freeipa-server itself or one of the clients.
> >
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Smith, Martin
> > R. [[email protected]]
> > Sent: Thursday, September 08, 2011 12:49 PM
> > To: [email protected]
> > Subject: [Freeipa-users] krb5kdc process at 100%
> >
> > Hello all,
> >
> > I’m running a fairly new install of Freeipa-server and we are running
> > into a problem that is preventing users from logging in. We have two
> > SSH servers that authenticate to our freeipa-server and after 15 min
> > to 4 hrs of runtime the process krb5kdc will consume 100% of the
> > processor and the freeipa-server will no longer respond to LDAP
> > requests from the other machines.
> >
> > Here are some specs:
> >
> > The freeipa-server is running as a virtual machine on a Xen 5.6 box
> >
> > Fedora 15 with all current updates
> >
> > The /home directory is an NFS mount to a different server, also running
> > freeipa-client
> >
> > I updated the freeipa-server package to the “testing” repo today; the
> > problem still exists. The only additional components I’ve installed
> > are fail2ban and rsyslog.
> >
> > Some of the error messages include:
> >
> > (krb5kdc.log)
> >
> > Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes
> > {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH:
> > host/[email protected] for krbtgt/[email protected],
> > Additional pre-authentication required
> >
> > (pki-ca-system-log)
> >
> > Attached. This log is from the freeipa-server; it appears to be
> > complaining that it can’t connect to itself.
> >
> > I can provide more logs to a personal email if needed.
> >
> > Thanks for your help in resolving this issue.
> >
> > -Martin Smith
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
