When I attach gdb to the process (I have tried the main process and the four
child processes), it provides no output.
Here are the steps I'm taking:
1. On freeipa-server run htop and find the pid (or ps aux)
   * Shows one parent PID and four child processes
   * 934 root 20 0 46784 2656 388 S 0.0 0.1 0:00.00 `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * 1939 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * 1938 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * 1936 root 20 0 78664 4460 2056 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * 1935 root 20 0 78664 4212 1808 S 0.0 0.1 0:00.26 | `- /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 4
   * run sudo gdb
   * attach 934
   * press "c"
   * Wait for output…
2. Attempt to log in with a user that has an expired password.
3. Now the krb5kdc process 934 starts running at 100% and the user is unable
to log in.
4. The only way to get the process back to normal is to type "service ipa
restart"
I've never debugged a program before so if I'm missing a step please let me
know.
-Martin
On Sep 8, 2011, at 1:24 PM, Simo Sorce wrote:
Also any chance you can attach gdb to the krb5kdc process and take a
backtrace ?
Hopefully we will find out where it is hanging.
Simo.
On Thu, 2011-09-08 at 14:04 -0400, Simo Sorce wrote:
Is the ns-slapd instance for the ipa domain running when this happens ?
Simo.
On Thu, 2011-09-08 at 17:56 +0000, Smith, Martin R. [[email protected]] wrote:
Update: It appears to lock up immediately after a user with an expired
password attempts to log in. This happens when a user attempts to log in
at the freeipa-server itself or one of the clients.
From: [email protected] On Behalf Of Smith, Martin R. [[email protected]]
Sent: Thursday, September 08, 2011 12:49 PM
To: [email protected]
Subject: [Freeipa-users] krb5kdc process at 100%
Hello all,
I’m running a fairly new install of Freeipa-server and we are running
into a problem that is preventing users from logging in. We have two
SSH servers that authenticate to our freeipa-server and after 15 min
to 4 hrs of runtime the process krb5kdc will consume 100% of the
processor and the freeipa-server will no longer respond to LDAP
requests from the other machines.
Here are some specs:
The freeipa-server is running as a virtual machine on a Xen 5.6 box
Fedora 15 with all current updates
The /home directory is an NFS mount to a different server, also running
freeipa-client
I updated the freeipa-server package to the “testing” repo today, the
problem still exists. The only additional components I’ve installed
are fail2ban, and rsyslog.
Some of the error messages include:
(krb5kdc.log)
Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
(pki-ca-system-log)
Attached. This log is from the freeipa-server, it appears to be
complaining that it can’t connect to itself.
I can provide more logs to a personal email if needed.
Thanks for your help in resolving this issue.
-Martin Smith
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Simo Sorce * Red Hat, Inc * New York