Hi! Today we started having problems with dirsrv hanging. We have observed the following symptoms (using EXAMPLE.COM instead of the real domain):

/var/log/dirsrv/slapd-EXAMPLE-COM/errors:

    [15/Feb/2015:21:48:50 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
    [15/Feb/2015:21:48:50 +0200] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)

/var/log/messages:

    Feb 15 21:49:02 ipa named[5545]: LDAP query timed out. Try to adjust "timeout" parameter
    Feb 15 21:49:03 ipa named[5545]: LDAP query timed out. Try to adjust "timeout" parameter
    (repeated)

Trying to access the DS also with ldapsearch just hangs:

    ldapsearch -h localhost -x "dc=example,dc=com"

And Kerberos is unavailable as well:

    # KRB5_TRACE=/dev/stdout kinit admin
    [6421] 1424029967.466519: Getting initial credentials for admin@EXAMPLE.COM
    [6421] 1424029967.467202: Sending request (172 bytes) to EXAMPLE.COM
    [6421] 1424029967.467736: Sending initial UDP request to dgram 10.1.1.1:88
    [6421] 1424029968.469031: Initiating TCP connection to stream 10.1.1.1:88
    [6421] 1424029968.469205: Sending TCP request to stream 10.1.1.1:88
    [6421] 1424029971.472024: Sending retry UDP request to dgram 10.1.1.1:88
    [6421] 1424029976.477340: Sending retry UDP request to dgram 10.1.1.1:88
    kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

Strange thing is that there is hardly any CPU utilization when the problem is occurring.

In addition we have started to see the following entries in /var/log/messages:

    Feb 15 21:37:27 ipa kernel: possible SYN flooding on port 88. Sending cookies.
    Feb 15 21:39:37 ipa kernel: possible SYN flooding on port 88. Sending cookies.

I'm not sure if this is related, but it's something we haven't seen before.

We are running CentOS release 6.6 (Final) with the latest available packages:

    389-ds-base-libs-1.2.11.15-48.el6_6.x86_64
    389-ds-base-1.2.11.15-48.el6_6.x86_64
    ipa-client-3.0.0-42.el6.centos.x86_64
    ipa-server-selinux-3.0.0-42.el6.centos.x86_64
    libipa_hbac-1.11.6-30.el6_6.3.x86_64
    sssd-ipa-1.11.6-30.el6_6.3.x86_64
    ipa-admintools-3.0.0-42.el6.centos.x86_64
    ipa-python-3.0.0-42.el6.centos.x86_64
    ipa-pki-ca-theme-9.0.3-7.el6.noarch
    ipa-server-3.0.0-42.el6.centos.x86_64
    libipa_hbac-python-1.11.6-30.el6_6.3.x86_64
    ipa-pki-common-theme-9.0.3-7.el6.noarch
    krb5-workstation-1.10.3-33.el6.x86_64
    krb5-libs-1.10.3-33.el6.x86_64
    sssd-krb5-common-1.11.6-30.el6_6.3.x86_64
    python-krbV-1.0.90-3.el6.x86_64
    krb5-server-1.10.3-33.el6.x86_64
    sssd-krb5-1.11.6-30.el6_6.3.x86_64
    pam_krb5-2.3.11-9.el6.x86_64

Killing the dirsrv processes and restarting them resolves the issue - until it happens again after about 15 minutes.

Any idea what could have gone wrong? I can e-mail logs, if necessary.

Thank you in advance!

Best regards,
Thomas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
