On Thu, 2009-10-22 at 16:22 +0100, Andy Singleton wrote:
> Hello,
>
> I am trying to solve a mystery. We have 2 replicated FreeIPA servers.
> Today they both stopped receiving requests because the Directory
> Server had begun to refuse connections.
>
> The relevant message is “Not listening for new connections - too many
> fds open”
>
> That’s all well and good: I can increase the file descriptor
> allowance.
>
> However, the reason the fds limit was reached was a massive number of
> connections from the servers themselves.
>
> Can someone provide me with an idea for what this might be?
>
> We received 1024 connections in under 1 second: Here is an example
> dirsrv access log entry:
>
> [22/Oct/2009:12:29:53 +0200] conn=679021 fd=464 slot=464 connection from 127.0.0.1 to 127.0.0.1
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 BIND dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" method=128 version=3
> [22/Oct/2009:12:29:53 +0200] conn=679021 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net"
>
> Some final notes:
>
> Both servers stopped one after the other. First server A, then 1
> second afterwards, server B.
>
> I’m pretty stuck as to what might have caused this.

Can you check the krb5kdc logs?

dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" is the
account used by the kdc (in v1).

So it looks like the KDC went crazy trying to connect to the ldap
server.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
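
An added example, not part of the original thread or of FreeIPA: one way to confirm the pattern discussed above from a dirsrv access log, by counting new connections per second for each source address and bind DN. The line formats follow the excerpt quoted in the thread; `find_bursts`, the threshold, and the sample lines (including the `192.0.2.x` client and its DN) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Line shapes follow the dirsrv access-log excerpt quoted in the thread.
CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
                     r'connection from (?P<src>\S+) to \S+')
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=\d+ '
                     r'BIND dn="(?P<dn>[^"]*)"')
KDC_DN = "uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net"


def find_bursts(lines, threshold):
    """Return sorted (timestamp, source, bind_dn, count) tuples for every
    one-second bucket where a (source, bind DN) pair opened >= threshold
    connections. Hypothetical helper, not part of FreeIPA or its Directory Server."""
    opened = {}          # conn id -> (timestamp, source address)
    buckets = Counter()  # (timestamp, source, bind dn) -> new connections
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            opened[m['conn']] = (m['ts'], m['src'])
            continue
        m = BIND_RE.match(line)
        if m and m['conn'] in opened:
            # pop() so only the first BIND on each connection is counted
            ts, src = opened.pop(m['conn'])
            buckets[(ts, src, m['dn'].lower())] += 1
    return sorted(k + (n,) for k, n in buckets.items() if n >= threshold)


def constructed_sample():
    """Constructed lines: 5 KDC connections in one second, 1 other client."""
    ts, out = "22/Oct/2009:12:29:53 +0200", []
    for i in range(5):
        c, fd = 679021 + i, 464 + i
        out += [f'[{ts}] conn={c} fd={fd} slot={fd} connection from 127.0.0.1 to 127.0.0.1',
                f'[{ts}] conn={c} op=0 BIND dn="{KDC_DN}" method=128 version=3',
                f'[{ts}] conn={c} op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="{KDC_DN}"']
    ts2 = "22/Oct/2009:12:29:54 +0200"
    out += [f'[{ts2}] conn=679100 fd=470 slot=470 connection from 192.0.2.10 to 192.0.2.1',
            f'[{ts2}] conn=679100 op=0 BIND dn="uid=admin,dc=example,dc=com" method=128 version=3']
    return out


if __name__ == "__main__":
    for ts, src, dn, n in find_bursts(constructed_sample(), threshold=5):
        print(f"{ts} {src} {dn}: {n} new connections in one second")
```

Connections that never send a BIND are not counted here, so an anonymous connection flood would need a variant keyed on the connection line alone.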