Hi Rob, Thanks indeed for the quick reply! Please see the attached backtrace files. I have generated it with the abrt. Is it OK ? please let me know if you need anything else. Regards,Nasir
--- On Mon, 7/25/11, Rob Crittenden <rcrit...@redhat.com> wrote: From: Rob Crittenden <rcrit...@redhat.com> Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment To: "nasir nasir" <kollath...@yahoo.com> Cc: freeipa-users@redhat.com Date: Monday, July 25, 2011, 6:16 AM nasir nasir wrote: > Hi, > > Further to the ongoing deployment of Linux clients and servers using > FreeIPA, I was able to successfully get all the requirements like, > > -- complete centralized authentication and administration > -- NFS home share > -- HBAC > -- FreeIPA acting as Integrated DNS server > > Everything was good during the testing period. But when we went to > production since day before yesterday, we are facing a serious issue. > The DNS in IPA is giving out some problems. All of a sudden it becomes > unresponsive. We already noticed this twice in the past 48 hours. Since > this is the name server for the entire network, everything depending on > this for name resolution fails. When I log in to FreeIPA server machine > and tries to see the status of named service(service named status) the > command hangs. Then I need to forcefully kill the named service and > start it again(or alternatively restart ipa service) to get everything > back to normal. I checked all the relevant log files and could see the > following at various point of time in the /var/log/messages(trimmed out > most of the part to show only possible named/sssd/ipa errors) > > Jul 22 05:57:55 openipa named[10135]: semaphore.c:70: fatal error: > Jul 22 05:57:55 openipa named[10135]: > RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == > 0) failed > Jul 22 05:57:55 openipa named[10135]: exiting (due to fatal error in > library) > Jul 22 05:57:55 openipa abrt[12698]: /var/named/core.10135 is not a > regular file with link count 1: Permission denied > > > Jul 22 14:35:56 openipa [sssd[ldap_child[17070]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > Jul 22 14:35:56 openipa [sssd[ldap_child[17072]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > > > Jul 22 17:54:33 openipa named[15678]: error (network unreachable) > resolving 'snapfiles.com/AAAA/IN': 2001:503:231d::2:30#53 > > > Jul 22 20:00:02 openipa python: IPA compliance checking failed: Error > initializing principal host/openipa.hugayet....@hugayet.com in > /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed') > > > Jul 23 09:10:01 openipa abrt[21599]: saved core dump of pid 20934 > (/usr/sbin/named) to /var/spool/abrt/ccpp-1311401401-20934.new/coredump > (37900288 bytes) > Jul 23 09:10:01 openipa abrtd: Directory 'ccpp-1311401401-20934' > creation detected > Jul 23 09:10:01 openipa abrtd: Crash is in database already (dup of > /var/spool/abrt/ccpp-1307530903-2297) > Jul 23 09:10:01 openipa abrtd: Deleting crash ccpp-1311401401-20934 (dup > of ccpp-1307530903-2297), sending dbus signal > Jul 23 09:10:03 openipa named[21631]: starting BIND > 9.7.3-RedHat-9.7.3-2.el6 -u named -4 > > > Jul 23 15:35:56 openipa [sssd[ldap_child[22297]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > Jul 23 15:35:56 openipa [sssd[ldap_child[22298]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > > Jul 23 09:10:03 openipa named[21631]: adjusted limit on open files from > 1024 to 1048576 > > > Jul 24 03:16:01 openipa [sssd[ldap_child[22964]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > Jul 24 04:00:02 openipa python: IPA compliance checking failed: Error > initializing principal host/openipa.hugayet....@hugayet.com in > /etc/krb5.keytab: (-1765328353, 'Decrypt integrity check failed') > Jul 24 06:17:25 openipa named[21631]: semaphore.c:70: fatal error: > Jul 24 06:17:25 openipa named[21631]: > RUNTIME_CHECK(((pthread_mutex_destroy((&sem->mutex)) == 0) ? 0 : 34) == > 0) failed > Jul 24 06:17:25 openipa named[21631]: exiting (due to fatal error in > library) > Jul 24 06:17:25 openipa abrt[23220]: saved core dump of pid 21631 > (/usr/sbin/named) to /var/spool/abrt/ccpp-1311477445-21631.new/coredump > (143396864 bytes) > > Also, I could see the following in my krb5kdc.log, > > ul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](Error): preauth pkinit > failed to initialize: No realms configured correctly for pkinit support > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): setting up > network... > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on > fd 9: udp 0.0.0.0.88 (pktinfo) > krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked > krb5kdc: No realms configured correctly for pkinit support - Cannot > request packet info for udp socket address :: port 88 > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping > unrecognized local address family 17 > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): skipping > unrecognized local address family 17 > krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on > fd 10: udp fe80::6ab5:99ff:fec8:160%eth0.88 > krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on > fd 12: tcp 0.0.0.0.88 > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): listening on > fd 11: tcp ::.88 > Jul 24 06:20:46 openipa.hugayet.com krb5kdc[23721](info): set up 4 sockets > > Also, please note the following points, > > ---- For the DHCP service, I have a cobbler server running the service > which will use the FreeIPA server's DNS servicee.(with > *ddns-update-style interim; *option in the dhcp configuration file) > ---- After seeing some permission related issues for named, I have given > /var/named sufficient permission to named daemon for the folder. > ---- Disabled ipv6 for named as I don't use it anyway(OPTIONS="-4" in > /etc/sysconfig/named) > > Thanks indeed for for all the help so far and waiting for your valuable > input on this! If you can get a backtrace on the named core I think that would be very helpful. It could be a problem in bind or in the bind-dyndb-ldap plugin that we use to LDAP as a backend store for bind. rob
abrt-report.cRw0D7
Description: Binary data
abrt-report.JOtGx9
Description: Binary data
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
