Update: It appears to lockup immediately after a user with an expired password 
attempts to login. This happens when a user attempts to login at the 
freeipa-server itself or one of the clients.


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Smith, Martin R. 
[smma0...@stcloudstate.edu]
Sent: Thursday, September 08, 2011 12:49 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] krb5kdc process at 100%

Hello all,
I'm running a fairly new install of Freeipa-server and we are running into a 
problem that is preventing users from logging in. We have two SSH servers that 
authenticate to our freeipa-server and after 15 min to 4 hrs of runtime the 
process Krb5kdc will consume 100% of the processor and the freeipa-server will 
no longer respond to ldap requests from the other machines.

Here are some specs:
The freeipa-server is running as a virtual machine on a Xen 5.6 box
Fedora 15 with all current updates
The /home directory is a NFS mount to a different server, also running 
freeipa-client

I updated the freeipa-server package to the "testing" repo today, the problem 
still exists. The only additional components I've installed are fail2ban, and 
rsyslog.

Some of the error messages include:
(krb5kdc.log)
Sep 08 12:10:23 client1.fake.com krb5kdc[1867](info): AS_REQ (7 etypes {18 17 
16 23 1 3 2}) 199.17.59.5: NEEDED_PREAUTH: 
host/client1.fake....@fake.com<mailto:host/client1.fake....@fake.com> for 
krbtgt/fake....@fake.com<mailto:krbtgt/fake....@fake.com>, Additional 
pre-authentication required

(pki-ca-system-log)
Attached. This log is from the freeipa-server, it appears to be complaining 
that it can't connect to itself.

I can provide more logs to a personal email if needed.

Thanks for your help in resolving this issue.
-Martin Smith

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to