Well, I feel silly for not checking this earlier. You were correct.
Sep 18 01:09:35 freeipa1 kernel: : ns-slapd[16553]: segfault at 4 ip 
000000000041227a sp 00007fb9d15edc68 error 4 in ns-slapd[400000+53000]
I am installing the 389-ds-base-debuginfo and accompanying packages now, 
restarting ipa, enabling core dumps in the kernel and changing core file size 
to unlimited.

Will see what happens next! Thanks!


-----Original Message-----
From: "Rob Crittenden" <rcrit...@redhat.com>
Sent: Monday, September 30, 2013 1:13pm
To: "Andrew Tranquada" <andrew.tranqu...@rackspace.com>, "Alexander Bokovoy" 
<aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server randomly will stop accepting krb requests

Andrew Tranquada wrote:
> Thanks for the response
> I did look in /var/log/slapd-PKI* or slapd-<DOMAIN> (I guess I was not too 
> clear I did that in my email)
> in those logs the last thing in that log is from Sep 18
>
> From /var/log/dirsrv/slapd-EXAMPLE-COM/errors:
>
> [18/Sep/2013:01:09:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
> error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (KDC returned error string: 
> PROCESS_TGS)) errno 2 (No such file or directory)
>
> That is all, the items before that time are addition/deletion of entries 
> which is normal.
>
> -----Original Message-----
> From: "Alexander Bokovoy" <aboko...@redhat.com>
> Sent: Monday, September 30, 2013 12:47pm
> To: "Andrew Tranquada" <andrew.tranqu...@rackspace.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Server randomly will stop accepting krb requests
>
> On Mon, 30 Sep 2013, Andrew Tranquada wrote:
>> I have 6 servers set up as freeipa replicas.
>> 5 are working great, no problems.
>> They are all running ipa-server-3.0.0-26.el6_4.4.x86_64
>> However, the same one will randomly stop working. By stop working I mean the 
>> following:
>> (domain name and ips have been redacted)
>>
>> I cannot kinit as any user on that machine:
>> [root@badserver ~]# kinit admin
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> I cannot connect on 389 or 636 to that server:
>>
>> telnet badserver 636
>>
>> telnet: Unable to connect to remote host: Connection refused
>>
>> slapd is running and listening on port 389 according to netstat:
>> [root@badserver ~]# netstat -lpn | grep 389
>> tcp        0      0 :::7389                     :::*                        
>> LISTEN      16419/ns-slapd
> This is port 7389, for CA LDAP instance, not port 389 which is main LDAP
> instance.
>
>> but nothing is returned for port 636
> Because port 636 is served by the same main dirsrv instance that is
> down.
>
>>
>> in the /var/log/slapd-PKI* or slapd-<DOMAIN> error files, the last error is 
>> from over a week ago, actually the last entry period is from there.
>>
>> [18/Sep/2013:01:09:34 -0400] slapd_ldap_sasl_interactive_bind - Error: could 
>> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
>> error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
>> Minor code may provide more information (KDC returned error string: 
>> PROCESS_TGS)) errno 2 (No such file or directory)
>>
>>
>> /var/log/krb5kdc.log shows
>> Sep 30 12:22:24 badserver krb5kdc[32063](info): AS_REQ (4 etypes {18 17 16 
>> 23}) <ip>: LOOKING_UP_CLIENT: ad...@example.com for 
>> krbtgt/example....@example.com, Server error
>>
>> a service ipa restart ALWAYS fixes it.
> Directory server instance is down, so LDAP server is not accessible, so
> Kerberos KDC cannot read the data which is only in LDAP, so it denies
> access.
>
>> Any guidance/advice/docs to read would be greatly appreciated! The fact
>> that it seems to be so random and the other 5 ipa servers are working
>> great makes it even more frustrating!
> Look at directory server's logs to see what was the reason for refusing
> starting up in /var/log/dirsrv/slapd-<DOMAIN>/errors.

I'd look for evidence in /var/log/messages of ns-slapd core dumping.

rob




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
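
Added example (not part of the original thread): a small parser for the kernel segfault line quoted at the top of this message, of the kind one might run over /var/log/messages when a dirsrv instance goes silent. It decodes the x86 page-fault error code and the offset of the faulting instruction inside the mapped object; the function names and the second sample log line are constructed for illustration.

```python
import re

# Kernel segfault report format on x86: comm[pid]: segfault at ADDR ip IP sp SP
# error CODE in OBJECT[BASE+SIZE]. All numeric fields except pid are hex.
SEGV_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(err):
    """Decode the x86 page-fault error code bits reported after 'error'."""
    return {
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "instruction_fetch": bool(err & 16),
    }

def parse_segfault(line):
    """Return a dict describing the fault, or None if the line is not a segfault report."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    info = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr, "ip": ip}
    info.update(decode_error(err))
    # A fault address inside the first page usually means a NULL pointer plus a small offset.
    info["near_null"] = addr < 4096
    if m["obj"]:
        info["object"] = m["obj"]
        # Offset of the faulting instruction inside the mapped object.
        info["offset"] = ip - int(m["base"], 16)
    return info

def find_crashes(lines, comm="ns-slapd"):
    """Yield parsed segfault reports for one process name from syslog lines."""
    for line in lines:
        info = parse_segfault(line)
        if info and info["comm"] == comm:
            yield info

# First line is the one quoted in this thread (rejoined); the second is constructed.
SAMPLE = [
    "Sep 18 01:09:35 freeipa1 kernel: : ns-slapd[16553]: segfault at 4 ip "
    "000000000041227a sp 00007fb9d15edc68 error 4 in ns-slapd[400000+53000]",
    "Sep 18 01:10:02 freeipa1 CROND[16601]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
]

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE):
        print(crash)
```

For the line in this thread the result is a user-mode read of a not-present page at address 4, at offset 0x1227a inside ns-slapd.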
