IMHO It's DS bug, can you share DS error log?
pspacek CCed to examine named logs.

Martin^2

On 11/11/14 12:13, Walter van Lille wrote:
Hi Martin, thanks for the reply.
My version: bind-dyndb-ldap-2.3-5.el6.x86_64
The server doesn't have journalctl installed but I have the outputs from the messages and named.run files that I included here:

Messages:

*Nov 11 12:30:13 freeipa named[1481]: error (network unreachable) resolving 'example.example.com.10.123.123.123/A/IN': 2001:500:2f::f#53* *Nov 11 12:30:23 freeipa named[1481]: LDAP query timed out. Try to adjust "timeout" parameter* *Nov 11 12:30:23 freeipa named[1481]: LDAP query timed out. Try to adjust "timeout" parameter* *Nov 11 12:30:33 freeipa named[1481]: LDAP query timed out. Try to adjust "timeout" parameter* *Nov 11 12:30:33 freeipa named[1481]: LDAP query timed out. Try to adjust "timeout" parameter*

Named.run:

*client 10.123.123.123#42639: transfer of 'example.example/IN': AXFR-style IXFR started* *client 10.123.123.123#42639: transfer of ''example.example/IN': AXFR-style IXFR ended* *client 10.123.123.123#46912: transfer of '10.123.123.123.in-addr.arpa/IN': AXFR-style IXFR started* *client 10.123.123.123#46912: transfer of '10.123.123.123.in-addr.arpa/IN': AXFR-style IXFR ended*
*LDAP query timed out. Try to adjust "timeout" parameter*
*LDAP query timed out. Try to adjust "timeout" parameter*
*LDAP query timed out. Try to adjust "timeout" parameter*

I just replaced the IPs and the actual names with something more generic.

Regards,

Walter

On Thu, Nov 6, 2014 at 5:00 PM, Martin Basti <mba...@redhat.com <mailto:mba...@redhat.com>> wrote:

    On 06/11/14 14:58, Walter van Lille wrote:
    Hi,

    I need some assistance please.
    I've taken over an IPA server to manage a few months ago, and it
    was working fine until recently when it started acting up
    seemingly off its own accord.
    When I do an ipactl status it basically gives an output as shown
    below:


    *Directory Service: RUNNING
    *
    *
    *
    *Loooooooooooooooooooooooooooooooooooooooooooooooooong pause...
    (To the tune of 7 minutes sometimes)*
    *
    *
    *KDC Service: RUNNING*
    *KPASSWD Service: RUNNING*
    *DNS Service: RUNNING*
    *MEMCACHE Service: RUNNING*
    *HTTP Service: RUNNING*
    *CA Service: RUNNING*
    *ADTRUST Service: RUNNING*
    *EXTID Service: RUNNING*

    Running top showed that ns-slapd was munching almost all my
    resources, but I got that fixed by upping the cache.
    Unfortunately this did not correct the issue and it still reacts
    in the same fashion, although the resources have been freed up now.
    I've noticed that when I run dig on either the local server or a
    remote machine that the query basically just times out as shown here:

    *dig freeipa.myexample.sample*
    *
    *
    *; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>>
    freeipa.myexample.sample*
    *;; global options: +cmd*
    *;; connection timed out; no servers could be reached*

    When the KDC service fails to start, then name lookups seem OK,
    but authentication fails. otherwise it's dead in the water.

    This also happens:

    *sudo ipactl status*
    *Directory Service: RUNNING*
    *Unknown error when retrieving list of services from LDAP:*
    *
    *
    My software setup is as follows:

    *CentOS release 6.5 (Final)
    *
    *389-ds-base.x86_64   1.2.11.15-34.el6_5
    *
    *bind.x86_64  32:9.8.2-0.23.rc1.el6_5.1
    *
    *bind-dyndb-ldap.x86_64*
    *bind-libs.x86_64 32:9.8.2-0.23.rc1.el6_5.1*
    *bind-utils.x86_64  32:9.8.2-0.23.rc1.el6_5.1*
*rpcbind.x86_64 0.2.0-11.el6 @anaconda-CentOS-201311291202.x86_64/6.5*
    *samba4-winbind.x86_64*
    *krb5-server.x86_64   1.10.3-15.el6_5.1
    *
    *
    *
    *Linux 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC
    2014 x86_64 x86_64 x86_64 GNU/Linux
    *

    It's not a permanent situation as it sometimes runs 100% for a
    while, but 80% of the time it is unusable. If anybody can assist
    me, please be so kind.

    Regards,

    Walter

    Hello please which version of bind-dyndb-ldap do you use?
    I had similar issue with bind-dyndb-ldap, but it was development
    version, I'm not sure if this is your case.
    When named was failing, dirserv was really slow.

    Can you send journalctl -b -u named log when dig doesn't work??

-- Martin Basti




--
Martin Basti

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to