On 12/04/2014 09:41 AM, Rich Megginson wrote:
On 12/04/2014 08:39 AM, Rich Megginson wrote:
On 12/04/2014 01:45 AM, Petr Spacek wrote:
On 4.12.2014 05:02, Janelle wrote:
Thanks -- still a bit strange that it did not show up on some servers - very
random and intermittent.

BTW - a bit of information others might find useful. If you try to use the "LDAP" portion of IPA for authentication - rather than fully installing the IPA client and using Kerberos - the servers running ds-389 do not do well in handling the load. In other words - a few hundred hosts trying to authenticate via LDAP only will send CPU through the roof and crash the slapd process
often.

That should not happen.
For crashes, we would need to look at some stack traces: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
For situations when the CPU is through the roof, that is very similar to debugging hangs: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

Sorry, forgot to mention that since this is IPA you'll also need to install the ipa-debuginfo and slapi-nis-debuginfo packages.


I would also add a question about your client configuration.
For example, if you use SSSD with enumerate=true for your clients, then yes, you will get your environment to the knees pretty quickly.


Since IPA is supposed to handle all options, I guess I am disappointed.

regards
~J


On 12/3/14 2:56 PM, Dmitri Pal wrote:
On 12/03/2014 04:40 PM, Janelle wrote:
Here is a bit of a baffling one on 4.0.5:

Replica install p11-kit???
This is a part of the DNSSEC set of packages.

Connection from master to replica is OK.

Connection check OK
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
...

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

LDAP error: UNWILLING_TO_PERFORM
database is read-only


Thoughts?
We need more information about your problem.

As always, please start with information requested on
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs

/var/log/ipa*.log from affected replica will be invaluable (along with exact
package version numbers [including p11-kit] and repo configuration).





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
