This is a problem that has surfaced after a reboot of this system in
particular. It is being really, really slow. In terms of hardware
usage issues, there are none. It is taking 3-5 minutes to list users
in the gui. Running commands like ipa-replica-manage list is taking
between 30seconds and 3 minutes. Memory usage is low, cpu usage is
low, iops are low. I really have no idea where to start here, there
is noting really damning in the logs. I have tried restarting IPA
(ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl
start), and rebooting the entire server.
The oddest thing is that there have been some krb errors saying that
they cannot contact the krb server.. logging into the gui saying your
session has timed out..
It is just general strangeness.
Any help would be greatly appreciated.
I would recommend starting with simple things, seeing the performance and then
following with more complex stuff:
- Try bare "ldapsearch" against the FreeIPA LDAP server, see the response rate.
If it is also slow, we have the root cause. Before ringing on DS people doors,
see if for example DNS is not slow and there are no DNS timeouts in play -
"host ipa.server.test" will tell you that
- If DS is OK, try Kerberos - kinit, kvno commands
- If Kerberos is also OK and "ipa-replica-manage list" is still slow, maybe we
should just "strace" it to see what it waits on.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project