-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Martin,
Here are the outputs of the various commands, cleaned of course: time ldapsearch SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: real 0m32.464s user 0m0.385s sys 0m0.052s time host ipa-server-2.foo.org <-- server with issues ipa-server-2.foo.org has address 10.0.0.2 real 0m0.070s user 0m0.010s sys 0m0.006s time host ipa-server-1.foo.org <-- replicant with no issues ipa-server-1.foo.org has address 10.0.0.3 real 0m0.073s user 0m0.012s sys 0m0.006s time kinit kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials real 0m27.049s user 0m0.013s sys 0m0.004s ^^^ has been something I have been seeing intermittently On 6/12/15 12:11 AM, Martin Kosek wrote: >> Hi List, >> >> This is a problem that has surfaced after a reboot of this system >> in particular. It is being really, really slow. In terms of >> hardware usage issues, there are none. It is taking 3-5 minutes >> to list users in the gui. Running commands like >> ipa-replica-manage list is taking between 30seconds and 3 >> minutes. Memory usage is low, cpu usage is low, iops are low. I >> really have no idea where to start here, there is noting really >> damning in the logs. I have tried restarting IPA (ipactl >> restart) stopping and starting IPA (ipactl stop wait... ipactl >> start), and rebooting the entire server. >> >> The oddest thing is that there have been some krb errors saying >> that they cannot contact the krb server.. logging into the gui >> saying your session has timed out.. >> >> It is just general strangeness. >> >> ipa-server-4.1.0-18.el7.centos.3.x86_64 >> sssd-ipa-1.12.2-58.el7_1.6.x86_64 >> krb5-server-1.12.2-14.el7.x86_64 >> >> Any help would be greatly appreciated. >> >> Thanks, Bill > > I would recommend starting with simple things, seeing the > performance and then following with more complex stuff: > > - Try bare "ldapsearch" against the FreeIPA LDAP server, see the > response rate. If it is also slow, we have the root cause. Before > ringing on DS people doors, see if for example DNS is not slow and > there are no DNS timeouts in play - "host ipa.server.test" will > tell you that > > - If DS is OK, try Kerberos - kinit, kvno commands > > - If Kerberos is also OK and "ipa-replica-manage list" is still > slow, maybe we should just "strace" it to see what it waits on. > > HTH, Martin > -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2 Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJVey+3AAoJEJFMz73A1+zruo8P/13JTUKxgSKUchH/2UQWH94N EAPj3hhgNeMjY1TCgjAhceavidXTj5oCbt3D2wSiZwxAodurXy1PkCmQUs9NpZ+N 3uKPD01tSnIl/eocP8aNHNrPfn5W7xijffbpaQsnNCgn5DMvLG0b8sEDKA2A9TQi qhluvjMrWM4yOITc4A2+IWCASy1UfG0fRBuK+hHp+F72at6Q6luEiaxC4TymSF7L f7XomuQmaEnvYl44hlqnyh/9FaERGyFs5crKTrLpFeLPrk149HYHwFqCbd28SY3p QLSQxraLnSvT/7y2d9kc7vmJFvxEFC/q4Q05xL81u/Sg691lb0qX0SVuHfFST87I xSypfQ3110wUzk7X4+oXpPX/ziomsXkjELhi81iurdU/iA9bAqtuEYf8HtvcrF7b QlqZA0t1D78QDTbaNOIE6LVAY2Zxkpdhu/qwCMvtS8TlPGt9U8Kt4U6eoFfTFn8C GFx61vNfBFmqOQX7w0Q36jqUCQG0VRipsC0oeqGVEeUvIDW/G9TG4m8O+vmZ60Lj DgpIoxwXaO4TT5aZcDDpIlgs67ZxaW+9VAmJh+G3w664rQ3jnE6JMwzyxDmqFhZ5 cto0910Y5GqWL9wShmpTBy1/nVAJivdXK4D6eykOgKq80vXKbZOWPqIT2oEqXSA0 rYUBJPLWtHHVLigc6lW7 =R7vN -----END PGP SIGNATURE----- -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project