On 06/12/2015 02:10 PM, Martin Kosek wrote:
On 06/12/2015 09:15 PM, William Graboyes wrote:
Hi Martin,

Here are the outputs of the various commands, cleaned of course:

time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:

real    0m32.464s
user    0m0.385s
sys    0m0.052s

This is quite a long time. We should check the respective dirsrv errors and access log snippets.

Also, the command above did not exit successfully; I would recommend doing at least

# ldapsearch -x -h `hostname` "(uid=admin)"

To eliminate DNS from the equation, use

# time ldapsearch -x -h 127.0.0.1 "(uid=admin)"



time host ipa-server-2.foo.org <-- server with issues
ipa-server-2.foo.org has address 10.0.0.2

real    0m0.070s
user    0m0.010s
sys    0m0.006s

time host ipa-server-1.foo.org <-- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3

real    0m0.073s
user    0m0.012s
sys    0m0.006s

time kinit
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
initial credentials

real    0m27.049s
user    0m0.013s
sys    0m0.004s

^^^ has been something I have been seeing intermittently



On 6/12/15 12:11 AM, Martin Kosek wrote:
Hi List,

This is a problem that has surfaced after a reboot of this system
in particular. It is being really, really slow.  In terms of
hardware usage issues, there are none.  It is taking 3-5 minutes
to list users in the gui. Running commands like
ipa-replica-manage list is taking between 30 seconds and 3
minutes.  Memory usage is low, cpu usage is low, iops are low.  I
really have no idea where to start here, there is nothing really
damning in the logs.  I have tried restarting IPA (ipactl
restart) stopping and starting IPA (ipactl stop wait... ipactl
start), and rebooting the entire server.

The oddest thing is that there have been some krb errors saying
that they cannot contact the krb server.. logging into the gui
saying your session has timed out..

It is just general strangeness.

ipa-server-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
krb5-server-1.12.2-14.el7.x86_64

Any help would be greatly appreciated.

Thanks, Bill

I would recommend starting with simple things, seeing the
performance and then following with more complex stuff:

- Try bare "ldapsearch" against the FreeIPA LDAP server, see the
response rate. If it is also slow, we have the root cause. Before
ringing on DS people's doors, see if for example DNS is not slow and
there are no DNS timeouts in play - "host ipa.server.test" will
tell you that

- If DS is OK, try Kerberos - kinit, kvno commands

- If Kerberos is also OK and "ipa-replica-manage list" is still
slow, maybe we should just "strace" it to see what it waits on.

HTH, Martin

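The layer-by-layer check suggested in the thread (DNS lookup, then LDAP search by hostname, then LDAP search against 127.0.0.1), as an added example that is not part of the original messages. The 5-second threshold, the `IPA_SERVER` variable and the function names are assumptions; `-H ldap://...` is the URI form of the `-h` option used above.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. THRESHOLD and IPA_SERVER are assumed names.
THRESHOLD="${THRESHOLD:-5}"   # seconds above which a step counts as slow (assumption)

# Run a command and print "<elapsed seconds> <exit code>"; its own output is discarded.
probe() {
    local start rc=0
    start=$(date +%s)
    "$@" >/dev/null 2>&1 || rc=$?
    echo "$(( $(date +%s) - start )) $rc"
}

# Decide where to look next from the elapsed seconds of three probes:
# DNS lookup, LDAP search by hostname, LDAP search by 127.0.0.1.
classify() {
    local dns="$1" by_name="$2" by_ip="$3"
    if [ "$dns" -gt "$THRESHOLD" ]; then
        echo "dns-slow"                # the resolver itself is timing out
    elif [ "$by_ip" -gt "$THRESHOLD" ]; then
        echo "directory-slow"          # slow even without DNS: read dirsrv errors/access logs
    elif [ "$by_name" -gt "$THRESHOLD" ]; then
        echo "name-resolution-slow"    # only the by-name path is slow
    else
        echo "ldap-ok"                 # continue with kinit/kvno, then strace
    fi
}

# Probe one server and print the timings, exit codes and the verdict.
diagnose() {
    local server="$1" r dns name rc_name ip rc_ip
    r=$(probe host "$server");                                     dns=${r% *}
    r=$(probe ldapsearch -x -H "ldap://$server" "(uid=admin)");    name=${r% *}; rc_name=${r#* }
    r=$(probe ldapsearch -x -H "ldap://127.0.0.1" "(uid=admin)");  ip=${r% *};   rc_ip=${r#* }
    echo "dns=${dns}s ldap-by-name=${name}s rc=${rc_name} ldap-by-ip=${ip}s rc=${rc_ip}"
    classify "$dns" "$name" "$ip"
}

# Only contact a server when one is named explicitly.
if [ -n "${IPA_SERVER:-}" ]; then
    diagnose "$IPA_SERVER"
fi
```

Run it on the affected server as `IPA_SERVER=$(hostname) ./script.sh`; the Kerberos step (`time kinit`) is left to run by hand because it prompts for a password.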


