On 06/12/2015 02:10 PM, Martin Kosek wrote:
On 06/12/2015 09:15 PM, William Graboyes wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Here are the outputs of the various commands, cleaned of course:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
This is quite long time. We should check respective dirsrv errors and
access logs snippets.
Also, the command above did not exit successfully, I would recommend
doing at least
# ldapsearch -x -h `hostname` "(uid=admin)"
To eliminate DNS from the equation, use
# time ldapsearch -x -h 127.0.0.1 "(uid=admin)"
time host ipa-server-2.foo.org <-- server with issues
ipa-server-2.foo.org has address 10.0.0.2
time host ipa-server-1.foo.org <-- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting
^^^ has been something I have been seeing intermittently
On 6/12/15 12:11 AM, Martin Kosek wrote:
This is a problem that has surfaced after a reboot of this system
in particular. It is being really, really slow. In terms of
hardware usage issues, there are none. It is taking 3-5 minutes
to list users in the gui. Running commands like
ipa-replica-manage list is taking between 30seconds and 3
minutes. Memory usage is low, cpu usage is low, iops are low. I
really have no idea where to start here, there is noting really
damning in the logs. I have tried restarting IPA (ipactl
restart) stopping and starting IPA (ipactl stop wait... ipactl
start), and rebooting the entire server.
The oddest thing is that there have been some krb errors saying
that they cannot contact the krb server.. logging into the gui
saying your session has timed out..
It is just general strangeness.
Any help would be greatly appreciated.
I would recommend starting with simple things, seeing the
performance and then following with more complex stuff:
- Try bare "ldapsearch" against the FreeIPA LDAP server, see the
response rate. If it is also slow, we have the root cause. Before
ringing on DS people doors, see if for example DNS is not slow and
there are no DNS timeouts in play - "host ipa.server.test" will
tell you that
- If DS is OK, try Kerberos - kinit, kvno commands
- If Kerberos is also OK and "ipa-replica-manage list" is still
slow, maybe we should just "strace" it to see what it waits on.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project