On Wed, 22 Jul 2015, Torsten Harenberg wrote:
Dear community,

we just moved our infrastructure (about 200 node cluster plus about 30
workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).

We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
Xen4).

Approx once a day, the Kerberos service on the primary server suddenly
stops working and I am unable to re-start the service. Only a "full"
reboot helps and during that, the Kerberos shutdown takes about 2
minutes (unsure if it really finishes or if it's the final timeout of
the shutdown script).

Trying to collect as many log messages as possible:


Jul 22 10:52:06 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
AS_REQ (4 etypes {18 17 16 23}) 132.195.124.213: LOOKING_UP_CLIENT:
host/proton.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de, Server error
Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
AS_REQ (4 etypes {18 17 16 23}) 132.195.125.171: LOOKING_UP_CLIENT:
host/wn161.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de for
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de, Server error

Looking at the Kerberos KDC code I see that LOOKING_UP_CLIENT is shown
when the DAL driver returns something different than 'entry does not exist':

   errcode = krb5_db_get_principal(kdc_context, state->request->client,
                                   state->c_flags, &state->client);
   if (errcode == KRB5_KDB_CANTLOCK_DB)
       errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
   if (errcode == KRB5_KDB_NOENTRY) {
       state->status = "CLIENT_NOT_FOUND";
       if (vague_errors)
           errcode = KRB5KRB_ERR_GENERIC;
       else
           errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
       goto errout;
   } else if (errcode) {
       state->status = "LOOKING_UP_CLIENT";
       goto errout;
   }

Our DAL driver may return KRB5_KDB_DBNOTINITED, KRB5_KDB_SERVER_INTERNAL_ERR,
or KRB5_KDB_INTERNAL_ERROR which all may point towards 389-ds failures.

Do you have 389-ds actually operating? If you would install debuginfo
packages, what does 'pstack <pid of ns-slapd>' print?

--
/ Alexander Bokovoy
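
Added example (not part of the original message, and not FreeIPA or MIT krb5 code): a small triage script that applies the distinction described above to krb5kdc log lines, separating CLIENT_NOT_FOUND (the principal does not exist) from LOOKING_UP_CLIENT (the database lookup itself failed). The log sample is constructed with placeholder hosts, realm and addresses, it assumes one record per line as in the log file itself, and the "two or more distinct principals" threshold is an assumed heuristic for suspecting the directory backend rather than a single bad entry.

```python
import re
from collections import Counter

# Constructed sample in krb5kdc log layout; hosts, realm and addresses are placeholders.
SAMPLE_LOG = """\
Jul 22 10:52:01 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.5: ISSUE: authtime 1437555121, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jul 22 10:52:03 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.9: CLIENT_NOT_FOUND: nobody@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Jul 22 10:52:06 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: LOOKING_UP_CLIENT: host/a.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Server error
Jul 22 10:52:11 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: LOOKING_UP_CLIENT: host/b.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Server error
"""

# "<REQ> (<etypes>) <client address>: <STATUS>: <details>"
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?:AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the details
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")

# Status strings as they appear in the KDC log.
STATUS_CLASS = {
    "ISSUE": "ok",                          # ticket issued
    "CLIENT_NOT_FOUND": "unknown_principal",  # lookup worked, entry absent
    "LOOKING_UP_CLIENT": "backend_error",     # lookup failed for another reason
}

def triage(log_text, min_clients=2):
    """Count KDC outcomes and flag a probable database backend failure."""
    counts = Counter()
    failing = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a KDC request record
        kind = STATUS_CLASS.get(m.group("status"), "other")
        counts[kind] += 1
        p = PRINC_RE.search(m.group("rest"))
        if kind == "backend_error" and p:
            failing.add(p.group("client"))
    return {
        "counts": dict(counts),
        "backend_clients": sorted(failing),
        # Assumed heuristic: several different principals failing lookup
        # points at the directory server, not at one broken entry.
        "backend_suspect": len(failing) >= min_clients,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```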
