On 07/24/2015 01:20 AM, Torsten Harenberg wrote:
Dear Rich and all,

thanks to everbody! Really thankful for your support.

The situation really approved.

We:

- enlarged the caches for 389ds until the WARNING messages disappeared
in the log files,
- (just to be sure) re-sync'ed firewalld rules between primary and
secondary server.

Now the server was stable, Kerberos and 389ds are still alive and all
clients can still resolve all users. There is only one issue left (see
bottom).


First let us answer that:

Am 23.07.15 um 18:28 schrieb Rich Megginson:

# ldapsearch -xLLL -D "cn=directory manager" -W -s base -b
"dc=uni-wuppertal,dc=de"

This search should return immediately.  If it hangs, then the problem is
in slapd, and get a stack trace as before.

[root@ipa httpd]# time ldapsearch -xLLL -D "cn=directory manager" -W -s
base -b "dc=pleiades,dc=uni-wuppertal,dc=de"
Enter LDAP Password:
dn: dc=pleiades,dc=uni-wuppertal,dc=de
objectClass: top
objectClass: domain
objectClass: pilotObject
objectClass: domainRelatedObject
objectClass: nisDomainObject
dc: pleiades
info: IPA V2.0
nisDomain: pleiades.uni-wuppertal.de
associatedDomain: pleiades.uni-wuppertal.de


real    0m4.559s
user    0m0.403s
sys     0m0.057s
[root@ipa httpd]#

Looks okay to us, or?

4 seconds?  That seems way too long.

What does the dirsrv access log look like for this sequence of operations? There will be a connection, a BIND, a SRCH, and an UNBIND.


So.. here is the problem which is left over. When logging in as admin
now through th web page or locally:

[Thu Jul 23 21:43:47.340133 2015] [wsgi:error] [pid 1134] ipa: INFO:
[jsonserver_session] wens...@pleiades.uni-wuppertal.de:
radiusproxy_find(None, version=u'2.114'): SUCCESS
[Thu Jul 23 21:43:48.758849 2015] [wsgi:error] [pid 1133] ipa: INFO:
[jsonserver_session] wens...@pleiades.uni-wuppertal.de: user_find(None,
version=u'2.114'): SUCCESS
[Fri Jul 24 07:20:10.198903 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:20:10.198977 2015] [wsgi:error] [pid 1134]
[Fri Jul 24 07:20:18.181715 2015] [wsgi:error] [pid 1133] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:20:18.181809 2015] [wsgi:error] [pid 1133]
[Fri Jul 24 07:21:12.919751 2015] [wsgi:error] [pid 1134] ipa: INFO: 401
Unauthorized: kinit: Clients credentials have been revoked while getting
initial credentials
[Fri Jul 24 07:21:12.919878 2015] [wsgi:error] [pid 1134]
[root@ipa httpd]# kinit admin
kinit: Clients credentials have been revoked while getting initial
credentials
[root@ipa httpd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@pleiades.uni-wuppertal.de

Valid starting       Expires              Service principal
07/23/2015 11:44:13  07/24/2015 11:44:08
HTTP/ipa.pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
07/23/2015 11:44:11  07/24/2015 11:44:08
krbtgt/pleiades.uni-wuppertal...@pleiades.uni-wuppertal.de
[root@ipa httpd]#


Hope you have an idea about that one as well :).

I do not, sorry.  Maybe one of our kerberos experts will know.


Thanks

  Marisa and Torsten



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to