On 09/18/2015 12:24 AM, HECTOR LOPEZ wrote:
This is rhel 7.1 with ipa version 4.1.0
user-show shows the user. However, if the user contains
ipaNTSecurityIdentifier: attribute, user-del hangs with no response.
Meanwhile, the KDC and 389ds stop working. The only way to recover
functionality is to reboot the machine. ipactl restart does nothing.
If it hangs again, could you get a pstack of the slapd process?
If you then kill slapd, does ipactl restart work?
In the ldap access log I see this when trying to delete user sclown:
[14/Sep/2015:09:28:27 -0700] conn=326 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"
[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[14/Sep/2015:09:30:06 -0700] conn=20 op=288 RESULT err=32 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 SORT notBefore
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 VLV 200:0:20150914093009Z 1:0 (0)
[14/Sep/2015:09:30:08 -0700] conn=12 op=444 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 SORT notAfter
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 VLV 200:0:20150914093009Z 1:10 (0)
[14/Sep/2015:09:30:08 -0700] conn=12 op=445 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo notAfter notBefore duration extension subjectName userCertificate version algorithmId signingAlgorithmId publicKeyData"
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 VLV 200:0:20150914093009Z 0:0 (0)
[14/Sep/2015:09:30:08 -0700] conn=12 op=446 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[14/Sep/2015:09:30:08 -0700] conn=12 op=447 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2015:09:30:19 -0700] conn=322 op=6 UNBIND
Then in the ldap error log I see this, which makes me think there is a
problem with the changelog:
[14/Sep/2015:09:30:03 -0700] - dn2entry_ext: Failed to get id for changenumber=91314,cn=changelog from entryrdn index (-30993)
[14/Sep/2015:09:30:03 -0700] - Operation error fetching changenumber=91314,cn=changelog (null), error -30993.
[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.
[14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]
After this both kdc and ldap stop responding. In the krb5kdc.log I see
server errors after the user-del command is run. The only way to
resume normal operations is to restart the whole machine. ipactl
restart doesn't work.
Any help would be highly appreciated!
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
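The symptom in the post is visible in the logs themselves: the DEL on conn=326 op=19 never gets a RESULT line, and the error log shows the Retro Changelog plugin failing at the same time. The following added triage script (not from the thread or the FreeIPA project) scans a 389-ds access log for write operations that never completed and pairs each with retrocl errors logged shortly afterwards; the log formats are those shown in the post, and the 300-second correlation window is an arbitrary assumption.

```python
import re
from datetime import datetime

# 389-ds access log: "[ts] conn=N op=M OPTYPE ..."; error log: "[ts] PLUGIN - message"
ACCESS_RE = re.compile(r"^\[([^\]]+)\] conn=(\d+) op=(\d+) (\w+)\s*(.*)$")
RETROCL_RE = re.compile(r"^\[([^\]]+)\] (?:DSRetroclPlugin|retrocl-plugin) - (.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WRITE_OPS = {"ADD", "MOD", "DEL", "MODRDN"}

def unfinished_write_ops(access_lines):
    """Write ops logged without a matching RESULT line: a DEL that never
    completes is exactly the 'user-del hangs' symptom from the post."""
    pending = {}
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts, conn, op, optype, detail = m.groups()
        key = (int(conn), int(op))
        if optype == "RESULT":
            pending.pop(key, None)  # op finished (the err= field says how)
        elif optype in WRITE_OPS:
            pending[key] = (datetime.strptime(ts, TS_FMT), optype, detail)
    return pending

def retrocl_failures(error_lines):
    """Retro Changelog plugin messages from the error log as (time, text)."""
    hits = [RETROCL_RE.match(l) for l in error_lines]
    return [(datetime.strptime(m.group(1), TS_FMT), m.group(2)) for m in hits if m]

def correlate(access_lines, error_lines, window_s=300):
    """Pair each hung write op with retrocl errors logged up to window_s later."""
    failures = retrocl_failures(error_lines)
    report = []
    for (conn, op), (ts, optype, detail) in unfinished_write_ops(access_lines).items():
        errs = [msg for ets, msg in failures if 0 <= (ets - ts).total_seconds() <= window_s]
        report.append({"conn": conn, "op": op, "type": optype, "detail": detail, "retrocl": errs})
    return report

# Constructed sample: the relevant lines quoted in the post, rejoined one record per line.
ACCESS = [
    '[14/Sep/2015:09:28:27 -0700] conn=326 op=19 DEL dn="uid=sclown,cn=users,cn=accounts,dc=some,dc=domain,dc=org"',
    '[14/Sep/2015:09:30:03 -0700] conn=12 op=442 MOD dn="cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca"',
    '[14/Sep/2015:09:30:03 -0700] conn=12 op=442 RESULT err=1 tag=103 nentries=0 etime=0',
]
ERRORS = [
    '[14/Sep/2015:09:30:03 -0700] DSRetroclPlugin - replog: an error occured while adding change number 91314, dn = changenumber=91314,cn=changelog: Operations error.',
    '[14/Sep/2015:09:30:03 -0700] retrocl-plugin - retrocl_postob: operation failure [1]',
]
```

Running `correlate(ACCESS, ERRORS)` on the sample reports the single hung DEL together with both retrocl messages; the MOD on conn=12 is not reported because it did get a RESULT, albeit err=1.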