Hi All,

We are having an issue where a client is showing sssd eating up 100%
cpu and we cannot log into it via ssh, i.e. trying to ssh to it just hangs and
never prompts for a password.  We have to get to the box from the console at
that point.

Top output on client
  2365 root     -30   0 89600  79m  18m R 124.5  0.0  22:15.22 rmcd
  2627 root      20   0  159m  27m  18m R 100.0  0.0  10:40.98 sssd_be
  92718 root      20   0  159m  11m 2560 R 98.8  0.0   0:13.65 sssd_be

The sssd logs on the client in question are showing:
                                                                                
                     
tail -f sssd_ssh.log
(Wed Nov 4 09:29:30 2015) [sssd[ssh]] [ssh_dp_reconnect_init] (0x0010): Could not reconnect to domain.name provider.
(Wed Nov 4 09:30:00 2015) [sssd[ssh]] [ssh_dp_reconnect_init] (0x0010): Could not reconnect to domain.name provider.
(Wed Nov 4 09:30:30 2015) [sssd[ssh]] [ssh_dp_reconnect_init] (0x0010): Could not reconnect to domain.name provider.
(Wed Nov 4 09:31:30 2015) [sssd[ssh]] [dp_id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]

The Client is running:
Red Hat Enterprise Linux Server release 6.6 (Santiago)
sssd-ipa-1.11.6-30.el6_6.4.ppc64
ipa-client-3.0.0-42.el6.ppc64


I have been looking into the logs on our IPA server and found this, but I am
not sure what to make of it, as the dirsrv is on the IPA server, or whether it
is even related to the client issue.

/var/log/dirsrv/slapd-DOMAIN-LOCAL
slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)

/var/log/dirsrv/slapd-PKI-IPA shows:
slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)


IPA server is running:
ipa-server-3.0.0-47.el6.x86_64
Red Hat Enterprise Linux Server release 6.7 (Santiago)
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.x86_64

ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

It seems to be sporadic, as the client was working fine under a heavy
application load (application ID is in IPA) and once the load test was over
sssd started causing the DoS.  We have seen this happen a few times over
the past few days and it does not always happen after a load test is complete.
I have been shutting down sssd and restarting it to clear it up and allow
ssh logins.  Is the version difference between the ipa client/sssd and
server an issue, and any ideas on where to go next?



Sean Hogan
Security Engineer
CISSP, RHSA, CCNA
Watson Security & Risk Assurance
Watson Cloud Technology and Support
email: scho...@us.ibm.com | Tel 919 486 1397




