Hi Daryl,
Once initialized with 150000+ users, the DS instance takes more than a
minute to start.
I guess a plugin startup may delay the DS startup itself, and some pstacks
during that minute will give us some info.
Regarding the krb authentication, it is difficult to say if it is
delayed by the number of users. You may issue something like 'ipa
user-find <xxx>' and the access log should show if the authentication
phase is really slow.
thanks
thierry
On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote:
On 03/11/16 02:40, thierry bordaz wrote:
Hello Daryl,
My understanding is that ns-slapd is first slow to start up. Then
when krb5kdc is starting it may load ns-slapd.
We identified that krb5kdc may be impacted by the number of user
accounts.
From the ns-slapd errors log it is not clear why it is so slow to
start.
Would you provide the ns-slapd access logs from that period?
I provided the one from the instance at the link below because it was
too large to attach to the e-mail. Or is there some other log showing
what's needed? Or some debug option I need to turn up?
Also in order to know where ns-slapd is spending time, it would
really help if you can get regular (each 5s) pstacks (with
389-ds-debuginfo), during DS startup and then later during
krb5kdc startup.
Will do but it will be next week before I can get it. I have an
all-day first aid and safety training course today.
best regards
thierry
On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:
Environment:
RHEL 7.2
IPA 4.2.0-15
nss 3.19.1-19
389-ds-base 1.3.4.0-26
sssd 1.13.0-40
I've encountered this problem in IPA 3.0.0 but hoped it was
addressed in 4.2.0.
Trying to set up a replica of a master with 150,000+ user accounts,
NIS and Schema Compatibility enabled on the master.
During ipa-replica-install it attempts to start IPA. dirsrv starts,
krb5kdc starts, but then kadmind fails because krb5kdc has gone
missing.
This happens during restart of IPA in version 3.0.0 too. There it
can be overcome by manually starting each component of IPA _but_
waiting until ns-slapd-<instance> has settled down (as seen from
top) before starting krb5kdc. I also think that the startup of
krb5kdc loads the LDAP instance quite a bit.
There is a problem in the startup logic where dirsrv is so busy that
even though krb5kdc successfully starts and allows the kadmin to
begin, krb5kdc is not really able to do its duties.
I'm reporting this since there must be some way to delay the start
of krb5kdc and then kadmind until ns-slapd-<instance> is really open
for business.
# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service;
disabled; vendor preset: disabled)
Active: inactive (dead)
Mar 10 14:19:13 jutta.cc.umanitoba.ca systemd[1]: Stopped Kerberos 5
KDC.
Mar 10 14:20:36 jutta.cc.umanitoba.ca systemd[1]: Starting Kerberos
5 KDC...
Mar 10 14:20:39 jutta.cc.umanitoba.ca systemd[1]: Started Kerberos 5
KDC.
journalctl -xe was stale by the time I got to it so I've attached
/var/log/messages instead.
The log from ipa-replica-install (with -d) is at
http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
The console script (mostly the same as the log but with my entries)
is at
http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
The /var/log/dirsrv/ns-slapd-<instance> access log is at
http://home.cc.umanitoba.ca/~fonsecah/ipa/access
Regards, Daryl
--
Daryl Fonseca-Holt
IST/CNS/Unix Server Team
University of Manitoba
204.480.1079
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
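Thierry's advice above is to read the ns-slapd access log to see whether the authentication phase is slow. As an added example that is not part of this thread, here is a small Python parser for 389-ds access-log lines that pairs each request (BIND, SRCH, ...) with its RESULT on the same conn/op and reports etime. The sample lines are constructed (the realm, suffix and connection numbers are made up); it assumes the 389-ds access-log layout, with etime as whole seconds in 1.3.x or fractional seconds in newer releases.

```python
import re

# Constructed sample in the 389-ds 1.3.x access-log format (not lines from the log linked above).
# The realm, suffix and connection numbers are made up; op=0/op=1 show a two-step GSSAPI bind.
SAMPLE_LOG = """\
[10/Mar/2016:14:20:36 -0600] conn=7 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[10/Mar/2016:14:20:36 -0600] conn=7 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Mar/2016:14:20:36 -0600] conn=7 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Mar/2016:14:20:36 -0600] conn=7 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Mar/2016:14:20:41 -0600] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=5 dn="krbprincipalname=kadmin/admin@EXAMPLE.TEST,cn=example.test,cn=kerberos,dc=example,dc=test"
[10/Mar/2016:14:20:41 -0600] conn=7 op=2 SRCH base="cn=kerberos,dc=example,dc=test" scope=2 filter="(objectClass=krbPrincipal)" attrs=ALL
[10/Mar/2016:14:20:53 -0600] conn=7 op=2 RESULT err=0 tag=101 nentries=1 etime=12
[10/Mar/2016:14:20:54 -0600] conn=9 op=0 SRCH base="dc=example,dc=test" scope=2 filter="(uid=xxx)" attrs=ALL
"""

# Request lines carry conn=/op= plus an upper-case operation name; a RESULT line closes the same conn/op.
OP_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
# etime is whole seconds in 1.3.x; newer releases log fractions, so accept both.
RESULT_RE = re.compile(r'err=(?P<err>\d+) .*?etime=(?P<etime>\d+(?:\.\d+)?)')

def parse_operations(log_text):
    """Pair each request with its RESULT; requests still in flight are returned last with etime=None."""
    pending, finished = {}, []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # connection open/close lines have no op=
        key = (int(m['conn']), int(m['op']))
        if m['kind'] != 'RESULT':
            pending[key] = {'conn': key[0], 'op': key[1], 'kind': m['kind'],
                            'detail': m['rest'].strip(), 'err': None, 'etime': None}
            continue
        r, req = RESULT_RE.search(m['rest']), pending.pop(key, None)
        if r and req:
            req['err'], req['etime'] = int(r['err']), float(r['etime'])
            finished.append(req)
    return finished + list(pending.values())

def slow_operations(log_text, threshold_seconds=1.0):
    """Completed operations at or above the threshold, slowest first."""
    ops = [o for o in parse_operations(log_text)
           if o['etime'] is not None and o['etime'] >= threshold_seconds]
    return sorted(ops, key=lambda o: o['etime'], reverse=True)

def bind_summary(log_text):
    """Count, mean and max etime of completed BINDs: a high max here means a slow authentication phase."""
    times = [o['etime'] for o in parse_operations(log_text)
             if o['kind'] == 'BIND' and o['etime'] is not None]
    return {'count': len(times), 'mean': sum(times) / len(times) if times else 0.0, 'max': max(times, default=0.0)}
```

Run it over the real access log with `slow_operations(open(path).read())` to list the operations that took longest around the krb5kdc start.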