Re: [Freeipa-users] IPA DNS response issue

2014-03-19 Thread David

On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote:

> On 18.3.2014 15:26, David wrote:
>
>> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
>> odd behavior with respect to serving DNS.  Periodically (interval at random)
>> named running on a replica will stop serving requests from the LDAP server but
>> continue to respond with recursive requests.  This type of failure causes us
>> problems, as you could imagine.  (It doesn't fail cleanly so it won't request
>> from another server.)  We've adjusted the amount of connections each named
>> makes to 389, but it doesn't seem to make a difference.  We're not seeing
>> anything in the logs so troubleshooting this is becoming a bit of a
>> (high-visibility) puzzle to us.
>>
>> I do happen to have a core file that I grabbed last night before sending a
>> SIGKILL to named and restarting.  (A SIGTERM has no effect.)
>>
>> Hopefully there's an easy answer here that we can get rolled into the
>> environment quickly.  FreeIPA has treated us extraordinarily well so far!
>
> Note that David (I guess :-) added logs to the ticket
> https://fedorahosted.org/bind-dyndb-ldap/ticket/131
> and I'm looking into it.


Actually, that's not me!  I don't have anywhere near as much logging...
At least I'm not alone...

Our failures also seem to happen around log rotation time.

The Kerberos ticket expiring is interesting.  I'll poke around on my
installation and see what I see on this side.

If you need any other information, please let me know.

David

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
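The failure described in the thread is awkward to monitor precisely because named keeps answering recursive queries while the LDAP-backed zone goes dark, so a plain "is port 53 up" check never fires. The probe below is an added example, not code from the thread or from FreeIPA; it sends a non-recursive query for a name the IPA zone must answer with the AA bit set and a recursive query for an outside name, then classifies the replica from the two results. The replica address and both names are placeholders you would substitute for your own.

```python
import socket
import struct

# Placeholders (assumptions, not values from the thread).
REPLICA = "192.0.2.10"                  # the replica's named to check
ZONE_NAME = "replica1.ipa.hosted.zone." # a name the LDAP-backed zone must serve
OUTSIDE_NAME = "www.example.com."       # a name only recursion can answer

def build_query(qname, qtype=1, recursion_desired=True, txid=0x1234):
    """Build a minimal RFC 1035 query: header, one question, class IN."""
    flags = 0x0100 if recursion_desired else 0x0000   # only the RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Return (txid, rcode, aa, answer_count) from a response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, bool(flags & 0x0400), an

def probe(server, qname, recursion_desired, timeout=2.0):
    """Send one UDP query; None on timeout or on a mismatched transaction id."""
    query = build_query(qname, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    result = parse_response(data)
    return result if result[0] == 0x1234 else None

def classify(auth_result, recursive_result):
    """Map the two probe outcomes onto the states described in the thread."""
    auth_ok = (auth_result is not None and auth_result[1] == 0
               and auth_result[2] and auth_result[3] > 0)
    rec_ok = recursive_result is not None and recursive_result[1] == 0
    if auth_ok and rec_ok:
        return "healthy"
    if rec_ok:
        return "ldap-backend-stalled"   # recursion works, the IPA zone does not
    if auth_ok:
        return "recursion-broken"
    return "named-down"

def check_replica(server=REPLICA):
    """Run both probes against one replica and return its state string."""
    return classify(probe(server, ZONE_NAME, False),
                    probe(server, OUTSIDE_NAME, True))
```

A SERVFAIL or a timeout on the authoritative probe while the recursive probe still answers is the "ldap-backend-stalled" state; running this from cron gives you the alert the logs did not.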


Re: [Freeipa-users] IPA DNS response issue

2014-03-19 Thread Petr Spacek

On 18.3.2014 15:26, David wrote:
>
> Hi all -
> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
> odd behavior with respect to serving DNS.  Periodically (interval at random)
> named running on a replica will stop serving requests from the LDAP server but
> continue to respond with recursive requests.  This type of failure causes us
> problems, as you could imagine.  (It doesn't fail cleanly so it won't request
> from another server.)  We've adjusted the amount of connections each named
> makes to 389, but it doesn't seem to make a difference.  We're not seeing
> anything in the logs so troubleshooting this is becoming a bit of a
> (high-visibility) puzzle to us.
>
> I do happen to have a core file that I grabbed last night before sending a
> SIGKILL to named and restarting.  (A SIGTERM has no effect.)
>
> Hopefully there's an easy answer here that we can get rolled into the
> environment quickly.  FreeIPA has treated us extraordinarily well so far!
>
> David
>
>
> About our configuration:
>
> OS: CentOS 6.5, x86_64
>
> Packages:
> bind-9.8.2-0.23.rc1.el6_5.1.x86_64
> bind-dyndb-ldap-2.3-5.el6.x86_64
> ipa-server-3.0.0-37.el6.x86_64
>
>
> Configuration:
>
> bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37.
>
> The version of bind is 9.8.2-0.23.rc1
>
> Our dynamic-db section of named.conf is as follows:
>
>
> dynamic-db "ipa" {
>    library "ldap.so";
>    arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
>    arg "connections 10";
>    arg "base cn=dns, dc=XXX,dc=XXX";
>    arg "fake_mname XXX.ipa.hosted.zone.";
>    arg "auth_method sasl";
>    arg "sasl_mech GSSAPI";
>    arg "sasl_user DNS/XXX.ipa.hosted.zone";
>    arg "zone_refresh 0";
>    arg "psearch yes";
>    arg "serial_autoincrement yes";
>    arg "verbose_checks yes";
> };
>
>
> We do not have any text based or DLZ zones configured.
>
> We do not have any global forwarders configured.
>
> We do not have any settings in the global configuration object in LDAP.
>
>
> $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
> SASL/GSSAPI authentication started
>
> ...
>
> # dns, XXX.XXX
> dn: cn=dns,dc=XXX,dc=XXX
> objectClass: idnsConfigObject
> objectClass: nsContainer
> objectClass: top
> cn: dns
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1



Note that David (I guess :-) added logs to the ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/131
and I'm looking into it.

--
Petr^2 Spacek



[Freeipa-users] IPA DNS response issue

2014-03-18 Thread David


Hi all - 


We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some
odd behavior with respect to serving DNS.  Periodically (interval at random)
named running on a replica will stop serving requests from the LDAP server but
continue to respond with recursive requests.  This type of failure causes us
problems, as you could imagine.  (It doesn't fail cleanly so it won't request
from another server.)  We've adjusted the amount of connections each named
makes to 389, but it doesn't seem to make a difference.  We're not seeing
anything in the logs so troubleshooting this is becoming a bit of a
(high-visibility) puzzle to us.

I do happen to have a core file that I grabbed last night before sending a
SIGKILL to named and restarting.  (A SIGTERM has no effect.)

Hopefully there's an easy answer here that we can get rolled into the
environment quickly.  FreeIPA has treated us extraordinarily well so far!

David



About our configuration:

OS: CentOS 6.5, x86_64

Packages:
bind-9.8.2-0.23.rc1.el6_5.1.x86_64
bind-dyndb-ldap-2.3-5.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64


Configuration:

bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37.

The version of bind is 9.8.2-0.23.rc1

Our dynamic-db section of named.conf is as follows:


dynamic-db "ipa" {
  library "ldap.so";
  arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
  arg "connections 10";
  arg "base cn=dns, dc=XXX,dc=XXX";
  arg "fake_mname XXX.ipa.hosted.zone.";
  arg "auth_method sasl";
  arg "sasl_mech GSSAPI";
  arg "sasl_user DNS/XXX.ipa.hosted.zone";
  arg "zone_refresh 0";
  arg "psearch yes";
  arg "serial_autoincrement yes";
  arg "verbose_checks yes";
};


We do not have any text based or DLZ zones configured.

We do not have any global forwarders configured.

We do not have any settings in the global configuration object in LDAP.


$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started

...

# dns, XXX.XXX
dn: cn=dns,dc=XXX,dc=XXX
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

