Re: [Freeipa-users] IPA DNS response issue
On Wed, Mar 19, 2014 at 01:57:24PM +0100, Petr Spacek wrote:
> On 18.3.2014 15:26, David wrote:
>> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop serving requests from the LDAP server but continue to respond with recursive requests. This type of failure causes us problems, as you could imagine. (It doesn't fail cleanly so it won't request from another server.)
>>
>> We've adjusted the amount of connections each named makes to 389, but it doesn't seem to make a difference. We're not seeing anything in the logs so troubleshooting this is becoming a bit of a (high-visibility) puzzle to us.
>>
>> I do happen to have a core file that I grabbed last night before sending a SIGKILL to named and restarting. (A SIGTERM has no effect.)
>>
>> Hopefully there's an easy answer here that we can get rolled into the environment quickly. FreeIPA has treated us extraordinarily well so far!
>
> Note that David (I guess :-) added logs to the ticket
> https://fedorahosted.org/bind-dyndb-ldap/ticket/131 and I'm looking into it.

Actually, that's not me! I don't have anywhere near as much logging... At least I'm not alone... Our failures also seem to happen around log rotation time. The Kerberos ticket expiring is interesting. I'll poke around on my installation and see what I see on this side.

If you need any other information, please let me know.

David

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA DNS response issue
On 18.3.2014 15:26, David wrote:
> Hi all -
>
> We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop serving requests from the LDAP server but continue to respond with recursive requests. This type of failure causes us problems, as you could imagine. (It doesn't fail cleanly so it won't request from another server.)
>
> We've adjusted the amount of connections each named makes to 389, but it doesn't seem to make a difference. We're not seeing anything in the logs so troubleshooting this is becoming a bit of a (high-visibility) puzzle to us.
>
> I do happen to have a core file that I grabbed last night before sending a SIGKILL to named and restarting. (A SIGTERM has no effect.)
>
> Hopefully there's an easy answer here that we can get rolled into the environment quickly. FreeIPA has treated us extraordinarily well so far!
>
> David
>
> About our configuration:
>
> OS: CentOS 6.5, x86_64
>
> Packages:
> bind-9.8.2-0.23.rc1.el6_5.1.x86_64
> bind-dyndb-ldap-2.3-5.el6.x86_64
> ipa-server-3.0.0-37.el6.x86_64
>
> Configuration:
> bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37. The version of bind is 9.8.2-0.23.rc1
>
> Our dynamic-db section of named.conf is as follows:
>
> dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
>         arg "connections 10";
>         arg "base cn=dns, dc=XXX,dc=XXX";
>         arg "fake_mname XXX.ipa.hosted.zone.";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/XXX.ipa.hosted.zone";
>         arg "zone_refresh 0";
>         arg "psearch yes";
>         arg "serial_autoincrement yes";
>         arg "verbose_checks yes";
> };
>
> We do not have any text based or DLZ zones configured.
> We do not have any global forwarders configured.
> We do not have any settings in the global configuration object in LDAP.
>
> $ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
> SASL/GSSAPI authentication started
> ...
> # dns, XXX.XXX
> dn: cn=dns,dc=XXX,dc=XXX
> objectClass: idnsConfigObject
> objectClass: nsContainer
> objectClass: top
> cn: dns
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

Note that David (I guess :-) added logs to the ticket
https://fedorahosted.org/bind-dyndb-ldap/ticket/131 and I'm looking into it.

-- 
Petr^2 Spacek
[Freeipa-users] IPA DNS response issue
Hi all -

We have an installation of FreeIPA (through CentOS 6.5) that's exhibiting some odd behavior with respect to serving DNS. Periodically (interval at random) named running on a replica will stop serving requests from the LDAP server but continue to respond with recursive requests. This type of failure causes us problems, as you could imagine. (It doesn't fail cleanly so it won't request from another server.)

We've adjusted the amount of connections each named makes to 389, but it doesn't seem to make a difference. We're not seeing anything in the logs so troubleshooting this is becoming a bit of a (high-visibility) puzzle to us.

I do happen to have a core file that I grabbed last night before sending a SIGKILL to named and restarting. (A SIGTERM has no effect.)

Hopefully there's an easy answer here that we can get rolled into the environment quickly. FreeIPA has treated us extraordinarily well so far!

David

About our configuration:

OS: CentOS 6.5, x86_64

Packages:
bind-9.8.2-0.23.rc1.el6_5.1.x86_64
bind-dyndb-ldap-2.3-5.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64

Configuration:
bind-dyndb-ldap is used in conjunction with IPA 3.0.0-37. The version of bind is 9.8.2-0.23.rc1

Our dynamic-db section of named.conf is as follows:

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-XXX-XXX.socket";
        arg "connections 10";
        arg "base cn=dns, dc=XXX,dc=XXX";
        arg "fake_mname XXX.ipa.hosted.zone.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/XXX.ipa.hosted.zone";
        arg "zone_refresh 0";
        arg "psearch yes";
        arg "serial_autoincrement yes";
        arg "verbose_checks yes";
};

We do not have any text based or DLZ zones configured.
We do not have any global forwarders configured.
We do not have any settings in the global configuration object in LDAP.

$ ldapsearch -Y GSSAPI -b 'cn=dns,dc=XXX,dc=XXX' '(objectClass=idnsConfigObject)'
SASL/GSSAPI authentication started
...
# dns, XXX.XXX
dn: cn=dns,dc=XXX,dc=XXX
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: top
cn: dns

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
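The failure described in this post is awkward to monitor because named does not die: port 53 stays open and recursive queries keep getting answers, so an "is the resolver up" check passes while the LDAP-backed zones go silent and only SIGKILL clears it. The probe below is an added example, not code from the original post, from FreeIPA or from bind-dyndb-ldap. It uses only the Python standard library, builds the DNS packets by hand, and sends two queries to one replica: the zone's own SOA (which must come back with the AA bit set if the LDAP backend is being served) and an A lookup for an outside name (which exercises recursion). The server address, the zone name "ipa.example.test." and the external name "www.example.net." are placeholders I chose, not values from the thread.

```python
"""Probe a replica's named for the split failure in the thread:
recursion still answered, LDAP-backed zones silent.

Added example, not code from the original post, FreeIPA or bind-dyndb-ldap.
Standard library only; DNS packets are built by hand. Server address, zone
name and external probe name are assumed placeholders.
"""
import random
import socket
import struct
import sys

TIMEOUT = 2.0   # seconds; a hung LDAP-backed lookup shows up as a timeout, not an error
QTYPE_A = 1
QTYPE_SOA = 6


def build_query(name, qtype, rd=True, qid=None):
    """Return (id, wire) for a one-question DNS query (RFC 1035 section 4.1)."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000                  # RD bit only
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)   # class IN


def parse_response(wire, expected_id):
    """Decode the 12-byte header; raise ValueError if it is not a matching reply."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if qid != expected_id:
        raise ValueError("response id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F,
            "aa": bool(flags & 0x0400),      # authoritative answer
            "ra": bool(flags & 0x0080),      # recursion available
            "ancount": ancount}


def probe(server, name, qtype, port=53):
    """One UDP query; returns the parsed header, or None on timeout."""
    qid, wire = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT)
        sock.sendto(wire, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, qid)


def classify(auth_result, recursive_result):
    """Map the two probe outcomes onto the states described in the thread."""
    # The zone's own SOA must come back with AA set; a cached or forwarded
    # answer without AA would not prove the LDAP backend is being read.
    auth_ok = (auth_result is not None and auth_result["aa"]
               and auth_result["rcode"] == 0)
    # NOERROR or NXDOMAIN both show the resolver side is alive.
    rec_ok = recursive_result is not None and recursive_result["rcode"] in (0, 3)
    if auth_ok and rec_ok:
        return "healthy"
    if rec_ok:
        return "ldap-backed zones not answering, recursion still works"
    if auth_ok:
        return "recursion failing, authoritative zones fine"
    return "named not responding"


def check_server(server, zone, external_name):
    """Run both probes against one replica and return its state string."""
    auth = probe(server, zone, QTYPE_SOA)
    rec = probe(server, external_name, QTYPE_A)
    return classify(auth, rec)


if __name__ == "__main__":
    # Assumed placeholders; replace with a replica's address and the IPA zone.
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    zone = sys.argv[2] if len(sys.argv) > 2 else "ipa.example.test."
    print(check_server(server, zone, "www.example.net."))
```

Run it from cron against each replica with the real address and zone; the "ldap-backed zones not answering, recursion still works" state is the one this thread is about, and treating a timeout (rather than an error rcode) as the trigger matters because, as the post says, the server does not fail cleanly.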