Re: [Freeipa-users] Which client is noisy?

2015-06-02 Thread thierry bordaz

On 06/01/2015 05:10 PM, Innes, Duncan wrote:

Petr,

We're using a different domain for IPA thankfully (unix.example.com),
but the AD guys control DNS and don't want to touch anything in the DNS
that might affect their example.com records.  Everything is on the same
VLANs, so I didn't want to press with any configuration request that
might have broken things.

Thierry,

Looking at the logconv output, rebooting the noisiest IPA server,
looking at the data again - it's becoming more clear that the failover
of the clients is moving to the next system in the list, but then
remaining there until it's forced to by that one going offline too.  I
knew this might happen when we designed the system, but as I said above,
we didn't meet a very flexible AD team.

Hello Innes,

   The routing of the LDAP client request is usually done by a proxy
   or something acting like a proxy.
   It is sometimes preferable that, after a failover to a backup server,
   the LDAP client sticks to the backup server,
   as we do not know exactly when the principal server will be able to
   handle the load.

   thanks
   thierry



Cheers all,

Duncan

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: 01 June 2015 15:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Which client is noisy?

On 1.6.2015 10:56, Innes, Duncan wrote:

We don't have access to the _SRV_ records as the AD domain controls
that, so we had to hard code the main and failover servers on the

Side note:
It sounds that your FreeIPA setup is using the same domain name as AD
realm.
This is directly against
http://www.freeipa.org/page/Deployment_Recommendations#DNS
and will cause pain moving forward as AD Trusts and DNSSEC validation
will be impossible.

Please follow
http://www.freeipa.org/page/Deployment_Recommendations
for the next deployment :-)

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.


This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). 
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and 
regulated by the Financial Conduct Authority and the Prudential Regulation 
Authority.

The following companies also trade as Virgin Money. They are both authorised 
and regulated by the Financial Conduct Authority, are registered in England and 
Wales and have their registered office at Jubilee House, Gosforth, Newcastle 
upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 
3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at 
virginmoney.com




Re: [Freeipa-users] Which client is noisy?

2015-06-01 Thread thierry bordaz

Hello,

From a DS point of view, you may use logconv.pl to get a rapid summary 
of the received activity (DS access logs).
You may take the same period of time on each server and compare the 
results. It will give hints to know if the difference comes from bind, 
connections, replication session, or ...



thanks
thierry

On 06/01/2015 10:56 AM, Innes, Duncan wrote:
I've got an IPA installation with 8 servers replicating between each 
other across various parts of our network.  Recently I've started 
pushing the dirsrv logs to a remote log collector from 4 of these 
machines and see a huge disparity in the number of entries being sent.

ipa01 - ~42,000 logs per hour
ipa02 - ~13,000 logs per hour
ipa03 - ~80,000 logs per hour
ipa04 - ~20,000 logs per hour
ipa01 & 02 are used as a failover pair for clients in one datacentre.  
ipa03 & 04 are used as a failover pair for clients in another datacentre.
From the logs, is there a way to see if I've got an imbalance of 
clients connecting to each IPA server?  Or a completely different 
log message scenario?
We don't have access to the _SRV_ records as the AD domain controls 
that, so we had to hard code the main and failover servers on the 
ipa_server line in /etc/sssd/sssd.conf, the kdc line in 
/etc/krb5.conf, and the URI line in /etc/openldap/ldap.conf.  As such, 
it's reasonable to suggest that our randomised script for 
allocating primary/secondary on a client isn't as random as we think.
Might it also be possible that due to the hard coding option we had to 
take, our clients end up failing over to a certain server, but then 
never failing back when the primary returns?  Under maintenance we 
generally patch and reboot the odd numbered servers, followed by the 
even servers once the odd servers are back.

Thanks
Duncan

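Thierry's suggestion above (summarise the DS access logs for the same window on each server and compare) and Duncan's two questions (is the client load skewed, and do clients park on the failover server and never come back) can both be answered from the connection-open, BIND and close lines of the 389-ds access log. The following is an added example written for this thread; it is not logconv.pl and not code from the FreeIPA or 389-ds projects. It assumes the remote log collector keeps each server's lines separate (or tagged by host), because conn= ids are only unique within one server process. The server names ipa01/ipa02, the IPs and the sample log lines are constructed for the example.

```python
"""Per-server, per-client summary of 389-ds (FreeIPA) access logs.

Added example; not logconv.pl and not FreeIPA/389-ds project code.
Feeds: one list of access-log lines per IPA server, all for the same
time window. Output: per server, how many connections and binds each
client address produced and how many connections were still open at
the end of the window (clients still attached to that server).
"""
import re
from collections import defaultdict

# Connection-open line (plain or SSL). conn= ids are unique only within
# one server process, so the conn -> client mapping is kept per server.
# e.g. [01/Jun/2015:10:00:01 +0100] conn=1 fd=64 slot=64 connection from 10.1.0.21 to 10.1.0.5
CONN_OPEN = re.compile(
    r"^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"(?:SSL )?connection from (?P<client>\S+) to (?P<server>\S+)"
)
# BIND line; dn="" is an anonymous bind.
BIND = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"')
# Close line; 389-ds logs the close with op=-1.
CLOSE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=-1 fd=\d+ closed")


def _new_client():
    return {"connections": 0, "binds": 0, "anon_binds": 0, "open": 0}


def summarise(logs):
    """logs: {server_name: iterable of access-log lines} -> per-server stats.

    Returns {server: {client: {"connections", "binds", "anon_binds", "open"}}}.
    """
    summary = {}
    for server, lines in logs.items():
        per_client = defaultdict(_new_client)
        conn_client = {}  # conn id -> client address, this server only
        for line in lines:
            m = CONN_OPEN.match(line)
            if m:
                client = m.group("client")
                conn_client[m.group("conn")] = client
                per_client[client]["connections"] += 1
                per_client[client]["open"] += 1
                continue
            m = BIND.match(line)
            if m:
                client = conn_client.get(m.group("conn"))
                if client is None:  # connection opened before the window
                    continue
                per_client[client]["binds"] += 1
                if m.group("dn") == "":
                    per_client[client]["anon_binds"] += 1
                continue
            m = CLOSE.match(line)
            if m:
                client = conn_client.pop(m.group("conn"), None)
                if client is not None:
                    per_client[client]["open"] -= 1
        summary[server] = dict(per_client)
    return summary


def client_distribution(summary):
    """{client: {server: connections}}. A client that only ever appears
    under its backup server while the primary is up is the
    failed-over-but-never-failed-back case."""
    dist = defaultdict(dict)
    for server, clients in summary.items():
        for client, stats in clients.items():
            dist[client][server] = stats["connections"]
    return dict(dist)


def report(summary):
    """Text rows, noisiest (server, client) pair first."""
    rows = [(s["connections"], srv, cl, s)
            for srv, clients in summary.items() for cl, s in clients.items()]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return [f"{srv:<6} {cl:<16} conns={s['connections']:<4} binds={s['binds']:<4} "
            f"anon={s['anon_binds']:<3} open={s['open']}" for _, srv, cl, s in rows]


# Constructed sample: two servers, one short window. Not real log data.
SAMPLE_LOGS = {
    "ipa01": [
        '[01/Jun/2015:10:00:01 +0100] conn=1 fd=64 slot=64 connection from 10.1.0.21 to 10.1.0.5',
        '[01/Jun/2015:10:00:01 +0100] conn=1 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3',
        '[01/Jun/2015:10:00:01 +0100] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0',
        '[01/Jun/2015:10:00:02 +0100] conn=2 fd=65 slot=65 connection from 10.1.0.22 to 10.1.0.5',
        '[01/Jun/2015:10:00:02 +0100] conn=2 op=0 BIND dn="" method=128 version=3',
        '[01/Jun/2015:10:00:03 +0100] conn=1 op=1 UNBIND',
        '[01/Jun/2015:10:00:03 +0100] conn=1 op=-1 fd=64 closed - U1',
        '[01/Jun/2015:10:00:10 +0100] conn=3 fd=64 slot=64 SSL connection from 10.1.0.21 to 10.1.0.5',
        '[01/Jun/2015:10:00:10 +0100] conn=3 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3',
    ],
    "ipa02": [
        '[01/Jun/2015:10:00:05 +0100] conn=1 fd=64 slot=64 connection from 10.1.0.23 to 10.1.0.6',
        '[01/Jun/2015:10:00:05 +0100] conn=1 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=unix,dc=example,dc=com" method=128 version=3',
        '[01/Jun/2015:10:00:06 +0100] conn=1 op=1 UNBIND',
        '[01/Jun/2015:10:00:06 +0100] conn=1 op=-1 fd=64 closed - U1',
    ],
}

if __name__ == "__main__":
    for row in report(summarise(SAMPLE_LOGS)):
        print(row)
```

Run it once on the same hour from each server to get the per-client skew Duncan asked about; run it again on a window after a server has been rebooted and the "open" column shows which clients are still attached to the backup, which is the failover-without-failback behaviour the thread describes. Anonymous binds are counted separately because a client that binds anonymously in a loop is a different problem from an SSSD client with a healthy keytab.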

Re: [Freeipa-users] Which client is noisy?

2015-06-01 Thread Innes, Duncan
Petr,

We're using a different domain for IPA thankfully (unix.example.com),
but the AD guys control DNS and don't want to touch anything in the DNS
that might affect their example.com records.  Everything is on the same
VLANs, so I didn't want to press with any configuration request that
might have broken things.

Thierry,

Looking at the logconv output, rebooting the noisiest IPA server,
looking at the data again - it's becoming more clear that the failover
of the clients is moving to the next system in the list, but then
remaining there until it's forced to by that one going offline too.  I
knew this might happen when we designed the system, but as I said above,
we didn't meet a very flexible AD team. 

Cheers all,

Duncan 

-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: 01 June 2015 15:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Which client is noisy?

On 1.6.2015 10:56, Innes, Duncan wrote:
 We don't have access to the _SRV_ records as the AD domain controls 
 that, so we had to hard code the main and failover servers on the

Side note:
It sounds that your FreeIPA setup is using the same domain name as AD
realm.
This is directly against
http://www.freeipa.org/page/Deployment_Recommendations#DNS
and will cause pain moving forward as AD Trusts and DNSSEC validation
will be impossible.

Please follow
http://www.freeipa.org/page/Deployment_Recommendations
for the next deployment :-)

--
Petr^2 Spacek



Re: [Freeipa-users] Which client is noisy?

2015-06-01 Thread Petr Spacek
On 1.6.2015 10:56, Innes, Duncan wrote:
 We don't have access to the _SRV_ records as the AD domain controls
 that, so we had to hard code the main and failover servers on the

Side note:
It sounds that your FreeIPA setup is using the same domain name as AD realm.
This is directly against
http://www.freeipa.org/page/Deployment_Recommendations#DNS
and will cause pain moving forward as AD Trusts and DNSSEC validation will be
impossible.

Please follow
http://www.freeipa.org/page/Deployment_Recommendations
for the next deployment :-)

-- 
Petr^2 Spacek
