Re: [Freeipa-users] named's LDAP connection hangs

2014-06-26 Thread Petr Spacek

Hello,

We are still debugging this; I can't reproduce the problem locally.

If you are willing to help with it, please modify named.conf and the script 
which reloads named periodically (logrotate or something like that):


- If you don't have rndc configured, please configure it first:
$ rndc-confgen -a
$ chown named: /etc/rndc.key

- named.conf should contain a logging section like this:
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};
// (please note the line "print-time")

After named.conf modification please don't forget to reload it.

- As a last step, please modify logrotate (or your own reload script) to call 
'rndc trace 4' right before the named reload (SIGHUP signal). This will force 
named to log more information about the reload to /var/named/data/named.run.



Then we need to wait until it happens again. After that, please send me the log 
lines related to the problem (let's say 10 minutes before and after the named reload).


I'm particularly interested in:
/var/named/data/named.run
/var/log/krb5kdc.log

Also, please attach information about which timezone is configured on the server 
that exhibits the problem, and the output of the command "ipa krbtpolicy-show".


Feel free to send me logs privately.

Have a nice day!

Petr^2 Spacek


On 25.6.2014 15:30, Andrew Tranquada wrote:

If there is a resolution to this, we would love to know. We have been 
experiencing the same issues.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
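The diagnostics Petr asks for above (a working rndc, 'rndc trace 4' right before the reload, and the KRB5_TRACE variable from his 16 June reply further down the page) gathered into one wrapper that logrotate can call from its postrotate action. This is an added example, not a script from the thread or from the bind-dyndb-ldap project. It assumes the CentOS 6 bind package layout (/usr/sbin/rndc, /etc/rndc.key, /var/named/data) and an init script that sources /etc/sysconfig/named so that an exported variable there reaches named; the script name named-traced-reload.sh, the krb5_trace.log file name and the RNDC/SYSCONFIG override variables are assumptions of the example. The reload goes through the rndc control channel rather than a raw SIGHUP, which is what Thomas's log line "received control channel command 'reload'" shows was already happening on his server.

```shell
#!/bin/sh
# Added example for the diagnostics Petr asks for; not a script from the thread
# or from bind-dyndb-ldap. Assumed layout: CentOS 6 bind package
# (/usr/sbin/rndc, /etc/rndc.key, /var/named/data) and an init script that
# sources /etc/sysconfig/named, so an exported variable there reaches named.

RNDC="${RNDC:-/usr/sbin/rndc}"            # overridable so the functions can be tested without named
RNDC_KEY="${RNDC_KEY:-/etc/rndc.key}"
SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/named}"
KRB5_TRACE_FILE="${KRB5_TRACE_FILE:-/var/named/data/krb5_trace.log}"
TRACE_LEVEL="${TRACE_LEVEL:-4}"

# Step from the 16 June reply: make the Kerberos library inside named write
# its own trace. Appends the export line once; the environment is read when
# named starts, so this needs a full restart, not a reload, to take effect.
enable_krb5_trace() {
    f="${1:-$SYSCONFIG}"
    if [ -f "$f" ] && grep -q '^export KRB5_TRACE=' "$f"; then
        return 0                          # already present, keep the file unchanged
    fi
    printf 'export KRB5_TRACE=%s\n' "$KRB5_TRACE_FILE" >> "$f"
}

# The control channel must answer before we rely on it: a bare SIGHUP would
# still reload named, but the reload would be logged at the default severity
# and the evidence that 'rndc trace 4' is meant to produce would be missing.
control_channel_ok() {
    "$RNDC" status >/dev/null 2>&1
}

# Raise the debug level, then reload through rndc (named logs it as
# "received control channel command 'reload'", the line seen in the thread).
# The level is left raised on purpose: the hang may only show up after the
# reload, and 'rndc notrace' can reset it once the logs have been collected.
traced_reload() {
    if ! control_channel_ok; then
        echo "rndc control channel unavailable; run 'rndc-confgen -a' and check $RNDC_KEY" >&2
        return 1
    fi
    "$RNDC" trace "$TRACE_LEVEL" || return 1
    "$RNDC" reload
}

# Run the reload only when executed as the logrotate postrotate script,
# not when sourced to reuse the functions.
case "$0" in
    */named-traced-reload.sh|named-traced-reload.sh) traced_reload ;;
esac
```

Point the postrotate action in /etc/logrotate.d/named (which on CentOS 6 reloads named, as Thomas observed) at this script, and expect /var/named/data/named.run to grow quickly at trace level 4; the debug output can include query details, so treat the file like the other logs Petr asks to receive privately. After enable_krb5_trace, restart named rather than reloading it, which is why the 16 June reply asks for a restart.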


Re: [Freeipa-users] named's LDAP connection hangs

2014-06-25 Thread Andrew Tranquada
If there is a resolution to this, we would love to know. We have been 
experiencing the same issues.



Re: [Freeipa-users] named's LDAP connection hangs

2014-06-22 Thread Thomas Raehalme
Hi!

Today it finally happened again - named is not resolving names under the
IPA domain, pvnet.cc. Killing the named process and restarting it solves
the problem (until it happens again).

Petr, I'll send you the logs directly so I don't have to leave anything
out. I hope that's okay.

Thank you for the help!

Best regards,
Thomas



-- 
Thomas Raehalme
CTO (technology director)
Mobile +358 40 545 0605

Codecenter Oy
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

Codecenter - Information systems made understandable

Re: [Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Thomas Raehalme
Hi!

Thanks for the instructions. I have configured KRB5_TRACE as described. I
will send logs as soon as we encounter the problem again. Could take a week
or two though.

Thank you for your help!

Best regards,
Thomas


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Petr Spacek

On 16.6.2014 09:41, Thomas Raehalme wrote:

Hi,

We have a problem with IPA going out of service every now and then. There
seem to be two kinds of situations:

1) The connection between named and dirsrv fails. named can resolve
external names, but the domain managed by IPA does not resolve any names.
named cannot be stopped. After killing the process and restarting it, the issue
is resolved.

2) Sometimes the situation is more severe and also dirsrv is unresponsive.
The solution then seems to be restarting both named and dirsrv
(individually or through the 'ipa' service).

Regarding #1 the file /var/log/messages contains the following:

Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error

The reload is triggered by logrotate. For some reason authentication fails,
and the IPA domain is no longer resolvable.

I haven't discovered a pattern in how often these problems occur. Maybe once a
week or two.

FreeIPA master running on CentOS 6.5 has been configured with the default
settings. In addition a single replica has been added.

Any ideas where I should look for the source of the problem?


I have heard about this problem, but nobody has managed to reproduce it.

Please:
- configure the KRB5_TRACE variable as described at
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
- restart named
- send me the logs when it happens again.

Thank you!

--
Petr^2 Spacek

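The three syslog lines behind symptom #1 in Thomas's report (a reload, the GSSAPI "Ticket expired" failure, then the failed LDAP bind) correlated per named process, so that each reload-triggered bind failure is reported as one event with its time window and the GSSAPI minor status. This is an added example, not a tool from the thread or from bind-dyndb-ldap. The sample log is constructed from the lines Thomas quoted (pid 7295), with a clean reload a day earlier, an unrelated sshd line, a second process (pid 8100, reloaded by SIGHUP, its GSSAPI message wrapped over two lines) and a bind failure with no preceding reload (pid 9000) added to exercise the other code paths; the SIGHUP and clean-reload message texts ("received SIGHUP signal to reload zones", "reloading configuration succeeded") are the BIND 9 log strings as the editor knows them, and the output format and script name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from bind-dyndb-ldap: correlate the
# three syslog lines behind symptom #1 (a reload, a GSSAPI failure, a failed
# LDAP bind) per named process, so a reload-triggered bind failure is
# reported as one event with its time window and GSSAPI minor status.

# Reads syslog lines on stdin, prints one line per failed reload:
#   pid|reload time|bind failure time|GSSAPI minor status
# The reload and clean-reload message texts are the BIND 9 log strings; the
# output format is an assumption of this example.
find_failed_reloads() {
    awk '
    {
        # Syslog prefix "Mon DD HH:MM:SS host named[PID]: message". A line with
        # a timestamp but another daemon is skipped; one without a timestamp is
        # taken as a wrapped continuation of the previous named message.
        if (match($0, /named\[[0-9]+\]: /)) {
            pid = substr($0, RSTART + 6, RLENGTH - 9)
            ts  = $1 " " $2 " " $3
            msg = substr($0, RSTART + RLENGTH)
        } else if ($0 ~ /^[A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9] /) {
            next
        } else {
            msg = $0
        }
        if (pid == "") next
        sub(/[ \t\r]+$/, "", msg)

        if (msg ~ /received control channel command .reload./ ||
            msg ~ /received SIGHUP signal to reload zones/) {
            reload_ts[pid] = ts                # a reload opens a window for this pid
            minor[pid] = ""
        } else if (msg ~ /reloading configuration succeeded/) {
            delete reload_ts[pid]              # clean reload, nothing to report
        } else if (msg ~ /GSSAPI Error|Minor code may provide/ &&
                   match(msg, /\([^)]*\)$/)) {
            minor[pid] = substr(msg, RSTART + 1, RLENGTH - 2)   # e.g. Ticket expired
        } else if (msg ~ /bind to LDAP server failed/ && (pid in reload_ts)) {
            printf "%s|%s|%s|%s\n", pid, reload_ts[pid], ts,
                   (minor[pid] == "" ? "unknown" : minor[pid])
            delete reload_ts[pid]
        }
    }'
}

# Constructed sample: the lines Thomas quoted (pid 7295), preceded by a clean
# reload a day earlier, plus an unrelated sshd line, a second process (pid 8100)
# reloaded by SIGHUP whose GSSAPI message is wrapped over two lines, and a bind
# failure with no reload (pid 9000). Host, pids and address are made up.
sample_log() {
    cat <<'EOF'
Jun 15 03:22:10 ipa named[7295]: received control channel command 'reload'
Jun 15 03:22:10 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 15 03:22:10 ipa named[7295]: reloading configuration succeeded
Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
Jun 16 03:22:24 ipa sshd[4120]: Accepted publickey for admin from 192.0.2.10 port 50022
Jun 16 04:00:00 ipa named[8100]: received SIGHUP signal to reload zones
Jun 16 04:00:00 ipa named[8100]: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Ticket expired)
Jun 16 04:00:01 ipa named[8100]: bind to LDAP server failed: Local error
Jun 16 04:05:00 ipa named[9000]: bind to LDAP server failed: Local error
EOF
}

# Usage: named-reload-failures.sh /var/log/messages
#        named-reload-failures.sh --sample      (run on the constructed sample)
if [ "${1:-}" = "--sample" ]; then
    sample_log | find_failed_reloads
elif [ -n "${1:-}" ]; then
    find_failed_reloads < "$1"
fi
```

Run it over /var/log/messages on the master and the replica: each output line gives the reload and failure timestamps that bound the window Petr asks for (ten minutes either side of the reload in named.run and krb5kdc.log), and the last field carries the GSSAPI minor status, which is the value to read alongside the server timezone and the "ipa krbtpolicy-show" output he also requests. A bind failure with no preceding reload, for example one at startup, is deliberately not reported, since the thread is about reloads that break an already working named.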