Discussion:
[Freeipa-users] SSSD hangs on IPA master
Ronald Wimmer
2017-04-04 07:51:04 UTC
Permalink
Hi,

my IPA master has an AD trust (several thousand users). Since the trust
has been set up I am experiencing that I cannot login on the web
interface. Even connecting via SSH does not work or takes extremely
long. When I managed to log in as root via SSH (after waiting and trying
several times or rebooting the machine) I could not restart SSSD
(systemctl restart sssd). I had to kill the SSSD processes manually and
then everything seemed to work fine again.

What could be going on? Could the SSSD cache be to big (122M)? Where
should I take a deeper look?

Any hints are highly appreciated!

Regards,
Ronald
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Jakub Hrozek
2017-04-04 09:19:04 UTC
Permalink
Hi,
my IPA master has an AD trust (several thousand users). Since the trust has
been set up I am experiencing that I cannot login on the web interface. Even
connecting via SSH does not work or takes extremely long. When I managed to
log in as root via SSH (after waiting and trying several times or rebooting
the machine) I could not restart SSSD (systemctl restart sssd). I had to
kill the SSSD processes manually and then everything seemed to work fine
again.
What could be going on? Could the SSSD cache be to big (122M)? Where should
I take a deeper look?
Any hints are highly appreciated!
SSSD logs that capture the problem are always a good start.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Ronald Wimmer
2017-04-06 09:06:50 UTC
Permalink
Post by Jakub Hrozek
Hi,
my IPA master has an AD trust (several thousand users). Since the trust has
been set up I am experiencing that I cannot login on the web interface. Even
connecting via SSH does not work or takes extremely long. When I managed to
log in as root via SSH (after waiting and trying several times or rebooting
the machine) I could not restart SSSD (systemctl restart sssd). I had to
kill the SSSD processes manually and then everything seemed to work fine
again.
What could be going on? Could the SSSD cache be to big (122M)? Where should
I take a deeper look?
Any hints are highly appreciated!
SSSD logs that capture the problem are always a good start.
I found out that the CPU was quite busy (sssd_be process) and that there
was a lot I/O in the cache directory. So I upgraded from 1 to 4 virtual
CPUs and followed your recommendations regarding large deployments:
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/

No problems so far...

Regards,
Ronald
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Lukas Slebodnik
2017-04-08 10:49:30 UTC
Permalink
Post by Jakub Hrozek
Hi,
my IPA master has an AD trust (several thousand users). Since the trust has
been set up I am experiencing that I cannot login on the web interface. Even
connecting via SSH does not work or takes extremely long. When I managed to
log in as root via SSH (after waiting and trying several times or rebooting
the machine) I could not restart SSSD (systemctl restart sssd). I had to
kill the SSSD processes manually and then everything seemed to work fine
again.
What could be going on? Could the SSSD cache be to big (122M)? Where should
I take a deeper look?
Any hints are highly appreciated!
SSSD logs that capture the problem are always a good start.
I found out that the CPU was quite busy (sssd_be process) and that there was
a lot I/O in the cache directory. So I upgraded from 1 to 4 virtual CPUs and
followed your recommendations regarding large deployments: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
No problems so far...
May I ask which version of sssd do you use?

LS
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Ronald Wimmer
2017-04-08 15:39:42 UTC
Permalink
Post by Lukas Slebodnik
[...]
May I ask which version of sssd do you use?
SSSD 1.14
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Loading...