[Freeipa-users] errors when one ipa server down

Simo Sorce simo at redhat.com
Mon Sep 10 15:43:16 UTC 2012


On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
> >> What about defining a task in the SSSD krb5 provider instead of pinging
> >> it from the locator plugin. The task can run at a configurable interval
> >> or never and checks if the current KDC is available. If not it tries the
> >> next until it goes offline if no reachable KDC can be found and updates
> >> or deletes the info file for the locator plugin.
> >>
> >> This leaves us with the question how to ping a KDC properly, but this we
> >> have to find out for either case.
> >>
> > I am not a fan of generating load for the KDC unnecessarily.
> >
> > Simo.
> >
> 
> I tend to agree but this can be a real pain to debug because depending 
> on the current state of sssd you have to either check krb5.conf or the 
> sssd locator to see what KDC is configured.

[moving to freeipa-devel]

Yes but the solution is to do on-demand requests when something doesn't
work.
Because otherwise you still get the odd failure.
Assume you check in 5 min intervals, and the KDC goes off 1 sec after
the check, for 5 minutes you still have a wrong KDC in the locator and
still get failures.
So you loaded the KDC with ~300 requests per day per client, and you
still have high odds that on failure your locator file will still be
'wrong'.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



