[Freeipa-users] errors when one ipa server down

Jakub Hrozek jhrozek at redhat.com
Tue Sep 18 08:03:08 UTC 2012


On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> > [root at ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
> >
> > [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
> 
> Jakub, does this make sense to you?
> 

As stated elsewhere in this thread, bare kinit does not contact the SSSD
at all. You want to go through the PAM stack (with "su - mike" or "ssh
mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes
the file.

Does using "su - mike" refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the
server that is down. I assume that at one point the SSSD was using that
server but no request came to the SSSD since the last one, so the SSSD
did not fail over to the other configured server. Your SRV records
indicated that the servers had the same priority fields, so selecting one
over another is pretty much random.

I don't think the SSSD is operating in offline mode completely,
otherwise it would have removed the file to avoid this kind of timeout.
 
Bottom line, kinit does not contact the SSSD and does not refresh the
address via the locator plugin.

Returning multiple addresses from the locator plugin or creating a
smarter way of interacting between the Kerberos tools and the SSSD is
the scope of https://fedorahosted.org/sssd/ticket/941
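The reply above describes the mechanism behind the failure: the SSSD krb5 locator plugin hands libkrb5 whatever address SSSD last wrote to /var/lib/sss/pubconf/kdcinfo.REALM, and that file is only rewritten when a request actually passes through SSSD (the PAM stack), not when a bare kinit runs. The following script is an added diagnostic example, not code from the thread or from the SSSD project: it parses the SSSD_KRB5_LOCATOR_DEBUG output quoted above (or the kdcinfo file itself) to find the KDC address the locator would use, then checks whether that KDC still accepts connections on port 88, so an administrator can spot the stale-entry condition before users hit "Cannot contact any KDC". The kdcinfo file format assumed here (one address per line, optionally address:port) and the sample debug text are assumptions constructed for the example.

```python
"""Detect a stale KDC entry in SSSD's kdcinfo file (added example, not from the thread).

The sample below is reconstructed from the lines quoted in the mailing-list post;
it is not a live capture. The kdcinfo file layout is assumed to be one address
per line, optionally written as address:port.
"""
import re
import socket
import sys
from typing import Callable, List, Tuple

KDCINFO_PATH_TMPL = "/var/lib/sss/pubconf/kdcinfo.{realm}"  # path from the thread

# Matches the locator's "addr[host:port] family[n] socktype[n]" debug lines.
DEBUG_ADDR_RE = re.compile(
    r"addr\[(?P<host>[^\]:]+):(?P<port>\d+)\] family\[\d+\] socktype\[(?P<socktype>\d+)\]"
)

# Constructed sample of SSSD_KRB5_LOCATOR_DEBUG=1 output (same content as the quoted post).
SAMPLE_LOCATOR_DEBUG = """\
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
"""


def parse_locator_debug(text: str) -> List[Tuple[str, int, int]]:
    """Return (host, port, socktype) for every address the locator handed to libkrb5."""
    found = []
    for line in text.splitlines():
        m = DEBUG_ADDR_RE.search(line)
        if m:
            found.append((m["host"], int(m["port"]), int(m["socktype"])))
    return found


def parse_kdcinfo(text: str, default_port: int = 88) -> List[Tuple[str, int]]:
    """Parse kdcinfo content under the assumed 'addr' or 'addr:port' per-line layout.

    A bare IPv6 address contains several colons; only a single colon is read as a port.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.count(":") == 1:
            host, port = line.split(":")
            if host and port.isdigit():
                entries.append((host, int(port)))
                continue
        entries.append((line, default_port))
    return entries


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real connectivity probe; raises OSError when the KDC port is unreachable."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def kdc_reachable(host: str, port: int, timeout: float = 2.0,
                  connect: Callable[[str, int, float], bool] = tcp_connect) -> bool:
    """True if the KDC accepts a TCP connection; connect() is injectable so tests run offline."""
    try:
        return bool(connect(host, port, timeout))
    except OSError:
        return False


def stale_kdcs(entries: List[Tuple[str, int]],
               connect: Callable[[str, int, float], bool] = tcp_connect,
               timeout: float = 2.0) -> List[Tuple[str, int]]:
    """Entries the locator would still hand out although the KDC no longer answers."""
    return [(h, p) for h, p in entries if not kdc_reachable(h, p, timeout, connect)]


if __name__ == "__main__":
    # Usage: python kdcinfo_check.py MPLS.LOCAL   (reads the live kdcinfo file)
    #        python kdcinfo_check.py              (parses the constructed sample instead)
    if len(sys.argv) > 1:
        with open(KDCINFO_PATH_TMPL.format(realm=sys.argv[1])) as fh:
            entries = parse_kdcinfo(fh.read())
    else:
        entries = [(h, p) for h, p, _ in parse_locator_debug(SAMPLE_LOCATOR_DEBUG)]
    for host, port in stale_kdcs(sorted(set(entries))):
        print(f"stale kdcinfo entry: {host}:{port} does not answer; "
              f"trigger an SSSD request (e.g. a PAM login) so the file is refreshed")
```

Run against a realm name it reads the live kdcinfo file; with no argument it parses the constructed sample, which is useful for checking the regex against a pasted SSSD_KRB5_LOCATOR_DEBUG transcript. A stale entry here is exactly the state in the thread: SSSD has not failed over because no request reached it since the server went down, so the locator keeps returning the dead address.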
