[Freeipa-users] errors when one ipa server down
Michael Mercier
mmercier at gmail.com
Tue Sep 18 18:38:13 UTC 2012
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>> [root at ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8
>>>
>>> [root at ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>
>> Jakub, does this make sense to you?
>>
>
> As stated elsewhere in this thread, bare kinit does not contact the SSSD
> at all. You want to go through the PAM stack (with "su - mike" or "ssh
> mike at ipaclient") in order to contact the SSSD so that the SSSD refreshes
> the file.
>
> Does using "su - mike" refresh the file?
When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers.
e.g.
[root at ipaclient sssd]# su - mike
[mike at ipaclient ~]$ exit
logout
[root at ipaserver ~]ifdown eth0
[root at ipaclient sssd]# su - mike
[mike at ipaclient ~]$ exit
logout
[root at ipaserver ~]ifup eth0
[root at ipaserver2 ~]ifdown eth0
[root at ipaclient sssd]# su - mike
[mike at ipaclient ~]$ exit
logout
[root at ipaserver ~]ifdown eth0
[root at ipaserver2 ~]ifup eth0
[root at ipaclient sssd]# su - mike # short delay ~2 seconds
[mike at ipaclient ~]$ exit
logout
[root at ipaserver ~]ifup eth0
[root at ipaserver2 ~]ifdown eth0
[root at ipaclient sssd]# su - mike # short delay ~2 seconds
[mike at ipaclient ~]$ exit
logout
I do not seem to have any sssd problems.
Thanks,
Mike
>
> Michael also said that the IP address 172.16.112.8 is the address of the
> server that is down. I assume that at one point the SSSD was using that
> server but no request came to the SSSD since the last one, so the SSSD
> did not fail over to the other configured server. Your SRV records
> indicated that the servers had the same priority fields, so selecting one
> over another is pretty much random.
>
> I don't think the SSSD is operating in offline mode completely,
> otherwise it would have removed the file to avoid this kind of timeout.
>
> Bottom line, kinit does not contact the SSSD and does not refresh the
> address via the locator plugin.
>
> Returning multiple addresses from the locator plugin or creating a
> smarter way of interacting between the Kerberos tools and the SSSD is
> the scope of https://fedorahosted.org/sssd/ticket/941
>
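The failure mode discussed in this thread is that kinit, through the sssd_krb5_locator plugin, only tries whatever address SSSD last wrote to /var/lib/sss/pubconf/kdcinfo.REALM, and SSSD only rewrites that file when a request actually passes through it (for example a PAM login). The following script is an added example, not part of the thread and not SSSD or FreeIPA code: it parses a kdcinfo file, probes each pinned KDC on port 88 with a short timeout, and reports entries that are stale, so a monitor can flag a client that would hit "Cannot contact any KDC" before users do. It assumes the kdcinfo format is one address per line with an optional :port and IPv6 addresses in brackets; the sample file contents and debug lines below are constructed for the demonstration.

```python
"""Stale-KDC check for SSSD's kdcinfo pin file (added example, not from the thread)."""
import re
import socket
from pathlib import Path

# Directory where SSSD writes kdcinfo.<REALM> for the krb5 locator plugin.
KDCINFO_DIR = Path("/var/lib/sss/pubconf")
DEFAULT_KDC_PORT = 88

# Matches the "[addr] used" lines printed with SSSD_KRB5_LOCATOR_DEBUG=1.
USED_RE = re.compile(r"\[sssd_krb5_locator\] \[([^\]]+)\] used")


def parse_kdcinfo(text):
    """Return (host, port) tuples from kdcinfo content.

    Assumed format: one address per line, optional ':port', IPv6 written as
    '[addr]' or '[addr]:port'. Blank lines are ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, port = line, DEFAULT_KDC_PORT
        if line.startswith("["):                 # bracketed IPv6
            end = line.index("]")
            host = line[1:end]
            rest = line[end + 1:]
            if rest.startswith(":"):
                port = int(rest[1:])
        elif line.count(":") == 1:               # IPv4 or hostname with port
            host, p = line.split(":")
            port = int(p)
        entries.append((host, port))
    return entries


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to the KDC port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_realm(text, probe=tcp_probe):
    """Classify each pinned KDC as reachable or stale.

    `probe` is injectable so the logic can be exercised offline; in production
    the default TCP probe is used.
    """
    result = {"reachable": [], "stale": []}
    for host, port in parse_kdcinfo(text):
        bucket = "reachable" if probe(host, port) else "stale"
        result[bucket].append(f"{host}:{port}")
    return result


def kdcs_used_in_debug(debug_output):
    """Extract the addresses the locator reported as 'used' from kinit debug output.

    Useful to confirm, after a login through PAM, that the pin moved off the
    dead server.
    """
    return sorted(set(USED_RE.findall(debug_output)))


def main():
    for path in sorted(KDCINFO_DIR.glob("kdcinfo.*")):
        realm = path.name.split(".", 1)[1]
        report = check_realm(path.read_text())
        status = "OK" if not report["stale"] else "STALE"
        print(f"{realm}: {status} reachable={report['reachable']} stale={report['stale']}")
        if report["stale"] and not report["reachable"]:
            print(f"  kinit for {realm} would fail; trigger an SSSD lookup "
                  "(e.g. a PAM login) to refresh the pin file")


if __name__ == "__main__":
    main()
```

Run it as root on the client; a realm whose every pinned address is stale is exactly the state shown earlier in the thread, where kinit fails while a plain `su - mike` succeeds because the PAM path goes through SSSD and lets it fail over.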