[Freeipa-users] errors when one ipa server down

Michael Mercier mmercier at gmail.com
Tue Sep 18 18:38:13 UTC 2012


On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:

> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>> [root@ipaserver2 ~]# ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
>>> 
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>> 
>> Jakub, does this make sense to you?
>> 
> 
> As stated elsewhere in this thread, bare kinit does not contact the SSSD
> at all. You want to go through the PAM stack (with "su - mike" or
> "ssh mike@ipaclient") in order to contact the SSSD so that the SSSD
> refreshes the file.
> 
> Does using "su - mike" refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers.

e.g.

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]# ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]# ifup eth0

[root@ipaserver2 ~]# ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]# ifdown eth0

[root@ipaserver2 ~]# ifup eth0

[root@ipaclient sssd]# su - mike    # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]# ifup eth0

[root@ipaserver2 ~]# ifdown eth0

[root@ipaclient sssd]# su - mike    # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

I do not seem to have any sssd problems.

Thanks,
Mike

> 
> Michael also said that the IP address 172.16.112.8 is the address of the
> server that is down. I assume that at one point the SSSD was using that
> server but no request came to the SSSD since the last one, so the SSSD
> did not fail over to the other configured server. Your SRV records
> indicated that the servers had the same priority fields, so selecting one
> over another is pretty much random.
> 
> I don't think the SSSD is operating in offline mode completely,
> otherwise it would have removed the file to avoid this kind of timeout.
> 
> Bottom line, kinit does not contact the SSSD and does not refresh the
> address via the locator plugin.
> 
> Returning multiple addresses from the locator plugin or creating a
> smarter way of interacting between the Kerberos tools and the SSSD is
> the scope of https://fedorahosted.org/sssd/ticket/941
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
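The failure mode discussed in this thread is that kinit trusts whatever address SSSD last wrote to /var/lib/sss/pubconf/kdcinfo.REALM, and nothing refreshes that file until a PAM authentication goes through SSSD. The script below is an added diagnostic, not code from the thread, from SSSD or from FreeIPA: it parses the kdcinfo file, TCP-probes each pinned KDC on port 88, and flags the two conditions a practitioner would want to catch (a single pinned KDC, and no pinned KDC reachable). Assumptions: the file holds one address per line, optionally as IP:port or [IPv6]:port (the 2012-era file in the thread holds exactly one IPv4 address), and the realm name is the file suffix. The sample input embedded for the stand-alone run is constructed from the address in the thread, with a fake probe so it runs offline.

```python
"""Check whether the KDC pinned in SSSD's kdcinfo file is actually reachable.

Added example for the freeipa-users thread above; not SSSD or FreeIPA code.
"""
import ipaddress
import socket
import sys
from typing import Callable, List, Tuple

DEFAULT_KDC_PORT = 88
KDCINFO_DIR = "/var/lib/sss/pubconf"          # assumption: default SSSD pubconf dir

Endpoint = Tuple[str, int]
Probe = Callable[[str, int], bool]


def parse_kdcinfo(text: str) -> List[Endpoint]:
    """Parse kdcinfo.<REALM> contents into (address, port) pairs.

    Accepted line forms (assumption about the format): "172.16.112.8",
    "172.16.112.8:88", "[fd00::8]:88", "fd00::8". Blank lines and '#'
    comments are tolerated. Raises ValueError on a line that is not an IP.
    """
    entries: List[Endpoint] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, port = line, DEFAULT_KDC_PORT
        if line.startswith("["):                      # [IPv6]:port or [IPv6]
            close = line.index("]")
            host = line[1:close]
            rest = line[close + 1:]
            if rest.startswith(":"):
                port = int(rest[1:])
        elif line.count(":") == 1:                    # IPv4:port
            host, port_str = line.rsplit(":", 1)
            port = int(port_str)
        # a bare IPv6 address has more than one ':' and is kept whole
        ipaddress.ip_address(host)                    # reject garbage early
        entries.append((host, port))
    return entries


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to the KDC port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcinfo(text: str, probe: Probe = tcp_probe):
    """Classify the pinned KDCs and return (reachable, unreachable, warnings)."""
    entries = parse_kdcinfo(text)
    reachable = [e for e in entries if probe(e[0], e[1])]
    unreachable = [e for e in entries if e not in reachable]
    warnings: List[str] = []
    if len(entries) == 1:
        warnings.append("only one KDC is pinned; kinit cannot fail over "
                        "until SSSD rewrites the file after a PAM login")
    if entries and not reachable:
        warnings.append("no pinned KDC answers on port 88; run a PAM "
                        "authentication (e.g. su - <user>) so SSSD fails "
                        "over and refreshes kdcinfo")
    return reachable, unreachable, warnings


def check_realm_file(realm: str, probe: Probe = tcp_probe):
    """Read kdcinfo.<REALM> from the SSSD pubconf directory and check it."""
    with open(f"{KDCINFO_DIR}/kdcinfo.{realm}", encoding="ascii") as fh:
        return check_kdcinfo(fh.read(), probe)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_realm_file(sys.argv[1])
    else:
        # Constructed sample: the single address from the thread, with a
        # fake probe standing in for the downed ipaserver2.
        sample = "172.16.112.8\n"
        result = check_kdcinfo(sample, probe=lambda h, p: h != "172.16.112.8")
    reachable, unreachable, warnings = result
    print("reachable:  ", reachable)
    print("unreachable:", unreachable)
    for w in warnings:
        print("WARNING:", w)
```

Run it as `python3 kdcinfo_check.py MPLS.LOCAL` on the client; with no argument it exercises the constructed sample. The probe only checks that the TCP port opens, which is enough to detect the dead-host case in the thread but says nothing about whether the KDC will actually issue a ticket.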
