[Freeipa-users] IPA Service Restart causes clients to stop working

Bruno Henrique Barbosa bruno-barbosa at prodesan.com.br
Mon Jul 7 19:09:24 UTC 2014


I can confirm this, I usually run through this after a power outage on my datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to SSH attempts, SSSD logs empty, and I have to log on and restart sssd on every VM manually.

----- Original Message -----

From: "John Moyer" <john.moyer at digitalreasoning.com>
To: "Jakub Hrozek" <jhrozek at redhat.com>, freeipa-users at redhat.com
Sent: Monday, July 7, 2014 15:56:18
Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop working


The /var/log/secure is saying invalid user. When I do a getent passwd $USER I can't get any user from IPA until sssd is restarted. The SSSD logs are completely empty. Below is the sssd.conf if that helps. 


Also I just had a server that I fixed (by restarting sssd) break again, restarting sssd fixed it again though. 




sssd.conf

[domain/digitalreasoning.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = digitalreasoning.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.digitalreasoning.com
chpass_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
dns_discovery_domain = digitalreasoning.com

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = digitalreasoning.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


On 7/7/14, 2:19 PM, Jakub Hrozek wrote:

> On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
> > Hello All,
> >
> >     Some of the services in IPA stopped responding and I restarted the
> > service (as I couldn't log in to the website or via ssh to any registered
> > hosts).   After the restart I could log in to the web app, but still no
> > clients.   I currently can log in to one client that I restarted sssd on.
> >   Any suggestions how to fix the rest without having to go to all of
> > them to restart sssd?
>
> Can you log in as root to the clients and check out /var/log/secure
> and/or the sssd logs?
>
> Do your clients cache credentials?
>
> I suspect that when IPA went down, the clients went offline and still
> haven't re-checked the online status... how long since the IPA server went
> offline?





Thanks, 

John Moyer 
Director, IT Operations 

