[Freeipa-users] IPA Service Restart causes clients to stop working

[John Moyer]

The /var/log/secure is saying invalid user.   When I do a getent passwd
$USER I can't get any user from IPA until sssd is restarted.  The SSSD
logs are completely empty.   Below is the sssd.conf if that helps. 


Also I just had a server that I fixed (by restarting sssd) break again,
restarting sssd fixed it again though. 




sssd.conf
[domain/digitalreasoning.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = digitalreasoning.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.digitalreasoning.com
chpass_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
dns_discovery_domain = digitalreasoning.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = digitalreasoning.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
> On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
>> Hello All,
>>
>>     Some of the services in IPA stopped responding and I restarted the
>> service (as I couldn't login to the website or via ssh to any registered
>> hosts).   After the restart I could login to the web app, but still no
>> clients.   I currently can login to one client that I restarted sssd on.
>>   Any suggestions how to fix the rest without having to go to all of
>> them to restart sssd?  
> Can you log in as root to the clients and check out /var/log/secure
> and/or the sssd logs?
>
> Do your clients cache credentials?
>
> I suspect that when IPA went down, the clients went offline and still
> haven't re-checked the online status..how long since the IPA server went
> offline?
>




Thanks,
------------------------------------------------------------------------
John Moyer
Director, IT Operations

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140707/6a87b19a/attachment.htm>