[Freeipa-users] IPA Service Restart causes clients to stop working

Jakub Hrozek jhrozek at redhat.com
Mon Jul 7 20:28:08 UTC 2014


On Mon, Jul 07, 2014 at 02:56:18PM -0400, John Moyer wrote:
> The /var/log/secure is saying invalid user.

I wouldn't expect this, I would expect something like "cannot retrieve
authentication info".

> When I do a getent passwd
> $USER I can't get any user from IPA until sssd is restarted.  The SSSD
> logs are completely empty.

Right, by default, we don't log anything. If you can still reproduce, is
it possible to change the level of sssd on the fly using the
sss_debuglevel tool and /then/ check the logs?

> Below is the sssd.conf if that helps. 

Interesting, the client does cache credentials. In this case, the logs
would be quite welcome.

> 
> 
> Also I just had a server that I fixed (by restarting sssd) break again,
> restarting sssd fixed it again though. 
> 
> 
> 
> 
> sssd.conf
> [domain/digitalreasoning.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = digitalreasoning.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = client.digitalreasoning.com
> chpass_provider = ipa
> ipa_server = _srv_, server1.digitalreasoning.com
> dns_discovery_domain = digitalreasoning.com
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> 
> domains = digitalreasoning.com
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
> > On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
> >> Hello All,
> >>
> >>     Some of the services in IPA stopped responding and I restarted the
> >> service (as I couldn't login to the website or via ssh to any registered
> >> hosts).   After the restart I could login to the web app, but still no
> >> clients.   I currently can login to one client that I restarted sssd on.
> >>   Any suggestions how to fix the rest without having to go to all of
> >> them to restart sssd?  
> > Can you log in as root to the clients and check out /var/log/secure
> > and/or the sssd logs?
> >
> > Do your clients cache credentials?
> >
> > I suspect that when IPA went down, the clients went offline and still
> > haven't re-checked the online status... how long since the IPA server went
> > offline?
> >
> 
> 
> 
> 
> Thanks,
> ------------------------------------------------------------------------
> John Moyer
> Director, IT Operations
> 
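
The two things the reply above reads off the posted sssd.conf (no logging configured, credentials cached) can be checked with a script before collecting logs. This is an added example, not part of the original messages or of SSSD; `audit_sssd_conf` is a hypothetical helper and the embedded config is a constructed, abridged copy of the one quoted in this thread.

```python
import configparser

# Constructed sample: the sssd.conf quoted in this thread, abridged.
SAMPLE_CONF = """\
[domain/digitalreasoning.com]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = digitalreasoning.com
[nss]
[pam]
[ssh]
"""


def audit_sssd_conf(text):
    """Report debug_level per active section and cache_credentials per domain."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)

    def csv(option):
        # Comma-separated list from the [sssd] section, empty if unset.
        raw = cp.get("sssd", option, fallback="")
        return [v.strip() for v in raw.split(",") if v.strip()]

    # The monitor, each listed service and each listed domain log separately.
    active = ["sssd"] + csv("services") + ["domain/" + d for d in csv("domains")]
    report = {"debug_level": {}, "cache_credentials": {}}
    for section in active:
        # None means the section is absent or sets no debug_level, so it keeps
        # the default, which per the reply above logs nothing.
        report["debug_level"][section] = cp.get(section, "debug_level", fallback=None)
        if section.startswith("domain/"):
            report["cache_credentials"][section] = cp.getboolean(
                section, "cache_credentials", fallback=False)
    return report


if __name__ == "__main__":
    result = audit_sssd_conf(SAMPLE_CONF)
    for section, level in result["debug_level"].items():
        print(f"[{section}] debug_level = {level if level is not None else 'unset'}")
    for domain, cached in result["cache_credentials"].items():
        print(f"[{domain}] cache_credentials = {cached}")
```
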



