[Freeipa-users] CRON: Authentication service cannot retrieve authentication info

Dmitri Pal dpal at redhat.com
Thu Apr 16 13:01:23 UTC 2015


On 04/16/2015 06:40 AM, Thomas Lau wrote:
> I think the semi-online status causes SSSD to be confused about what to do
> and causes it to time out.
>
> So that means no fix for now.
Not for right now.
Please try to capture logs. If you manage to reproduce the issue and
provide logs we would be able to see what causes it and address it.

>
> On Thu, Apr 16, 2015 at 11:10 AM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 04/15/2015 10:17 PM, Thomas Lau wrote:
>>> Hi,
>>>
>>> I just checked with developer, there is no authentication related code
>>> in the program, we could treat it as normal cron job.
>>>
>>> Is it possible to make sssd contact FreeIPA less often? For example,
>>> refresh all user info every 5 minutes, else use cached info.
>>
>> OK, thanks for clarification.
>> Then it is SSSD.
>>
>> It would be hard to understand where the problem is.
>> For authentication SSSD does online if it knows that it is online. Packet
>> loss can cause it to lose connection and time out.
>> It might not be failing over to offline mode as it is "semi online" because
>> of the packet loss and retries.
>>
>> The SSSD logs would really be helpful to diagnose the issue.
>> Also https://fedorahosted.org/sssd/ticket/1807 might be what you are looking
>> for. It is being worked on for the next release.
>>
>>
>>> On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>> On 04/13/2015 10:41 PM, Thomas Lau wrote:
>>>>> Hi,
>>>>>
>>>>> It's an in-house program which runs on one kerberos user.
>>>> You need to look at what this program is doing.
>>>> I suspect it is doing some sort of kinit itself and does not rely on the
>>>> PAM stack, i.e. it bypasses SSSD in the given scenario.
>>>> Can this be the case?
>>>>
>>>>
>>>>> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>>> On 04/13/2015 08:23 AM, Thomas Lau wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This problem appears randomly; sometimes it still works even under heavy
>>>>>> packet loss, sometimes it would be like this. So it's hard to catch.
>>>>>>
>>>>>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" <jhrozek at redhat.com> wrote:
>>>>>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> We have a cronjob which is running on a FreeIPA LDAP user. When the
>>>>>>>> connection between the IPA server and client has heavy packet loss,
>>>>>>>> the following error would occur:
>>>>>>>>
>>>>>>>> CRON[20637]: Authentication service cannot retrieve authentication info
>>>>>>>>
>>>>>>>> I have cache credentials and store password if offline enabled on
>>>>>>>> sssd; how would this problem still be happening?
>>>>>>
>>>>>> It might be that the cause of the problem is actually the packet loss
>>>>>> or some kind of delay.
>>>>>> SSSD might not think that it is offline but cron job itself times out
>>>>>> and reports failure.
>>>>>> Do you know what operation in the job fails?
>>>>>>
>>>>>>
>>>>>>>> sssd.conf:
>>>>>>>>
>>>>>>>> cache_credentials = True
>>>>>>>> krb5_store_password_if_offline = True
>>>>>>> Did the user log in at least once offline? You can verify if the
>>>>>>> password has been cached using the ldbsearch utility. It would be
>>>>>>> best to catch the occurrence of the problem in logs.
>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
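
The ldbsearch check suggested in the quoted thread can be scripted; the following is an added example, not code from the thread or from the SSSD project. It assumes the client cache lives under /var/lib/sss/db/ and that SSSD stores the offline credential in the cachedPassword and lastCachedPasswordChange attributes; the function name, the domain and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads ldbsearch LDIF on stdin and reports,
# per user, whether SSSD has an offline credential cached. Never prints the hash.
# Assumed invocation on the client; the domain in the file name is a placeholder:
#   ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.COM.ldb '(objectclass=user)' \
#       name cachedPassword lastCachedPasswordChange | cached_creds_report
cached_creds_report() {
    awk '
        function emit() {
            if (name != "")
                printf "%s cached=%s changed=%s\n", name, (has ? "yes" : "no"), (ts != "" ? ts : "-")
            name = ""; has = 0; ts = ""
        }
        /^ /               { next }          # folded LDIF continuation (long hash values)
        /^#/               { next }          # ldbsearch comment lines
        /^$/               { emit(); next }  # a blank line ends a record
        /^name: /          { name = substr($0, 7) }
        /^cachedPassword:/ { has = 1 }       # plain ":" or base64 "::" form
        /^lastCachedPasswordChange: / { ts = substr($0, 27) }
        END                { emit() }
    '
}

# Constructed sample output: one user with a cached credential, one without.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: name=alice,cn=users,cn=example.com,cn=sysdb
name: alice
cachedPassword: $6$CONSTRUCTEDSALT$constructedhashvalueconstructedhashvalue
 constructedhashvaluecontinued
lastCachedPasswordChange: 1429160000

# record 2
dn: name=cronuser,cn=users,cn=example.com,cn=sysdb
name: cronuser

# returned 2 records
EOF
}

# Run with --demo to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then sample_ldif | cached_creds_report; fi
```

A user reported with cached=no has never completed an online login with cache_credentials enabled, so offline authentication for that account cannot succeed.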



