[Freeipa-users] Servers intermittently losing connection to IPA
Jeff Hallyburton
jeff.hallyburton at bloomip.com
Wed Apr 20 18:18:28 UTC 2016
Sumit,
Raised the debug level to 10 and let it run for about 24 hours. Uploading
the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!
https://pastebin.com/MD6N1Dj7
Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com
Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
jeff.hallyburton at bloomip.com> wrote:
> Sumit,
>
> Raised the debug level to 10 and let it run for about 24 hours. Uploading
> the full sssd_domain.com.log. Thanks for your help!
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: support at bloomip.com
> Billing Support: billing at bloomip.com
> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>
> On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sbose at redhat.com> wrote:
>
>> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
>> > After setting debug_level=8, this is what I see in the sssd_domain_log:
>>
>> Unfortunately the domain log and the krb5_child log do not relate to
>> each other.
>>
>> >
>> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
>> [child_handler_setup]
>> > (0x2000): Setting up signal handler up for pid [32382]
>> >
>>
>> ....
>>
>> >
>> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast]
>> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
>> > jump02.west-2.production.example.com at EXAMPLE.COM]
>> >
>>
>> ...
>>
>> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
>> [get_and_save_tgt]
>> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
>> > pre-auth.
>> >
>> >
>> > Can you shed any light on this?
>> >
>>
>> In the domain log the child with the pid 32382 is started to run a
>> pre-authentication request. The request is needed to find out which kind
>> of authentication types are available for the user, e.g. password or
>> 2-factor authentication with the OTP token. The request in the child
>> with the PID 32731 looks like a real authentication request with returns
>> with an error code -1765328324 which just means 'Generic error' but
>> might have cause SSSD to go offline.
>>
>> I would like to ask you to run the test again with debug_level=10 in the
>> [domain/...] section of sssd.conf which would enable some low level
>> Kerberos tracing messages which might help to understand what kind of
>> 'Generic error' was hit here. Additionally I would like ask you to send
>> the full log files as attachment or in an archive which would hep be to
>> better navigate through them.
>>
>> bye,
>> Sumit
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160420/a1ae87e3/attachment.htm>
More information about the Freeipa-users
mailing list