[Freeipa-users] Servers intermittently losing connection to IPA

Jeff Hallyburton jeff.hallyburton at bloomip.com
Thu Apr 21 13:44:47 UTC 2016


Sumit,

We found a resolution for this and I'm dropping it here for posterity.
After some digging, it turns out that our ipa server and ipa replica were
returning different IPs for systems in the environment in DNS requests (one
returned internal results, one returned external results).

After resolving this our intermittent connectivity issue went away.  So it
seems that in some cases, the incorrect IP was being returned for LDAP
requests.

One additional item found here, it seems that the timeout to resolve an
address (from the sssd logs) is 6 seconds.  Can this be raised?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>

On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > the last 2000~ lines of the sssd_domain.com.log.  Thanks for your help!
>
> Can you send the related krb5_child log file as well?
>
> bye,
> Sumit
>
> >
> > https://pastebin.com/MD6N1Dj7
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: support at bloomip.com
> > Billing Support: billing at bloomip.com
> > Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/
> >
> >
> > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > jeff.hallyburton at bloomip.com> wrote:
> >
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > > the full sssd_domain.com.log.  Thanks for your help!
> > >
> > > Jeff
> > >
> > > Jeff Hallyburton
> > > Strategic Systems Engineer
> > > Bloomip Inc.
> > > Web: http://www.bloomip.com
> > >
> > > Engineering Support: support at bloomip.com
> > > Billing Support: billing at bloomip.com
> > > Customer Support Portal:  https://my.bloomip.com <
> http://my.bloomip.com/>
> > >
> > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sbose at redhat.com> wrote:
> > >
> > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> > >>
> > >> Unfortunately the domain log and the krb5_child log do not relate to
> > >> each other.
> > >>
> > >> >
> > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> > >> [child_handler_setup]
> > >> > (0x2000): Setting up signal handler up for pid [32382]
> > >> >
> > >>
> > >> ....
> > >>
> > >> >
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
> [k5c_setup_fast]
> > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > >> > jump02.west-2.production.example.com at EXAMPLE.COM]
> > >> >
> > >>
> > >> ...
> > >>
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
> > >> [get_and_save_tgt]
> > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> > >> > pre-auth.
> > >> >
> > >> >
> > >> > Can you shed any light on this?
> > >> >
> > >>
> > >> In the domain log the child with the pid 32382 is started to run a
> > >> pre-authentication request. The request is needed to find out which kind
> > >> of authentication types are available for the user, e.g. password or
> > >> 2-factor authentication with the OTP token. The request in the child
> > >> with the PID 32731 looks like a real authentication request which returns
> > >> with an error code -1765328324 which just means 'Generic error' but
> > >> might have caused SSSD to go offline.
> > >>
> > >> I would like to ask you to run the test again with debug_level=10 in the
> > >> [domain/...] section of sssd.conf which would enable some low level
> > >> Kerberos tracing messages which might help to understand what kind of
> > >> 'Generic error' was hit here. Additionally I would like to ask you to send
> > >> the full log files as attachment or in an archive which would help me to
> > >> better navigate through them.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >
> > >
>
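
Added example, not part of the original thread: a check for the condition described in the resolution above, where the IPA server and the replica return different addresses for the same host. Each DNS server is queried directly with `dig` and differing answer sets are reported; the server addresses, the sample answers and the RFC 1918 definition of "internal" are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Assumption: "internal" means RFC 1918 space; adjust for your addressing plan.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dig_lookup(server, name):
    """Ask one DNS server directly (bypassing resolv.conf) for A records."""
    out = subprocess.run(
        ["dig", "+short", "+time=2", "+tries=1", f"@{server}", name, "A"],
        capture_output=True, text=True, check=False).stdout
    addrs = set()
    for token in out.split():
        try:
            addrs.add(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # +short also prints CNAME targets; keep addresses only
    return addrs

def scope(addrs):
    """Label an answer set as internal, external, mixed or empty."""
    if not addrs:
        return "empty"
    kinds = {"internal" if any(ipaddress.ip_address(a) in n for n in RFC1918)
             else "external" for a in addrs}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def find_mismatches(names, servers, lookup=dig_lookup):
    """Return {name: {server: (sorted addresses, scope)}} where answers differ."""
    report = {}
    for name in names:
        answers = {s: set(lookup(s, name)) for s in servers}
        if len({frozenset(a) for a in answers.values()}) > 1:
            report[name] = {s: (sorted(a), scope(a)) for s, a in answers.items()}
    return report

# Constructed sample answers (not from the thread) so the check runs offline.
SAMPLE = {
    "10.0.0.11": {"jump02.west-2.production.example.com": {"10.0.1.15"},
                  "ipa01.example.com": {"10.0.0.11"}},
    "10.0.0.12": {"jump02.west-2.production.example.com": {"203.0.113.15"},
                  "ipa01.example.com": {"10.0.0.11"}},
}

def sample_lookup(server, name):
    return SAMPLE[server].get(name, set())

if __name__ == "__main__":
    hosts = ["jump02.west-2.production.example.com", "ipa01.example.com"]
    for host, per_server in find_mismatches(hosts, list(SAMPLE), sample_lookup).items():
        for server, (addrs, kind) in per_server.items():
            print(f"{host} @{server}: {addrs} ({kind})")
```

Against live servers, call `find_mismatches(hosts, servers)` without the third argument so that `dig_lookup` is used.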