[Freeipa-users] Servers intermittently losing connection to IPA
Sumit Bose
sbose at redhat.com
Thu Apr 21 15:17:18 UTC 2016
On Thu, Apr 21, 2016 at 09:44:47AM -0400, Jeff Hallyburton wrote:
> Sumit,
>
> We found a resolution for this and I'm dropping it here for posterity.
> After some digging, it turns out that our ipa server and ipa replica were
> returning different IPs for systems in the environment in DNS requests (one
> returned internal results, one returned external results).
>
> After resolving this our intermittent connectivity issue went away. So it
> seems that in some cases, the incorrect IP was being returned for LDAP
> requests.
Thank you for the feedback.
bye,
Sumit
>
> One additional item found here, it seems that the timeout to resolve an
> address (from the sssd logs) is 6 seconds. Can this be raised?
>
> Thanks,
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: support at bloomip.com
> Billing Support: billing at bloomip.com
> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>
> On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sbose at redhat.com> wrote:
>
> > On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours.
> > Uploading
> > > the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!
> >
> > Can you send the related krb5_child log file as well?
> >
> > bye,
> > Sumit
> >
> > >
> > > https://pastebin.com/MD6N1Dj7
> > >
> > > Jeff Hallyburton
> > > Strategic Systems Engineer
> > > Bloomip Inc.
> > > Web: http://www.bloomip.com
> > >
> > > Engineering Support: support at bloomip.com
> > > Billing Support: billing at bloomip.com
> > > Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/
> > >
> > >
> > > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > > jeff.hallyburton at bloomip.com> wrote:
> > >
> > > > Sumit,
> > > >
> > > > Raised the debug level to 10 and let it run for about 24 hours.
> > Uploading
> > > > the full sssd_domain.com.log. Thanks for your help!
> > > >
> > > > Jeff
> > > >
> > > > Jeff Hallyburton
> > > > Strategic Systems Engineer
> > > > Bloomip Inc.
> > > > Web: http://www.bloomip.com
> > > >
> > > > Engineering Support: support at bloomip.com
> > > > Billing Support: billing at bloomip.com
> > > > Customer Support Portal: https://my.bloomip.com <
> > http://my.bloomip.com/>
> > > >
> > > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sbose at redhat.com> wrote:
> > > >
> > > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > > >> > After setting debug_level=8, this is what I see in the
> > sssd_domain_log:
> > > >>
> > > >> Unfortunately the domain log and the krb5_child log do not relate to
> > > >> each other.
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]]
> > > >> [child_handler_setup]
> > > >> > (0x2000): Setting up signal handler up for pid [32382]
> > > >> >
> > > >>
> > > >> ....
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
> > [k5c_setup_fast]
> > > >> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/
> > > >> > jump02.west-2.production.example.com at EXAMPLE.COM]
> > > >> >
> > > >>
> > > >> ...
> > > >>
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]]
> > > >> [get_and_save_tgt]
> > > >> > (0x0400): krb5_get_init_creds_password returned [-1765328324} during
> > > >> > pre-auth.
> > > >> >
> > > >> >
> > > >> > Can you shed any light on this?
> > > >> >
> > > >>
> > > >> In the domain log the child with the pid 32382 is started to run a
> > > >> pre-authentication request. The request is needed to find out which
> > kind
> > > >> of authentication types are available for the user, e.g. password or
> > > >> 2-factor authentication with the OTP token. The request in the child
> > > >> with the PID 32731 looks like a real authentication request with
> > returns
> > > >> with an error code -1765328324 which just means 'Generic error' but
> > > >> might have cause SSSD to go offline.
> > > >>
> > > >> I would like to ask you to run the test again with debug_level=10 in
> > the
> > > >> [domain/...] section of sssd.conf which would enable some low level
> > > >> Kerberos tracing messages which might help to understand what kind of
> > > >> 'Generic error' was hit here. Additionally I would like ask you to
> > send
> > > >> the full log files as attachment or in an archive which would hep be
> > to
> > > >> better navigate through them.
> > > >>
> > > >> bye,
> > > >> Sumit
> > > >>
> > > >
> > > >
> >
More information about the Freeipa-users
mailing list