[Freeipa-users] SSSD to IPA connection?

Janelle janellenicole80 at gmail.com
Mon Jan 4 17:17:39 UTC 2016 

When this happens - it stops accepting logins for any of my users.
I have to restart SSSD to get it to work again.
And it is just kind of random when this happens.
How can a STATUS command sent to SSSD show a wrong password?


~J

On 1/4/16 9:11 AM, Jakub Hrozek wrote:
> On Mon, Jan 04, 2016 at 08:30:08AM -0800, Janelle wrote:
>> Happy New Year everyone!
>>
>> I came across a couple of my servers having some strange connection problems
>> and was wondering if anyone else has seen this or know what might cause it?
>> This is IPA 4.1.4 and client on RHEL 7.1. When you look at the status, for
>> some reason, SSSD has lost contact with the servers, and a restart is
>> required. What I don't understand is what this "Preauth" failure is?
>>
>> Ideas?
>> ~Janelle
>>
>> Redirecting to /bin/systemctl status  sssd.service
>> sssd.service - System Security Services Daemon
>>     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
>>    Drop-In: /etc/systemd/system/sssd.service.d
>>             └─journal.conf
>>     Active: active (running) since Sat 2015-12-12 07:41:55 EST; 2 weeks 4
>> days ago
>>    Process: 24482 ExecStart=/usr/sbin/sssd -D -f (code=exited,
>> status=0/SUCCESS)
>>   Main PID: 24483 (sssd)
>>     CGroup: /system.slice/sssd.service
>>             ├─24483 /usr/sbin/sssd -D -f
>>             ├─24484 /usr/libexec/sssd/sssd_be --domain example.com --uid 0
>> --gid 0 --debug-to-files
>>             ├─24485 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0
>> --debug-to-files
>>             ├─24486 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0
>> --debug-to-files
>>             ├─24487 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0
>> --debug-to-files
>>             └─24488 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0
>> --debug-to-files
>>
>> Jan 01 07:55:24 client.example.com [sssd[krb5_child[10456]]][10456]:
>> Preauthentication failed
>> Jan 01 07:56:07 client.example.com [sssd[krb5_child[10464]]][10464]:
>> Preauthentication failed
>> Jan 01 07:57:16 client.example.com [sssd[krb5_child[10471]]][10471]:
>> Preauthentication failed
> Preauthentication failed means more or less wrong password, but since
> the message is from krb5_child, I guess it's during user login.
>
> What exactly is not working?
>
>> Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1
>> Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1
>> Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 1
>> Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 2
>> Jan 01 08:20:10 client.example.com [sssd[krb5_child[10538]]][10538]:
>> Preauthentication failed
>> Jan 01 08:20:29 client.example.com [sssd[krb5_child[10541]]][10541]:
>> Preauthentication failed
>> Jan 01 08:20:48 client.example.com [sssd[krb5_child[10596]]][10596]:
>> Preauthentication failed
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list