[Freeipa-users] SSSD to IPA connection?

Jakub Hrozek jhrozek at redhat.com
Tue Jan 5 07:12:29 UTC 2016


On Mon, Jan 04, 2016 at 09:17:39AM -0800, Janelle wrote:
> When this happens - it stops accepting logins for any of my users.

Can you please generate logs when this happens? I suspect sssd might go
offline for one reason or another..

> I have to restart SSSD to get it to work again.

..and a restart would reset the offline status.

> And it is just kind of random when this happens.
> How can a STATUS command sent to SSSD show a wrong password?

I think krb5_child logs some of its errors to syslog, perhaps we
shouldn't log preauth failed, though.

> 
> 
> ~J
> 
> On 1/4/16 9:11 AM, Jakub Hrozek wrote:
> >On Mon, Jan 04, 2016 at 08:30:08AM -0800, Janelle wrote:
> >>Happy New Year everyone!
> >>
> >>I came across a couple of my servers having some strange connection problems
> >>and was wondering if anyone else has seen this or knows what might cause it?
> >>This is IPA 4.1.4 and client on RHEL 7.1. When you look at the status, for
> >>some reason, SSSD has lost contact with the servers, and a restart is
> >>required. What I don't understand is what this "Preauth" failure is?
> >>
> >>Ideas?
> >>~Janelle
> >>
> >>Redirecting to /bin/systemctl status  sssd.service
> >>sssd.service - System Security Services Daemon
> >>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
> >>   Drop-In: /etc/systemd/system/sssd.service.d
> >>            └─journal.conf
> >>    Active: active (running) since Sat 2015-12-12 07:41:55 EST; 2 weeks 4 days ago
> >>   Process: 24482 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
> >>  Main PID: 24483 (sssd)
> >>    CGroup: /system.slice/sssd.service
> >>            ├─24483 /usr/sbin/sssd -D -f
> >>            ├─24484 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
> >>            ├─24485 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
> >>            ├─24486 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
> >>            ├─24487 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
> >>            └─24488 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
> >>
> >>Jan 01 07:55:24 client.example.com [sssd[krb5_child[10456]]][10456]: Preauthentication failed
> >>Jan 01 07:56:07 client.example.com [sssd[krb5_child[10464]]][10464]: Preauthentication failed
> >>Jan 01 07:57:16 client.example.com [sssd[krb5_child[10471]]][10471]: Preauthentication failed
> >Preauthentication failed means more or less wrong password, but since
> >the message is from krb5_child, I guess it's during user login.
> >
> >What exactly is not working?
> >
> >>Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1
> >>Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1
> >>Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 1
> >>Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 2
> >>Jan 01 08:20:10 client.example.com [sssd[krb5_child[10538]]][10538]: Preauthentication failed
> >>Jan 01 08:20:29 client.example.com [sssd[krb5_child[10541]]][10541]: Preauthentication failed
> >>Jan 01 08:20:48 client.example.com [sssd[krb5_child[10596]]][10596]: Preauthentication failed
> >>
> >>-- 
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
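
As an added example (not part of the original messages): a small triage script for the journal lines quoted in this thread. It keeps only the krb5_child "Preauthentication failed" entries, skips the sssd_be GSSAPI lines, and groups the failures into bursts. The 5-minute gap and the year 2016 are assumptions; syslog timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Journal lines as quoted in the thread, with mail-wrapped lines rejoined.
SAMPLE = """\
Jan 01 07:55:24 client.example.com [sssd[krb5_child[10456]]][10456]: Preauthentication failed
Jan 01 07:56:07 client.example.com [sssd[krb5_child[10464]]][10464]: Preauthentication failed
Jan 01 07:57:16 client.example.com [sssd[krb5_child[10471]]][10471]: Preauthentication failed
Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1
Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 2
Jan 01 08:20:10 client.example.com [sssd[krb5_child[10538]]][10538]: Preauthentication failed
Jan 01 08:20:29 client.example.com [sssd[krb5_child[10541]]][10541]: Preauthentication failed
Jan 01 08:20:48 client.example.com [sssd[krb5_child[10596]]][10596]: Preauthentication failed
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$")
PROC = re.compile(r"(krb5_child|sssd_\w+)\[(\d+)\]")

def preauth_failures(text, year=2016):
    """Return (timestamp, host, pid) per krb5_child preauth failure; `year` is assumed."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, tag, msg = m.groups()
        proc = PROC.search(tag)
        if not proc or proc.group(1) != "krb5_child":
            continue  # e.g. the sssd_be GSSAPI lines are not krb5_child messages
        if "Preauthentication failed" in msg:
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            events.append((when, host, int(proc.group(2))))
    return events

def bursts(events, max_gap=timedelta(minutes=5)):
    """Group failures whose neighbours are at most `max_gap` apart."""
    groups = []
    for ev in sorted(events):
        if groups and ev[0] - groups[-1][-1][0] <= max_gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

if __name__ == "__main__":
    for g in bursts(preauth_failures(SAMPLE)):
        print(g[0][0], g[0][1], f"{len(g)} preauth failures")
```
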
