[Freeipa-users] how to force switch to another kdc

Karl Forner karl.forner at gmail.com
Tue Jan 5 17:16:47 UTC 2016


On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> >
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can not use anymore the webapps on my main server
> > which use a kerberos authentication since my server will not switch to
> the
> > kdc on my replica.
>
> As long as the authentication is done via sssd this should happen
> automatically,


well it does not seem to.
The way I test it is using kinit.
The only log that gets updated in /var/log/sssd is ldap_child.log.1
(what's strange is that there's a ldap_child.log which is empty).
Each time I try a kinit, I get a log line like:

(Tue Jan  5 18:10:55 2016) [[sssd[ldap_child[10069]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot
contact any KDC for realm 'EXAMPLE.COM'

I tried to send USR1 then USR2 to the main sssd process, without any
improvement.


In a previous email, Simo Sorce explained to me that:

> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>
> This is tracked here:
> https://fedorahosted.org/sssd/ticket/941
>


Could this be related?


> but you can send USR1 followed by USR2 to sssd to force
> going offline and back online. It would be nice to look into the logs,
> though, to see why wouldn't sssd fail over itself.
>
> >
> > I remember that someone replied me on this list about that problem, but
> I'd
> > like to know if there's something I can do besides rebooting my main
> server
> > ?
> >
> > freeipa 4.3
> >
> > sssd 1.12.5-1 running on ubuntu 14.04
> >
> > Thanks.
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
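A small diagnostic for the situation described in this thread, added here as an example and not code from the thread or from SSSD: it reads the KDC list SSSD writes under /var/lib/sss/pubconf and reports whether the krb5 libraries are still being pointed at KDCs that cannot be reached. The kdcinfo file name and its one-`host[:port]`-per-line layout are assumptions; the probe is a plain TCP connect to the KDC port.

```python
"""Check whether SSSD's pubconf KDC hint is stale (added example)."""
import os
import socket
import sys

# Directory named in the thread; file naming below is an assumption.
PUBCONF_DIR = "/var/lib/sss/pubconf"
DEFAULT_KDC_PORT = 88


def parse_kdcinfo(text):
    """Return (host, port) tuples from kdcinfo.<REALM> text, one per line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if sep and port.isdigit():
            entries.append((host.strip("[]"), int(port)))
        else:
            entries.append((line.strip("[]"), DEFAULT_KDC_PORT))
    return entries


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(realm, text, probe=tcp_reachable):
    """Probe every KDC listed for realm; returns (host, port, reachable)."""
    return [(h, p, probe(h, p)) for h, p in parse_kdcinfo(text)]


def stale_kdcinfo(results):
    """True when the hint lists KDCs but none answers: kinit will fail with
    'Cannot contact any KDC' until SSSD rewrites the file (after a local
    login or USR1/USR2, as the thread explains)."""
    return bool(results) and not any(ok for _, _, ok in results)


if __name__ == "__main__":
    realm = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.COM"
    path = os.path.join(PUBCONF_DIR, "kdcinfo." + realm)  # assumed name
    with open(path) as fh:
        res = diagnose(realm, fh.read())
    for host, port, ok in res:
        print("%s:%d %s" % (host, port, "reachable" if ok else "UNREACHABLE"))
    print("kdcinfo stale:", stale_kdcinfo(res))
```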