[Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

Jeff Hallyburton jeff.hallyburton at bloomip.com
Sat Jan 16 01:21:55 UTC 2016


Having finished setting up an ipa server and replica, we're trying to test
failover to ensure that HA works as expected.  We've been able to verify
the replication agreements and auto-discovery are working, and both servers
are picked up as expected at install time.

That said, we're seeing some oddities with failover.  Once I shut down the
ipa service on the main ipa server, I get most requests completing after
about a 2 min window.  I am able to:

1.  Authenticate to our jump server and get a Kerberos ticket
2.  kinit successfully as other users

However, whenever I try to ssh to another system within our domain, ssh
breaks with the following error:

$ ssh -vvv automation01
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 automation01
debug1: permanently_drop_suid: 1587000001
debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: Connection closed by remote host

Nothing is logged in either /var/log/messages or /var/log/secure when this
happens, so I'm unsure where to begin debugging.  Can you offer any insight?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>