[Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

Jeff Hallyburton jeff.hallyburton at bloomip.com
Mon Jan 18 00:14:18 UTC 2016


Janelle,

The proxy suggestion was spot on.  After that things seem to work normally.

Thanks!

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>

On Sun, Jan 17, 2016 at 9:58 AM, Janelle <janellenicole80 at gmail.com> wrote:

> Hi,
>
> Try commenting out the proxy command in /etc/ssh/ssh_config
>
> The sssd proxy of ssh is buggy as can be.
>
> ~J
>
> > On Jan 17, 2016, at 05:24, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >
> >
> >> On 16 Jan 2016, at 02:21, Jeff Hallyburton <jeff.hallyburton at bloomip.com> wrote:
> >>
> >> Having finished setting up an ipa server and replica, we're trying to
> >> test failover to ensure that HA works as expected.  We've been able to
> >> verify the replication agreements and auto-discovery are working, and both
> >> servers are picked up as expected at install time.
> >>
> >> That said, we're seeing some oddities with failover.  Once I shut down
> >> the ipa service on the main ipa server, I get most requests completing
> >> after about a 2 min window.  I am able to:
> >>
> >> 1.  Authenticate to our jump server and get a kerberos ticket
> >> 2.  kinit successfully as other users
> >>
> >> However, whenever I try to ssh to another system within our domain, ssh
> >> breaks with the following error:
> >>
> >> $ ssh -vvv automation01
> >> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> >> debug1: Reading configuration data /etc/ssh/ssh_config
> >> debug1: /etc/ssh/ssh_config line 5: Applying options for *
> >> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 automation01
> >> debug1: permanently_drop_suid: 1587000001
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
> >> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1
> >> debug1: Enabling compatibility mode for protocol 2.0
> >> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> >> ssh_exchange_identification: Connection closed by remote host
> >
> > Did you crank up debug level on the machine where sshd is running and
> > see if anything is logged then?
> >
> >>
> >> Nothing is logged in either /var/log/messages or /var/log/secure when
> >> this happens, so I'm unsure where to begin debugging.  Can you offer any
> >> insight?
> >>
> >> Thanks,
> >>
> >> Jeff
> >>
> >> Jeff Hallyburton
> >> Strategic Systems Engineer
> >> Bloomip Inc.
> >> Web: http://www.bloomip.com
> >>
> >> Engineering Support: support at bloomip.com
> >> Billing Support: billing at bloomip.com
> >> Customer Support Portal:  https://my.bloomip.com
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
>
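
The debug output in the thread shows the proxy command being applied from `/etc/ssh/ssh_config line 5` under `Host *`. Before commenting the directive out as suggested, a check like the following shows which uncommented `ProxyCommand` lines invoke `sss_ssh_knownhostsproxy` and which Host block they belong to. This is an added example, not part of the original messages or of FreeIPA/SSSD; the function names `find_sss_proxy` and `sample_config` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report active ProxyCommand directives
# in an ssh_config-style file that invoke sss_ssh_knownhostsproxy.

# Constructed sample input; not copied from any real host.
sample_config() {
    cat <<'EOF'
# constructed sample ssh_config
Host legacy-*
    # ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    ProxyCommand none
Host *
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF
}

# find_sss_proxy FILE
# Prints "LINE<TAB>SCOPE<TAB>COMMAND" for each uncommented match, where SCOPE
# is the argument of the enclosing Host/Match block or "(global)".
find_sss_proxy() {
    awk '
        BEGIN { scope = "(global)" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # drop indentation
            if (line == "" || line ~ /^#/) next   # blank or commented out
            # ssh_config separates keyword and argument by whitespace or "="
            if (!match(line, /[ \t]*=[ \t]*|[ \t]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))   # keywords are case-insensitive
            arg = substr(line, RSTART + RLENGTH)
            if (key == "host" || key == "match") { scope = arg; next }
            if (key == "proxycommand" && arg ~ /sss_ssh_knownhostsproxy/)
                printf "%d\t%s\t%s\n", NR, scope, arg
        }
    ' "$1"
}

# Demo on the constructed sample; on a real client pass /etc/ssh/ssh_config.
demo_file=$(mktemp)
sample_config > "$demo_file"
find_sss_proxy "$demo_file"
rm -f "$demo_file"
```

`sss_ssh_knownhostsproxy` is the helper that fetches host public keys through SSSD before connecting, so with the directive commented out ssh relies on whatever known_hosts entries already exist on the client.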