[Freeipa-users] IPA sporadic behavior

John Williams john.1209 at yahoo.com
Thu Mar 24 23:41:30 UTC 2016


I've got some sporadic behavior on my IPA instance and I'm hoping someone can help me resolve the issue.  The problem is that many times my clients cannot authenticate to the respective hosts.  First, my environment.  Some details:
ipa2 - centos 6.3 - ipa server 3.0.0
ipa3 - centos 7.1 - ipa server 4.1.0
We had a FreeIPA server host ipa1 that died some time ago.  I do not have any details on that host.
Again, the problem is that clients cannot authenticate very frequently.  
Here are some examples of the problems I am having:  A client can log in to the console of a CentOS 6.7 host, but cannot SSH into it.  One user can log in to a host, but another user cannot.
Some diagnostics information:
Services running on IPA servers:
[root at ipa2 ~]# ps -ef | grep krb
root      6007  5936  0 19:21 pts/5    00:00:00 grep krb
root     22339     1  0 Feb06 ?        00:00:00 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22344 22339  0 Feb06 ?        00:42:56 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22345 22339  0 Feb06 ?        00:42:50 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2

[root at ipa3 ~]# ps -ef | grep  krb
root      2513     1  0  2015 ?        00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2514  2513  0  2015 ?        00:01:20 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2515  2513  0  2015 ?        00:01:18 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      5702  5609  0 19:20 pts/1    00:00:00 grep --color=auto krb

slapd is running on both servers:
[root at ipa3 ~]# ps -ef | grep slapd
dirsrv    2464     1  0  2015 ?        09:39:37 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w /var/run/dirsrv/slapd-IDEF.startpid
root      5707  5609  0 19:25 pts/1    00:00:00 grep --color=auto slapd
[root at ipa3 ~]#

[root at ipa2 ~]# ps -ef | grep slapd
root      6024  5936  0 19:26 pts/5    00:00:00 grep slapd
dirsrv   22137     1  3 Feb06 ?        1-20:48:55 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w /var/run/dirsrv/slapd-AAA .startpid
pkisrv   22209     1  0 Feb06 ?        00:44:54 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
[root at ipa2 ~]#

System time is synchronized across all hosts.
For DNS, I have the following entries:
[root at sharedone ~]# dig ipa.BBB.AAA +short
192.168.120.253
[root at sharedone ~]# dig ipa2.BBB.AAA +short
192.168.120.253
[root at sharedone ~]# dig ipa3.BBB.AAA +short
192.168.120.139
[root at sharedone ~]#

Now the ipa.AAA.AAA server does not exist anymore because it died.  But if I remove that DNS entry everything stops working and no one can authenticate, versus the sporadic issues we are having.
If you need more details or specific information, please let me know.  I'm at a loss as to what causes this behavior.
Thanks,
JT