[Freeipa-users] IPA sporadic behavior
Rob Crittenden
rcritten at redhat.com
Mon Mar 28 13:15:43 UTC 2016
John Williams wrote:
> I've got some sporadic behavior on my IPA instance and I'm hoping
> someone can help me resolve the issue. The problem is that many times
> my clients cannot authenticate to the respective hosts. First, my
> environment. Some details:
>
> ipa2 - centos 6.3 - ipa server 3.0.0
> ipa3 - centos 7.1 - ipa server 4.1.0
>
> We had a FreeIPA server host ipa1 that died some time ago. I do not
> have any details on that host.
>
> Again, the problem is that clients cannot authenticate very frequently.
>
> Here are some examples of the problems I am having:
> A client can log in to the console of a CentOS 6.7 host, but cannot
> SSH into it.
> One user can log in to a host, but another user cannot.
>
> Some diagnostics information:
>
> Services running on IPA servers:
>
> [root@ipa2 ~]# ps -ef | grep krb
> root 6007 5936 0 19:21 pts/5 00:00:00 grep krb
> root 22339 1 0 Feb06 ? 00:00:00 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
> root 22344 22339 0 Feb06 ? 00:42:56 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
> root 22345 22339 0 Feb06 ? 00:42:50 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
>
> [root@ipa3 ~]# ps -ef | grep krb
> root 2513 1 0 2015 ? 00:00:00 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root 2514 2513 0 2015 ? 00:01:20 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root 2515 2513 0 2015 ? 00:01:18 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root 5702 5609 0 19:20 pts/1 00:00:00 grep --color=auto krb
>
> slapd is running on both servers:
>
> [root@ipa3 ~]# ps -ef | grep slapd
> dirsrv 2464 1 0 2015 ? 09:39:37 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w
> /var/run/dirsrv/slapd-IDEF.startpid
> root 5707 5609 0 19:25 pts/1 00:00:00 grep --color=auto slapd
> [root@ipa3 ~]#
>
>
> [root@ipa2 ~]# ps -ef | grep slapd
> root 6024 5936 0 19:26 pts/5 00:00:00 grep slapd
> dirsrv 22137 1 3 Feb06 ? 1-20:48:55 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w
> /var/run/dirsrv/slapd-AAA .startpid
> pkisrv 22209 1 0 Feb06 ? 00:44:54 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w
> /var/run/dirsrv/slapd-PKI-IPA.startpid
> [root@ipa2 ~]#
>
> System time is synchronized across all hosts.
Check this https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> For DNS, I have the following entries:
>
> [root@sharedone ~]# dig ipa.BBB.AAA +short
> 192.168.120.253
> [root@sharedone ~]# dig ipa2.BBB.AAA +short
> 192.168.120.253
> [root@sharedone ~]# dig ipa3.BBB.AAA +short
> 192.168.120.139
> [root@sharedone ~]#
>
> Now the ipa.AAA.AAA server does not exist anymore because it died. But
> if I remove that DNS entry everything stops working and no one can
> authenticate, versus the sporadic issues we are having.
>
> If you need more details or specific information, please let me know.
> I'm at a loss as to what causes this behavior.
You probably need to remove old SRV records for this host.
I assume you are working on switching the 3.0 host also to 4.x?
rob
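
Added example (not part of the reply above and not FreeIPA's own tooling): one way to see which SRV records still name a server that no longer exists, which is what the reply suggests cleaning up. The domain and host names follow the thread; the list of live servers, the function names and the sample DNS answers are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list SRV records that still point at a server that no longer
# exists. Names follow the thread; the sample answers are constructed.
DOMAIN="BBB.AAA"
LIVE_SERVERS="ipa2.BBB.AAA ipa3.BBB.AAA"   # assumed list of working servers

# SRV names a FreeIPA server install publishes for client discovery.
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp
_kerberos-master._udp _kpasswd._tcp _kpasswd._udp _ntp._udp"

# Live lookup (needs DNS access; not called by default).
# Prints "<srv-name> <priority> <weight> <port> <target>" per record.
query_srv() {
    for name in $SRV_NAMES; do
        dig +short SRV "${name}.${DOMAIN}" | sed "s/^/${name} /"
    done
}

# Reads query_srv-style lines on stdin; prints "<srv-name> <target>" for
# every record whose target is not in the live-server list ($1).
stale_srv() {
    live=" $(printf '%s' "$1" | tr 'A-Z' 'a-z') "
    while read -r name prio weight port target; do
        [ -n "$target" ] || continue          # skip blank or short lines
        # DNS names are case-insensitive, so compare in lower case.
        host=$(printf '%s' "${target%.}" | tr 'A-Z' 'a-z')
        case "$live" in
            *" $host "*) ;;                   # target is a live server
            *) printf '%s %s\n' "$name" "${target%.}" ;;
        esac
    done
}

# Constructed answers: the dead host "ipa" is still listed for two services.
sample_answers() {
    cat <<'EOF'
_ldap._tcp 0 100 389 ipa.BBB.AAA.
_ldap._tcp 0 100 389 ipa2.BBB.AAA.
_ldap._tcp 0 100 389 ipa3.BBB.AAA.
_kerberos._udp 0 100 88 ipa.BBB.AAA.
_kerberos._udp 0 100 88 ipa3.BBB.AAA.
_kpasswd._tcp 0 100 464 ipa2.BBB.AAA.
EOF
}

sample_answers | stale_srv "$LIVE_SERVERS"
# To check real DNS instead: query_srv | stale_srv "$LIVE_SERVERS"
```

Clients that discover servers through SRV lookups will keep trying any target this prints, so a stale target is consistent with logins that fail only some of the time.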