[Freeipa-users] IPA sporadic behavior

Rob Crittenden rcritten at redhat.com
Mon Mar 28 13:15:43 UTC 2016


John Williams wrote:
> I've got some sporadic behavior on my IPA instance and I'm hoping
> someone can help me resolve the issue.  The problem is that many times
> my clients cannot authenticate to the respective hosts.  First, my
> environment.  Some details:
>
> ipa2 - centos 6.3 -  ipa server 3.0.0
> ipa3 - centos 7.1 - ipa server 4.1.0
>
> We had a FreeIPA server host ipa1 that died some time ago.  I do not
> have any details on that host.
>
> Again, the problem is that clients cannot authenticate very frequently.
>
> Here are some examples of the problems I am having:
>    A client can login to the console of a CentOS 6.7 host, but cannot
> SSH into it.
>    One user can login to a host, but another user cannot.
>
> Some diagnostics information:
>
> Services running on IPA servers:
>
> [root at ipa2 ~]# ps -ef | grep krb
> root      6007  5936  0 19:21 pts/5    00:00:00 grep krb
> root     22339     1  0 Feb06 ?        00:00:00 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
> root     22344 22339  0 Feb06 ?        00:42:56 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
> root     22345 22339  0 Feb06 ?        00:42:50 /usr/sbin/krb5kdc -r AAA
> -P /var/run/krb5kdc.pid -w 2
>
> [root at ipa3 ~]# ps -ef | grep  krb
> root      2513     1  0  2015 ?        00:00:00 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root      2514  2513  0  2015 ?        00:01:20 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root      2515  2513  0  2015 ?        00:01:18 /usr/sbin/krb5kdc -P
> /var/run/krb5kdc.pid -w 2
> root      5702  5609  0 19:20 pts/1    00:00:00 grep --color=auto krb
>
> slapd is running on both servers:
>
> [root at ipa3 ~]# ps -ef | grep slapd
> dirsrv    2464     1  0  2015 ?        09:39:37 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w
> /var/run/dirsrv/slapd-IDEF.startpid
> root      5707  5609  0 19:25 pts/1    00:00:00 grep --color=auto slapd
> [root at ipa3 ~]#
>
>
> [root at ipa2 ~]# ps -ef | grep slapd
> root      6024  5936  0 19:26 pts/5    00:00:00 grep slapd
> dirsrv   22137     1  3 Feb06 ?        1-20:48:55 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w
> /var/run/dirsrv/slapd-AAA .startpid
> pkisrv   22209     1  0 Feb06 ?        00:44:54 /usr/sbin/ns-slapd -D
> /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w
> /var/run/dirsrv/slapd-PKI-IPA.startpid
> [root at ipa2 ~]#
>
> System time is synchronized across all hosts.

Check this https://fedorahosted.org/sssd/wiki/Troubleshooting

>
> For DNS, I have the following entries:
>
> [root at sharedone ~]# dig ipa.BBB.AAA +short
> 192.168.120.253
> [root at sharedone ~]# dig ipa2.BBB.AAA +short
> 192.168.120.253
> [root at sharedone ~]# dig ipa3.BBB.AAA +short
> 192.168.120.139
> [root at sharedone ~]#
>
> Now the ipa.AAA.AAA server does not exist anymore because it died.  But
> if I remove that DNS entry everything stops working and no one can
> authenticate, versus the sporadic issues we are having.
>
> If you need more details or specific information, please let me know.
>   I'm at a loss as to what causes this behavior.

You probably need to remove old SRV records for this host.

I assume you are working on switching the 3.0 host also to 4.x?

rob
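
The reply above points at leftover SRV records for the dead server. As an added example (not part of the original thread), this script lists SRV targets that are not among the known-live IPA servers. The domain example.test, the host names and the sample dig output are constructed placeholders.

```shell
#!/bin/sh
# Added example: list SRV targets that are not known-live IPA servers.
# All host and domain names below are constructed placeholders.

# SRV names a FreeIPA deployment publishes for client discovery.
SRV_NAMES="_ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _kpasswd._tcp _kpasswd._udp"

# stale_srv_targets LIVE_HOSTS
# Reads `dig +short SRV` lines ("prio weight port target.") on stdin and
# prints each target that is not in the space-separated LIVE_HOSTS list.
stale_srv_targets() {
    live=" $1 "
    awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }' | sort -u |
    while read -r target; do
        case "$live" in
            *" $target "*) ;;          # still a live server, keep quiet
            *) echo "$target" ;;       # record points at an unknown host
        esac
    done
}

# check_domain DOMAIN LIVE_HOSTS
# Live variant: queries every SRV name with dig and reports stale targets.
check_domain() {
    for name in $SRV_NAMES; do
        stale=$(dig +short SRV "$name.$1" | stale_srv_targets "$2")
        [ -n "$stale" ] && echo "$name.$1 -> $stale"
    done
    return 0
}

# Constructed sample of `dig +short SRV _kerberos._udp.example.test`.
SAMPLE='0 100 88 ipa1.example.test.
0 100 88 ipa2.example.test.
0 100 88 ipa3.example.test.'

# Runs the filter over the constructed sample; ipa1 is the dead server.
sample_stale() {
    printf '%s\n' "$SAMPLE" |
        stale_srv_targets "ipa2.example.test ipa3.example.test"
}

sample_stale
```

Against a real deployment, call `check_domain` with the DNS domain and the list of servers that are actually up; any target it prints is a record clients may still be picking during discovery.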



