[Freeipa-users] sssd went away, failed to restart

Harald Dunkel harald.dunkel at aixigo.de
Thu May 12 13:35:46 UTC 2016


On 05/12/16 13:48, Lukas Slebodnik wrote:
> It would be nice if you could provide a reliable reproducer.
> I'm sorry we do not have a crystal ball and sssd log files
> did not help either. They are truncated.
> 

That's all I got.

> I would like to fix it but I do not know what to fix.
> 
> Is there anything interesting/suspicious in syslog/journald
> from the same time?
> 

"journalctl -u sssd" says

May 12 06:03:15 srvvm01.ac.example.com sssd[373]: Starting up
May 12 06:03:21 srvvm01.ac.example.com sssd[be[417]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[438]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[440]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[437]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[439]: Starting up
May 12 06:03:29 srvvm01.ac.example.com sssd[441]: Starting up
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 2
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: sssd.service start operation timed out. Terminating.
May 12 06:04:05 srvvm01.ac.example.com sssd[438]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[437]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[be[417]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Failed to start System Security Services Daemon.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Unit sssd.service entered failed state.

AFAICS we have to focus in sssd_example.com.log on the
log file entries between 06:03:29 and 06:04:05. Did you
notice the "Backend is online, starting delayed online
authentication" close to the end of the log file? Is
this expected? What should have happened next?

:
:

>> You have cut off the time stamps. Here they are:
>>
> That was on purpose. Because it's clear that "Communication with KDC timed out"
> The question is why?
> 6 seconds must be enough unless you try to connect to the server
> which is located on the opposite side of the globe.
> 

Sorry to say, but this assumption is not justified. Next to
network lag there can be other delays (swapped out jobs, out
of entropy on /dev/random, a disk needs to spin up, high load,
DNS not responding, whatever).

Would you agree that this is OT, since sssd *did* find ipa1
within a reasonable time?


Regards
Harri



