[Freeipa-users] Fwd: Marking subdomain offline

mike at chinewalking.com mike at chinewalking.com
Thu Apr 6 17:21:01 UTC 2017 

Hi,

My IPA<->AD trust setup experiences intermittent failures during login 
events. The AD subdomain goes in an inactive/offline state and users 
logging in are put into a 'delayed authentication' queue. Usually 
logging in after a minute or so succeeds as the subdomain is reset and 
the user is cached for following events. At all times getent/id and 
kinit's are succesfull, even with a purged sssd cache.
SRV records are correctly resolved, except for _kerberos-master.

I have not been able to further troubleshoot the intermittent failures. 
Traffic captures show no strange behaviour, yet the sssd_domain log is 
clearly showing AD to be unreachable at times. All AD servers are W2012 
and DNS masking _ldap and _kerberos to single nodes, factoring out any 
faulty Windows configs, so far has not had any effect (Would it?).

sssd's data_provider_fo.c :> be_fo_reset_svc() calls fo_get_service(), 
which returns EOK. I'm not familiar yet with the variables at play, 
would adding debug statements here reveal faults that may cause this?

Any pointers are very much appreciated.

Mike


[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): 
Looking up AD account
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0080): 
Sudomain lookup failed, will try to reset sudomain..
[sssd[be[unix.foo.local]]] [ipa_server_trusted_dom_setup_send] (0x1000): 
Trust direction of subdom foo.local from forest foo.local is: one-way 
inbound: local domain trusts the remote domain
[sssd[be[unix.foo.local]]] [ipa_server_trusted_dom_setup_1way] (0x0400): 
Will re-fetch keytab for foo.local
[sssd[be[unix.foo.local]]] [ipa_getkeytab_send] (0x0400): Retrieving 
keytab for UNIX$@FOO.local from ipa01.unix.foo.local into 
/var/lib/sss/keytabs/foo.local.keytab6AXxWV using ccache 
/var/lib/sss/db/ccache_UNIX.FOO.local
[sssd[be[unix.foo.local]]] [child_handler_setup] (0x2000): Setting up 
signal handler up for pid [6242]
[sssd[be[unix.foo.local]]] [child_handler_setup] (0x2000): Signal 
handler set up for pid [6242]
[sssd[be[unix.foo.local]]] [sdap_process_result] (0x2000): Trace: 
sh[0x7f71cd9ddb80], connected[1], ops[(nil)], ldap[0x7f71cd9e65a0]
[sssd[be[unix.foo.local]]] [sdap_process_result] (0x2000): Trace: end of 
ldap_result list
[sssd[be[unix.foo.local]]] [ad_online_cb] (0x0400): The AD provider is 
online
[sssd[be[unix.foo.local]]] [be_ptask_online_cb] (0x0400): Back end is 
online
[sssd[be[unix.foo.local]]] [be_ptask_enable] (0x0080): Task [Subdomains 
Refresh]: already enabled
Keytab successfully retrieved and stored in: 
/var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [child_sig_handler] (0x1000): Waiting for 
child [6242].
[sssd[be[unix.foo.local]]] [child_sig_handler] (0x0100): child [6242] 
finished successfully.
[sssd[be[unix.foo.local]]] [ipa_getkeytab_recv] (0x2000): ipa-getkeytab 
status 0
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): 
Keytab successfully retrieved to 
/var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x2000): 
Keytab renamed to /var/lib/sss/keytabs/foo.local.keytab
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): 
Keytab /var/lib/sss/keytabs/foo.local.keytab6AXxWV contains the expected 
principals
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): 
Established trust context for foo.local
[sssd[be[unix.foo.local]]] [unique_filename_destructor] (0x2000): 
Unlinking [/var/lib/sss/keytabs/foo.local.keytab6AXxWV]
[sssd[be[unix.foo.local]]] [unlink_dbg] (0x2000): File already removed: 
[/var/lib/sss/keytabs/foo.local.keytab6AXxWV]
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_retried] (0x0400): Sudomain 
re-set, will retry lookup
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x1000): Resetting all 
servers in service foo.local
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x0080): Cannot retrieve 
service [foo.local]
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): 
Looking up AD account
[sssd[be[unix.foo.local]]] [be_mark_dom_offline] (0x1000): Marking 
subdomain foo.local offline
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0040): 
ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [ipa_subdomain_account_done] (0x0040): 
ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [dp_reply_std_set] (0x0080): DP Error is OK 
on failed request?
[sssd[be[unix.foo.local]]] [dp_req_done] (0x0400): DP Request [Account 
#4]: Request handler finished [0]: Success

More information about the Freeipa-users mailing list