[Freeipa-users] Fwd: Marking subdomain offline

Jakub Hrozek jhrozek at redhat.com
Thu Apr 6 18:18:42 UTC 2017


On Thu, Apr 06, 2017 at 07:21:01PM +0200, mike at chinewalking.com wrote:
> Hi,
> 
> My IPA<->AD trust setup experiences intermittent failures during login
> events. The AD subdomain goes in an inactive/offline state and users logging
> in are put into a 'delayed authentication' queue. Usually logging in after a
> minute or so succeeds as the subdomain is reset and the user is cached for
> following events. At all times getent/id and kinits are successful, even
> with a purged sssd cache.
> SRV records are correctly resolved, except for _kerberos-master.
> 
> I have not been able to further troubleshoot the intermittent failures.
> Traffic captures show no strange behaviour, yet the sssd_domain log is
> clearly showing AD to be unreachable at times. All AD servers are W2012 and
> DNS masking _ldap and _kerberos to single nodes, factoring out any faulty
> Windows configs, so far has not had any effect (Would it?).
> 
> sssd's data_provider_fo.c :> be_fo_reset_svc() calls fo_get_service(), which
> returns EOK. I'm not familiar yet with the variables at play, would adding
> debug statements here reveal faults that may cause this?

Could you paste a bit more context? I think what would work is to trim
the logs (truncate --size 0), then reproduce the issue and search for
the first occurrence of "NOT_WORKING" message from any of the fo_*
functions.
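The procedure suggested in the reply, written out as a small shell helper. This is an added example, not code from the thread or from the sssd project: the domain log path, the log line format and the exact "not working" wording in the sample lines are assumptions (the wording varies between sssd versions, so the search matches both "not working" and "NOT_WORKING" case-insensitively and only lines logged by an fo_* function).

```shell
#!/bin/sh
# Added example (not from the thread). Empties the sssd domain log, then,
# after the login failure has been reproduced, prints the first line in
# which any fo_* failover function marks a port or server as not working.

# Assumed path of the domain log; override with SSSD_LOG=... in the environment.
SSSD_LOG=${SSSD_LOG:-/var/log/sssd/sssd_ipa.example.com.log}

# Step 1 (as root, before reproducing): trim the log in place so the first
# failover mark after the reproduction is also the first one in the file.
truncate_log() {
    truncate --size 0 "$1"
}

# Step 3 (after reproducing): first line where an fo_* function logs a
# "not working" / "NOT_WORKING" mark. The "[fo_" anchor deliberately skips
# callers such as be_fo_reset_svc, which only call into the fo_* code.
first_not_working() {
    grep -i -m 1 -E '\[fo_[a-z_]+\].*not[ _]working' "$1"
}

# Constructed sample log lines in an assumed sssd log format, for a demo run.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
(Thu Apr  6 18:10:01 2017) [sssd[be[ipa.example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Apr  6 18:10:02 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.ad.example.com' as 'not working'
(Thu Apr  6 18:10:02 2017) [sssd[be[ipa.example.com]]] [fo_set_server_status] (0x0100): Marking server 'dc1.ad.example.com' as 'not working'
EOF
first_not_working "$demo_log"
rm -f "$demo_log"

# Real run (uncomment): truncate_log "$SSSD_LOG"; reproduce; first_not_working "$SSSD_LOG"
```

The timestamp on the line it prints is the point to line up against the packet capture: whatever sssd saw immediately before that mark (a timed-out LDAP bind, an unanswered Kerberos request, a failed SRV lookup) is the candidate cause, and the lines just above it in the log name the server and port involved.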
