[Freeipa-users] Data Provider is offline

Michaël Van de Borne michael.van.de.borne at gmail.com
Wed Mar 22 19:54:09 UTC 2017


Thank you, this pointed me to a new direction.

So here was the problem (but I still don't know what caused it):
In the logs, I found that, when starting, sssd would try to
kinit -kt /etc/krb5.keytab host/epoddev8.vgt.vito.be@VGT.VITO.BE
And that would throw:
kinit: Program lacks support for encryption type while getting initial credentials

So I ran klist -ke on each node (the one properly working, and the 
failing one) and both showed the same encryption types:
  (aes256-cts-hmac-sha1-96)
  (aes128-cts-hmac-sha1-96)
  (des3-cbc-sha1)
  (arcfour-hmac)

I began to think the issue was not about the encryption type, but a 
corrupted krb5.keytab. So I generated a new one using:
ipa-join -h epoddev8.vgt.vito.be -s epoddev5.vgt.vito.be

That gave me a new krb5.keytab, but kinit on it gave me:
kinit: Password incorrect while getting initial credentials

I didn't know what to do at this point and frustration was too big, so I 
just un-enrolled and re-enrolled the host, and everything worked.

Really frustrating not to know what the problem was...
Let's consider the problem is solved, but if anybody has an idea of what 
was going around...

Cheers,

m.


-- 
*Michaël Van de Borne*
Free Bird Computing SPRL - Gérant
104 rue d'Azebois, 6230 Thiméon
*Tel:* +32(0)472 695716
*Skype:* mikemowgli
*TVA:* BE0637.834.386
Linkedin profile 
<https://www.linkedin.com/in/micha%C3%ABl-van-de-borne-56409167>

On 22-03-17 at 17:51, Jakub Hrozek wrote:
> On Wed, Mar 22, 2017 at 05:30:34PM +0100, Michaël Van de Borne wrote:
>> Hi all,
>>
>> So I have 2 Centos7 hosts, with same sssd and nsswitch configs.
>> One does find the users in IPA, and the other doesn't.
>> Looks like the Data Provider is offline.
>> I sent the SIGUSR2 signal to sssd which is supposed to bring him online.
>> Didn't help.
>> The hosts can resolve the IPA server hostname. SElinux is enforced. Iptables
>> is disabled.
>>
>> here's my sssd.conf
>>
>> [domain/vgt.vito.be]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = vgt.vito.be
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = epoddev8.vgt.vito.be
>> chpass_provider = ipa
>> ipa_server = _srv_, epoddev5.vgt.vito.be
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> debug_level = 7
>> [sssd]
>> services = nss, sudo, pam, ssh
>> domains = vgt.vito.be
>> [nss]
>> homedir_substring = /home
>> debug_level = 7
>> [pam]
>> [sudo]
>> [autofs]
>> [ssh]
>> [pac]
>> [ifp]
>>
>>
>> here's the log of sssd_nss.log
>>
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [accept_fd_handler] (0x0400): Client
>> connected!
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
>> Received client version [1].
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
>> Offered version [1].
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
>> command [17][SSS_NSS_GETPWNAM] with input [vdbornem].
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_parse_name_for_domains]
>> (0x0200): name 'vdbornem' matched without domain, user is vdbornem
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
>> Requesting info for [vdbornem] from [<ALL>]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
>> Requesting info for [vdbornem@vgt.vito.be]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
>> LOCAL view, continuing with provided values.
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400):
>> Issuing request for [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
>> Creating request for
>> [vgt.vito.be][0x1][BE_REQ_USER][1][name=vdbornem@vgt.vito.be:-]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
>> Entering request [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data
>> Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
>> Unable to get information from Data Provider
>> Error: 3, 5, Failed to get reply from Data Provider
>> Will try to return what we have in cache
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
>> Deleting request: [0x7f7ffd1d1880:1:vdbornem@vgt.vito.be@vgt.vito.be]
>> (Wed Mar 22 16:27:22 2017) [sssd[nss]] [client_recv] (0x0200): Client
>> disconnected!
> Restart sssd, which starts from a clean slate, then look for the first
> occurrence of "Going offline" or "Not working" in the logs, then check
> which operation triggered that.
>
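
The log triage suggested in the quoted reply above, as an added example that is not part of the original thread: a shell function that prints the first "Going offline" or "Not working" line of an SSSD log together with the lines that led up to it. The sample log is constructed (placeholder function names, example.test hosts), and the case-insensitive match is an assumption about how the messages are capitalised.

```shell
#!/bin/sh
# Added example: find the first offline transition in an SSSD log.

# first_offline LOGFILE [CONTEXT]
# Prints up to CONTEXT lines (default 5) preceding the first line that
# contains "going offline" or "not working", then that line marked ">>> ".
# Returns 1 when the log contains no such line.
first_offline() {
    awk -v ctx="${2:-5}" '
        tolower($0) ~ /going offline|not working/ {
            # Replay the ring buffer: lines NR-ctx .. NR-1, oldest first.
            for (i = NR - ctx; i < NR; i++)
                if (i >= 1) print "    " buf[i % ctx]
            print ">>> " $0
            found = 1
            exit
        }
        ctx > 0 { buf[NR % ctx] = $0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample log, NOT real SSSD output. Function names are
# placeholders; the kinit error text is the one quoted in the post.
sample_log() {
    cat <<'EOF'
(Wed Mar 22 16:27:20 2017) [sssd[be[example.test]]] [placeholder_init] (0x0400): Backend starting
(Wed Mar 22 16:27:20 2017) [sssd[be[example.test]]] [placeholder_resolve] (0x0400): Resolved server ipa.example.test
(Wed Mar 22 16:27:21 2017) [sssd[be[example.test]]] [placeholder_kinit] (0x0400): Trying keytab /etc/krb5.keytab for host/client.example.test@EXAMPLE.TEST
(Wed Mar 22 16:27:21 2017) [sssd[be[example.test]]] [placeholder_kinit] (0x0020): Program lacks support for encryption type
(Wed Mar 22 16:27:22 2017) [sssd[be[example.test]]] [placeholder_offline] (0x2000): Going offline!
(Wed Mar 22 16:27:25 2017) [sssd[be[example.test]]] [placeholder_request] (0x0040): Request refused, backend is offline
(Wed Mar 22 16:27:30 2017) [sssd[be[example.test]]] [placeholder_offline] (0x2000): Going offline!
EOF
}

# Demo run on the constructed log, showing two lines of context.
demo_log=$(mktemp)
sample_log > "$demo_log"
first_offline "$demo_log" 2
rm -f "$demo_log"
```

On a real host, restart sssd first so the log starts clean, then point the function at the domain's log file under /var/log/sssd/ rather than at sssd_nss.log, which only reports that the Data Provider is already offline.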
