On Wed, Aug 23, 2017 at 05:13:13PM +0200, Michael Gusek via FreeIPA-users wrote:
> Hi,
> 
> we are testing a FreeIPA trust to an Active Directory. Trust itself
> works, we are happy. Now we tested a failure on FreeIPA site. We have
> two instances, both with same roles. If we power off first installed
> server, and clean sssd caches with restart of sssd on client side, sssd
> service can’t establish a connection to second instance.
> 
> ipa-lx-test-01.ipa.example.com is the first installed FreeIPA with
> ipa-server-4.4.0-14.el7.centos.7.x86_64 on latest CentOS7
> ipa-lx-test-02.ipa.example.com is the second installed FreeIPA with
> ipa-server-4.4.0-14.el7.centos.7.x86_64 on latest CentOS7
> ipa-lx-test-debian9.ipa.example.com is a latest Debian 9.1 with sssd
> 1.15.0-3
> 
> For deeper inspection full log is attached. In logs we found something
> like this:

OK, so as you say communication with the KDC failed:
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-lx-test-02.ipa.example.com: [x.x.x.x] TTL 1200
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 81
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2104]
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2104]
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x558252c35750], connected[1], ops[(nil)], ldap[0x558252c130c0]
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to tgt child [2104] reached.
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending SIGKILL to tgt child
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_sig_handler] (0x1000): Waiting for child [2104].
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_sig_handler] (0x0020): child [2104] failed with status [7].
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_callback] (0x0020): LDAP child was terminated due to timeout
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1207
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa-lx-test-02.ipa.example.com' as 'not working'
(Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ipa-lx-test-02.ipa.example.com' as 'not working'

Could you check in the ldap_child.log which KDC did SSSD try to talk to
and what takes so long?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
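
Added example (not part of the original message and not SSSD code): a triage helper for the pattern in the log above, pairing each tgt child timeout setting with the later "terminated due to timeout" entry and the servers then marked 'not working'. The function name find_kinit_timeouts and the record fields are assumptions; the sample lines are copied from the log above with the mail wrapping removed.

```python
import re
from datetime import datetime

# SSSD backend debug line: (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<fn>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
DOWN = re.compile(r"port (\d+) of (?:duplicate )?server '([^']+)' as 'not working'")

def find_kinit_timeouts(lines):
    """Return one record per TGT attempt whose ldap_child was killed on timeout."""
    events, cur, server = [], None, None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped fragments or foreign lines are skipped
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        fn, msg = m["fn"], m["msg"]
        if fn == "be_resolve_server_process":
            s = re.search(r"Found address for server (\S+):", msg)
            server = s[1] if s else server
        elif fn == "set_tgt_child_timeout":
            s = re.search(r"Setting (\d+) seconds", msg)
            if s:  # a new TGT attempt starts against the last resolved server
                cur = {"server": server, "start": ts,
                       "limit": int(s[1]), "marked_down": []}
        elif fn == "child_callback" and "terminated due to timeout" in msg and cur:
            cur["waited"] = int((ts - cur["start"]).total_seconds())
            events.append(cur)
            cur = None
        elif fn == "fo_set_port_status" and events:
            s = DOWN.search(msg)
            entry = (s[2], int(s[1])) if s else None
            if entry and entry not in events[-1]["marked_down"]:
                events[-1]["marked_down"].append(entry)  # duplicates collapse
    return events

# Lines taken from the log in the message above, unwrapped.
P = "(Wed Aug 23 16:07:1{}) [sssd[be[ipa.example.com]]] "
SAMPLE = [
    P.format("1 2017") + "[be_resolve_server_process] (0x0200): Found address for server ipa-lx-test-02.ipa.example.com: [x.x.x.x] TTL 1200",
    P.format("1 2017") + "[set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child",
    P.format("7 2017") + "[child_callback] (0x0020): LDAP child was terminated due to timeout",
    P.format("7 2017") + "[fo_set_port_status] (0x0100): Marking port 389 of server 'ipa-lx-test-02.ipa.example.com' as 'not working'",
    P.format("7 2017") + "[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ipa-lx-test-02.ipa.example.com' as 'not working'",
]

if __name__ == "__main__":
    for e in find_kinit_timeouts(SAMPLE):
        print(e["server"], "waited", e["waited"], "of", e["limit"], "s;", e["marked_down"])
```

A waited value equal to the limit means the child used the whole timeout without an answer, which is why ldap_child.log is the next place to look.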
