On Tue, Sep 5, 2017 at 2:57 PM, Jakub Hrozek via FreeIPA-users <firstname.lastname@example.org> wrote: > OK, so it's SSSD telling libkrb5 to talk to auth.astro. Since in your > sssd.conf, auth.astro is listed in addition to the 'local' IPA server, I > would check the sssd logs if sssd can contact the server it is running > on. > > Because I think it's falling back to auth.astro, writing its IP address > to the kdcinfo files which breaks other things. btw because similar > issues were reported after 7.4 was released, we fixed sssd in git master > already so that the kdcinfo files are not generated on the masters at > all. You can achieve the same effect by setting 'krb5_use_kdcinfo = > false', but I would also check the sssd logs for any issues talking to > the IPA server, because it is listed first aftre all, so I assume sssd > must be failing over..
That was it! I'm guessing that the failover happened when I was upgrading the machines, though jedgar was the first one upgraded and the other two a few days later when things seemed to be working. But I just added the krb5_use_kdcinfo = false line to sssd.conf, restarted sssd, and the 'kinit' line succeeded. Tried the web UI and it's working perfectly. Will add that to the puppet config for IPA servers so the other two should get it shortly and everything sorted. Thank you very much for your time and assistance working through this. -- Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci Princeton University | ICBM Address: 40.346344 -74.652242 345 Lewis Library |"On my ship, the Rocinante, wheeling through Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus, (267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1' _______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org