On Tue, Sep 5, 2017 at 2:57 PM, Jakub Hrozek via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
> OK, so it's SSSD telling libkrb5 to talk to auth.astro. Since in your
> sssd.conf, auth.astro is listed in addition to the 'local' IPA server, I
> would check the sssd logs if sssd can contact the server it is running
> on.
>
> Because I think it's falling back to auth.astro, writing its IP address
> to the kdcinfo files which breaks other things. btw because similar
> issues were reported after 7.4 was released, we fixed sssd in git master
> already so that the kdcinfo files are not generated on the masters at
> all. You can achieve the same effect by setting 'krb5_use_kdcinfo =
> false', but I would also check the sssd logs for any issues talking to
> the IPA server, because it is listed first aftre all, so I assume sssd
> must be failing over..

That was it!

I'm guessing that the failover happened when I was upgrading the
machines, though jedgar was the first one upgraded and the other two a
few days later when things seemed to be working.  But I just added the
krb5_use_kdcinfo = false line to sssd.conf, restarted sssd, and the
'kinit' line succeeded.  Tried the web UI and it's working perfectly.
Will add that to the puppet config for IPA servers so the other two
should get it shortly and everything sorted.

Thank you very much for your time and assistance working through this.


-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to