On Fri, Aug 21, 2020 at 01:14:00AM +0000, Robert Sturrock via FreeIPA-users wrote:
> Hi All,
>
> We are trying to get to the bottom of an issue with a (single instance) IPA
> server in a trust relationship with AD. IPA will (intermittently) fail to
> resolve all of a user's groups.
>
> The IPA domain is 'unix.domain.com' and the AD domain is 'domain.com'.
>
> Having been through the logs for clues as to why this is happening, one error
> that stands out is this one:
>
> (Sun Aug 2 03:20:03 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline]
> (0x1000): Marking subdomain domain.com as inactive

Hi,

the reason why the domain is marked offline should be shown in the log
messages before this line. Since the sssctl output shows a lot of resolved
domain controllers I guess there is no DNS issue. Since you said that some
lookups work I guess authentication to the AD DCs is working as well. So most
probably some group-related LDAP searches either time out or return an error
which causes SSSD to switch into offline mode.

Are you using the default sssd.conf created by ipa-client-install or did you
modify sssd.conf? In the latter case, can you share sssd.conf or at least the
changes?

bye,
Sumit

> This error is present in the log on the IPA server many, many thousands of
> times.
>
> The output of 'sssctl domain-status domain.com' on the IPA server also seems
> to see AD as being offline:
>
> root@vmpr-linuxidm:~# sssctl domain-status domain.com
> Online status: Offline
>
> Active servers:
> AD Global Catalog: papr-dc1.domain.com
> AD Domain Controller: papr-dc1.domain.com
> IPA: vmpr-linuxidm.unix.domain.com
>
> Discovered AD Global Catalog servers:
> - vmpr-fac-dc2.facility.domain.com
> - papr-dc1.domain.com
> - papr-dc3.domain.com
> - vmpr-fac-dc1.facility.domain.com
> - papr-dc2.domain.com
> - azspr-dc1.domain.com
> - stpr-dc1.domain.com
> - stpr-dc2.domain.com
> - papr-dc4.domain.com
>
> Discovered AD Domain Controller servers:
> - papr-dc1.domain.com
> - papr-dc2.domain.com
> - papr-dc3.domain.com
> - papr-dc4.domain.com
> - azspr-dc1.domain.com
> - stpr-dc2.domain.com
> - stpr-dc1.domain.com
>
> Discovered IPA servers:
> - vmpr-linuxidm.unix.domain.com
>
> I don't know whether this error is related to the symptom we're seeing with
> the groups, but it seems like an obvious problem that we should endeavour to
> fix as a first step.
>
> If AD were truly 'offline', then I'd expect NO resolution of trust
> users/groups to occur at all, but that's not the case.
>
> Can anyone provide some pointers to help debug why IPA would think the AD
> domain is offline?
>
> Regards,
>
> Robert.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
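The approach Sumit suggests, walking back from each be_mark_subdom_offline line to the messages SSSD logged just before it, can be scripted. This is an added example, not code from the thread or from SSSD; the sample log lines are constructed to match SSSD's debug-line layout (only the be_mark_subdom_offline line comes from Robert's mail), the function names in them are assumed, and CAUSE_HINTS is an assumption about typical wording of failed or timed-out LDAP operations.

```python
import re
from collections import deque

# SSSD debug line layout: "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Assumption: fragments that typically appear in the message explaining a failed
# or timed-out LDAP operation; extend this list for your own logs.
CAUSE_HINTS = ("timed out", "timeout", "can't contact", "error", "failed")

def parse_line(line):
    """Return the parsed fields of one SSSD debug line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_offline_causes(lines, context=5):
    """For every be_mark_subdom_offline line, collect the `context` parsed lines
    logged before it and flag those whose message looks like an LDAP failure."""
    window = deque(maxlen=context)
    events = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "be_mark_subdom_offline":
            suspects = [r for r in window
                        if any(h in r["msg"].lower() for h in CAUSE_HINTS)]
            events.append({"ts": rec["ts"], "domain": rec["dom"], "msg": rec["msg"],
                           "context": list(window), "suspects": suspects})
        window.append(rec)
    return events

# Constructed sample: only the last line is from the thread; the first three are
# made up in SSSD's layout (function names assumed) to show a timed-out group search.
SAMPLE_LOG = """\
(Sun Aug  2 03:19:58 2020) [sssd[be[unix.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=group)(gidNumber=*))][DC=domain,DC=com].
(Sun Aug  2 03:20:03 2020) [sssd[be[unix.domain.com]]] [sdap_op_timeout] (0x0040): Client timed out before communication finished.
(Sun Aug  2 03:20:03 2020) [sssd[be[unix.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Sun Aug  2 03:20:03 2020) [sssd[be[unix.domain.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain domain.com as inactive
"""

if __name__ == "__main__":
    for ev in find_offline_causes(SAMPLE_LOG.splitlines()):
        print(f"{ev['ts']}: {ev['msg']}")
        for r in ev["suspects"]:
            print(f"  likely cause -> [{r['func']}] {r['msg']}")
```

Run it against /var/log/sssd/sssd_unix.domain.com.log (with debug_level raised in the [domain/...] section) to see what preceded each offline marker.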
