On 2012-09-17, at 2:54 PM, Dmitri Pal wrote:

> On 09/17/2012 02:18 PM, Michael Mercier wrote:
>> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
>> 
>>> On 09/17/2012 10:14 AM, Michael Mercier wrote:
>>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>>>> 
>>>>> Michael Mercier wrote:
>>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>> 
>>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>> 
>>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>>> Hello,
>>>>>>>>>> 
>>>>>>>>>> I have experienced some odd connectivity issues using MMR with 
>>>>>>>>>> FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver / 
>>>>>>>>>> ipaserver2) setup using MMR.
>>>>>>>>>> 
>>>>>>>>>> [root@ipaserver ~]#ipa-replica-manage list
>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> [root@ipaserver2 ~]#ipa-replica-manage list
>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>>>> 
>>>>>>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>> 
>>>>>>>>>> <Location />
>>>>>>>>>> SSLRequireSSL
>>>>>>>>>> AuthType Kerberos
>>>>>>>>>> AuthName "Kerberos Login"
>>>>>>>>>> 
>>>>>>>>>> KrbMethodK5Passwd Off
>>>>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>>>>> KrbSaveCredentials on
>>>>>>>>>> KrbServiceName HTTP
>>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>>>> 
>>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>>>> </Location>
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to 
>>>>>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am 
>>>>>>>>>> successfully connected.  If on ipaserver I do a 'ifdown eth0' and 
>>>>>>>>>> attempt another connection, it fails.  I have also noticed the 
>>>>>>>>>> following:
>>>>>>>>>> 
>>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when 
>>>>>>>>>> ipaserver is unavailable.
>>>>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>>>> 
>>>>>>>>>> If I then perform:
>>>>>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>>>>>> 
>>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>> 
>>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>>>> 
>>>>>>>>>> [root@ipaserver2 ~]#ifup eth0
>>>>>>>>>> 
>>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>> 
>>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>> 
>>>>>>>>>> .. wait number of minutes
>>>>>>>>>> 
>>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7 
>>>>>>>>>> seconds) screen unlock completes
>>>>>>>>>> 
>>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>> 
>>>>>>>>>> Any ideas?
>>>>>>>>>> 
>>>>>>>>>> Thanks,
>>>>>>>>>> Mike
>>>>>>>>> This seems to be some DNS problem.
>>>>>>>>> Your client does not see the second replica and might have some name
>>>>>>>>> resolution timeouts.
>>>>>>>>> 
>>>>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>>>> 
>>>>>>>>> To help more we need more details about your client configuration, DNS
>>>>>>>>> and kerberos.
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> Additional information...
>>>>>>>> 
>>>>>>>> [root@zenoss ~]#more /etc/resolv.conf
>>>>>>>> search mpls.local
>>>>>>>> domain mpls.local
>>>>>>>> nameserver 172.16.112.5
>>>>>>>> nameserver 172.16.112.8
>>>>>>>> 
>>>>>>>> [root@zenoss ~]# more /etc/krb5.conf
>>>>>>>> #File modified by ipa-client-install
>>>>>>>> 
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>> dns_lookup_realm = true
>>>>>>>> dns_lookup_kdc = true
>>>>>>>> rdns = false
>>>>>>>> ticket_lifetime = 24h
>>>>>>>> forwardable = yes
>>>>>>>> 
>>>>>>>> [realms]
>>>>>>>> MPLS.LOCAL = {
>>>>>>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>> }
>>>>>>>> 
>>>>>>>> [domain_realm]
>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>> 
>>>>>>>> [root@ipaclient ~]# more /etc/resolv.conf
>>>>>>>> # Generated by NetworkManager
>>>>>>>> search mpls.local
>>>>>>>> nameserver 172.16.112.5
>>>>>>>> nameserver 172.16.112.8
>>>>>>>> 
>>>>>>>> [root@ipaclient ~]# more /etc/krb5.conf
>>>>>>>> #File modified by ipa-client-install
>>>>>>>> 
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>> dns_lookup_realm = true
>>>>>>>> dns_lookup_kdc = true
>>>>>>>> rdns = false
>>>>>>>> ticket_lifetime = 24h
>>>>>>>> forwardable = yes
>>>>>>>> 
>>>>>>>> [realms]
>>>>>>>> MPLS.LOCAL = {
>>>>>>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>> }
>>>>>>>> 
>>>>>>>> [domain_realm]
>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>> 
>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>> Server:                172.16.112.5
>>>>>>>> Address:       172.16.112.5#53
>>>>>>>> 
>>>>>>>> Name:  ipaserver.mpls.local
>>>>>>>> Address: 172.16.112.5
>>>>>>>> 
>>>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>>>> 
>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>> Server:                172.16.112.8
>>>>>>>> Address:       172.16.112.8#53
>>>>>>>> 
>>>>>>>> Name:  ipaserver.mpls.local
>>>>>>>> Address: 172.16.112.5
>>>>>>>> 
>>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>>> Server:                172.16.112.8
>>>>>>>> Address:       172.16.112.8#53
>>>>>>>> 
>>>>>>>> Name:  ipaserver2.mpls.local
>>>>>>>> Address: 172.16.112.8
>>>>>>>> 
>>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>>>> 
>>>>>>>> @ NS ipaserver.mpls.local.
>>>>>>>>   NS ipaserver2.mpls.local.
>>>>>>>> _kerberos TXT MPLS.LOCAL
>>>>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>>>>>>>                                       SRV 0 100 88 ipaserver2
>>>>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>>>>>>>                                         SRV 0 100 88 ipaserver2
>>>>>>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>>>>>>>                          SRV 0 100 88 ipaserver2
>>>>>>>> _kerberos._udp SRV 0 100 88 ipaserver
>>>>>>>>                             SRV 0 100 88 ipaserver2
>>>>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>>>>>>>                            SRV 0 100 464 ipaserver2
>>>>>>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>>>>>>>                             SRV 0 100 464 ipaserver2
>>>>>>>> _ldap._tcp SRV 0 100 389 ipaserver
>>>>>>>>                    SRV 0 100 389 ipaserver2
>>>>>>>> _ntp._udp SRV 0 100 123 ipaserver
>>>>>>>>                   SRV 0 100 123 ipaserver2
>>>>>>>> ipaclient A 172.16.112.9
>>>>>>>> ipaclient2 A 172.16.112.145
>>>>>>>> ipaserver A 172.16.112.5
>>>>>>>> ipaserver2 A 172.16.112.8
>>>>>>>> zenoss A 172.16.112.6
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Mike
>>>>>>>> 
>>>>>>> I noticed that there is no domain line in the resolv.conf on the client.
>>>>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>>>>> in case of network being down it will fail over to the hosts file.
>>>>>>> I wonder what is in your /etc/hosts?
>>>>>>> Does it have just a short host name?
>>>>>> [root@ipaclient ~]# more /etc/hosts
>>>>>> 127.0.0.1        localhost.localdomain   localhost
>>>>>> ::1      localhost6.localdomain6 localhost6
>>>>>> 
>>>>>> 
>>>>>> Add domain mpls.local to /etc/resolv.conf
>>>>>> 
>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>> 
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>> Server:          172.16.112.8
>>>>>> Address: 172.16.112.8#53
>>>>>> 
>>>>>> Name:    ipaserver.mpls.local
>>>>>> Address: 172.16.112.5
>>>>>> 
>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>> Server:          172.16.112.8
>>>>>> Address: 172.16.112.8#53
>>>>>> 
>>>>>> Name:    ipaserver2.mpls.local
>>>>>> Address: 172.16.112.8
>>>>>> 
>>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>>>> 
>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>> 
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> Password for mike@MPLS.LOCAL:
>>>>>> 
>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>> 
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>>>>> Server:          172.16.112.8
>>>>>> Address: 172.16.112.8#53
>>>>>> 
>>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>>> 
>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>>>>> Server:          172.16.112.5
>>>>>> Address: 172.16.112.5#53
>>>>>> 
>>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>> 
>>>>>> 
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>> 
>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>> 
>>>>>> [root@ipaclient ~]# kinit mike
>>>>>> Password for mike@MPLS.LOCAL:
>>>>> I'd start with the sssd logs. Is it seeing the main server go offline and 
>>>>> not switching to the second one? Or is it going into offline mode?
>>>>> 
>>>>> Do you have _srv_ or both servers listed in ipa_server in 
>>>>> /etc/sssd/sssd.conf?
>>>>> 
>>>> Hello,
>>>> 
>>>> [root@ipaclient ~]# more /etc/sssd/sssd.conf 
>>>> [sssd]
>>>> config_file_version = 2
>>>> services = nss, pam
>>>> # SSSD will not start if you do not configure any domains.
>>>> # Add new domain configurations as [domain/<NAME>] sections, and
>>>> # then add the list of domains (in the order you want them to be
>>>> # queried) to the "domains" attribute below and uncomment it.
>>>> # domains = LDAP
>>>> 
>>>> domains = mpls.local
>>>> [nss]
>>>> 
>>>> [pam]
>>>> 
>>>> # Example LDAP domain
>>>> # [domain/LDAP]
>>>> # id_provider = ldap
>>>> # auth_provider = ldap
>>>> # ldap_schema can be set to "rfc2307", which stores group member names in the
>>>> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
>>>> # the "member" attribute. If you do not know this value, ask your LDAP
>>>> # administrator.
>>>> # ldap_schema = rfc2307
>>>> # ldap_uri = ldap://ldap.mydomain.org
>>>> # ldap_search_base = dc=mydomain,dc=org
>>>> # Note that enabling enumeration will have a moderate performance impact.
>>>> # Consequently, the default value for enumeration is FALSE.
>>>> # Refer to the sssd.conf man page for full details.
>>>> # enumerate = false
>>>> # Allow offline logins by locally storing password hashes (default: false).
>>>> # cache_credentials = true
>>>> 
>>>> # An example Active Directory domain. Please note that this configuration
>>>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
>>>> # compliant attribute names. To support UNIX clients with AD 2003 or older,
>>>> # you must install Microsoft Services For Unix and map LDAP attributes onto
>>>> # msSFU30* attribute names.
>>>> # [domain/AD]
>>>> # id_provider = ldap
>>>> # auth_provider = krb5
>>>> # chpass_provider = krb5
>>>> #
>>>> # ldap_uri = ldap://your.ad.example.com
>>>> # ldap_search_base = dc=example,dc=com
>>>> # ldap_schema = rfc2307bis
>>>> # ldap_sasl_mech = GSSAPI
>>>> # ldap_user_object_class = user
>>>> # ldap_group_object_class = group
>>>> # ldap_user_home_directory = unixHomeDirectory
>>>> # ldap_user_principal = userPrincipalName
>>>> # ldap_account_expire_policy = ad
>>>> # ldap_force_upper_case_realm = true
>>>> #
>>>> # krb5_server = your.ad.example.com
>>>> # krb5_realm = EXAMPLE.COM
>>>> [domain/mpls.local]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = mpls.local
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> chpass_provider = ipa
>>>> ipa_dyndns_update = True
>>>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>>> Can you please for the sake of the test remove _srv_ from your
>>> configuration?
>>> There might be a bug in how we handle the case when the response from
>>> DNS lookup is not obtained or something like that.
>>> It seems that it does not fail over properly.
>>> 
>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>> 
>>>> NOTE: I manually added ipaserver2.mpls.local
>>>> 
>>>> Where specifically should I add the debugging?
>>>> I added debug_level = 5 to [sssd]
>>> You can add it to the bottom. That should work.
>>> 
>>>> [root@ipaserver ~]ifdown eth0
>>>> 
>>>> [root@ipaserver2 ~]ifup eth0
>>>> 
>>>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>> 
>>> This is not the right log. The most informative one is called
>>> sssd_default.log.
>> Hello,
>> 
>> I did the following:
>> 
>> add 'debug_level = 8' to section [domain/mpls.local]
>> remove _srv_ from ipa_server =
>> 
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL: 
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> 
>> [root@ipaserver ~]ifdown eth0
>> 
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL: 
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> 
>> [root@ipaserver ~]ifup eth0
>> [root@ipaserver2 ~]ifdown eth0
>> 
>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> Password for mike@MPLS.LOCAL: 
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [sssd_krb5_locator] sssd_krb5_locator_init called
>> [sssd_krb5_locator] open failed [2][No such file or directory].
>> [sssd_krb5_locator] get_krb5info failed.
>> [sssd_krb5_locator] sssd_krb5_locator_close called
>> [root@ipaclient ~]# 
>> 
>> 
>> NOTES:
>> 1. The final kinit although successful, took considerably longer to complete
> 
> So it was successful all three times, right?

Yes, it was successful all three times.

> 
>> 2.  I do not have a /var/log/sssd/sssd_default.log
> 
> 
> Sorry I forgot that you explicitly renamed your domain from default.
> It would be /var/log/sssd_mpls.local.log then.

I set the log level to 8 and there is a large amount of data produced in this 
log file.  Is there a level that you would suggest for me to share the 
information?

Thanks,
Mike

> 
>> 
>> Thanks,
>> Mike
>> 
>> 
>> 
>>>>> rob
>>>>> 
>>> 
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>> 
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
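
An added example, not part of the original thread and not FreeIPA or SSSD code: a client-side check for the failover case discussed above. It parses `nslookup -type=srv` output in the format quoted in the thread, walks the advertised KDCs to find the first reachable one, and reports SRV targets missing from a static `ipa_server` list. The function names and the sample input are assumptions constructed for illustration, and the ordering is simplified (no RFC 2782 weighted selection).

```python
import re
import socket

# Constructed sample in the nslookup format quoted in the thread (lines unwrapped).
NSLOOKUP_OUTPUT = """\
Server:          172.16.112.8
Address: 172.16.112.8#53

_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
"""

SRV_LINE = re.compile(r"^(\S+)\s+service = (\d+) (\d+) (\d+) (\S+?)\.?$")


def parse_srv(text):
    """Extract SRV records from nslookup -type=srv output."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port = (int(x) for x in m.group(2, 3, 4))
            records.append({"priority": prio, "weight": weight,
                            "port": port, "target": m.group(5)})
    return records


def tcp_probe(host, port, timeout=3.0):
    """Real probe: True if a TCP connection to host:port succeeds in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(records, probe=tcp_probe):
    """Try targets lowest priority value first (simplified: no weighted
    shuffle). Returns (chosen target or None, list of targets tried)."""
    tried = []
    for rec in sorted(records, key=lambda r: r["priority"]):
        tried.append(rec["target"])
        if probe(rec["target"], rec["port"]):
            return rec["target"], tried
    return None, tried


def missing_from_ipa_server(records, ipa_server_value):
    """SRV-advertised targets absent from a static sssd.conf ipa_server list."""
    listed = {s.strip() for s in ipa_server_value.split(",")} - {"_srv_"}
    return sorted({r["target"] for r in records} - listed)


if __name__ == "__main__":
    recs = parse_srv(NSLOOKUP_OUTPUT)
    # Simulated outage of ipaserver, as with 'ifdown eth0' in the thread.
    down = {"ipaserver.mpls.local"}
    print(first_reachable(recs, lambda h, p: h not in down))
    print(missing_from_ipa_server(recs, "ipaserver.mpls.local"))
```

Run with the default `tcp_probe` on a client while one replica is down to see whether the remaining KDC answers on port 88 within the timeout.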
