On 09/17/2012 03:02 PM, Michael Mercier wrote:
> On 2012-09-17, at 2:54 PM, Dmitri Pal wrote:
>
>> On 09/17/2012 02:18 PM, Michael Mercier wrote:
>>> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
>>>
>>>> On 09/17/2012 10:14 AM, Michael Mercier wrote:
>>>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>>>>>
>>>>>> Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>>>
>>>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I have experienced some odd connectivity issues using MMR with 
>>>>>>>>>>> FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver 
>>>>>>>>>>> / ipaserver2) setup using MMR.
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver ~]#ipa-replica-manage list
>>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]#ipa-replica-manage list
>>>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>>>>>
>>>>>>>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>>>
>>>>>>>>>>> <Location />
>>>>>>>>>>> SSLRequireSSL
>>>>>>>>>>> AuthType Kerberos
>>>>>>>>>>> AuthName "Kerberos Login"
>>>>>>>>>>>
>>>>>>>>>>> KrbMethodK5Passwd Off
>>>>>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>>>>>> KrbSaveCredentials on
>>>>>>>>>>> KrbServiceName HTTP
>>>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>>>>>
>>>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local 
>>>>>>>>>>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>>>>> </Location>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to 
>>>>>>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am 
>>>>>>>>>>> successfully connected.  If on ipaserver I do a 'ifdown eth0' and 
>>>>>>>>>>> attempt another connection, it fails.  I have also noticed the 
>>>>>>>>>>> following:
>>>>>>>>>>>
>>>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when 
>>>>>>>>>>> ipaserver is unavailable.
>>>>>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>>>>>
>>>>>>>>>>> If I then perform:
>>>>>>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
>>>>>>>>>>> initial credentials
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]#ifup eth0
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>>>
>>>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>>>
>>>>>>>>>>> .. wait number of minutes
>>>>>>>>>>>
>>>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7 
>>>>>>>>>>> seconds) screen unlock completes
>>>>>>>>>>>
>>>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>>>
>>>>>>>>>>> Any ideas?
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Mike
>>>>>>>>>> This seems to be some DNS problem.
>>>>>>>>>> Your client does not see the second replica and might have some name
>>>>>>>>>> resolution timeouts.
>>>>>>>>>>
>>>>>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>>>>>
>>>>>>>>>> To help more we need more details about your client configuration, 
>>>>>>>>>> DNS and
>>>>>>>>>> Kerberos.
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Additional information...
>>>>>>>>>
>>>>>>>>> [root@zenoss ~]#more /etc/resolv.conf
>>>>>>>>> search mpls.local
>>>>>>>>> domain mpls.local
>>>>>>>>> nameserver 172.16.112.5
>>>>>>>>> nameserver 172.16.112.8
>>>>>>>>>
>>>>>>>>> [root@zenoss ~]# more /etc/krb5.conf
>>>>>>>>> #File modified by ipa-client-install
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>>> dns_lookup_realm = true
>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>> rdns = false
>>>>>>>>> ticket_lifetime = 24h
>>>>>>>>> forwardable = yes
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> MPLS.LOCAL = {
>>>>>>>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# more /etc/resolv.conf
>>>>>>>>> # Generated by NetworkManager
>>>>>>>>> search mpls.local
>>>>>>>>> nameserver 172.16.112.5
>>>>>>>>> nameserver 172.16.112.8
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# more /etc/krb5.conf
>>>>>>>>> #File modified by ipa-client-install
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = MPLS.LOCAL
>>>>>>>>> dns_lookup_realm = true
>>>>>>>>> dns_lookup_kdc = true
>>>>>>>>> rdns = false
>>>>>>>>> ticket_lifetime = 24h
>>>>>>>>> forwardable = yes
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> MPLS.LOCAL = {
>>>>>>>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> [domain_realm]
>>>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>>> Server:               172.16.112.5
>>>>>>>>> Address:      172.16.112.5#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver.mpls.local
>>>>>>>>> Address: 172.16.112.5
>>>>>>>>>
>>>>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>>>> Server:               172.16.112.8
>>>>>>>>> Address:      172.16.112.8#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver.mpls.local
>>>>>>>>> Address: 172.16.112.5
>>>>>>>>>
>>>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>>>> Server:               172.16.112.8
>>>>>>>>> Address:      172.16.112.8#53
>>>>>>>>>
>>>>>>>>> Name: ipaserver2.mpls.local
>>>>>>>>> Address: 172.16.112.8
>>>>>>>>>
>>>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>>>>>
>>>>>>>>> @ NS ipaserver.mpls.local.
>>>>>>>>>   NS ipaserver2.mpls.local.
>>>>>>>>> _kerberos TXT MPLS.LOCAL
>>>>>>>>> _kerberos-master._tcp SRV 0 100 88 ipaserver
>>>>>>>>>                                       SRV 0 100 88 ipaserver2
>>>>>>>>> _kerberos-master._udp SRV 0 100 88 ipaserver
>>>>>>>>>                                         SRV 0 100 88 ipaserver2
>>>>>>>>> _kerberos._tcp SRV 0 100 88 ipaserver
>>>>>>>>>                          SRV 0 100 88 ipaserver2
>>>>>>>>> _kerberos._udp SRV 0 100 88 ipaserver
>>>>>>>>>                            SRV 0 100 88 ipaserver2
>>>>>>>>> _kpasswd._tcp SRV 0 100 464 ipaserver
>>>>>>>>>                           SRV 0 100 464 ipaserver2
>>>>>>>>> _kpasswd._udp SRV 0 100 464 ipaserver
>>>>>>>>>                            SRV 0 100 464 ipaserver2
>>>>>>>>> _ldap._tcp SRV 0 100 389 ipaserver
>>>>>>>>>                   SRV 0 100 389 ipaserver2
>>>>>>>>> _ntp._udp SRV 0 100 123 ipaserver
>>>>>>>>>                  SRV 0 100 123 ipaserver2
>>>>>>>>> ipaclient A 172.16.112.9
>>>>>>>>> ipaclient2 A 172.16.112.145
>>>>>>>>> ipaserver A 172.16.112.5
>>>>>>>>> ipaserver2 A 172.16.112.8
>>>>>>>>> zenoss A 172.16.112.6
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>>>
>>>>>>>> I noticed that there is no domain line in the resolv.conf on the 
>>>>>>>> client.
>>>>>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>>>>>> in case of network being down it will fail over to the hosts file.
>>>>>>>> I wonder what is in your /etc/hosts?
>>>>>>>> Does it have just a short host name?
>>>>>>> [root@ipaclient ~]# more /etc/hosts
>>>>>>> 127.0.0.1       localhost.localdomain   localhost
>>>>>>> ::1     localhost6.localdomain6 localhost6
>>>>>>>
>>>>>>>
>>>>>>> Add domain mpls.local to /etc/resolv.conf
>>>>>>>
>>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
>>>>>>> initial credentials
>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>> Server:         172.16.112.8
>>>>>>> Address:        172.16.112.8#53
>>>>>>>
>>>>>>> Name:   ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>> Server:         172.16.112.8
>>>>>>> Address:        172.16.112.8#53
>>>>>>>
>>>>>>> Name:   ipaserver2.mpls.local
>>>>>>> Address: 172.16.112.8
>>>>>>>
>>>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>>>>>
>>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>
>>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
>>>>>>> initial credentials
>>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>>>>>> Server:         172.16.112.8
>>>>>>> Address:        172.16.112.8#53
>>>>>>>
>>>>>>> _kerberos-master._tcp.mpls.local        service = 0 100 88 
>>>>>>> ipaserver2.mpls.local.
>>>>>>> _kerberos-master._tcp.mpls.local        service = 0 100 88 
>>>>>>> ipaserver.mpls.local.
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>>>>>> Server:         172.16.112.5
>>>>>>> Address:        172.16.112.5#53
>>>>>>>
>>>>>>> _kerberos-master._udp.mpls.local        service = 0 100 88 
>>>>>>> ipaserver.mpls.local.
>>>>>>> _kerberos-master._udp.mpls.local        service = 0 100 88 
>>>>>>> ipaserver2.mpls.local.
>>>>>>>
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
>>>>>>> initial credentials
>>>>>>>
>>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# kinit mike
>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>> I'd start with the sssd logs. Is it seeing the main server go offline 
>>>>>> and not switching to the second one? Or is it going into offline mode?
>>>>>>
>>>>>> Do you have _srv_ or both servers listed in ipa_server in 
>>>>>> /etc/sssd/sssd.conf?
>>>>>>
>>>>> Hello,
>>>>>
>>>>> [root@ipaclient ~]# more /etc/sssd/sssd.conf 
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>> services = nss, pam
>>>>> # SSSD will not start if you do not configure any domains.
>>>>> # Add new domain configurations as [domain/<NAME>] sections, and
>>>>> # then add the list of domains (in the order you want them to be
>>>>> # queried) to the "domains" attribute below and uncomment it.
>>>>> # domains = LDAP
>>>>>
>>>>> domains = mpls.local
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> # Example LDAP domain
>>>>> # [domain/LDAP]
>>>>> # id_provider = ldap
>>>>> # auth_provider = ldap
>>>>> # ldap_schema can be set to "rfc2307", which stores group member names in 
>>>>> the
>>>>> # "memberuid" attribute, or to "rfc2307bis", which stores group member 
>>>>> DNs in
>>>>> # the "member" attribute. If you do not know this value, ask your LDAP
>>>>> # administrator.
>>>>> # ldap_schema = rfc2307
>>>>> # ldap_uri = ldap://ldap.mydomain.org
>>>>> # ldap_search_base = dc=mydomain,dc=org
>>>>> # Note that enabling enumeration will have a moderate performance impact.
>>>>> # Consequently, the default value for enumeration is FALSE.
>>>>> # Refer to the sssd.conf man page for full details.
>>>>> # enumerate = false
>>>>> # Allow offline logins by locally storing password hashes (default: 
>>>>> false).
>>>>> # cache_credentials = true
>>>>>
>>>>> # An example Active Directory domain. Please note that this configuration
>>>>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
>>>>> # compliant attribute names. To support UNIX clients with AD 2003 or 
>>>>> older,
>>>>> # you must install Microsoft Services For Unix and map LDAP attributes 
>>>>> onto
>>>>> # msSFU30* attribute names.
>>>>> # [domain/AD]
>>>>> # id_provider = ldap
>>>>> # auth_provider = krb5
>>>>> # chpass_provider = krb5
>>>>> #
>>>>> # ldap_uri = ldap://your.ad.example.com
>>>>> # ldap_search_base = dc=example,dc=com
>>>>> # ldap_schema = rfc2307bis
>>>>> # ldap_sasl_mech = GSSAPI
>>>>> # ldap_user_object_class = user
>>>>> # ldap_group_object_class = group
>>>>> # ldap_user_home_directory = unixHomeDirectory
>>>>> # ldap_user_principal = userPrincipalName
>>>>> # ldap_account_expire_policy = ad
>>>>> # ldap_force_upper_case_realm = true
>>>>> #
>>>>> # krb5_server = your.ad.example.com
>>>>> # krb5_realm = EXAMPLE.COM
>>>>> [domain/mpls.local]
>>>>> cache_credentials = True
>>>>> krb5_store_password_if_offline = True
>>>>> ipa_domain = mpls.local
>>>>> id_provider = ipa
>>>>> auth_provider = ipa
>>>>> access_provider = ipa
>>>>> chpass_provider = ipa
>>>>> ipa_dyndns_update = True
>>>>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>>>> Can you please for the sake of the test remove _srv_ from your
>>>> configuration?
>>>> There might be a bug in how we handle the case when the response from
>>>> the DNS lookup is not obtained, or something like that.
>>>> It seems that it does not fail over properly.
>>>>
>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>
>>>>> NOTE: I manually added ipaserver2.mpls.local
>>>>>
>>>>> Where specifically should I add the debugging?
>>>>> I added debug_level = 5 to [sssd]
>>>> You can add it to the bottom. That should work.
>>>>
>>>>> [root@ipaserver ~]ifdown eth0
>>>>>
>>>>> [root@ipaserver2 ~]ifup eth0
>>>>>
>>>>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service 
>>>>> mpls.local replied to ping
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> nss
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> pam
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> mpls.local
>>>>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service 
>>>>> mpls.local replied to ping
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> nss
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> pam
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> mpls.local
>>>>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service 
>>>>> mpls.local replied to ping
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> nss
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> pam
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> mpls.local
>>>>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service 
>>>>> mpls.local replied to ping
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> nss
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging 
>>>>> pam
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss 
>>>>> replied to ping
>>>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam 
>>>>> replied to ping
>>>>>
>>>> This is not the right log. The most informative one is called
>>>> sssd_default.log.
>>> Hello,
>>>
>>> I did the following:
>>>
>>> add 'debug_level = 8' to section [domain/mpls.local]
>>> remove _srv_ from ipa_server =
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> Password for mike@MPLS.LOCAL: 
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>
>>> [root@ipaserver ~]ifdown eth0
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> Password for mike@MPLS.LOCAL: 
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>
>>> [root@ipaserver ~]ifup eth0
>>> [root@ipaserver2 ~]ifdown eth0
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> Password for mike@MPLS.LOCAL: 
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] open failed [2][No such file or directory].
>>> [sssd_krb5_locator] get_krb5info failed.
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [root@ipaclient ~]# 
>>>
>>>
>>> NOTES:
>>> 1. The final kinit, although successful, took considerably longer to complete
>> So it was successful all three times, right?
> Yes, it was successful all three times.
>
>>> 2.  I do not have a /var/log/sssd/sssd_default.log
>>
>> Sorry I forgot that you explicitly renamed your domain from default.
>> It would be /var/log/sssd_mpls.local.log then.
> I set the log level to 8 and there is a large amount of data produced in this 
> log file.  Is there a level that you would suggest for me to share the 
> information?

It is hard to say where the problem is.
Something is definitely wrong with DNS resolution and failing over after it.
I know that this area was rewritten in SSSD 1.9 so this specific issue
might already be addressed.
Also it would be interesting to check if your DNS actually returns the
ipaserver2 server as the alternative to ipaserver. If it does not that
can be a part of the problem.

So that we can continue troubleshooting this case, we would need the logs
with a high debug level (tar and zip them and maybe open a trac ticket and
attach them there), or you can try 1.9 RC1 and see if the problem is
already addressed there. Alternatively you can remove _srv_ from your
configuration, assuming the DNS configuration is correct and we actually
have a bug (but I am still not convinced).

>
> Thanks,
> Mike
>
>>> Thanks,
>>> Mike
>>>
>>>
>>>
>>>>>> rob
>>>>>>
>>>> -- 
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio
>>>> Red Hat Inc.
>>>>
>>>>
>>>> -------------------------------
>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/
>>>>
>>>>
>>>>
>>
>>


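Dmitri's suggestion to verify that DNS really returns ipaserver2 as an alternative to ipaserver for every Kerberos/IPA service can be scripted. The following is an added example, not code from the thread or from FreeIPA/SSSD: it parses `nslookup -type=srv` style answers (a constructed sample is embedded, with ipaserver2 deliberately absent from one record set) and reports, per service, which expected replicas are missing; the expected host list and the hypothetical gap are assumptions for illustration.

```python
import re
from collections import defaultdict

# SRV names an IPA client resolves when krb5.conf has dns_lookup_kdc = true.
KDC_SERVICES = ("_kerberos._udp", "_kerberos._tcp",
                "_kerberos-master._udp", "_kerberos-master._tcp",
                "_kpasswd._udp", "_kpasswd._tcp", "_ldap._tcp")

# Constructed sample in the shape of `nslookup -type=srv` output; ipaserver2
# is deliberately left out of _kerberos._udp to show what a gap looks like.
SAMPLE = """\
Server:         172.16.112.8
Address:        172.16.112.8#53

_kerberos._udp.mpls.local        service = 0 100 88 ipaserver.mpls.local.
_kerberos._tcp.mpls.local        service = 0 100 88 ipaserver.mpls.local.
_kerberos._tcp.mpls.local        service = 0 100 88 ipaserver2.mpls.local.
_kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
_kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
_kpasswd._udp.mpls.local         service = 0 100 464 ipaserver.mpls.local.
_kpasswd._udp.mpls.local         service = 0 100 464 ipaserver2.mpls.local.
_kpasswd._tcp.mpls.local         service = 0 100 464 ipaserver.mpls.local.
_kpasswd._tcp.mpls.local         service = 0 100 464 ipaserver2.mpls.local.
_ldap._tcp.mpls.local            service = 0 100 389 ipaserver.mpls.local.
_ldap._tcp.mpls.local            service = 0 100 389 ipaserver2.mpls.local.
"""

SRV_RE = re.compile(
    r"^(?P<svc>_[\w-]+\._(?:udp|tcp))\.(?P<domain>\S+)\s+service = "
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_srv_answers(text):
    """Map each SRV service name to its (priority, weight, port, target) tuples."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # skips the Server:/Address: header and blank lines
        records[m["svc"]].append((int(m["prio"]), int(m["weight"]),
                                  int(m["port"]), m["target"].rstrip(".")))
    return dict(records)


def missing_replicas(records, expected_hosts, services=KDC_SERVICES):
    """Return {service: [expected hosts absent from that service's SRV set]}."""
    gaps = {}
    for svc in services:
        present = {target for _, _, _, target in records.get(svc, [])}
        absent = sorted(set(expected_hosts) - present)
        if absent:  # a service with no records at all lists every host
            gaps[svc] = absent
    return gaps


def candidate_order(records, service):
    """Targets as a client works through them: lowest priority first, then
    higher weight. Resolvers pick randomly among equal weights, so with both
    replicas at 0/100 either may be tried first; a dead one costs a timeout."""
    return [t for _, _, _, t in
            sorted(records.get(service, []), key=lambda r: (r[0], -r[1]))]


if __name__ == "__main__":
    gaps = missing_replicas(parse_srv_answers(SAMPLE),
                            ["ipaserver.mpls.local", "ipaserver2.mpls.local"])
    print(gaps or "all replicas present")
```

On a real client, feed it the concatenated output of `nslookup -type=srv <name>` for each name in KDC_SERVICES, queried against each nameserver in resolv.conf in turn, so a zone that differs between the two IPA DNS servers is caught as well.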



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
