On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
> > [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8
> >
> > [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in
> > [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL]
> > family[0] socktype[2] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > [sssd_krb5_locator] sssd_krb5_locator_init called
> > [sssd_krb5_locator] Found [172.16.112.8] in
> > [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
> > [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL]
> > family[0] socktype[1] locate_service[1]
> > [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
> > [sssd_krb5_locator] [172.16.112.8] used
> > [sssd_krb5_locator] sssd_krb5_locator_close called
> > kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial
> > credentials
>
> Jakub, does this make sense to you?
>
As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with "su - mike" or "ssh mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes the file. Does using "su - mike" refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random.

I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941
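A small diagnostic that makes the failure mode described in this reply visible, added here as an example (it is not code from the thread or from SSSD): it reads the kdcinfo file the locator plugin consults and TCP-connects to each cached KDC, so a stale entry pointing at a downed server shows up before kinit fails. The file format (one address per line, optional :port, IPv4 addresses or hostnames only), the path constant and the fake connector used for the offline sample are assumptions.

```python
import contextlib
import socket
from pathlib import Path

PUBCONF = Path("/var/lib/sss/pubconf")   # assumed: SSSD writes kdcinfo.<REALM> here
DEFAULT_KDC_PORT = 88

def parse_kdcinfo(text):
    """(host, port) pairs. Assumed format: one address per line, optional ':port'."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        host, _, port = line.rpartition(":")  # no ':' -> host is '' and port holds the address
        if not host:
            host, port = port, DEFAULT_KDC_PORT
        entries.append((host, int(port)))
    return entries

def kdc_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """TCP connect to the KDC port; the locator log shows kinit trying socktype[1] (TCP) too."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_kdcinfo(text, connect=socket.create_connection):
    """[(host, port, reachable)] for every KDC the plugin would hand to kinit."""
    return [(h, p, kdc_reachable(h, p, connect=connect)) for h, p in parse_kdcinfo(text)]

def check_realm(realm):
    """Live check; None means SSSD removed the file (fully offline) or never wrote it."""
    path = PUBCONF / f"kdcinfo.{realm}"
    return check_kdcinfo(path.read_text()) if path.exists() else None

# Constructed sample reproducing the thread: the only cached KDC is the
# server that was taken down, so everything the locator returns is dead.
SAMPLE_KDCINFO = "172.16.112.8\n"

def simulate_thread_case(down=("172.16.112.8",)):
    def fake_connect(addr, timeout=None):  # hypothetical connector, no network needed
        if addr[0] in down:
            raise OSError("no route to host")
        return contextlib.nullcontext()
    return check_kdcinfo(SAMPLE_KDCINFO, connect=fake_connect)

if __name__ == "__main__":
    for host, port, ok in check_realm("MPLS.LOCAL") or []:
        print(f"{host}:{port} {'reachable' if ok else 'UNREACHABLE (stale kdcinfo?)'}")
```

Run it on the client while the cached server is down and the entry is reported unreachable, which is exactly what kinit sees; a PAM login through SSSD then rewrites the file.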
