On 04/13/2015 10:41 PM, Thomas Lau wrote:
Hi,

It's an in-house program which runs on one kerberos user.
You need to look what this program is doing.
I suspect it is doing some sort of kinit itself and does not rely on the PAM stack, i.e it bypasses SSSD in the given scenario.
Can this be the case?


On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal <d...@redhat.com> wrote:
On 04/13/2015 08:23 AM, Thomas Lau wrote:

Hi,

These problem appear randomly, sometime it still work even under heavy
packet loss, some times would be like this. So its hard to catch.

On Apr 13, 2015 3:22 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
Hi all,

We have cronjob which running on a FreeIPA LDAP user; When connection
between IPA server and client having heavy packet loss, following
error would occur:

CRON[20637]: Authentication service cannot retrieve authentication info

I have cache credentials and store password if offline enabled on
sssd, how these problem would still happening?

It might be that the cause of the problem is actually the packet loss or
some kind of delay.
SSSD might not think that it is offline but cron job itself times out and
reports failure.
Do you know what operation in the job fails?



sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True
Did the use log in at least once offline? You can verify if the password
has been cached using the ldbsearch utility. It would be best to catch
the occurence of the problem in logs.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to