I think the semi-online status causes SSSD to be confused about what to do, causing it to time out.
So that means no fix for now.

On Thu, Apr 16, 2015 at 11:10 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 04/15/2015 10:17 PM, Thomas Lau wrote:
>>
>> Hi,
>>
>> I just checked with the developer; there is no authentication-related code
>> in the program, so we could treat it as a normal cron job.
>>
>> Is it possible to make sssd contact FreeIPA less? For example,
>> refresh all user info every 5 minutes, else use cache info.
>
> OK, thanks for clarification.
> Then it is SSSD.
>
> It would be hard to understand where the problem is.
> For authentication SSSD does online if it knows that it is online. Packet
> loss can cause it to lose connection and time out.
> It might not be failing over to offline mode as it is "semi online" because of
> the packet loss and retries.
>
> The SSSD logs would really be helpful to diagnose the issue.
> Also https://fedorahosted.org/sssd/ticket/1807 might be what you are looking
> for. It is being worked on for the next release.
>
>> On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>
>>> On 04/13/2015 10:41 PM, Thomas Lau wrote:
>>>>
>>>> Hi,
>>>>
>>>> It's an in-house program which runs on one kerberos user.
>>>
>>> You need to look at what this program is doing.
>>> I suspect it is doing some sort of kinit itself and does not rely on the
>>> PAM stack, i.e. it bypasses SSSD in the given scenario.
>>> Can this be the case?
>>>
>>>> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>
>>>>> On 04/13/2015 08:23 AM, Thomas Lau wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> This problem appears randomly; sometimes it still works even under heavy
>>>>> packet loss, sometimes it would be like this. So it's hard to catch.
>>>>>
>>>>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
>>>>>>
>>>>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> We have a cronjob which is running on a FreeIPA LDAP user. When the
>>>>>>> connection between IPA server and client has heavy packet loss, the
>>>>>>> following error would occur:
>>>>>>>
>>>>>>> CRON[20637]: Authentication service cannot retrieve authentication
>>>>>>> info
>>>>>>>
>>>>>>> I have cache credentials and store password if offline enabled on
>>>>>>> sssd, so how would this problem still be happening?
>>>>>
>>>>> It might be that the cause of the problem is actually the packet loss
>>>>> or some kind of delay.
>>>>> SSSD might not think that it is offline but the cron job itself times out
>>>>> and reports failure.
>>>>> Do you know what operation in the job fails?
>>>>>
>>>>>>> sssd.conf:
>>>>>>>
>>>>>>> cache_credentials = True
>>>>>>> krb5_store_password_if_offline = True
>>>>>>
>>>>>> Did the user log in at least once offline? You can verify if the
>>>>>> password has been cached using the ldbsearch utility. It would be best
>>>>>> to catch the occurrence of the problem in logs.
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Thomas Lau
Director of Infrastructure
Tetrion Capital Limited
Direct: +852-3976-8903
Mobile: +852-9323-9670
Address: 20/F, IFC 1, Central district, Hong Kong
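
The thread quotes cache_credentials and krb5_store_password_if_offline without showing which sssd.conf section they sit in; SSSD reads both from a [domain/...] section. The following is an added example, not code from the thread or from the SSSD project, that audits a config for this. The sample config, the domain name example.test and the function name audit_offline_auth are constructed for illustration.

```python
import configparser

# Constructed sample: the two options quoted in the thread, placed in [sssd]
# instead of the domain section (the thread does not show which section was used).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.test
cache_credentials = True
krb5_store_password_if_offline = True

[domain/example.test]
id_provider = ipa
"""

# Both are per-domain options and default to false when absent.
DOMAIN_OPTS = ("cache_credentials", "krb5_store_password_if_offline")


def audit_offline_auth(conf_text):
    """Return findings about offline-authentication options for each enabled domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    enabled = cp.get("sssd", "domains", fallback="")
    for dom in (d.strip() for d in enabled.split(",")):
        if not dom:
            continue
        section = "domain/" + dom
        if not cp.has_section(section):
            findings.append(f"[{section}]: section missing")
            continue
        for opt in DOMAIN_OPTS:
            if not cp.getboolean(section, opt, fallback=False):
                findings.append(f"[{section}]: {opt} is not enabled")
    for opt in DOMAIN_OPTS:
        if cp.has_section("sssd") and cp.has_option("sssd", opt):
            findings.append(f"[sssd]: {opt} belongs in a [domain/...] section")
    return findings


if __name__ == "__main__":
    for finding in audit_offline_auth(SAMPLE_CONF):
        print(finding)
```

An empty result only shows the options are set where SSSD reads them; whether a password hash is actually cached still has to be checked in the cache, as suggested in the thread.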