On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> >
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can not use anymore the webapps on my main server
> > which use a kerberos authentication since my server will not switch to the
> > kdc on my replica.
>
> As long as the authentication is done via sssd this should happen
> automatically,

well it does not seem to. The way I test it is using kinit.
The only log that gets updated in /var/log/sssd is ldap_child.log.1 (what's strange is that there's a ldap_child.log which is empty).
Each time I try a kinit, I get a log line like:

(Tue Jan 5 18:10:55 2016) [[sssd[ldap_child[10069]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'

I tried to send USR1 then USR2 to the main sssd process, without any improvement.

In a previous email, Simo Sorce explained to me that:

> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>
> This is tracked here:
> https://fedorahosted.org/sssd/ticket/941

Could this be related?

> but you can send USR1 followed by USR2 to sssd to force
> going offline and back online. It would be nice to look into the logs,
> though, to see why wouldn't sssd fail over itself.
>
> > I remember that someone replied to me on this list about that problem, but I'd
> > like to know if there's something I can do besides rebooting my main server?
> >
> > freeipa 4.3
> >
> > sssd 1.12.5-1 running on ubuntu 14.04
> >
> > Thanks.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
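
An added example, not written by anyone in this thread or by the SSSD project: shell helpers that show which KDC SSSD has published under /var/lib/sss/pubconf, count the "Cannot contact any KDC" failures in an ldap_child log, and send USR1 then USR2 to sssd while reporting whether the published KDC changed. The kdcinfo.<REALM> file name and the /var/run/sssd.pid default are assumptions about the local install; the demo data is constructed, modelled on the log line quoted above.

```shell
#!/bin/sh
# Added example. Default paths are assumptions; the demo data is constructed.

# Print the KDC addresses SSSD has published for the Kerberos libraries.
published_kdcs() {  # usage: published_kdcs REALM [PUBCONF_DIR]
    f="${2:-/var/lib/sss/pubconf}/kdcinfo.$1"
    [ -r "$f" ] || { echo "no kdcinfo file: $f" >&2; return 1; }
    grep -v '^[[:space:]]*$' "$f"
}

# Count "Cannot contact any KDC" failures for a realm in an ldap_child log.
kdc_failures() {  # usage: kdc_failures REALM LOGFILE
    grep -cF "Cannot contact any KDC for realm '$1'" "$2" || true
}

# Send USR1 (go offline) then USR2 (go online) to the main sssd process and
# report whether the published KDC changed. Needs root on the client.
bounce_sssd() {  # usage: bounce_sssd REALM [PIDFILE]
    pid=$(cat "${2:-/var/run/sssd.pid}") || return 1
    before=$(published_kdcs "$1" 2>/dev/null || true)
    kill -USR1 "$pid" || return 1
    sleep 2
    kill -USR2 "$pid" || return 1
    sleep 5
    after=$(published_kdcs "$1" 2>/dev/null || true)
    if [ "$before" != "$after" ]; then
        echo "published KDC changed: ${before:-none} -> ${after:-none}"
    else
        echo "published KDC unchanged: ${after:-none}"
    fi
}

# Offline demo on constructed data (192.0.2.10 is a documentation address).
demo() {
    d=$(mktemp -d) || return 1
    echo '192.0.2.10' > "$d/kdcinfo.EXAMPLE.COM"
    cat > "$d/ldap_child.log" <<'EOF'
(Tue Jan  5 18:10:55 2016) [[sssd[ldap_child[10069]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'
(Tue Jan  5 18:11:20 2016) [[sssd[ldap_child[10102]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'
EOF
    echo "kdc=$(published_kdcs EXAMPLE.COM "$d") failures=$(kdc_failures EXAMPLE.COM "$d/ldap_child.log")"
    rm -rf "$d"
}
demo
```

On a real client, `bounce_sssd EXAMPLE.COM` run as root shows whether the offline/online cycle made SSSD publish the replica's address; an unchanged result points back to the SSSD logs for why failover did not happen.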