On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can no longer use the webapps on my main server
> > which use Kerberos authentication, since my server will not switch to
> > the KDC on my replica.
> As long as the authentication is done via sssd this should happen
Well, it does not seem to.
The way I test it is using kinit.
The only log that gets updated in /var/log/sssd is ldap_child.log.1
(what's strange is that there's a ldap_child.log which is empty).
Each time I try a kinit, I get a log line like:
(Tue Jan 5 18:10:55 2016) [[sssd[ldap_child]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot
contact any KDC for realm 'EXAMPLE.COM'
I tried to send USR1 then USR2 to the main sssd process, without any
In a previous email, Simo Sorce explained to me that:
> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
> This is tracked here:
Could this be related?
> but you can send USR1 followed by USR2 to sssd to force
> going offline and back online. It would be nice to look into the logs,
> though, to see why sssd wouldn't fail over itself.
> > I remember that someone replied to me on this list about that problem, but
> > like to know if there's something I can do besides rebooting my main
> > ?
> > freeipa 4.3
> > sssd 1.12.5-1 running on Ubuntu 14.04
> > Thanks.
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
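
The mechanism quoted from Simo Sorce above (SSSD publishes the KDC address in a file under /var/lib/sss/pubconf and the krb5 libraries read it) can be checked from a shell, together with the USR1/USR2 step. The script below is an added example, not part of the original thread or of SSSD. It assumes the file is named kdcinfo.<REALM> and holds "address" or "address:port", that the main sssd PID is recorded in /var/run/sssd.pid, and that nc is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the file is named
# kdcinfo.<REALM>, holds "address" or "address:port", and the main sssd
# process records its PID in /var/run/sssd.pid.
PUBCONF="${PUBCONF:-/var/lib/sss/pubconf}"
SSSD_PIDFILE="${SSSD_PIDFILE:-/var/run/sssd.pid}"

# Print "address port" for the KDC that SSSD last published for realm $1.
published_kdc() {
    f="$PUBCONF/kdcinfo.$1"
    [ -r "$f" ] || return 1
    IFS= read -r entry < "$f" || [ -n "$entry" ] || return 1
    case "$entry" in
        "")    return 1 ;;
        *:*:*) addr=$entry; port=88 ;;              # bare IPv6 address, no port
        *:*)   addr=${entry%:*}; port=${entry##*:} ;;
        *)     addr=$entry; port=88 ;;              # default Kerberos port
    esac
    printf '%s %s\n' "$addr" "$port"
}

# TCP probe of the KDC port (Kerberos also uses UDP/88, not probed here).
kdc_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Report for realm $1: "no-kdcinfo", "ok ADDR:PORT" or "stale ADDR:PORT".
kdc_status() {
    kdc=$(published_kdc "$1") || { echo "no-kdcinfo"; return 0; }
    set -- $kdc
    if kdc_reachable "$1" "$2"; then echo "ok $1:$2"; else echo "stale $1:$2"; fi
}

# Force SSSD offline (USR1), then back online (USR2), as suggested in the thread.
kick_sssd() {
    pid=$(cat "$SSSD_PIDFILE") || return 1
    kill -USR1 "$pid" && sleep 2 && kill -USR2 "$pid"
}

# Run as: sh kdc-check.sh EXAMPLE.COM   (root is needed to signal sssd)
if [ $# -gt 0 ]; then
    state=$(kdc_status "$1"); echo "$state"
    case "$state" in stale*) kick_sssd ;; esac
fi
```

Running it again after the signals shows whether the published address has changed.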