Hi,

Try commenting out the proxy command in /etc/ssh/ssh_config.
The sssd proxy of ssh is buggy as can be.

~J

> On Jan 17, 2016, at 05:24, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On 16 Jan 2016, at 02:21, Jeff Hallyburton <jeff.hallybur...@bloomip.com> wrote:
>>
>> Having finished setting up an ipa server and replica, we're trying to test failover to ensure that HA works as expected. We've been able to verify the replication agreements and auto-discovery are working, and both servers are picked up as expected at install time.
>>
>> That said, we're seeing some oddities with failover. Once I shut down the ipa service on the main ipa server, I get most requests completing after about a 2 min window. I am able to:
>>
>> 1. Authenticate to our jump server and get a kerberos ticket
>> 2. kinit successfully as other users
>>
>> However, whenever I try to ssh to another system within our domain, ssh breaks with the following error:
>>
>> $ ssh -vvv automation01
>> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 5: Applying options for *
>> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 automation01
>> debug1: permanently_drop_suid: 1587000001
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>> ssh_exchange_identification: Connection closed by remote host
>
> Did you crank up debug level on the machine where sshd is running and see if anything is logged then?
>
>> Nothing is logged in either /var/log/messages or /var/log/secure when this happens, so I'm unsure where to begin debugging. Can you offer any insight?
>>
>> Thanks,
>>
>> Jeff
>>
>> Jeff Hallyburton
>> Strategic Systems Engineer
>> Bloomip Inc.
>> Web: http://www.bloomip.com
>>
>> Engineering Support: supp...@bloomip.com
>> Billing Support: bill...@bloomip.com
>> Customer Support Portal: https://my.bloomip.com
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project