On Mon, Jan 18, 2016 at 09:27:23AM +0100, Martin Kosek wrote:
> Hi Jeff and Janelle,
>
> I am glad you got things working, but I am not convinced this is the best way
> to do it. The proxy is needed for SSSD SSH integration (public keys and
> fingerprints), if the proxy is buggy, we should fix. And in order to fix it, it
> would be great to get our hands on the logs showing the fault - CCing Jakub and
> Honza on this one.

Yes, if you see issues with the proxy, by all means file bugs.

>
> Thanks for help,
> Martin
>
> On 01/18/2016 01:14 AM, Jeff Hallyburton wrote:
> > Janelle,
> >
> > The proxy suggestion was spot on. After that things seem to work normally.
> >
> > Thanks!
> >
> > Jeff
> >
> > Jeff Hallyburton
> > Strategic Systems Engineer
> > Bloomip Inc.
> > Web: http://www.bloomip.com
> >
> > Engineering Support: supp...@bloomip.com
> > Billing Support: bill...@bloomip.com
> > Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
> >
> > On Sun, Jan 17, 2016 at 9:58 AM, Janelle <janellenicol...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> Try commenting out the proxy command in /etc/ssh/ssh_config
> >>
> >> The sssd proxy of ssh is buggy as can be.
> >>
> >> ~J
> >>
> >>> On Jan 17, 2016, at 05:24, Jakub Hrozek <jhro...@redhat.com> wrote:
> >>>
> >>>
> >>>> On 16 Jan 2016, at 02:21, Jeff Hallyburton <jeff.hallybur...@bloomip.com> wrote:
> >>>>
> >>>> Having finished setting up an ipa server and replica, we're trying to
> >>>> test failover to ensure that HA works as expected. We've been able to
> >>>> verify the replication agreements and auto-discovery are working, and both
> >>>> servers are picked up as expected at install time.
> >>>>
> >>>> That said, we're seeing some oddities with failover. Once I shut down
> >>>> the ipa service on the main ipa server, I get most requests completing
> >>>> after about a 2 min window. I am able to:
> >>>>
> >>>> 1. Authenticate to our jump server and get a kerberos ticket
> >>>> 2. kinit successfully as other users
> >>>>
> >>>> However, whenever I try to ssh to another system within our domain, ssh
> >>>> breaks with the following error:
> >>>>
> >>>> $ ssh -vvv automation01
> >>>> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> >>>> debug1: Reading configuration data /etc/ssh/ssh_config
> >>>> debug1: /etc/ssh/ssh_config line 5: Applying options for *
> >>>> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 automation01
> >>>> debug1: permanently_drop_suid: 1587000001
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
> >>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1
> >>>> debug1: Enabling compatibility mode for protocol 2.0
> >>>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> >>>> ssh_exchange_identification: Connection closed by remote host
> >>>
> >>> Did you crank up debug level on the machine where sshd is running and
> >>> see if anything is logged then?
> >>>
> >>>>
> >>>> Nothing is logged in either /var/log/messages or /var/log/secure when
> >>>> this happens, so I'm unsure where to begin debugging. Can you offer any
> >>>> insight?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Jeff
> >>>>
> >>>> Jeff Hallyburton
> >>>> Strategic Systems Engineer
> >>>> Bloomip Inc.
> >>>> Web: http://www.bloomip.com
> >>>>
> >>>> Engineering Support: supp...@bloomip.com
> >>>> Billing Support: bill...@bloomip.com
> >>>> Customer Support Portal: https://my.bloomip.com
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project