Sumit,

We found a resolution for this and I'm dropping it here for posterity.
After some digging, it turns out that our ipa server and ipa replica were
returning different IPs for systems in the environment in DNS requests (one
returned internal results, one returned external results).

After resolving this our intermittent connectivity issue went away.  So it
seems that in some cases, the incorrect IP was being returned for LDAP
requests.

One additional item found here: it seems that the timeout to resolve an
address (from the sssd logs) is 6 seconds.  Can this be raised?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: supp...@bloomip.com
Billing Support: bill...@bloomip.com
Customer Support Portal: https://my.bloomip.com
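The mismatch Jeff describes, two IPA DNS servers answering the same query with different addresses, is easy to catch before it shows up as intermittent LDAP or Kerberos failures: ask every IPA DNS server the same questions and diff the answer sets. The script below is an added example written for this thread, not code from the thread or from SSSD/FreeIPA. It shells out to `dig` for live queries; the server and host names in it are placeholders, and the embedded sample answers are constructed to mirror the situation above (one master returning an internal address, the replica an external one).

```python
#!/usr/bin/env python3
"""Diff the answers of several IPA DNS servers for the same names.

Added example for this thread, not SSSD/FreeIPA code. Server and host
names are placeholders; replace them with your IPA masters and the hosts
SSSD must reach (LDAP/KDC servers, the client's own name).
"""
import subprocess
import sys
from typing import Callable, Dict, Iterable, Set

Answers = Dict[str, Dict[str, Set[str]]]  # server -> name -> set of answers


def dig_short(server: str, name: str, rrtype: str = "A", timeout: int = 5) -> Set[str]:
    """Query one nameserver directly with dig and return its answer set.

    A timeout, an unreachable server or a missing dig binary yields an
    empty set, which the comparison treats as "no answer" rather than
    aborting the whole run."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1", f"@{server}", name, rrtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 2, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return set()
    return {line.strip() for line in out.splitlines() if line.strip()}


def collect(servers: Iterable[str], names: Iterable[str],
            query: Callable[[str, str], Set[str]] = dig_short) -> Answers:
    """Ask every server about every name; `query` is injectable for tests."""
    names = list(names)
    return {s: {n: query(s, n) for n in names} for s in servers}


def find_inconsistent(answers: Answers) -> Answers:
    """Return name -> (server -> answers) for each name whose answer set
    differs between at least two servers. A missing name counts as empty."""
    names = sorted({n for per_server in answers.values() for n in per_server})
    bad: Answers = {}
    for n in names:
        per_server = {s: answers[s].get(n, set()) for s in answers}
        if len({frozenset(v) for v in per_server.values()}) > 1:
            bad[n] = per_server
    return bad


# Constructed sample mirroring the thread: one master hands out the internal
# address of ldap1, the replica hands out its external address.
SAMPLE: Answers = {
    "ipa1.example.com": {"ldap1.example.com": {"10.0.0.5"},
                         "ldap2.example.com": {"10.0.0.6"}},
    "ipa2.example.com": {"ldap1.example.com": {"203.0.113.5"},
                         "ldap2.example.com": {"10.0.0.6"}},
}


def main(argv):
    if len(argv) >= 3:
        servers, names = argv[1].split(","), argv[2:]
        result = find_inconsistent(collect(servers, names))
    else:
        result = find_inconsistent(SAMPLE)
    for name, per_server in result.items():
        print(f"MISMATCH {name}")
        for server, ips in per_server.items():
            print(f"  {server}: {sorted(ips) or '(no answer)'}")
    return 1 if result else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `check_ipa_dns.py ipa1.example.com,ipa2.example.com ldap1.example.com ldap2.example.com` against real servers (it exits non-zero on any mismatch, so it can sit in a cron job or monitoring check); with no arguments it evaluates the constructed sample. On the 6-second question: the resolver wait SSSD applies is the `dns_resolver_timeout` option in the `[domain/...]` section of sssd.conf, documented in sssd.conf(5). Raising it only masks a resolver that answers slowly or inconsistently, so fixing the zone data, as Jeff did, is the right first step.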

On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sb...@redhat.com> wrote:

> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > Sumit,
> >
> > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > the last ~2000 lines of the sssd_domain.com.log.  Thanks for your help!
>
> Can you send the related krb5_child log file as well?
>
> bye,
> Sumit
>
> >
> > https://pastebin.com/MD6N1Dj7
> >
> > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <
> > jeff.hallybur...@bloomip.com> wrote:
> >
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > > the full sssd_domain.com.log.  Thanks for your help!
> > >
> > > Jeff
> > >
> > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sb...@redhat.com> wrote:
> > >
> > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> > >>
> > >> Unfortunately the domain log and the krb5_child log do not relate to
> > >> each other.
> > >>
> > >> >
> > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32382]
> > >> >
> > >>
> > >> ....
> > >>
> > >> >
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/jump02.west-2.production.example....@example.com]
> > >> >
> > >>
> > >> ...
> > >>
> > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328324} during pre-auth.
> > >> >
> > >> >
> > >> > Can you shed any light on this?
> > >> >
> > >>
> > >> In the domain log the child with the pid 32382 is started to run a
> > >> pre-authentication request. The request is needed to find out which kind
> > >> of authentication types are available for the user, e.g. password or
> > >> 2-factor authentication with the OTP token. The request in the child
> > >> with the PID 32731 looks like a real authentication request which returns
> > >> with an error code -1765328324 which just means 'Generic error' but
> > >> might have caused SSSD to go offline.
> > >>
> > >> I would like to ask you to run the test again with debug_level=10 in the
> > >> [domain/...] section of sssd.conf which would enable some low level
> > >> Kerberos tracing messages which might help to understand what kind of
> > >> 'Generic error' was hit here. Additionally I would like to ask you to send
> > >> the full log files as attachment or in an archive which would help me to
> > >> better navigate through them.
> > >>
> > >> bye,
> > >> Sumit
> > >>
> > >
> > >
>
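Sumit's observation that the two quoted excerpts belong to different children (pid 32382 from the backend's child_handler_setup line, pid 32731 from the krb5_child lines) is the kind of check worth automating once a domain log runs to thousands of lines. The parser below is an added example written for this thread, not SSSD's own tooling. It handles the `(timestamp) [source] [function] (0xlevel): message` layout of the quoted lines, keys entries by child PID, and extracts the return code of krb5_get_init_creds_password. The sample lines are constructed to match the excerpts above with a placeholder FAST principal; the only code-to-name mapping included is the one the thread discusses, -1765328324, which is KRB5KRB_ERR_GENERIC in krb5's error table and the 'Generic error' Sumit refers to.

```python
#!/usr/bin/env python3
"""Correlate SSSD backend and krb5_child log lines by child PID.

Added example for this thread, not SSSD's own tooling. The sample lines
are constructed to match the quoted excerpts, with a placeholder FAST
principal in place of the real host name."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# (timestamp) [source] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>.+?)\) (?P<src>\[.+?\]) \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
CHILD_RE = re.compile(r"krb5_child\[(\d+)\]")
SPAWN_RE = re.compile(r"signal handler up for pid \[(\d+)\]")
# The code is followed by ']' in a clean log and by '}' in the quoted excerpt.
RET_RE = re.compile(r"krb5_get_init_creds_password returned \[(-?\d+)[\]}]")

# Only the code the thread discusses; the symbolic name is krb5's.
KRB5_CODES = {-1765328324: "KRB5KRB_ERR_GENERIC ('Generic error')"}


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = CHILD_RE.search(rec["src"])
    s = SPAWN_RE.search(rec["msg"])
    r = RET_RE.search(rec["msg"])
    rec["child_pid"] = int(c.group(1)) if c else None
    rec["spawned_pid"] = int(s.group(1)) if s else None
    rec["krb5_error"] = int(r.group(1)) if r else None
    return rec


def correlate(lines: Iterable[str]) -> Dict[int, dict]:
    """Per child PID: did the backend log spawning it, how many krb5_child
    lines carry that PID, and which krb5 return codes those lines report."""
    report: Dict[int, dict] = defaultdict(
        lambda: {"spawned_by_backend": False, "child_lines": 0, "krb5_errors": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["spawned_pid"] is not None:
            report[rec["spawned_pid"]]["spawned_by_backend"] = True
        if rec["child_pid"] is not None:
            entry = report[rec["child_pid"]]
            entry["child_lines"] += 1
            if rec["krb5_error"] is not None:
                entry["krb5_errors"].append(rec["krb5_error"])
    return dict(report)


def describe(code: int) -> str:
    """Human-readable name for a krb5 return code, if it is one we know."""
    return KRB5_CODES.get(code, f"unknown krb5 code {code}")


# Constructed sample modelled on the quoted excerpts (placeholder principal).
SAMPLE_LOG = """\
(Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32382]
(Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/client.example.com@EXAMPLE.COM]
(Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328324} during pre-auth.
"""

if __name__ == "__main__":
    for pid, entry in sorted(correlate(SAMPLE_LOG.splitlines()).items()):
        errors = ", ".join(describe(c) for c in entry["krb5_errors"]) or "none"
        where = "backend spawn" if entry["spawned_by_backend"] else "krb5_child only"
        print(f"pid {pid}: {where}, {entry['child_lines']} child line(s), errors: {errors}")
```

Feed it the concatenation of sssd_domain.com.log and the krb5_child log: a PID that appears as a backend spawn with no child lines, or as child lines with no spawn, is exactly the "do not relate to each other" case, and a PID with both sides lets you read the child's failure next to the request that started it.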
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
