On 21.4.2016 15:44, Jeff Hallyburton wrote:
> Sumit,
>
> We found a resolution for this and I'm dropping it here for posterity.
> After some digging, it turns out that our ipa server and ipa replica were
> returning different IPs for systems in the environment in DNS requests (one
> returned internal results, one returned external results).
>
> After resolving this our intermittent connectivity issue went away. So it
> seems that in some cases, the incorrect IP was being returned for LDAP
> requests.

It would be interesting to see logs from named daemon running on these
servers (around the time of failure).

I hope it helps.

Petr^2 Spacek

> One additional item found here, it seems that the timeout to resolve an
> address (from the sssd logs) is 6 seconds. Can this be raised?
>
> Thanks,
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: supp...@bloomip.com
> Billing Support: bill...@bloomip.com
> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>
> On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <sb...@redhat.com> wrote:
>
>> On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
>>> Sumit,
>>>
>>> Raised the debug level to 10 and let it run for about 24 hours. Uploading
>>> the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!
>>
>> Can you send the related krb5_child log file as well?
>>
>> bye,
>> Sumit
>>
>>> https://pastebin.com/MD6N1Dj7
>>>
>>> Jeff Hallyburton
>>> Strategic Systems Engineer
>>> Bloomip Inc.
>>> Web: http://www.bloomip.com
>>>
>>> Engineering Support: supp...@bloomip.com
>>> Billing Support: bill...@bloomip.com
>>> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>>>
>>> On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <jeff.hallybur...@bloomip.com> wrote:
>>>
>>>> Sumit,
>>>>
>>>> Raised the debug level to 10 and let it run for about 24 hours. Uploading
>>>> the full sssd_domain.com.log. Thanks for your help!
>>>>
>>>> Jeff
>>>>
>>>> Jeff Hallyburton
>>>> Strategic Systems Engineer
>>>> Bloomip Inc.
>>>> Web: http://www.bloomip.com
>>>>
>>>> Engineering Support: supp...@bloomip.com
>>>> Billing Support: bill...@bloomip.com
>>>> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>>>>
>>>> On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <sb...@redhat.com> wrote:
>>>>
>>>>> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
>>>>>> After setting debug_level=8, this is what I see in the sssd_domain_log:
>>>>>
>>>>> Unfortunately the domain log and the krb5_child log do not relate to
>>>>> each other.
>>>>>
>>>>>> (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup]
>>>>>> (0x2000): Setting up signal handler up for pid [32382]
>>>>>
>>>>> ....
>>>>>
>>>>>> (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast]
>>>>>> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/jump02.west-2.production.example....@example.com]
>>>>>
>>>>> ...
>>>>>
>>>>>> (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt]
>>>>>> (0x0400): krb5_get_init_creds_password returned [-1765328324} during
>>>>>> pre-auth.
>>>>>>
>>>>>> Can you shed any light on this?
>>>>>
>>>>> In the domain log the child with the pid 32382 is started to run a
>>>>> pre-authentication request. The request is needed to find out which kind
>>>>> of authentication types are available for the user, e.g. password or
>>>>> 2-factor authentication with the OTP token. The request in the child
>>>>> with the PID 32731 looks like a real authentication request which returns
>>>>> with an error code -1765328324 which just means 'Generic error' but
>>>>> might have caused SSSD to go offline.
>>>>>
>>>>> I would like to ask you to run the test again with debug_level=10 in the
>>>>> [domain/...] section of sssd.conf which would enable some low level
>>>>> Kerberos tracing messages which might help to understand what kind of
>>>>> 'Generic error' was hit here. Additionally I would like to ask you to
>>>>> send the full log files as attachment or in an archive which would help me
>>>>> to better navigate through them.
>>>>>
>>>>> bye,
>>>>> Sumit

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
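The root cause Jeff reports above, an IPA server and its replica answering the same DNS query with different addresses, is straightforward to audit for before it shows up as intermittent SSSD/LDAP failures. The script below is an added example, not code from the thread, from FreeIPA or from SSSD: it asks each DNS server for the same names via dig(1) and reports every name whose answer sets disagree. The server addresses and records in SAMPLE are constructed to mirror the symptom described.

```python
"""Audit that all IPA DNS servers return identical answers for the names
SSSD relies on (IPA host A records, _ldap._tcp SRV records)."""
import subprocess
from typing import Dict, Iterable, Set

Answers = Dict[str, Dict[str, Set[str]]]  # name -> server -> set of RDATA


def query(server: str, name: str, rtype: str = "A") -> Set[str]:
    """Ask one DNS server directly (bypassing the stub resolver) and return
    the answer RDATA as a set, so record order does not matter."""
    out = subprocess.run(["dig", "+short", f"@{server}", name, rtype],
                         capture_output=True, text=True, timeout=10).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


def find_divergent(answers: Answers) -> Answers:
    """Return only the names whose servers disagree. An empty answer from
    one server (NXDOMAIN or timeout) counts as a disagreement too."""
    divergent: Answers = {}
    for name, per_server in answers.items():
        distinct = {frozenset(rdata) for rdata in per_server.values()}
        if len(distinct) > 1:
            divergent[name] = per_server
    return divergent


def audit(servers: Iterable[str], names: Iterable[str], rtype: str = "A") -> Answers:
    """Query every server for every name and report the inconsistent ones."""
    return find_divergent({n: {s: query(s, n, rtype) for s in servers} for n in names})


# Constructed sample: both servers agree on ipa01, but the replica hands out
# an external address for ipa02 while the primary returns the internal one.
SAMPLE: Answers = {
    "ipa01.example.com.": {"10.0.0.11": {"10.0.0.11"}, "10.0.0.12": {"10.0.0.11"}},
    "ipa02.example.com.": {"10.0.0.11": {"10.0.0.12"}, "10.0.0.12": {"203.0.113.12"}},
}

if __name__ == "__main__":
    # Live use: audit(["10.0.0.11", "10.0.0.12"], ["_ldap._tcp.example.com."], "SRV")
    for name, per_server in find_divergent(SAMPLE).items():
        print(name)
        for server, rdata in sorted(per_server.items()):
            print(f"  @{server}: {', '.join(sorted(rdata))}")
```

Run it against every DNS server listed in the clients' resolv.conf, not just the IPA masters, since a forwarder in between can introduce the same split view.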