On Thu, Apr 21, 2016 at 09:44:47AM -0400, Jeff Hallyburton wrote:
> Sumit,
>
> We found a resolution for this and I'm dropping it here for posterity.
> After some digging, it turns out that our ipa server and ipa replica were
> returning different IPs for systems in the environment in DNS requests (one
> returned internal results, one returned external results).
>
> After resolving this our intermittent connectivity issue went away. So it
> seems that in some cases, the incorrect IP was being returned for LDAP
> requests.

Thank you for the feedback.

bye,
Sumit

>
> One additional item found here, it seems that the timeout to resolve an
> address (from the sssd logs) is 6 seconds. Can this be raised?
>
> Thanks,
>
> Jeff
>
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
>
> Engineering Support: [email protected]
> Billing Support: [email protected]
> Customer Support Portal: https://my.bloomip.com <http://my.bloomip.com/>
>
> On Thu, Apr 21, 2016 at 7:47 AM, Sumit Bose <[email protected]> wrote:
>
> > On Wed, Apr 20, 2016 at 02:18:28PM -0400, Jeff Hallyburton wrote:
> > > Sumit,
> > >
> > > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > > the last 2000~ lines of the sssd_domain.com.log. Thanks for your help!
> >
> > Can you send the related krb5_child log file as well?
> >
> > bye,
> > Sumit
> >
> > >
> > > https://pastebin.com/MD6N1Dj7
> > >
> > > Jeff Hallyburton
> > >
> > > On Tue, Apr 19, 2016 at 1:14 PM, Jeff Hallyburton <[email protected]> wrote:
> > >
> > > > Sumit,
> > > >
> > > > Raised the debug level to 10 and let it run for about 24 hours. Uploading
> > > > the full sssd_domain.com.log. Thanks for your help!
> > > >
> > > > Jeff
> > > >
> > > > On Mon, Apr 18, 2016 at 10:58 AM, Sumit Bose <[email protected]> wrote:
> > > >
> > > >> On Fri, Apr 15, 2016 at 04:47:42PM -0400, Jeff Hallyburton wrote:
> > > >> > After setting debug_level=8, this is what I see in the sssd_domain_log:
> > > >>
> > > >> Unfortunately the domain log and the krb5_child log do not relate to
> > > >> each other.
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [32382]
> > > >> >
> > > >>
> > > >> ....
> > > >>
> > > >> >
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/[email protected]]
> > > >> >
> > > >>
> > > >> ...
> > > >>
> > > >> > (Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328324} during pre-auth.
> > > >> >
> > > >> >
> > > >> > Can you shed any light on this?
> > > >> >
> > > >>
> > > >> In the domain log the child with the pid 32382 is started to run a
> > > >> pre-authentication request. The request is needed to find out which kind
> > > >> of authentication types are available for the user, e.g. password or
> > > >> 2-factor authentication with the OTP token. The request in the child
> > > >> with the PID 32731 looks like a real authentication request which returns
> > > >> with an error code -1765328324 which just means 'Generic error' but
> > > >> might have caused SSSD to go offline.
> > > >>
> > > >> I would like to ask you to run the test again with debug_level=10 in the
> > > >> [domain/...] section of sssd.conf which would enable some low level
> > > >> Kerberos tracing messages which might help to understand what kind of
> > > >> 'Generic error' was hit here. Additionally I would like to ask you to send
> > > >> the full log files as attachment or in an archive which would help me to
> > > >> better navigate through them.
> > > >>
> > > >> bye,
> > > >> Sumit
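
Added example, not part of the original thread and not SSSD's own code: a small Python parser for the SSSD debug lines quoted in the thread that picks out krb5_child calls returning an error and decodes the number. It relies on MIT krb5 reporting Kerberos protocol error N as -1765328384 + N, so -1765328324 is protocol error 60 (KRB_ERR_GENERIC); the function names and the abbreviated error table are assumptions of this example.

```python
import re

# Base of the MIT krb5 com_err table: protocol error N is reported as BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384
# Abbreviated subset of RFC 4120 protocol error numbers (not the full table).
KRB5_PROTOCOL_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    60: "KRB_ERR_GENERIC",
}
# (timestamp) [sssd[component[id]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[+sssd\[(?P<component>\w+)\[(?P<ident>[^\]]+)\]+ "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Tolerates the mismatched "}" that appears in the quoted log line.
RETURNED_RE = re.compile(r"(?P<call>\w+) returned \[(?P<code>-?\d+)[\]}]")

def decode_krb5_error(code):
    """Map a krb5 library error number to a protocol error name if it is one."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if 0 <= offset < 128:
        return KRB5_PROTOCOL_ERRORS.get(offset, f"protocol error {offset}")
    return "not a Kerberos protocol error code"

def krb5_failures(lines):
    """Yield one record per krb5_child line reporting a non-zero return code."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["component"] != "krb5_child":
            continue
        r = RETURNED_RE.search(m["msg"])
        if r and int(r["code"]) != 0:
            code = int(r["code"])
            yield {"time": m["ts"], "pid": int(m["ident"]), "func": m["func"],
                   "call": r["call"], "code": code,
                   "name": decode_krb5_error(code)}

# Two log lines from the thread, unwrapped onto single lines.
SAMPLE = [
    "(Fri Apr 15 20:10:46 2016) [sssd[be[example.com]]] [child_handler_setup] "
    "(0x2000): Setting up signal handler up for pid [32382]",
    "(Fri Apr 15 20:32:47 2016) [[sssd[krb5_child[32731]]]] [get_and_save_tgt] "
    "(0x0400): krb5_get_init_creds_password returned [-1765328324} during pre-auth.",
]

if __name__ == "__main__":
    for hit in krb5_failures(SAMPLE):
        print(hit)
```
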
