I was seeing a lot of entries in the krb5kdc.log like below

"krb5kdc[10403](info): TGS_REQ (4 etypes {18 17 16 23}) ISSUE:
authtime 1485450918, etypes {rep=18 tkt=18 ses=18}, host/my-host@MYDOMAIN"

On one env.. where users rarely log in... even there I see a lot of such

Finally , I think  I was able to track this down..  there are few local
accounts ( non freeipa ) on my hosts . These are used to run some custom
scripts through cron and run frequently ( every few mins ).
So, I feel  whenever thers a request for "su - <localuser>" or a sudo to
the local user, that would also end up calling the Kerbros service.. and
since it runs so frequently on all the hosts.. they would be choking the
IPA master / replica with so many requests..

Please correct me If I am wrong in the above assumption.

Going by the above logic.. I have added filter_users section with these
users in the sssd.conf . Hopefully I would see a drop in the number of

On Mon, Jan 23, 2017 at 11:27 PM, Robbie Harwood <rharw...@redhat.com>

> Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> writes:
> > one more question I was curious is.. when does the krb5kdc.log get
> entries
> > . .. I mean is it only when someone makes an attempt to login to a server
> > that the log file  krb5kdc.log on the IPA master gets updated or there
> are
> > other scenarios as well
> It's controlled by /etc/kdc.conf ; take a look at the "[logging]" section
> in
> `man 5 kdc.conf` for more information.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to