My IPA<->AD trust setup experiences intermittent failures during login events. The AD subdomain goes into an inactive/offline state and users logging in are put into a 'delayed authentication' queue. Usually logging in after a minute or so succeeds, as the subdomain is reset and the user is cached for following events. At all times, getent/id and kinits are successful, even with a purged sssd cache.
SRV records are correctly resolved, except for _kerberos-master.

I have not been able to further troubleshoot the intermittent failures. Traffic captures show no strange behaviour, yet the sssd_domain log is clearly showing AD to be unreachable at times. All AD servers are W2012, and DNS-masking _ldap and _kerberos to single nodes (factoring out any faulty Windows configs) has so far not had any effect (would it?).

sssd's data_provider_fo.c :> be_fo_reset_svc() calls fo_get_service(), which returns EOK. I'm not yet familiar with the variables at play; would adding debug statements here reveal faults that may cause this?

Any pointers are very much appreciated.


[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
[sssd[be[unix.foo.local]]] [ipa_server_trusted_dom_setup_send] (0x1000): Trust direction of subdom foo.local from forest foo.local is: one-way inbound: local domain trusts the remote domain
[sssd[be[unix.foo.local]]] [ipa_server_trusted_dom_setup_1way] (0x0400): Will re-fetch keytab for foo.local
[sssd[be[unix.foo.local]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for UNIX$@FOO.local from ipa01.unix.foo.local into /var/lib/sss/keytabs/foo.local.keytab6AXxWV using ccache /var/lib/sss/db/ccache_UNIX.FOO.local
[sssd[be[unix.foo.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [6242]
[sssd[be[unix.foo.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [6242]
[sssd[be[unix.foo.local]]] [sdap_process_result] (0x2000): Trace: sh[0x7f71cd9ddb80], connected[1], ops[(nil)], ldap[0x7f71cd9e65a0]
[sssd[be[unix.foo.local]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
[sssd[be[unix.foo.local]]] [ad_online_cb] (0x0400): The AD provider is online
[sssd[be[unix.foo.local]]] [be_ptask_online_cb] (0x0400): Back end is online
[sssd[be[unix.foo.local]]] [be_ptask_enable] (0x0080): Task [Subdomains Refresh]: already enabled
Keytab successfully retrieved and stored in: /var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [child_sig_handler] (0x1000): Waiting for child [6242].
[sssd[be[unix.foo.local]]] [child_sig_handler] (0x0100): child [6242] finished successfully.
[sssd[be[unix.foo.local]]] [ipa_getkeytab_recv] (0x2000): ipa-getkeytab status 0
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): Keytab successfully retrieved to /var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x2000): Keytab renamed to /var/lib/sss/keytabs/foo.local.keytab
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): Keytab /var/lib/sss/keytabs/foo.local.keytab6AXxWV contains the expected principals
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): Established trust context for foo.local
[sssd[be[unix.foo.local]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/keytabs/foo.local.keytab6AXxWV]
[sssd[be[unix.foo.local]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/keytabs/foo.local.keytab6AXxWV]
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service foo.local
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [foo.local]
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sssd[be[unix.foo.local]]] [be_mark_dom_offline] (0x1000): Marking subdomain foo.local offline
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request?
[sssd[be[unix.foo.local]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

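An added example, not part of the original post or of sssd itself: a small parser for the sssd domain-provider debug log format shown above (`[sssd[be[<domain>]]] [<function>] (<level>): <message>`) that walks one "will try to reset subdomain" cycle at a time and flags the sequence visible in the posted excerpt, where the trust keytab is re-fetched successfully, be_fo_reset_svc then reports "Cannot retrieve service", and the subdomain is marked offline. The sample log is a constructed subset of the lines quoted in the post; the message strings matched are the ones that appear there, so the script can be pointed at a full sssd_domain log to count how often this exact cycle recurs.

```python
"""Flag sssd subdomain reset cycles that end with the subdomain marked offline.

Added example, not code from the post or from sssd. The log format and the
message strings are taken from the log excerpt in the post; SAMPLE_LOG is a
constructed subset of those lines.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>[A-Za-z0-9_]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)

# Message fragments that mark the stages of one reset cycle (from the post).
RESET_TRIED = "will try to reset"                       # ipa_srv_ad_acct_lookup_done
KEYTAB_OK = "Keytab successfully retrieved to"          # ipa_server_trust_1way_kt_done
RESET_SVC_FAILED = re.compile(r"Cannot retrieve service \[([^\]]+)\]")  # be_fo_reset_svc
MARKED_OFFLINE = re.compile(r"Marking subdomain (\S+) offline")         # be_mark_dom_offline
INACTIVE = "Subdomain is inactive"                      # ipa_get_*_acct request failed


@dataclass
class Event:
    domain: str
    func: str
    level: int
    msg: str


@dataclass
class ResetAttempt:
    """What happened inside one 'will try to reset subdomain' cycle."""
    start_index: int
    keytab_ok: bool = False
    reset_svc_failed: Optional[str] = None   # service named by be_fo_reset_svc
    marked_offline: Optional[str] = None     # subdomain named by be_mark_dom_offline
    inactive_errors: int = 0

    def failed_after_keytab(self) -> bool:
        """The pattern in the post: keytab re-fetch succeeded, failover reset
        could not find the service, and the subdomain was then marked offline."""
        return (self.keytab_ok and self.reset_svc_failed is not None
                and self.marked_offline is not None)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a prefixed sssd line, None for anything else
    (e.g. the bare ipa-getkeytab child output that is interleaved in the log)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["domain"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[Event]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def find_reset_attempts(events: List[Event]) -> List[ResetAttempt]:
    """Group events into reset cycles; a cycle closes at dp_req_done."""
    attempts: List[ResetAttempt] = []
    current: Optional[ResetAttempt] = None
    for i, e in enumerate(events):
        if RESET_TRIED in e.msg:
            current = ResetAttempt(start_index=i)
            attempts.append(current)
            continue
        if current is None:
            continue
        if KEYTAB_OK in e.msg:
            current.keytab_ok = True
        elif (m := RESET_SVC_FAILED.search(e.msg)):
            current.reset_svc_failed = m.group(1)
        elif (m := MARKED_OFFLINE.search(e.msg)):
            current.marked_offline = m.group(1)
        elif INACTIVE in e.msg:
            current.inactive_errors += 1
        elif e.func == "dp_req_done":
            current = None
    return attempts


def suspicious_attempts(text: str) -> List[ResetAttempt]:
    """Reset cycles showing the keytab-ok / reset-failed / offline sequence."""
    return [a for a in find_reset_attempts(parse_log(text)) if a.failed_after_keytab()]


# Constructed subset of the log lines quoted in the post.
SAMPLE_LOG = """\
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain lookup failed, will try to reset sudomain..
[sssd[be[unix.foo.local]]] [ipa_getkeytab_send] (0x0400): Retrieving keytab for UNIX$@FOO.local from ipa01.unix.foo.local into /var/lib/sss/keytabs/foo.local.keytab6AXxWV using ccache /var/lib/sss/db/ccache_UNIX.FOO.local
Keytab successfully retrieved and stored in: /var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): Keytab successfully retrieved to /var/lib/sss/keytabs/foo.local.keytab6AXxWV
[sssd[be[unix.foo.local]]] [ipa_server_trust_1way_kt_done] (0x0400): Established trust context for foo.local
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_retried] (0x0400): Sudomain re-set, will retry lookup
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service foo.local
[sssd[be[unix.foo.local]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [foo.local]
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_step] (0x0400): Looking up AD account
[sssd[be[unix.foo.local]]] [be_mark_dom_offline] (0x1000): Marking subdomain foo.local offline
[sssd[be[unix.foo.local]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158270]: Subdomain is inactive.
[sssd[be[unix.foo.local]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for a in suspicious_attempts(text):
        print(f"event #{a.start_index}: keytab ok, be_fo_reset_svc could not find "
              f"service [{a.reset_svc_failed}], subdomain {a.marked_offline} marked "
              f"offline, {a.inactive_errors} 'Subdomain is inactive' errors")
```

Run it as `python3 sssd_reset_check.py /var/log/sssd/sssd_unix.foo.local.log` (the script name and log path are assumptions) to list every cycle with this shape; a cycle that reaches `dp_req_done` without `Cannot retrieve service` is not reported, so the count isolates the failover-reset failure from ordinary subdomain refreshes.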