Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-08 Thread John Moyer
Jakub,

So far I have no logs. Unfortunately, since this is quite the
disruptive activity, I am not willing to reproduce it. If I get some time
I can try to build a replica environment and try it there, but I don't
see me having that time.

John

On 7/7/14, 4:28 PM, Jakub Hrozek wrote:
> On Mon, Jul 07, 2014 at 04:09:24PM -0300, Bruno Henrique Barbosa wrote:
>> I can confirm this, I usually run through this after a power outage on my 
>> datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to 
>> SSH attempts, SSSD logs empty, and I have to logon and restart sssd on every 
>> VM manually. 
> Hello Bruno, see my reply to John, if you can capture the sssd logs,
> that would be very welcome in tracking down the problem.
>
>> - Original message -
>>
>> From: "John Moyer"  
>> To: "Jakub Hrozek" , freeipa-users@redhat.com 
>> Sent: Monday, July 7, 2014 15:56:18 
>> Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop 
>> working 
>>
>>
>> The /var/log/secure is saying invalid user. When I do a getent passwd $USER 
>> I can't get any user from IPA until sssd is restarted. The SSSD logs are 
>> completely empty. Below is the sssd.conf if that helps. 
>>
>>
>> Also I just had a server that I fixed (by restarting sssd) break again, 
>> restarting sssd fixed it again though. 
>>
>>
>>
>>
>> sssd.conf 
>> [domain/digitalreasoning.com] 
>>
>> cache_credentials = True 
>> krb5_store_password_if_offline = True 
>> ipa_domain = digitalreasoning.com 
>> id_provider = ipa 
>> auth_provider = ipa 
>> access_provider = ipa 
>> ldap_tls_cacert = /etc/ipa/ca.crt 
>> ipa_hostname = client.digitalreasoning.com 
>> chpass_provider = ipa 
>> ipa_server = _srv_, server1.digitalreasoning.com 
>> dns_discovery_domain = digitalreasoning.com 
>> [sssd] 
>> services = nss, pam, ssh 
>> config_file_version = 2 
>>
>> domains = digitalreasoning.com 
>> [nss] 
>>
>> [pam] 
>>
>> [sudo] 
>>
>> [autofs] 
>>
>> [ssh] 
>>
>> [pac] 
>>
>>
>> On 7/7/14, 2:19 PM, Jakub Hrozek wrote: 
>>
>>
>> On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote: 
>> 
>> Hello All,
>>
>> Some of the services in IPA stopped responding and I restarted the
>> service (as I couldn't login to the website or via ssh to any registered
>> hosts).   After the restart I could login to the web app, but still no
>> clients.   I currently can login to one client that I restarted sssd on.
>>   Any suggestions how to fix the rest without having to go to all of
>> them to restart sssd? 
>>
>> Can you log in as root to the clients and check out /var/log/secure
>> and/or the sssd logs?
>>
>> Do your clients cache credentials?
>>
>> I suspect that when IPA went down, the clients went offline and still
>> haven't re-checked the online status..how long since the IPA server went
>> offline? 
>> 
>>
>>
>>
>>
>>
>> Thanks, 
>>
>> John Moyer 
>> Director, IT Operations 
>>
>>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list: 
>> https://www.redhat.com/mailman/listinfo/freeipa-users 
>> Go To http://freeipa.org for more info on the project 




Thanks,

John Moyer
Director, IT Operations

Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
On Mon, Jul 07, 2014 at 04:09:24PM -0300, Bruno Henrique Barbosa wrote:
> I can confirm this, I usually run through this after a power outage on my 
> datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to 
> SSH attempts, SSSD logs empty, and I have to logon and restart sssd on every 
> VM manually. 

Hello Bruno, see my reply to John, if you can capture the sssd logs,
that would be very welcome in tracking down the problem.

> 
> - Original message -
> 
> From: "John Moyer"  
> To: "Jakub Hrozek" , freeipa-users@redhat.com 
> Sent: Monday, July 7, 2014 15:56:18 
> Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop 
> working 
> 
> 
> The /var/log/secure is saying invalid user. When I do a getent passwd $USER I 
> can't get any user from IPA until sssd is restarted. The SSSD logs are 
> completely empty. Below is the sssd.conf if that helps. 
> 
> 
> Also I just had a server that I fixed (by restarting sssd) break again, 
> restarting sssd fixed it again though. 
> 
> 
> 
> 
> sssd.conf 
> [domain/digitalreasoning.com] 
> 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = digitalreasoning.com 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> ipa_hostname = client.digitalreasoning.com 
> chpass_provider = ipa 
> ipa_server = _srv_, server1.digitalreasoning.com 
> dns_discovery_domain = digitalreasoning.com 
> [sssd] 
> services = nss, pam, ssh 
> config_file_version = 2 
> 
> domains = digitalreasoning.com 
> [nss] 
> 
> [pam] 
> 
> [sudo] 
> 
> [autofs] 
> 
> [ssh] 
> 
> [pac] 
> 
> 
> On 7/7/14, 2:19 PM, Jakub Hrozek wrote: 
> 
> 
> On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote: 
> 
> Hello All,
> 
> Some of the services in IPA stopped responding and I restarted the
> service (as I couldn't login to the website or via ssh to any registered
> hosts).   After the restart I could login to the web app, but still no
> clients.   I currently can login to one client that I restarted sssd on.
>   Any suggestions how to fix the rest without having to go to all of
> them to restart sssd? 
> 
> Can you log in as root to the clients and check out /var/log/secure
> and/or the sssd logs?
> 
> Do your clients cache credentials?
> 
> I suspect that when IPA went down, the clients went offline and still
> haven't re-checked the online status..how long since the IPA server went
> offline? 
> 
> 
> 
> 
> 
> 
> Thanks, 
> 
> John Moyer 
> Director, IT Operations 
> 
> 



Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
On Mon, Jul 07, 2014 at 02:56:18PM -0400, John Moyer wrote:
> The /var/log/secure is saying invalid user.

I wouldn't expect this, I would expect something like "cannot retrieve
authentication info".

> When I do a getent passwd
> $USER I can't get any user from IPA until sssd is restarted.  The SSSD
> logs are completely empty.

Right, by default, we don't log anything. If you can still reproduce, is
it possible to change the level of sssd on the fly using the
sss_debuglevel tool and /then/ check the logs?

> Below is the sssd.conf if that helps. 

Interesting, the client does cache credentials. In this case, the logs
would be quite welcome.

> 
> 
> Also I just had a server that I fixed (by restarting sssd) break again,
> restarting sssd fixed it again though. 
> 
> 
> 
> 
> sssd.conf
> [domain/digitalreasoning.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = digitalreasoning.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = client.digitalreasoning.com
> chpass_provider = ipa
> ipa_server = _srv_, server1.digitalreasoning.com
> dns_discovery_domain = digitalreasoning.com
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> 
> domains = digitalreasoning.com
> [nss]
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> 
> On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
> > On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
> >> Hello All,
> >>
> >> Some of the services in IPA stopped responding and I restarted the
> >> service (as I couldn't login to the website or via ssh to any registered
> >> hosts).   After the restart I could login to the web app, but still no
> >> clients.   I currently can login to one client that I restarted sssd on.
> >>   Any suggestions how to fix the rest without having to go to all of
> >> them to restart sssd?  
> > Can you log in as root to the clients and check out /var/log/secure
> > and/or the sssd logs?
> >
> > Do your clients cache credentials?
> >
> > I suspect that when IPA went down, the clients went offline and still
> > haven't re-checked the online status..how long since the IPA server went
> > offline?
> >
> 
> 
> 
> 
> Thanks,
> 
> John Moyer
> Director, IT Operations
> 

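Added example (not from the thread or the SSSD project): Jakub's point that SSSD logs nothing by default can be checked against the posted sssd.conf. The sketch below lists each process SSSD starts from `services` and `domains`, its log file under /var/log/sssd/, and whether a `debug_level` is set; the embedded config is abridged from John's message and the function names are hypothetical.

```python
import configparser

# Abridged from the sssd.conf posted in the thread; no debug_level is set anywhere.
POSTED_CONF = """\
[domain/digitalreasoning.com]
cache_credentials = True
id_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
[sssd]
services = nss, pam, ssh
domains = digitalreasoning.com
[nss]
[pam]
[sudo]
[ssh]
"""

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def _items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit(text):
    """List (section, log file, debug_level or None) for every process SSSD starts."""
    cp = _load(text)
    main = cp["sssd"]
    parts = [("sssd", "sssd.log")]
    parts += [(s, f"sssd_{s}.log") for s in _items(main.get("services", ""))]
    parts += [(f"domain/{d}", f"sssd_{d}.log") for d in _items(main.get("domains", ""))]
    out = []
    for section, logfile in parts:
        raw = cp.get(section, "debug_level", fallback=None)
        level = int(raw, 0) if raw is not None else None  # decimal or 0x bitmask
        out.append((section, "/var/log/sssd/" + logfile, level))
    return out

def silent_sections(text):
    """Sections that produce no debugging output: debug_level missing or 0."""
    return [section for section, _, level in audit(text) if not level]

def caches_credentials(text, domain):
    return _load(text).getboolean(f"domain/{domain}", "cache_credentials", fallback=False)

if __name__ == "__main__":
    for section, path, level in audit(POSTED_CONF):
        print(f"[{section}] debug_level={level} -> {path}")
```

A `debug_level` added to those sections applies after sssd is restarted; the `sss_debuglevel` tool Jakub mentions changes the level on the running daemon instead.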


Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Bruno Henrique Barbosa
I can confirm this, I usually run through this after a power outage on my 
datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to SSH 
attempts, SSSD logs empty, and I have to logon and restart sssd on every VM 
manually. 

- Original message -

From: "John Moyer"  
To: "Jakub Hrozek" , freeipa-users@redhat.com 
Sent: Monday, July 7, 2014 15:56:18 
Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop working 


The /var/log/secure is saying invalid user. When I do a getent passwd $USER I 
can't get any user from IPA until sssd is restarted. The SSSD logs are 
completely empty. Below is the sssd.conf if that helps. 


Also I just had a server that I fixed (by restarting sssd) break again, 
restarting sssd fixed it again though. 




sssd.conf 
[domain/digitalreasoning.com] 

cache_credentials = True 
krb5_store_password_if_offline = True 
ipa_domain = digitalreasoning.com 
id_provider = ipa 
auth_provider = ipa 
access_provider = ipa 
ldap_tls_cacert = /etc/ipa/ca.crt 
ipa_hostname = client.digitalreasoning.com 
chpass_provider = ipa 
ipa_server = _srv_, server1.digitalreasoning.com 
dns_discovery_domain = digitalreasoning.com 
[sssd] 
services = nss, pam, ssh 
config_file_version = 2 

domains = digitalreasoning.com 
[nss] 

[pam] 

[sudo] 

[autofs] 

[ssh] 

[pac] 


On 7/7/14, 2:19 PM, Jakub Hrozek wrote: 


On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote: 

Hello All,

Some of the services in IPA stopped responding and I restarted the
service (as I couldn't login to the website or via ssh to any registered
hosts).   After the restart I could login to the web app, but still no
clients.   I currently can login to one client that I restarted sssd on.
  Any suggestions how to fix the rest without having to go to all of
them to restart sssd? 

Can you log in as root to the clients and check out /var/log/secure
and/or the sssd logs?

Do your clients cache credentials?

I suspect that when IPA went down, the clients went offline and still
haven't re-checked the online status..how long since the IPA server went
offline? 






Thanks, 

John Moyer 
Director, IT Operations 



Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread John Moyer
The /var/log/secure is saying invalid user.   When I do a getent passwd
$USER I can't get any user from IPA until sssd is restarted.  The SSSD
logs are completely empty.   Below is the sssd.conf if that helps. 


Also I just had a server that I fixed (by restarting sssd) break again,
restarting sssd fixed it again though. 




sssd.conf
[domain/digitalreasoning.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = digitalreasoning.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.digitalreasoning.com
chpass_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
dns_discovery_domain = digitalreasoning.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = digitalreasoning.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
> On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
>> Hello All,
>>
>> Some of the services in IPA stopped responding and I restarted the
>> service (as I couldn't login to the website or via ssh to any registered
>> hosts).   After the restart I could login to the web app, but still no
>> clients.   I currently can login to one client that I restarted sssd on.
>>   Any suggestions how to fix the rest without having to go to all of
>> them to restart sssd?  
> Can you log in as root to the clients and check out /var/log/secure
> and/or the sssd logs?
>
> Do your clients cache credentials?
>
> I suspect that when IPA went down, the clients went offline and still
> haven't re-checked the online status..how long since the IPA server went
> offline?
>




Thanks,

John Moyer
Director, IT Operations


Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
> Hello All,
> 
> Some of the services in IPA stopped responding and I restarted the
> service (as I couldn't login to the website or via ssh to any registered
> hosts).   After the restart I could login to the web app, but still no
> clients.   I currently can login to one client that I restarted sssd on.
>   Any suggestions how to fix the rest without having to go to all of
> them to restart sssd?  

Can you log in as root to the clients and check out /var/log/secure
and/or the sssd logs?

Do your clients cache credentials?

I suspect that when IPA went down, the clients went offline and still
haven't re-checked the online status... how long since the IPA server went
offline?



[Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread John Moyer
Hello All,

Some of the services in IPA stopped responding and I restarted the
service (as I couldn't login to the website or via ssh to any registered
hosts).   After the restart I could login to the web app, but still no
clients.   I currently can login to one client that I restarted sssd on.
  Any suggestions how to fix the rest without having to go to all of
them to restart sssd?  

Thanks,

John Moyer
Director, IT Operations
