John Williams wrote:
I've got some sporadic behavior on my IPA instance and I'm hoping
someone can help me resolve the issue.  The problem is that many times
my clients cannot authenticate to the respective hosts.  First, my
environment.  Some details:

ipa2 - centos 6.3 -  ipa server 3.0.0
ipa3 - centos 7.1 - ipa server 4.1.0

We had a FreeIPA server host ipa1 that died some time ago.  I do not
have any details on that host.

Again, the problem is that clients cannot authenticate very frequently.

Here are some examples of the problems I am having:
   A client can log in to the console of a CentOS 6.7 host, but cannot
SSH into it.
   One user can log in to a host, but another user cannot.

Some diagnostics information:

Services running on IPA servers:

[root@ipa2 ~]# ps -ef | grep krb
root      6007  5936  0 19:21 pts/5    00:00:00 grep krb
root     22339     1  0 Feb06 ?        00:00:00 /usr/sbin/krb5kdc -r AAA
-P /var/run/krb5kdc.pid -w 2
root     22344 22339  0 Feb06 ?        00:42:56 /usr/sbin/krb5kdc -r AAA
-P /var/run/krb5kdc.pid -w 2
root     22345 22339  0 Feb06 ?        00:42:50 /usr/sbin/krb5kdc -r AAA
-P /var/run/krb5kdc.pid -w 2

[root@ipa3 ~]# ps -ef | grep  krb
root      2513     1  0  2015 ?        00:00:00 /usr/sbin/krb5kdc -P
/var/run/krb5kdc.pid -w 2
root      2514  2513  0  2015 ?        00:01:20 /usr/sbin/krb5kdc -P
/var/run/krb5kdc.pid -w 2
root      2515  2513  0  2015 ?        00:01:18 /usr/sbin/krb5kdc -P
/var/run/krb5kdc.pid -w 2
root      5702  5609  0 19:20 pts/1    00:00:00 grep --color=auto krb

slapd is running on both servers:

[root@ipa3 ~]# ps -ef | grep slapd
dirsrv    2464     1  0  2015 ?        09:39:37 /usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w
/var/run/dirsrv/slapd-IDEF.startpid
root      5707  5609  0 19:25 pts/1    00:00:00 grep --color=auto slapd
[root@ipa3 ~]#


[root@ipa2 ~]# ps -ef | grep slapd
root      6024  5936  0 19:26 pts/5    00:00:00 grep slapd
dirsrv   22137     1  3 Feb06 ?        1-20:48:55 /usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA.pid -w
/var/run/dirsrv/slapd-AAA.startpid
pkisrv   22209     1  0 Feb06 ?        00:44:54 /usr/sbin/ns-slapd -D
/etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w
/var/run/dirsrv/slapd-PKI-IPA.startpid
[root@ipa2 ~]#

System time is synchronized across all hosts.

Check this https://fedorahosted.org/sssd/wiki/Troubleshooting


For DNS, I have the following entries:

[root@sharedone ~]# dig ipa.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa2.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa3.BBB.AAA +short
192.168.120.139
[root@sharedone ~]#

Now the ipa.AAA.AAA server does not exist anymore because it died.  But
if I remove that DNS entry everything stops working and no one can
authenticate, versus the sporadic issues we are having.

If you need more details or specific information, please let me know.
I'm at a loss as to what causes this behavior.

You probably need to remove old SRV records for this host.

I assume you are working on switching the 3.0 host also to 4.x?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
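The SRV-record cleanup rob suggests, worked through as an added example that is not part of the thread and not FreeIPA's own tooling. It assumes the dead server was named ipa1.bbb.aaa in the zone bbb.aaa (both assumptions; the thread only redacts the names), and the dig-style answer lines it parses are constructed stand-ins for live output. It prints the `ipa dnsrecord-del ... --srv-rec=` commands that remove only the values pointing at the dead host, leaving the records for the surviving servers intact, which is what you want: deleting the whole record is the "everything stops working" case John describes.

```shell
#!/bin/sh
# Added example (not from the thread): list the SRV records that still point at a
# dead IPA server and print the `ipa dnsrecord-del` commands that would remove them.
# The zone, the dead host name and the sample answers below are constructed assumptions.

DOMAIN="bbb.aaa"          # assumed IPA DNS zone
DEAD_HOST="ipa1.bbb.aaa"  # assumed name of the server that died

# SRV names FreeIPA publishes and that clients/SSSD use for server discovery.
SRV_NAMES="_kerberos._udp _kerberos._tcp _kpasswd._udp _kpasswd._tcp _ldap._tcp _ntp._udp"

# On a live system feed this function real answers, e.g.:
#   for n in $SRV_NAMES; do dig +noall +answer "$n.$DOMAIN" SRV; done | stale_srv_records
# It reads dig-style answer lines ("name ttl IN SRV prio weight port target.") on
# stdin and prints "name prio weight port target" for each record whose target is
# the dead host.
stale_srv_records() {
    awk -v dead="$DEAD_HOST." '$4 == "SRV" && $8 == dead {
        sub(/\.$/, "", $1)            # strip the trailing dot from the record name
        printf "%s %s %s %s %s\n", $1, $5, $6, $7, $8
    }'
}

# Turn each stale record into the command that removes only that value
# (not the whole SRV RRset, which would take the live servers out of discovery too).
del_commands() {
    while read -r name prio weight port target; do
        rel="${name%.$DOMAIN}"        # record name relative to the zone, e.g. _kerberos._udp
        printf "ipa dnsrecord-del %s %s --srv-rec='%s %s %s %s'\n" \
            "$DOMAIN" "$rel" "$prio" "$weight" "$port" "$target"
    done
}

# Constructed sample answers standing in for live dig output.
SAMPLE='_kerberos._udp.bbb.aaa. 86400 IN SRV 0 100 88 ipa1.bbb.aaa.
_kerberos._udp.bbb.aaa. 86400 IN SRV 0 100 88 ipa2.bbb.aaa.
_kerberos._udp.bbb.aaa. 86400 IN SRV 0 100 88 ipa3.bbb.aaa.
_ldap._tcp.bbb.aaa. 86400 IN SRV 0 100 389 ipa1.bbb.aaa.
_ldap._tcp.bbb.aaa. 86400 IN SRV 0 100 389 ipa3.bbb.aaa.'

# Number of stale records in the sample (two: one _kerberos._udp, one _ldap._tcp).
stale_count() {
    printf '%s\n' "$SAMPLE" | stale_srv_records | wc -l | tr -d ' '
}

# The commands the sample would produce.
sample_del_commands() {
    printf '%s\n' "$SAMPLE" | stale_srv_records | del_commands
}

sample_del_commands
```

Run the generated commands on an IPA server as an admin with a valid ticket, then re-run the dig loop to confirm only the live servers remain; SSSD caches discovery results, so clients may need `sss_cache -E` or a restart before they stop trying the dead host.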
