On (23/05/17 08:11), Joakim Tjernlund wrote:
>On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote:
>> On (22/05/17 14:53), Joakim Tjernlund wrote:
>> > > The time is not synchronised between client and server.
>> > > MIT krb5 can handle small offset. But I would highly recommend
>> > > to keep time in sync.
>> >
>> > There is some time problem on and off but this has never been too much.
>> > I don't think this was the root problem here ?
>> >
>>
>> As I already mentioned I would highly recommend to keep time in sync.
>> It will reduce possible errors.
>>
>> Configuring ntpd/chrony on client and server is not rocket science :-)
>
>Sure, no rocket science but I have little control over the AD servers. :(
>Anyhow, I did a "net ads info" and it came back with Server time offset: 0
>so I don't think there is a time difference(or very small)?
>The clients are already on NTP.
>
>>
>>
>> > > Renewing of a ticket failed because it is already expired.
>> > > Maybe due to time shift between client and server(KDC)
>> >
>> > Yes, it is expired to begin with. I got a ticket, then suspended the
>> > computer long enough for the ticket to expire(10 hours here) and then
>> > woke up and unlocked the screen.
>> > The problem is that sssd never tries to get a new ticket using my creds
>> > I gave when unlocking.
>> > Even if I do several lock/unlocks after the network is restored, sssd
>> > will not get me a new ticket.
>> >
>>
>> sssd would get a new ticket if it was in online mode.
>> But it is in offline mode.
>>
>> I would highly recommend to keep time in sync with server
>> and then debug why sssd was in offline mode.
>> Or why it went to offline mode.
>>
>> With 1.15 you can use sssctl e.g.
>
>I did run sssctl domain-status infinera.com and it came back with:
>Unable to get online status [3]: Communication error
>org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes
>include: the remote application did not send a reply, the message bus
>security policy blocked the reply, the reply timeout expired, or the
>network connection was broken.
>Check that SSSD is running and the InfoPipe responder is enabled. Make sure
>'ifp' is listed in the 'services' option in sssd.conf.
>Unable to get online status
>
>I then just added 'ifp' to 'services' and restarted sssd and now it works:
>sssctl domain-status infinera.com
>Online status: Online
>
>Active servers:
>AD Global Catalog: not connected
>AD Domain Controller: se-dc01.infinera.com
>.....
>
>Could the problem I saw be related to not having ifp in services ?
>I will check again when the ticket expires again.
>

The ifp service does not have any effect on ticket renewal.
It is just required by sssctl.

LS
