Hi,
we are testing a FreeIPA trust to an Active Directory. Trust itself works, we are happy. Now we tested a failure on FreeIPA site. We have two instances, both with same roles. If we poweroff first installed server, and clean sssd caches with restart of sssd on client side , sssd service can’t establish a connection to second instance.
ipa-lx-test-01.ipa.example.com is the first installed FreeIPA with ipa-server-4.4.0-14.el7.centos.7.x86_64 on latest CentOS7 ipa-lx-test-02.ipa.example.com is the second installed FreeIPA with ipa-server-4.4.0-14.el7.centos.7.x86_64 on latest CentOS7 ipa-lx-test-debian9.ipa.example.com is a latest Debian 9.1 with sssd 1.15.0-3
For deeper inspection full log is attached. In logs we found something like this:
|(Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-lx-test-01.ipa.example.com' as 'name resolved' (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-lx-test-01.ipa.example.com: [x.x.x.x] TTL 1200 (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipa-lx-test-01.ipa.example.com' (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_2zXOse] (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_2zXOse] (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [19] for the connection. (Wed Aug 23 16:07:06 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sssd_async_connect_done] (0x0020): connect failed [113][Keine Route zum Zielrechner]. (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_init_done] (0x0020): sdap_async_sys_connect request failed: [113]: Keine Route zum Zielrechner. (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_state_destructor] (0x0400): closing socket [19] (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sss_ldap_init_sys_connect_done] (0x0020): sssd_async_socket_init request failed: [113]: Keine Route zum Zielrechner. (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [113]: Keine Route zum Zielrechner. (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x558252c36770], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0] (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1572 (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa-lx-test-01.ipa.example.com' as 'not working' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ipa-lx-test-01.ipa.example.com' as 'not working' |
Thats true, ‘Keine Route zum Zielrechner’ means ‘no route to host’, first instance is poweroff. Well looking forward in logfile
|(Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [get_server_status] (0x1000): Status of server 'ipa-lx-test-02.ipa.example.com' is 'name not resolved' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ipa-lx-test-02.ipa.example.com' is 'neutral' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [get_server_status] (0x1000): Status of server 'ipa-lx-test-02.ipa.example.com' is 'name not resolved' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_is_address] (0x4000): [ipa-lx-test-02.ipa.example.com] does not look like an IP address (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa-lx-test-02.ipa.example.com' in files (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-lx-test-02.ipa.example.com' as 'resolving name' (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa-lx-test-02.ipa.example.com' in files (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa-lx-test-02.ipa.example.com' in DNS (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Wed Aug 23 16:07:09 2017) [sssd[be[ipa.example.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Wed Aug 23 16:07:10 2017) [sssd[be[ipa.example.com]]] [check_fd_timeouts] (0x4000): Checking for DNS timeouts (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [check_fd_timeouts] (0x4000): Checking for DNS timeouts (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [set_server_common_status] (0x0100): Marking server 'ipa-lx-test-02.ipa.example.com' as 'name resolved' (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-lx-test-02.ipa.example.com: [x.x.x.x] TTL 1200 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipa-lx-test-02.ipa.example.com' (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_U1QQrA] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_U1QQrA] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [19] for the connection. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ipa-lx-test-02.ipa.example.com:389/??base] with fd [19]. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_print_server] (0x2000): Searching x.x.x.x:389 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 1 timeout 6 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x558252c35750], connected[1], ops[0x558252c36640], ldap[0x558252c130c0] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_entry] (0x1000): OriginalDN: []. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [changeLog] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [firstchangenumber] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastchangenumber] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipatopologypluginversion] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipatopologyismanaged] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaDomainLevel] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedFeatures] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastUSN] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x558252c35750], connected[1], ops[0x558252c36640], ldap[0x558252c130c0] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 1 finished (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=ipa,dc=example,dc=com]. (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][dc=ipa,dc=example,dc=com][SUBTREE][] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_get_server_opts_from_rootdse] (0x4000): USN value: 41151 (int: 41151) (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ipa-lx-test-debian9.ipa.example.com, ipa.example.com, 86400) (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [get_server_status] (0x1000): Status of server 'ipa-lx-test-02.ipa.example.com' is 'name resolved' (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [get_server_status] (0x1000): Status of server 'ipa-lx-test-02.ipa.example.com' is 'name resolved' (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa-lx-test-02.ipa.example.com: [x.x.x.x] TTL 1200 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 81 (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [2104] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [2104] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x558252c35750], connected[1], ops[(nil)], ldap[0x558252c130c0] (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (Wed Aug 23 16:07:11 2017) [sssd[be[ipa.example.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to tgt child [2104] reached. (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending SIGKILL to tgt child (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_sig_handler] (0x1000): Waiting for child [2104]. (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_sig_handler] (0x0020): child [2104] failed with status [7]. (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [child_callback] (0x0020): LDAP child was terminated due to timeout (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1207 (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa-lx-test-02.ipa.example.com' as 'not working' (Wed Aug 23 16:07:17 2017) [sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ipa-lx-test-02.ipa.example.com' as 'not working' |
Ok, second server was found, but we ran in an timeout getting a TGT. If i manually try to get a kerberos ticket it works, but with a long delay.
ipa-lx-test-debian9.ipa.example.com’s sssd.conf:
|[domain/ipa.example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ipa-lx-test-debian9.ipa.example.com chpass_provider = ipa ipa_dyndns_update = True ipa_server = _srv_, ipa-lx-test-01.ipa.example.com ldap_tls_cacert = /etc/ipa/ca.crt #subdomain_homedir = /home/%u fallback_homedir = /home/%u default_shell = /bin/bash shell_fallback = /bin/bash debug_level = 10 [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = nbg.webtrekk.com default_domain_suffix = example.com full_name_format = %1$s debug_level = 10 [nss] debug_level = 10 [pam] [sudo] [autofs] [ssh] debug_level = 10 [pac] [ifp] |
So some need is help.
Michael
freeipa-users@lists.fedorahosted.org