On 09/17/2012 02:18 PM, Michael Mercier wrote:
> On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
>
>> On 09/17/2012 10:14 AM, Michael Mercier wrote:
>>> On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
>>>
>>>> Michael Mercier wrote:
>>>>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>>>>
>>>>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
>>>>>>> On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
>>>>>>>
>>>>>>>> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have experienced some odd connectivity issues using MMR with
>>>>>>>>> FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver /
>>>>>>>>> ipaserver2) setup using MMR.
>>>>>>>>>
>>>>>>>>> [root@ipaserver ~]#ipa-replica-manage list
>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>> [root@ipaserver ~]# rpm -qa|grep ipa
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [root@ipaserver2 ~]#ipa-replica-manage list
>>>>>>>>> ipaserver.mpls.local: master
>>>>>>>>> ipaserver2.mpls.local: master
>>>>>>>>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have a webserver (zenoss) using kerberos authentication.
>>>>>>>>>
>>>>>>>>> [root@zenoss ~]# rpm -qa|grep ipa
>>>>>>>>> libipa_hbac-1.8.0-32.el6.x86_64
>>>>>>>>> libipa_hbac-python-1.8.0-32.el6.x86_64
>>>>>>>>> ipa-python-2.2.0-16.el6.x86_64
>>>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>>>>>> ipa-admintools-2.2.0-16.el6.x86_64
>>>>>>>>>
>>>>>>>>> <Location />
>>>>>>>>> SSLRequireSSL
>>>>>>>>> AuthType Kerberos
>>>>>>>>> AuthName "Kerberos Login"
>>>>>>>>>
>>>>>>>>> KrbMethodK5Passwd Off
>>>>>>>>> KrbAuthRealms MPLS.LOCAL
>>>>>>>>> KrbSaveCredentials on
>>>>>>>>> KrbServiceName HTTP
>>>>>>>>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>>>>>>>>
>>>>>>>>> AuthLDAPUrl "ldap://ipaserver.mpls.local
>>>>>>>>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>>>>>>>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>>>>>>>>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>>>>>>>> </Location>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> With both ipaserver and ipaserver2 'up', if I connect to
>>>>>>>>> https://zenoss.mpls.local from ipaclient using firefox, I am
>>>>>>>>> successfully connected. If on ipaserver I do a 'ifdown eth0' and
>>>>>>>>> attempt another connection, it fails. I have also noticed the
>>>>>>>>> following:
>>>>>>>>>
>>>>>>>>> 1. I am unable to use the ipaserver2 management interface when
>>>>>>>>> ipaserver is unavailable.
>>>>>>>>> 2. It takes a longer period of time to do a kinit
>>>>>>>>>
>>>>>>>>> If I then perform:
>>>>>>>>> [root@ipaserver ~]#ifup eth0
>>>>>>>>>
>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>
>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>>>
>>>>>>>>> [root@ipaserver2 ~]#ifup eth0
>>>>>>>>>
>>>>>>>>> [mike@ipaclient ~]$ kinit
>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>
>>>>>>>>> [root@ipaserver2 ~]#ifdown eth0
>>>>>>>>>
>>>>>>>>> .. wait number of minutes
>>>>>>>>>
>>>>>>>>> ipaclient screen locks - type password - after a short delay (~7
>>>>>>>>> seconds) screen unlock completes
>>>>>>>>>
>>>>>>>>> [mike@ipaclient ~]$kinit
>>>>>>>>> Password for mike@MPLS.LOCAL:
>>>>>>>>> [mike@ipaclient ~]$
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Mike
>>>>>>>> This seems to be some DNS problem.
>>>>>>>> Your client does not see the second replica and might have some name
>>>>>>>> resolution timeouts.
>>>>>>>>
>>>>>>>> Please check your dns setup and krb5.conf on the client.
>>>>>>>>
>>>>>>>> To help more we need more details about your client configuration DNS
>>>>>>>> and kerberos.
>>>>>>> Hi,
>>>>>>>
>>>>>>> Additional information...
>>>>>>>
>>>>>>> [root@zenoss ~]#more /etc/resolv.conf
>>>>>>> search mpls.local
>>>>>>> domain mpls.local
>>>>>>> nameserver 172.16.112.5
>>>>>>> nameserver 172.16.112.8
>>>>>>>
>>>>>>> [root@zenoss ~]# more /etc/krb5.conf
>>>>>>> #File modified by ipa-client-install
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = MPLS.LOCAL
>>>>>>> dns_lookup_realm = true
>>>>>>> dns_lookup_kdc = true
>>>>>>> rdns = false
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> [realms]
>>>>>>> MPLS.LOCAL = {
>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>
>>>>>>> [root@ipaclient ~]# more /etc/resolv.conf
>>>>>>> # Generated by NetworkManager
>>>>>>> search mpls.local
>>>>>>> nameserver 172.16.112.5
>>>>>>> nameserver 172.16.112.8
>>>>>>>
>>>>>>> [root@ipaclient ~]# more /etc/krb5.conf
>>>>>>> #File modified by ipa-client-install
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = MPLS.LOCAL
>>>>>>> dns_lookup_realm = true
>>>>>>> dns_lookup_kdc = true
>>>>>>> rdns = false
>>>>>>> ticket_lifetime = 24h
>>>>>>> forwardable = yes
>>>>>>>
>>>>>>> [realms]
>>>>>>> MPLS.LOCAL = {
>>>>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>>>> }
>>>>>>>
>>>>>>> [domain_realm]
>>>>>>> .mpls.local = MPLS.LOCAL
>>>>>>> mpls.local = MPLS.LOCAL
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>> Server: 172.16.112.5
>>>>>>> Address: 172.16.112.5#53
>>>>>>>
>>>>>>> Name: ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver.mpls.local
>>>>>>> Address: 172.16.112.5
>>>>>>>
>>>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>>>> Server: 172.16.112.8
>>>>>>> Address: 172.16.112.8#53
>>>>>>>
>>>>>>> Name: ipaserver2.mpls.local
>>>>>>> Address: 172.16.112.8
>>>>>>>
>>>>>>> Copy/paste from the DNS page on ipaserver/ipaserver2
>>>>>>>
>>>>>>> @                      NS   ipaserver.mpls.local.
>>>>>>>                        NS   ipaserver2.mpls.local.
>>>>>>> _kerberos              TXT  MPLS.LOCAL
>>>>>>> _kerberos-master._tcp  SRV  0 100 88 ipaserver
>>>>>>>                        SRV  0 100 88 ipaserver2
>>>>>>> _kerberos-master._udp  SRV  0 100 88 ipaserver
>>>>>>>                        SRV  0 100 88 ipaserver2
>>>>>>> _kerberos._tcp         SRV  0 100 88 ipaserver
>>>>>>>                        SRV  0 100 88 ipaserver2
>>>>>>> _kerberos._udp         SRV  0 100 88 ipaserver
>>>>>>>                        SRV  0 100 88 ipaserver2
>>>>>>> _kpasswd._tcp          SRV  0 100 464 ipaserver
>>>>>>>                        SRV  0 100 464 ipaserver2
>>>>>>> _kpasswd._udp          SRV  0 100 464 ipaserver
>>>>>>>                        SRV  0 100 464 ipaserver2
>>>>>>> _ldap._tcp             SRV  0 100 389 ipaserver
>>>>>>>                        SRV  0 100 389 ipaserver2
>>>>>>> _ntp._udp              SRV  0 100 123 ipaserver
>>>>>>>                        SRV  0 100 123 ipaserver2
>>>>>>> ipaclient              A    172.16.112.9
>>>>>>> ipaclient2             A    172.16.112.145
>>>>>>> ipaserver              A    172.16.112.5
>>>>>>> ipaserver2             A    172.16.112.8
>>>>>>> zenoss                 A    172.16.112.6
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>> I noticed that there is no domain line in the resolv.conf on the client.
>>>>>> AFAIU in this case it would determine the domain by the gethostname and
>>>>>> in case of network being down it will fail over to the hosts file.
>>>>>> I wonder what is in your /etc/hosts?
>>>>>> Does it have just a short host name?
>>>>> [root@ipaclient ~]# more /etc/hosts
>>>>> 127.0.0.1 localhost.localdomain localhost
>>>>> ::1 localhost6.localdomain6 localhost6
>>>>>
>>>>>
>>>>> Add domain mpls.local to /etc/resolv.conf
>>>>>
>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root@ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>> [root@ipaclient ~]# nslookup ipaserver
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver.mpls.local
>>>>> Address: 172.16.112.5
>>>>>
>>>>> [root@ipaclient ~]# nslookup ipaserver2
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> Name: ipaserver2.mpls.local
>>>>> Address: 172.16.112.8
>>>>>
>>>>> add '172.16.112.9 ipaclient.mpls.local ipaclient' to /etc/hosts
>>>>>
>>>>> [root@ipaserver ~]#ifup eth0
>>>>>
>>>>> [root@ipaclient ~]# kinit mike
>>>>> Password for mike@MPLS.LOCAL:
>>>>>
>>>>> [root@ipaserver ~]#ifdown eth0
>>>>>
>>>>> [root@ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._tcp
>>>>> Server: 172.16.112.8
>>>>> Address: 172.16.112.8#53
>>>>>
>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>> _kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>>
>>>>> [root@ipaclient ~]# nslookup -type=srv _kerberos-master._udp
>>>>> Server: 172.16.112.5
>>>>> Address: 172.16.112.5#53
>>>>>
>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver.mpls.local.
>>>>> _kerberos-master._udp.mpls.local service = 0 100 88 ipaserver2.mpls.local.
>>>>>
>>>>>
>>>>> [root@ipaclient ~]# kinit mike
>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>
>>>>> [root@ipaserver ~]#ifup eth0
>>>>>
>>>>> [root@ipaclient ~]# kinit mike
>>>>> Password for mike@MPLS.LOCAL:
>>>> I'd start with the sssd logs. Is it seeing the main server go offline and
>>>> not switching to the second one? Or is it going into offline mode?
>>>>
>>>> Do you have _srv_ or both servers listed in ipa_server in
>>>> /etc/sssd/sssd.conf?
>>>>
>>> Hello,
>>>
>>> [root@ipaclient ~]# more /etc/sssd/sssd.conf
>>> [sssd]
>>> config_file_version = 2
>>> services = nss, pam
>>> # SSSD will not start if you do not configure any domains.
>>> # Add new domain configurations as [domain/<NAME>] sections, and
>>> # then add the list of domains (in the order you want them to be
>>> # queried) to the "domains" attribute below and uncomment it.
>>> # domains = LDAP
>>>
>>> domains = mpls.local
>>> [nss]
>>>
>>> [pam]
>>>
>>> # Example LDAP domain
>>> # [domain/LDAP]
>>> # id_provider = ldap
>>> # auth_provider = ldap
>>> # ldap_schema can be set to "rfc2307", which stores group member names in the
>>> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
>>> # the "member" attribute. If you do not know this value, ask your LDAP
>>> # administrator.
>>> # ldap_schema = rfc2307
>>> # ldap_uri = ldap://ldap.mydomain.org
>>> # ldap_search_base = dc=mydomain,dc=org
>>> # Note that enabling enumeration will have a moderate performance impact.
>>> # Consequently, the default value for enumeration is FALSE.
>>> # Refer to the sssd.conf man page for full details.
>>> # enumerate = false
>>> # Allow offline logins by locally storing password hashes (default: false).
>>> # cache_credentials = true
>>>
>>> # An example Active Directory domain. Please note that this configuration
>>> # works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
>>> # compliant attribute names. To support UNIX clients with AD 2003 or older,
>>> # you must install Microsoft Services For Unix and map LDAP attributes onto
>>> # msSFU30* attribute names.
>>> # [domain/AD]
>>> # id_provider = ldap
>>> # auth_provider = krb5
>>> # chpass_provider = krb5
>>> #
>>> # ldap_uri = ldap://your.ad.example.com
>>> # ldap_search_base = dc=example,dc=com
>>> # ldap_schema = rfc2307bis
>>> # ldap_sasl_mech = GSSAPI
>>> # ldap_user_object_class = user
>>> # ldap_group_object_class = group
>>> # ldap_user_home_directory = unixHomeDirectory
>>> # ldap_user_principal = userPrincipalName
>>> # ldap_account_expire_policy = ad
>>> # ldap_force_upper_case_realm = true
>>> #
>>> # krb5_server = your.ad.example.com
>>> # krb5_realm = EXAMPLE.COM
>>> [domain/mpls.local]
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = mpls.local
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> chpass_provider = ipa
>>> ipa_dyndns_update = True
>>> ipa_server = _srv_, ipaserver.mpls.local, ipaserver2.mpls.local
>> Can you please for the sake of the test remove _srv_ from your
>> configuration?
>> There might be a bug in how we handle the case when the response from
>> DNS lookup is not obtained or something like.
>> It seems that it does not fail over properly.
>>
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>
>>> NOTE: I manually added ipaserver2.mpls.local
>>>
>>> Where specifically should I add the debugging?
>>> I added debug_level = 5 to [sssd]
>> You can add it to the bottom. That should work.
>>
>>> [root@ipaserver ~]ifdown eth0
>>>
>>> [root@ipaserver2 ~]ifup eth0
>>>
>>> (Mon Sep 17 10:08:47 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>> (Mon Sep 17 10:08:48 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>> (Mon Sep 17 10:08:48 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>> (Mon Sep 17 10:08:57 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>> (Mon Sep 17 10:08:57 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>> (Mon Sep 17 10:08:58 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>> (Mon Sep 17 10:08:58 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>> (Mon Sep 17 10:09:07 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>> (Mon Sep 17 10:09:07 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>> (Mon Sep 17 10:09:08 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>> (Mon Sep 17 10:09:08 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>> (Mon Sep 17 10:09:17 2012) [sssd] [service_send_ping] (0x0100): Pinging mpls.local
>>> (Mon Sep 17 10:09:17 2012) [sssd] [ping_check] (0x0100): Service mpls.local replied to ping
>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging nss
>>> (Mon Sep 17 10:09:18 2012) [sssd] [service_send_ping] (0x0100): Pinging pam
>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service nss replied to ping
>>> (Mon Sep 17 10:09:18 2012) [sssd] [ping_check] (0x0100): Service pam replied to ping
>>>
>> This is not the right log. The most informative one is called
>> sssd_default.log.
> Hello,
>
> I did the following:
>
> add 'debug_level = 8' to section [domain/mpls.local]
> remove _srv_ from ipa_server =
>
> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> Password for mike@MPLS.LOCAL:
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
>
> [root@ipaserver ~]ifdown eth0
>
> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> Password for mike@MPLS.LOCAL:
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
>
> [root@ipaserver ~]ifup eth0
> [root@ipaserver2 ~]ifdown eth0
>
> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> Password for mike@MPLS.LOCAL:
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [root@ipaclient ~]#
>
>
> NOTES:
> 1. The final kinit although successful, took considerably longer to complete

So it was successful all three times, right?

> 2. I do not have a /var/log/sssd/sssd_default.log

Sorry I forgot that you explicitly renamed your domain from default.
It would be /var/log/sssd_mpls.local.log then.

>
> Thanks,
> Mike
>
>
>
>>>> rob
>>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
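
An added example, not part of the thread and not FreeIPA or SSSD code: a Python check that parses `nslookup -type=srv` output in the format quoted above, probes each listed KDC in turn, and reports how long a client would spend on dead servers before reaching a live one. The function names, the TCP-connect probe and the 3-second timeout are assumptions for illustration.

```python
import re
import socket
import time

# Constructed sample in the nslookup format quoted in the thread, including a
# target that mail wrapping pushed onto the next line.
SAMPLE = """\
Server: 172.16.112.8
Address: 172.16.112.8#53
_kerberos-master._tcp.mpls.local service = 0 100 88
ipaserver2.mpls.local.
_kerberos-master._tcp.mpls.local service = 0 100 88 ipaserver.mpls.local.
"""
SRV_RE = re.compile(r"^\S+\s+service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s*(\S*)$")

def parse_srv(text):
    """Return (priority, weight, port, target) tuples, lowest priority first."""
    records, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if pending is not None:          # previous record's target was wrapped
            if line:
                records.append(pending + (line.rstrip("."),))
            pending = None
            continue
        m = SRV_RE.match(line)
        if not m:
            continue
        head = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if m.group(4):
            records.append(head + (m.group(4).rstrip("."),))
        else:
            pending = head
    # Real clients pick by weight within a priority; name order keeps this deterministic.
    return sorted(records, key=lambda r: (r[0], r[3]))

def tcp_probe(host, port, timeout):
    """Assumed probe: TCP connect to the KDC port; returns (ok, seconds)."""
    start = time.monotonic()
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        ok = True
    except OSError:                      # refused, timed out, or name not resolved
        ok = False
    return ok, time.monotonic() - start

def failover_report(records, probe=tcp_probe, timeout=3.0):
    """Probe every KDC in order; sum the time spent before the first success."""
    results, waited, first_ok = [], 0.0, None
    for _prio, _weight, port, target in records:
        ok, secs = probe(target, port, timeout)
        results.append((target, port, ok))
        if ok and first_ok is None:
            first_ok = target
        elif first_ok is None:
            waited += secs
    return {"results": results, "first_reachable": first_ok, "seconds_lost": waited}

if __name__ == "__main__":
    print(failover_report(parse_srv(SAMPLE)))
```

A `first_reachable` of `None` with every SRV target listed matches the "Cannot contact any KDC" symptom; a non-zero `seconds_lost` with a reachable second server matches the slow but successful kinit.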