On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:

> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>> [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8
>>>
>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in
>>> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL]
>>> family[0] socktype[2] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>> [sssd_krb5_locator] Found [172.16.112.8] in
>>> [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL]
>>> family[0] socktype[1] locate_service[1]
>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>> [sssd_krb5_locator] [172.16.112.8] used
>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial
>>> credentials
>>
>> Jakub, does this make sense to you?
>>
>
> As stated elsewhere in this thread, bare kinit does not contact the SSSD
> at all. You want to go through the PAM stack (with "su - mike" or "ssh
> mike@ipaclient") in order to contact the SSSD so that the SSSD refreshes
> the file.
>
> Does using "su - mike" refresh the file?
When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0
[root@ipaserver2 ~]ifup eth0

[root@ipaclient sssd]# su - mike # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

I do not seem to have any sssd problems.

Thanks,
Mike

>
> Michael also said that the IP address 172.16.112.8 is the address of the
> server that is down. I assume that at one point the SSSD was using that
> server but no request came to the SSSD since the last one, so the SSSD
> did not fail over to the other configured server. Your SRV records
> indicated that the servers had the same priority fields, so selecting one
> over another is pretty much random.
>
> I don't think the SSSD is operating in offline mode completely,
> otherwise it would have removed the file to avoid this kind of timeout.
>
> Bottom line, kinit does not contact the SSSD and does not refresh the
> address via the locator plugin.
>
> Returning multiple addresses from the locator plugin or creating a
> smarter way of interacting between the Kerberos tools and the SSSD is
> the scope of https://fedorahosted.org/sssd/ticket/941
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
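A diagnostic for the situation discussed in this thread, added here as an example and not code from the thread, from SSSD or from FreeIPA: it reads the kdcinfo file that the sssd_krb5_locator plugin consults and reports any listed KDC that no longer answers on its Kerberos port, which is exactly the stale entry that steers kinit to a down server until a PAM login makes SSSD rewrite the file. The file layout (one address per line, optional port, IPv6 in brackets) and the sample contents are assumptions.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample of /var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL. The real file
# is written by SSSD and, per the thread, holds the address of the KDC SSSD
# last used. Layout assumed: one address per line, optional ":port".
SAMPLE_KDCINFO = "172.16.112.8\n"

def parse_kdcinfo(text: str, default_port: int = 88) -> List[Tuple[str, int]]:
    """Return (host, port) pairs from kdcinfo text, skipping blank lines."""
    kdcs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, port = line, default_port
        if line.startswith("["):            # IPv6 literal: [addr]:port
            end = line.index("]")
            host = line[1:end]
            if line[end + 1:].startswith(":"):
                port = int(line[end + 2:])
        elif line.count(":") == 1:          # IPv4 with explicit port
            host, p = line.split(":")
            port = int(p)
        kdcs.append((host, port))
    return kdcs

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Probe the KDC over TCP, as kinit did in the socktype[1] attempt above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def stale_kdcs(text: str, probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Return the KDCs in kdcinfo that do not answer. A non-empty result means
    a bare kinit will keep trying a dead server until SSSD rewrites the file,
    which only happens after a request through PAM such as 'su - mike'."""
    return [f"{h}:{p}" for h, p in parse_kdcinfo(text) if not probe(h, p)]

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_KDCINFO
    for entry in stale_kdcs(text):
        print(f"stale KDC in kdcinfo: {entry} (trigger a PAM login to refresh)")
```

Run it with the path of a kdcinfo.REALM file on the client; a reported entry paired with a working `su - <user>` matches the behaviour described in the thread rather than an SSSD fault.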