On Mon, Jan 04, 2016 at 09:17:39AM -0800, Janelle wrote: > When this happens - it stops accepting logins for any of my users.
Can you please generate logs when this happens? I suspect sssd might go offline for one reason or another.. > I have to restart SSSD to get it to work again. ..and a restart would re-set the offline status. > And it is just kind of random when this happens. > How can a STATUS command sent to SSSD show a wrong password? I think krb5_child logs some of its errors to syslog, perhaps we shouldn't log preauth failed, though. > > > ~J > > On 1/4/16 9:11 AM, Jakub Hrozek wrote: > >On Mon, Jan 04, 2016 at 08:30:08AM -0800, Janelle wrote: > >>Happy New Year everyone! > >> > >>I came across a couple of my servers having some strange connection problems > >>and was wondering if anyone else has seen this or know what might cause it? > >>This is IPA 4.1.4 and client on RHEL 7.1. When you look at the status, for > >>some reason, SSSD has lost contact with the servers, and a restart is > >>required. What I don't understand is what this "Preauth" failure is? > >> > >>Ideas? > >>~Janelle > >> > >>Redirecting to /bin/systemctl status sssd.service > >>sssd.service - System Security Services Daemon > >> Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) > >> Drop-In: /etc/systemd/system/sssd.service.d > >> └─journal.conf > >> Active: active (running) since Sat 2015-12-12 07:41:55 EST; 2 weeks 4 > >>days ago > >> Process: 24482 ExecStart=/usr/sbin/sssd -D -f (code=exited, > >>status=0/SUCCESS) > >> Main PID: 24483 (sssd) > >> CGroup: /system.slice/sssd.service > >> ├─24483 /usr/sbin/sssd -D -f > >> ├─24484 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 > >>--gid 0 --debug-to-files > >> ├─24485 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 > >>--debug-to-files > >> ├─24486 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 > >>--debug-to-files > >> ├─24487 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 > >>--debug-to-files > >> └─24488 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 > >>--debug-to-files > >> > >>Jan 01 07:55:24 client.example.com [sssd[krb5_child[10456]]][10456]: > >>Preauthentication failed > >>Jan 01 07:56:07 client.example.com [sssd[krb5_child[10464]]][10464]: > >>Preauthentication failed > >>Jan 01 07:57:16 client.example.com [sssd[krb5_child[10471]]][10471]: > >>Preauthentication failed > >Preauthentication failed means more or less wrong password, but since > >the message is from krb5_child, I guess it's during user login. > > > >What exactly is not working? > > > >>Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1 > >>Jan 01 08:10:48 client.example.com sssd_be[12345]: GSSAPI client step 1 > >>Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 1 > >>Jan 01 08:10:49 client.example.com sssd_be[12345]: GSSAPI client step 2 > >>Jan 01 08:20:10 client.example.com [sssd[krb5_child[10538]]][10538]: > >>Preauthentication failed > >>Jan 01 08:20:29 client.example.com [sssd[krb5_child[10541]]][10541]: > >>Preauthentication failed > >>Jan 01 08:20:48 client.example.com [sssd[krb5_child[10596]]][10596]: > >>Preauthentication failed > >> > >>-- > >>Manage your subscription for the Freeipa-users mailing list: > >>https://www.redhat.com/mailman/listinfo/freeipa-users > >>Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
