On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote:
> Hi,
>
> My IPA<->AD trust setup experiences intermittent failures during login
> events. The AD subdomain goes in an inactive/offline state and users logging
> in are put into a 'delayed authentication' queue. Usually logging in after a
> minute or so succeeds as the subdomain is reset and the user is cached for
> following events. At all times getent/id and kinit's are successful, even
> with a purged sssd cache.
> SRV records are correctly resolved, except for _kerberos-master.
>
> I have not been able to further troubleshoot the intermittent failures.
> Traffic captures show no strange behaviour, yet the sssd_domain log is
> clearly showing AD to be unreachable at times. All AD servers are W2012 and
> DNS masking _ldap and _kerberos to single nodes, factoring out any faulty
> Windows configs, so far has not had any effect (Would it?).
>
> sssd's data_provider_fo.c :> be_fo_reset_svc() calls fo_get_service(), which
> returns EOK. I'm not familiar yet with the variables at play, would adding
> debug statements here reveal faults that may cause this?
Could you paste a bit more context?

I think what would work is to trim the logs (truncate --size 0), then reproduce the issue and search for the first occurrence of "NOT_WORKING" message from any of the fo_* functions.