On (23/05/17 08:39), Joakim Tjernlund wrote:
>On Tue, 2017-05-23 at 10:11 +0200, Joakim Tjernlund wrote:
>> On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote:
>> > On (22/05/17 14:53), Joakim Tjernlund wrote:
>> > > > The time is not synchronised between client and server.
>> > > > MIT krb5 can handle small offset. But I would highly recommend
>> > > > to keep time in sync.
>> > >
>> > > There is some time problem on and off but this has never been too much.
>> > > I don't think this was the root problem here?
>> > >
>> >
>> > As I already mentioned I would highly recommend to keep time in sync.
>> > It will reduce possible errors.
>> >
>> > Configuring ntpd/chrony on client and server is not rocket science :-)
>>
>> Sure, no rocket science but I have little control over the AD servers. :(
>> Anyhow, I did a "net ads info" and it came back with Server time offset: 0
>> so I don't think there is a time difference (or very small)?
>> The clients are already on NTP.
>>
>> >
>> >
>> > > > Renewing of a ticket failed because it is already expired.
>> > > > Maybe due to time shift between client and server (KDC)
>> > >
>> > > Yes, it is expired to begin with. I got a ticket, then suspended the
>> > > computer long enough for the ticket to expire (10 hours here) and then
>> > > woke up and unlocked the screen.
>> > > The problem is that sssd never tries to get a new ticket using my creds
>> > > I gave when unlocking.
>> > > Even if I do several lock/unlocks after the network is restored, sssd
>> > > will not get me a new ticket.
>> > >
>> >
>> > sssd would get a new ticket if it was in online mode.
>> > But it is in offline mode.
>> >
>> > I would highly recommend to keep time in sync with server
>> > and then debug why sssd was in offline mode.
>> > Or why it went to offline mode.
>> >
>> > With 1.15 you can use sssctl e.g.
>>
>> I did run sssctl domain-status infinera.com and it came back with:
>> Unable to get online status [3]: Communication error
>> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application
>> did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the
>> network connection was broken.
>> Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services'
>> option in sssd.conf.
>> Unable to get online status
>>
>> I then just added 'ifp' to 'services' and restarted sssd and now it works:
>> sssctl domain-status infinera.com
>> Online status: Online
>>
>> Active servers:
>> AD Global Catalog: not connected
>> AD Domain Controller: se-dc01.infinera.com
>> .....
>>
>> Could the problem I saw be related to not having ifp in services?
>> I will check again when the ticket expires again.
>>
>> Jocke
>
>On another machine I added ifp to services and just reloaded the sssd config
>(signal HUP to sssd) and just got this in the domain log:

The only way sssd can use a new configuration is to RESTART sssd.
sssd does not reload configuration after receiving SIGHUP.

LS
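
An added example, not part of the thread and not SSSD project code: a shell check for the condition the sssctl error message above points at, namely whether `ifp` is listed in the `services` option of the `[sssd]` section. The function names and the sample configuration (domain `example.test`) are constructed for illustration.

```shell
#!/bin/sh
# Print each responder listed in 'services' of the [sssd] section, one per line.
# Usage: sssd_services FILE
sssd_services() {
    awk '
        /^[ \t]*[#;]/            { next }               # comment lines
        /^[ \t]*\[sssd\][ \t]*$/ { in_sssd = 1; next }  # entering [sssd]
        /^[ \t]*\[/              { in_sssd = 0; next }  # any other section
        in_sssd && /^[ \t]*services[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)                     # keep the value only
            n = split(val, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])   # trim whitespace
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Exit 0 if responder NAME is listed. Usage: sssd_has_service FILE NAME
sssd_has_service() {
    sssd_services "$1" | grep -qxF -- "$2"
}

# Constructed sample: a config as it might look before 'ifp' was added.
sample_conf() {
    printf '%s\n' '[sssd]' 'domains = example.test' 'services = nss, pam' \
        '' '[domain/example.test]' 'id_provider = ad'
}

# Report whether sssctl can be expected to reach the InfoPipe responder.
check_ifp() {
    if sssd_has_service "$1" ifp; then
        echo "ifp is listed in 'services'"
    else
        echo "ifp missing: add it to 'services' in [sssd], then restart sssd"
        echo "(sending SIGHUP does not reload the configuration)"
    fi
}

tmp=$(mktemp) && sample_conf > "$tmp" && check_ifp "$tmp"
rm -f "$tmp"
```

Pointing `check_ifp` at the real configuration file requires read access to it, which normally means running as root.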