On Аўт, 04 лют 2025, Djerk Geurts via FreeIPA-users wrote:
Hi All,
Testing an Ansible playbook, I’m running into what looks like throttling
issues. But the ssh debug logs list something else. Has anyone seen this happen
before?
debug1: kex_input_ext_info: [email protected]=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3:
authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi-keyex,hostbased,publickey
debug3:
authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: No
credentials were supplied, or the credentials were unavailable or inaccessible
No Kerberos credentials available: Disk quota exceeded
debug1: No credentials were supplied, or the credentials were unavailable or
inaccessible
No Kerberos credentials available: Disk quota exceeded
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-keyex
debug3:
remaining preferred: hostbased,publickey
debug3: authmethod_lookup publickey
debug3:
remaining preferred: ,publickey
debug3: authmethod_is_enabled publickey
debug1:
Next authentication method: publickey
SSH between the hosts works fine, and the playbook runs fine until
some/all/most ssh sessions start to fail like this. Disk quota is fine
on the Ansible host and the targets.
The solution is probably to use key-based authentication, but as
Kerberos is attempted first, I want to make sure I’m not
hammering/killing an IPA server by Ansible trying Kerberos auth to 150
servers sequentially. Also, I want to be prepared for if/when another
user ends up doing the same thing.
'Disk quota exceeded' error message probably comes from use of KEYRING:
credentials cache collection. May be switch to KCM: or DIR: types for
the ansible runs?
See man page for keyrings(7) which also describes kernel keyring limits
for individual non-root users.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
