I've got some sporadic behavior on my IPA instance and I'm hoping someone can
help me resolve the issue. The problem is that many times my clients cannot
authenticate to the respective hosts. First, my environment. Some details:
ipa2 - centos 6.3 - ipa server 3.0.0
ipa3 - centos 7.1 - ipa server 4.1.0
We had a FreeIPA server host ipa1 that died some time ago. I do not have any
details on that host.
Again, the problem is that clients cannot authenticate very frequently.
Here are some examples of the problems I am having: A client can login to the
console of a CentOS 6.7 host, but cannot SSH into it. One user can login to a
host, but another user cannot.
Some diagnostics information:
Services running on IPA servers:
[root@ipa2 ~]# ps -ef | grep krb
root      6007  5936  0 19:21 pts/5    00:00:00 grep krb
root     22339     1  0 Feb06 ?        00:00:00 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22344 22339  0 Feb06 ?        00:42:56 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2
root     22345 22339  0 Feb06 ?        00:42:50 /usr/sbin/krb5kdc -r AAA -P /var/run/krb5kdc.pid -w 2

[root@ipa3 ~]# ps -ef | grep krb
root      2513     1  0  2015 ?        00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2514  2513  0  2015 ?        00:01:20 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      2515  2513  0  2015 ?        00:01:18 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -w 2
root      5702  5609  0 19:20 pts/1    00:00:00 grep --color=auto krb
slapd is running on both servers:
[root@ipa3 ~]# ps -ef | grep slapd
dirsrv    2464     1  0  2015 ?        09:39:37 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IDEF -i /var/run/dirsrv/slapd-IDEF.pid -w /var/run/dirsrv/slapd-IDEF.startpid
root      5707  5609  0 19:25 pts/1    00:00:00 grep --color=auto slapd
[root@ipa3 ~]#

[root@ipa2 ~]# ps -ef | grep slapd
root      6024  5936  0 19:26 pts/5    00:00:00 grep slapd
dirsrv   22137     1  3 Feb06 ?        1-20:48:55 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-AAA -i /var/run/dirsrv/slapd-AAA .pid -w /var/run/dirsrv/slapd-AAA .startpid
pkisrv   22209     1  0 Feb06 ?        00:44:54 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
[root@ipa2 ~]#
System time is synchronized across all hosts.
For DNS, I have the following entries:
[root@sharedone ~]# dig ipa.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa2.BBB.AAA +short
192.168.120.253
[root@sharedone ~]# dig ipa3.BBB.AAA +short
192.168.120.139
[root@sharedone ~]#
Now the ipa.AAA.AAA server does not exist anymore because it died. But if I
remove that DNS entry everything stops working and no one can authenticate,
versus the sporadic issues we are having.
If you need more details or specific information, please let me know. I'm at a
loss as to what causes this behavior.
Thanks,
JT
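A diagnostic that fits the situation above, added here as an example and not part of the original post or of FreeIPA: it lists the KDCs that DNS advertises for the realm's domain and reports which of them do not answer on port 88, so a stale record for a dead server like ipa1 shows up directly. It assumes the domain is BBB.AAA as in the post's dig output, that `dig` is installed, and that SRV records exist (IPA publishes them when it manages DNS); the sample dig output in the block is constructed.

```python
"""List the KDCs advertised for a Kerberos realm's domain and flag the dead ones.

Assumptions (not from the original post): the domain is BBB.AAA, `dig` is
installed, and _kerberos._udp SRV records are published for the domain.
"""
import socket
import subprocess
import sys

KDC_PORT = 88

# Constructed dig output in the shape `dig +short SRV` prints (prio weight port target.).
SAMPLE_DIG_OUTPUT = """0 100 88 ipa2.BBB.AAA.
0 100 88 ipa3.BBB.AAA.
0 100 88 ipa1.BBB.AAA.
"""


def parse_srv(dig_output):
    """Turn `dig +short SRV` lines into (port, hostname) pairs, dropping the trailing dot."""
    targets = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            targets.append((int(parts[2]), parts[3].rstrip(".")))
    return targets


def srv_targets(domain):
    """Query _kerberos._udp.<domain> with dig, as the post does for A records."""
    proc = subprocess.run(["dig", "+short", "SRV", f"_kerberos._udp.{domain}"],
                          capture_output=True, text=True, check=False)
    return parse_srv(proc.stdout)


def kdc_answers(host, port=KDC_PORT, timeout=3.0):
    """True if a TCP connection to host:port succeeds (a KDC also listens on TCP 88)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # resolution failure, refused, or timeout all mean "not answering"
        return False


def stale_kdcs(targets, probe=kdc_answers):
    """Return advertised KDC hostnames that do not answer; `probe` is injectable for tests."""
    return [host for port, host in targets if not probe(host, port)]


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "BBB.AAA"
    advertised = srv_targets(domain)
    print("advertised KDCs:", [h for _, h in advertised])
    print("not answering:", stale_kdcs(advertised))
```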
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project