On 05/12/16 13:48, Lukas Slebodnik wrote:
> It would be nice if you could provide reliable reproducer.
> I'm sorry we do not have a crystal ball and sssd log files
> did not help either. They are truncated.
>
That's all I got.

> I would like to fix it but I do not know what to fix.
>
> Is there anything interesting/suspicious in syslog/journald
> from the same time?
>

"journalctl -u sssd" says

May 12 06:03:15 srvvm01.ac.example.com sssd[373]: Starting up
May 12 06:03:21 srvvm01.ac.example.com sssd[be[417]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[438]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[440]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[437]: Starting up
May 12 06:03:26 srvvm01.ac.example.com sssd[439]: Starting up
May 12 06:03:29 srvvm01.ac.example.com sssd[441]: Starting up
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 1
May 12 06:03:39 srvvm01.ac.example.com sssd_be[417]: GSSAPI client step 2
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: sssd.service start operation timed out. Terminating.
May 12 06:04:05 srvvm01.ac.example.com sssd[438]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[437]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com sssd[be[417]: Shutting down
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Failed to start System Security Services Daemon.
May 12 06:04:05 srvvm01.ac.example.com systemd[1]: Unit sssd.service entered failed state.

AFAICS we have to focus in sssd_example.com.log on the log file
entries between 06:03:29 and 06:04:05.

Did you notice the "Backend is online, starting delayed online
authentication" close to the end of the log file? Is this expected?
What should have happened next?

:
:
>> You have cut off the time stamps. Here they are:
>>
> That was on purpose. Because it's clear that "Communication with KDC timed
> out"
> The question is why?
> 6 seconds must be enough unless you try to connect to the server
> which is located in opposite site of globe.
>

Sorry to say, but this assumption is not justified. Next to network
lag there can be other delays (swapped out jobs, out of entropy on
/dev/random, a disk needs to spin up, high load, DNS not responding,
whatever).

Would you agree that this is OT, since sssd *did* find ipa1 within a
reasonable time?

Regards
Harri
