On 10/18/2017 03:58 AM, Rob Crittenden wrote:
>> This looks like some problem with sssd. Do you see your user with "id
>> <username"? Have a look at
>>
>> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
>
> Yes, I'd start there as well. The keytab/kvno things I had you do was
> to confirm that the keytab was ok. sssd won't work with IPA without a
> valid keytab. Since you've confirmed that it works you can move onto
> sssd troubleshooting.
>
> rob
Well, after a couple of days of slamming my head against other issues
(and being on-call this entire week!) I finally had some time to work on
this again. Not long after I posted my previous reply, I generated a
new keytab and installed it on the problem server and now I do not get
the 'generic preauthentication error' as before. So, I've been debugging
SSSD. Here's a snippet of the logs that might help with this issue:
[resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name
not found
[sssd[be[neonova.net]]] [fo_set_port_status] (0x0100): Marking port 0 of
server '(no name)' as 'not working'
[sssd[be[neonova.net]]] [resolve_srv_done] (0x0040): Unable to resolve
SRV [1432158229]: SRV record not found
[sssd[be[neonova.net]]] [set_srv_data_status] (0x0100): Marking SRV
lookup of service 'IPA' as 'not resolved'
[sssd[be[neonova.net]]] [be_resolve_server_process] (0x0080): Couldn't
resolve server (SRV lookup meta-server), resolver returned (1432158229)
[sssd[be[neonova.net]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'IPA'
[sssd[be[neonova.net]]] [resolv_gethostbyname_files_send] (0x0100):
Trying to resolve A record of 'ipa1.neonova.net' in files
[sssd[be[neonova.net]]] [set_server_common_status] (0x0100): Marking
server 'ipa1.neonova.net' as 'resolving name'
[sssd[be[neonova.net]]] [resolv_gethostbyname_files_send] (0x0100):
Trying to resolve AAAA record of 'ipa1.neonova.net' in files
[sssd[be[neonova.net]]] [resolv_gethostbyname_dns_query] (0x0100):
Trying to resolve A record of 'ipa1.neonova.net' in DNS
[sssd[be[neonova.net]]] [set_server_common_status] (0x0100): Marking
server 'ipa1.neonova.net' as 'name resolved'
[sssd[be[neonova.net]]] [generic_ext_search_handler] (0x0040):
sdap_get_generic_ext_recv failed [110]: Connection timed out
[sssd[be[neonova.net]]] [fo_set_port_status] (0x0100): Marking port 0 of
server 'ipa1.neonova.net' as 'not working'
I've attached the full log if that helps. I'm pretty sure the issue now
might be that while the client can resolve the name of the IPA servers,
when requesting data from either of them, the ports are being blocked.
This was a problem on some of the other customer boxes we have out in
the world. But, is there anything else in the logs that might also be
an issue? This was Debug level 4, BTW. I can turn it up higher if need
be, but figured this would be a good starting point.
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
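The snippet above wraps each SSSD record across two lines, which makes it easy to misread which failure caused which failover decision. The following script is an added example written for this thread (it is not part of the mail and not SSSD's own tooling): it re-joins wrapped records, parses the backend log format shown above, and for every "Marking ... as 'not resolved'/'not working'" status change keeps the last operation-failure (debug level 0x0040) record seen before it. The sample log is constructed from the exact lines posted in the thread; the regular expressions are assumptions based on those message formats only.

```python
"""Summarize failover decisions in an sssd_<domain>.log backend log.

Added example for this mailing-list thread; not SSSD's own code.
SAMPLE_LOG is constructed from the wrapped snippet posted in the mail.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
[resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name
not found
[sssd[be[neonova.net]]] [fo_set_port_status] (0x0100): Marking port 0 of
server '(no name)' as 'not working'
[sssd[be[neonova.net]]] [resolve_srv_done] (0x0040): Unable to resolve
SRV [1432158229]: SRV record not found
[sssd[be[neonova.net]]] [set_srv_data_status] (0x0100): Marking SRV
lookup of service 'IPA' as 'not resolved'
[sssd[be[neonova.net]]] [be_resolve_server_process] (0x0080): Couldn't
resolve server (SRV lookup meta-server), resolver returned (1432158229)
[sssd[be[neonova.net]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'IPA'
[sssd[be[neonova.net]]] [resolv_gethostbyname_files_send] (0x0100):
Trying to resolve A record of 'ipa1.neonova.net' in files
[sssd[be[neonova.net]]] [set_server_common_status] (0x0100): Marking
server 'ipa1.neonova.net' as 'resolving name'
[sssd[be[neonova.net]]] [resolv_gethostbyname_files_send] (0x0100):
Trying to resolve AAAA record of 'ipa1.neonova.net' in files
[sssd[be[neonova.net]]] [resolv_gethostbyname_dns_query] (0x0100):
Trying to resolve A record of 'ipa1.neonova.net' in DNS
[sssd[be[neonova.net]]] [set_server_common_status] (0x0100): Marking
server 'ipa1.neonova.net' as 'name resolved'
[sssd[be[neonova.net]]] [generic_ext_search_handler] (0x0040):
sdap_get_generic_ext_recv failed [110]: Connection timed out
[sssd[be[neonova.net]]] [fo_set_port_status] (0x0100): Marking port 0 of
server 'ipa1.neonova.net' as 'not working'
"""

# Record layout as seen in the snippet: optional "[sssd[be[<domain>]]] " prefix,
# then "[<function>] (<hex level>): <message>".  Assumed from the posted lines.
RECORD_RE = re.compile(
    r"^(?:\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] )?"
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PORT_RE = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as '(?P<status>[^']+)'")
SERVER_RE = re.compile(r"Marking server '(?P<server>[^']+)' as '(?P<status>[^']+)'")
SRV_RE = re.compile(r"Marking SRV lookup of service '(?P<service>[^']+)' as '(?P<status>[^']+)'")
OPERATION_FAILURE = 0x0040  # SSSD debug level for operation failures


def unwrap(text):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_records(text):
    """Yield one dict per parseable record, in log order."""
    for raw in unwrap(text):
        m = RECORD_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            yield rec


def summarize(text):
    """Attach the most recent failure record to each status change it explains."""
    summary = {"srv": {}, "servers": OrderedDict(), "errors": []}
    last_error = None
    for rec in parse_records(text):
        msg = rec["msg"]
        if rec["level"] == OPERATION_FAILURE:
            last_error = "{}: {}".format(rec["func"], msg)
            summary["errors"].append(last_error)
            continue
        m = SRV_RE.search(msg)
        if m:
            summary["srv"][m["service"]] = {"status": m["status"], "cause": last_error}
            continue
        m = SERVER_RE.search(msg)
        if m:
            summary["servers"].setdefault(m["server"], {})["name"] = m["status"]
            continue
        m = PORT_RE.search(msg)
        if m:
            entry = summary["servers"].setdefault(m["server"], {})
            entry["port"] = m["status"]
            entry["cause"] = last_error
    return summary


def diagnose(summary):
    """Turn the summary into the two questions a troubleshooter has to answer."""
    hints = []
    for svc, info in summary["srv"].items():
        if info["status"] == "not resolved":
            hints.append("SRV discovery for service '{}' failed ({}); verify the SRV records "
                         "the client queries, or list servers explicitly.".format(svc, info["cause"]))
    for server, info in summary["servers"].items():
        if info.get("name") == "name resolved" and info.get("port") == "not working":
            hints.append("{}: name resolved but the connection failed ({}); check that the "
                         "client can reach the IPA service ports.".format(server, info.get("cause")))
    return hints


if __name__ == "__main__":
    for hint in diagnose(summarize(SAMPLE_LOG)):
        print(hint)
```

Run against the posted snippet, this reports exactly the two findings the thread arrives at: SRV discovery for service 'IPA' is marked 'not resolved' because the SRV record was not found, and ipa1.neonova.net is marked 'not working' only after the LDAP search timed out, i.e. after its name had already resolved. That separates a DNS problem (no SRV records, or a search domain that differs from the IPA domain) from a network-path problem (the client resolves the server but cannot complete a connection), and the next step is a reachability check of the IPA ports from the affected client, which is what the rest of the mail suspects.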