I seem to have an intermittent problem. When I ssh into my server (using sssd and registered to a freeipa server), I often get dates starting at 1970! I seem to be able to login without any issue. I suspect this may be that our AD server has multiple realms. Strangely enough, our AD has no "MYEDU.EDU" realm but has got an "AD.MYEDU.EDU", which is what I see when it works normally. I've logged the output of 'sssd -i -d 9' plenty of times, but I'm not sure what to even start looking for, nothing obvious is noticeable at the moment. I've noticed the same problem on Redhat 7, 8 and Ubuntu 18.04. Ubuntu 20.04 has not shown this issue and just works. The dates from klist on Ubuntu 20.04 look OK. They all have the same krb5.conf and sssd.conf. How would I debug this? What sort of things should I be looking at?
@ipa-testp01 ~]$ klist
Ticket cache: KCM:500876:97839
Default principal: tony@MYEDU.EDU

Valid starting     Expires            Service principal
01/01/70 10:00:00  01/01/70 10:00:00  krbtgt/MYEDU.EDU@MYEDU.EDU
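A small checker for the symptom in the klist output above, added here as an illustration and not part of the original post: it parses `klist` text and flags epoch-dated or zero-lifetime tickets, plus a default principal outside the realm you expect. The function names and the `expected_realm` parameter are assumptions, and the healthy sample is constructed.

```python
import re

DATE = re.compile(r"^\d{2}/\d{2}/(\d{2}|\d{4})$")
EPOCH_YEARS = {"69", "70", "1969", "1970"}  # time 0 rendered in any local timezone

# klist output from the post above, line breaks restored.
BAD = """Ticket cache: KCM:500876:97839
Default principal: tony@MYEDU.EDU

Valid starting     Expires            Service principal
01/01/70 10:00:00  01/01/70 10:00:00  krbtgt/MYEDU.EDU@MYEDU.EDU
"""

# Constructed sample of a healthy cache (principal and times are made up).
GOOD = """Ticket cache: KCM:500876
Default principal: tony@AD.MYEDU.EDU

Valid starting     Expires            Service principal
11/15/21 17:59:00  11/16/21 03:59:00  krbtgt/AD.MYEDU.EDU@AD.MYEDU.EDU
        renew until 11/22/21 17:59:00
"""

def parse_klist(text):
    """Return (default_principal, [(start, end, service), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        f = line.split()
        # A ticket row is: date time date time service (header/renew lines fail this).
        if len(f) == 5 and DATE.match(f[0]) and DATE.match(f[2]):
            tickets.append((f"{f[0]} {f[1]}", f"{f[2]} {f[3]}", f[4]))
    return principal, tickets

def check_cache(text, expected_realm):
    """List findings for one klist dump; expected_realm is supplied by the caller."""
    principal, tickets = parse_klist(text)
    findings = []
    realm = principal.rsplit("@", 1)[-1] if principal else None
    if realm != expected_realm:
        findings.append(f"default principal realm {realm}, expected {expected_realm}")
    for start, end, service in tickets:
        if start.split()[0].rsplit("/", 1)[-1] in EPOCH_YEARS:
            findings.append(f"{service}: start time {start} is the Unix epoch")
        if start == end:
            findings.append(f"{service}: zero lifetime")
    return findings
```

Feeding it the output of `klist` captured right after each login makes it easier to tell which logins produce the bad cache and to line those up with the SSSD logs.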
On Mon, 2021-11-15 at 06:59 +0000, Tony Delov via FreeIPA-users wrote:
I seem to have an intermittent problem. When I ssh into my server (using sssd and registered to a freeipa server), I often get dates starting at 1970! I seem to be able to login without any issue. I suspect this may be that our AD server has multiple realms. Strangely enough, our AD has no "MYEDU.EDU" realm but has got an "AD.MYEDU.EDU", which is what I see when it works normally. I've logged the output of 'sssd -i -d 9' plenty of times, but I'm not sure what to even start looking for, nothing obvious is noticeable at the moment. I've noticed the same problem on Redhat 7, 8 and Ubuntu 18.04. Ubuntu 20.04 has not shown this issue and just works. The dates from klist on Ubuntu 20.04 look OK. They all have the same krb5.conf and sssd.conf. How would I debug this? What sort of things should I be looking at?
@ipa-testp01 ~]$ klist
Ticket cache: KCM:500876:97839
Default principal: tony@MYEDU.EDU

Valid starting     Expires            Service principal
01/01/70 10:00:00  01/01/70 10:00:00  krbtgt/MYEDU.EDU@MYEDU.EDU
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi,
I had an issue quite similar just yesterday. It appears my ipa client could not synchronize time through ntp and was quite off. I suggest you check the date and time and make sure you are synced to the same ntp servers between the client and server.
I assume you could log in because the user was present in cache. In my case, when I cleaned the cache, I was unable to log in anymore.
Regards
I'm reasonably sure the time is ok (on the client at least). I actually have been removing the cache and restarting. My ID was not in the cache.
systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd
# chronyd -q
2021-11-15T09:17:21Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2021-11-15T09:17:21Z Frequency -27.959 +/- 0.168 ppm read from /var/lib/chrony/chrony.drift
2021-11-15T09:17:25Z System clock wrong by 0.000003 seconds (step)
2021-11-15T09:17:25Z chronyd exiting
On Mon, Nov 15, 2021 at 09:21:43AM -0000, Tony Delov via FreeIPA-users wrote:
I'm reasonably sure the time is ok (on the client at least). I actually have been removing the cache and restarting. My ID was not in the cache.
Hi,
which version of SSSD are you using? Can you add 'debug_level=9' to the [domain/...] section in sssd.conf, restart SSSD, do the authentication again and share the SSSD debug logs (sssd_domain.name.log and krb5_child.log) here?
bye, Sumit
systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd
# chronyd -q
2021-11-15T09:17:21Z chronyd version 3.5 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
2021-11-15T09:17:21Z Frequency -27.959 +/- 0.168 ppm read from /var/lib/chrony/chrony.drift
2021-11-15T09:17:25Z System clock wrong by 0.000003 seconds (step)
2021-11-15T09:17:25Z chronyd exiting