On Tue, Sep 05, 2017 at 02:48:59PM -0400, Steve Huston via FreeIPA-users wrote:
> On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
> > - is there a file called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ?
> > What does it contain?
> There is, and it contains '128.112.24.29' with no EOL (the IP address for
> auth.astro.princeton.edu, the KDC that it contacted and the one
> machine that allows user logins via password on the web UI)

OK, so it's SSSD telling libkrb5 to talk to auth.astro. Since in your
sssd.conf, auth.astro is listed in addition to the 'local' IPA server, I
would check the sssd logs if sssd can contact the server it is running
on.
Because I think it's falling back to auth.astro, writing its IP address
to the kdcinfo files which breaks other things. btw because similar
issues were reported after 7.4 was released, we fixed sssd in git master
already so that the kdcinfo files are not generated on the masters at
all. You can achieve the same effect by setting 'krb5_use_kdcinfo =
false', but I would also check the sssd logs for any issues talking to
the IPA server, because it is listed first after all, so I assume sssd
must be failing over.
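
The check discussed in this message, as an added example that is not part of the original thread or of SSSD: a shell function that reads each kdcinfo.REALM file in the pubconf directory and reports whether the published KDC address is one of the server's own. The function names, the realm EXAMPLE.TEST and the address 192.0.2.10 are constructed for illustration, and the file is assumed to hold a single address on its first line.

```shell
#!/bin/sh
# Added example (not from the thread): show which KDC address SSSD has
# published for libkrb5, and flag it when it is not a local address.
#
# Usage: check_kdcinfo PUBCONF_DIR LOCAL_IP [LOCAL_IP...]
# Prints "REALM ADDRESS local|remote" per kdcinfo.REALM file.
# Returns 1 if any file points at an address outside the LOCAL_IP list.
check_kdcinfo() {
    dir=$1; shift
    rc=0
    for f in "$dir"/kdcinfo.*; do
        if [ ! -f "$f" ]; then continue; fi   # glob matched nothing
        realm=${f##*/kdcinfo.}
        # The file may lack a trailing newline (as reported in the thread);
        # read then fails but still fills the variable, so keep the value.
        addr=
        IFS= read -r addr < "$f" || [ -n "$addr" ] || continue
        verdict=remote
        for ip in "$@"; do
            if [ "$addr" = "$ip" ]; then verdict=local; fi
        done
        if [ "$verdict" = remote ]; then rc=1; fi
        printf '%s %s %s\n' "$realm" "$addr" "$verdict"
    done
    return $rc
}

# Constructed demo: a kdcinfo file holding the address quoted in the thread,
# written without a newline, checked against a made-up local address.
demo_kdcinfo() {
    tmp=$(mktemp -d)
    printf '128.112.24.29' > "$tmp/kdcinfo.EXAMPLE.TEST"
    check_kdcinfo "$tmp" 192.0.2.10
    demo_rc=$?
    rm -rf "$tmp"
    return $demo_rc
}
```

On an IPA master, call it as `check_kdcinfo /var/lib/sss/pubconf` followed by the master's own addresses; a `remote` verdict matches the failover situation described above.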