On Tue, 2017-05-23 at 10:11 +0200, Joakim Tjernlund wrote:
> On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote:
> > On (22/05/17 14:53), Joakim Tjernlund wrote:
> > > > The time is not synchronised between client and server.
> > > > MIT krb5 can handle a small offset. But I would highly recommend
> > > > keeping time in sync.
> > >
> > > There is some time problem on and off but this has never been too much. I don't
> > > think this was the root problem here?
> > >
> >
> > As I already mentioned, I would highly recommend keeping time in sync.
> > It will reduce possible errors.
> >
> > Configuring ntpd/chrony on client and server is not rocket science :-)
>
> Sure, no rocket science but I have little control over the AD servers. :(
> Anyhow, I did a "net ads info" and it came back with "Server time offset: 0",
> so I don't think there is a time difference (or a very small one)?
> The clients are already on NTP.
>
> >
> >
> > > > Renewing of a ticket failed because it is already expired.
> > > > Maybe due to time shift between client and server(KDC)
> > >
> > > Yes, it is expired to begin with. I got a ticket, then suspended the computer long enough for
> > > the ticket to expire (10 hours here) and then woke up and unlocked the screen.
> > > The problem is that sssd never tries to get a new ticket using the creds I gave when unlocking.
> > > Even if I do several lock/unlocks after the network is restored, sssd will not get me a new ticket.
> > >
> >
> > sssd would get a new ticket if it was in online mode.
> > But it is in offline mode.
> >
> > I would highly recommend to keep time in sync with server
> > and then debug why sssd was in offline mode.
> > Or why it went to offline mode.
> >
> > With 1.15 you can use sssctl e.g.
>
> I did run sssctl domain-status infinera.com and it came back with:
> Unable to get online status [3]: Communication error
> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application
> did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the
> network connection was broken.
> Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services'
> option in sssd.conf.
> Unable to get online status
>
> I then just added 'ifp' to 'services' and restarted sssd and now it works:
> sssctl domain-status infinera.com
> Online status: Online
>
> Active servers:
> AD Global Catalog: not connected
> AD Domain Controller: se-dc01.infinera.com
> .....
>
> Could the problem I saw be related to not having ifp in services ?
> I will check again when the ticket expires again.
>
> Jocke
> On another machine I added ifp to services and just reloaded the sssd config (signal HUP
> to sssd) and just got this in the domain log:

The only way for sssd to use a new configuration is to RESTART sssd.
sssd does not reload its configuration after receiving SIGHUP.
LS
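The thread's fix is to add the InfoPipe responder ('ifp') to the 'services' option in the [sssd] section of sssd.conf and then restart sssd. The following is an added example, not code from the thread or from the SSSD project: a small POSIX shell check that reports whether 'ifp' is already listed, and a helper that emits a copy of the config with it appended. It assumes only that sssd parses 'services' as a comma-separated list (as documented in sssd.conf(5)); the file paths and the minimal config it writes for testing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and amend the 'services'
# option in the [sssd] section of an sssd.conf. All paths and the sample
# config content below are constructed for offline use.

has_ifp_service() {
    # Usage: has_ifp_service /path/to/sssd.conf
    # Exit status 0 if 'ifp' appears in 'services' under [sssd], else 1.
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)           # keep only the value
            n = split(line, parts, "[ \t,]+")        # comma-separated list
            for (i = 1; i <= n; i++) if (parts[i] == "ifp") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

add_ifp_service() {
    # Usage: add_ifp_service /path/to/sssd.conf > /path/to/new.conf
    # Copies the config to stdout; if the [sssd] services line lacks 'ifp',
    # it is appended. Nothing else is touched. Remember that sssd only picks
    # the change up after a restart, not on SIGHUP.
    awk '
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\][ \t]*$/) }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)
            n = split(line, parts, "[ \t,]+")
            has = 0
            for (i = 1; i <= n; i++) if (parts[i] == "ifp") has = 1
            if (!has) $0 = $0 ", ifp"
        }
        { print }
    ' "$1"
}

write_sample_conf() {
    # Usage: write_sample_conf /path/to/file "nss, pam"
    # Writes a constructed minimal sssd.conf so the functions above can be
    # exercised without touching a real /etc/sssd/sssd.conf.
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = $2
domains = example.com

[domain/example.com]
id_provider = ad
EOF
}

# Demo run when executed directly (constructed files in a temp dir).
if [ "${0##*/}" = "sssd_ifp_check.sh" ]; then
    d=$(mktemp -d)
    write_sample_conf "$d/sssd.conf" "nss, pam"
    if has_ifp_service "$d/sssd.conf"; then
        echo "ifp already enabled"
    else
        echo "ifp missing; amended config follows (restart sssd after installing it):"
        add_ifp_service "$d/sssd.conf"
    fi
    rm -rf "$d"
fi
```

Run the check against the real file with `has_ifp_service /etc/sssd/sssd.conf && echo enabled`; after replacing the config, restart the service (for example with `systemctl restart sssd`) rather than sending SIGHUP, for the reason given in the reply above.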