On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote:
> On (22/05/17 14:53), Joakim Tjernlund wrote:
> > > The time is not synchronised between client and server.
> > > MIT krb5 can handle a small offset. But I would highly recommend
> > > keeping time in sync.
> > There is some time problem on and off but this has never been too much. I
> > think this was the root problem here?
> As I already mentioned, I would highly recommend keeping time in sync.
> It will reduce possible errors.
> Configuring ntpd/chrony on client and server is not rocket science :-)
Sure, no rocket science but I have little control over the AD servers. :(
Anyhow, I did a "net ads info" and it came back with Server time offset: 0
so I don't think there is a time difference (or very small)?
The clients are already on NTP.
> > > Renewing of a ticket failed because it is already expired.
> > > Maybe due to time shift between client and server(KDC)
> > Yes, it is expired to begin with. I got a ticket, then suspended the computer long enough for
> > the ticket to expire (10 hours here) and then woke up and unlocked the screen.
> > The problem is that sssd never tries to get a new ticket using my creds I gave.
> > Even if I do several lock/unlocks after the network is restored, sssd will not get me a new ticket.
> sssd would get a new ticket if it was in online mode.
> But it is in offline mode.
> I would highly recommend to keep time in sync with server
> and then debug why sssd was in offline mode.
> Or why it went to offline mode.
> With 1.15 you can use sssctl e.g.
I did run sssctl domain-status infinera.com
and it came back with:
Unable to get online status : Communication error
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the
did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services' option in sssd.conf.
Unable to get online status
I then just added 'ifp' to 'services' and restarted sssd and now it
sssctl domain-status infinera.com
Online status: Online
AD Global Catalog: not connected
AD Domain Controller: se-dc01.infinera.com
Could the problem I saw be related to not having ifp in services?
I will check again when the ticket expires again.
The ifp service does not have any effect on ticket renewal.
It is just required by sssctl.