Hey folks,
During an internal reliability test, we recently found out that /var/lib/sss/pubconf/kdcinfo.${REALM} stays static even when the IP cached there is unreachable or down. During the test, kinit failed consistently for those unfortunate to have a bad KDC cached.
I found this draft document which would probably solve this issue for us: https://docs.pagure.org/SSSD.sssd/design_pages/kerberos_locator_redesign.html
But until said redesign happens, I'm thinking about workarounds. One idea is symlinking that file to /dev/null, another would be just periodically rm-ing it. I'm trying the first today on my laptop and it seems fine, but I haven't really tested it past that.
Any suggestions?
On Fri, Nov 17, 2017 at 07:43:15PM +0000, Mark Ignacio wrote:
Hey folks,
During an internal reliability test, we recently found out that /var/lib/sss/pubconf/kdcinfo.${REALM} stays static even when the IP cached there is unreachable or down. During the test, kinit failed consistently for those unfortunate to have a bad KDC cached.
I found this draft document which would probably solve this issue for us: https://docs.pagure.org/SSSD.sssd/design_pages/kerberos_locator_redesign.html
But until said redesign happens, I'm thinking about workarounds. One idea is symlinking that file to /dev/null, another would be just periodically rm-ing it. I'm trying the first today on my laptop and it seems fine, but I haven't really tested it past that.
Any suggestions?
You can also set the krb5_use_kdcinfo file to false to avoid generating the file in the first place.
That sounds like a much better idea! Thanks for pointing that out.
On Fri, 2017-11-17 at 20:52 +0100, Jakub Hrozek wrote:
On Fri, Nov 17, 2017 at 07:43:15PM +0000, Mark Ignacio wrote:
Hey folks,
During an internal reliability test, we recently found out that /var/lib/sss/pubconf/kdcinfo.${REALM} stays static even when the IP cached there is unreachable or down. During the test, kinit failed consistently for those unfortunate to have a bad KDC cached.
I found this draft document which would probably solve this issue for us: https://docs.pagure.org/SSSD.sssd/design_pages/kerberos_locator_redesign.html
But until said redesign happens, I'm thinking about workarounds. One idea is symlinking that file to /dev/null, another would be just periodically rm-ing it. I'm trying the first today on my laptop and it seems fine, but I haven't really tested it past that.
Any suggestions?
You can also set the krb5_use_kdcinfo file to false to avoid generating the file in the first place.
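For readers who cannot change sssd.conf yet, here is the "periodically rm it" workaround from the first message made a little smarter: it only deletes kdcinfo.${REALM} when none of the KDCs cached in it accepts a TCP connection, so libkrb5 falls back to its normal krb5.conf/DNS SRV lookup instead of retrying a dead address. This is an added example for this thread, not code from SSSD or from either poster. It assumes each line of the file names one KDC as "host", "host:port" or "[ipv6]:port" (missing port taken as 88), that bash is available for the /dev/tcp probe, and that coreutils' timeout is present to bound the probe; the default directory /var/lib/sss/pubconf is the one named in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from SSSD or from the posters:
# a "periodic rm" workaround that removes kdcinfo.${REALM} only when no KDC
# cached in it accepts a TCP connection, so libkrb5 falls back to its usual
# krb5.conf/DNS SRV lookup instead of retrying the dead address.
#
# Assumptions: each line of the file names one KDC as "host", "host:port" or
# "[ipv6]:port" (missing port = 88); bash is available for the /dev/tcp probe;
# coreutils' timeout bounds the probe when present.

KDCINFO_DIR="${KDCINFO_DIR:-/var/lib/sss/pubconf}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"

# kdcinfo_parse ENTRY: print "host port" for one kdcinfo line.
kdcinfo_parse() {
    entry=$1
    case "$entry" in
        "["*"]"*)                          # [ipv6]:port or [ipv6]
            host=${entry#"["}; host=${host%%"]"*}
            port=${entry##*"]"}; port=${port#:}
            ;;
        *:*:*)                             # bare IPv6 address, no port
            host=$entry; port=""
            ;;
        *:*)                               # host:port
            host=${entry%:*}; port=${entry##*:}
            ;;
        *)                                 # bare host, default port
            host=$entry; port=""
            ;;
    esac
    printf '%s %s\n' "$host" "${port:-88}"
}

# kdc_reachable HOST PORT: 0 if a TCP connect succeeds within PROBE_TIMEOUT.
# Any failure (refused, unroutable, timeout) counts as unreachable.
kdc_reachable() {
    _to=""
    command -v timeout >/dev/null 2>&1 && _to="timeout $PROBE_TIMEOUT"
    $_to bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" </dev/null 2>/dev/null
}

# kdcinfo_check FILE: 0 = some cached KDC answers, file kept;
#                     1 = none answers, file removed; 2 = no such file.
kdcinfo_check() {
    file=$1
    [ -f "$file" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        set -- $(kdcinfo_parse "$line")
        kdc_reachable "$1" "$2" && return 0
    done < "$file"
    rm -f -- "$file"
    return 1
}

# kdcinfo_check_all: sweep every kdcinfo.* file SSSD wrote under KDCINFO_DIR.
kdcinfo_check_all() {
    for f in "$KDCINFO_DIR"/kdcinfo.*; do
        [ -e "$f" ] || continue
        if kdcinfo_check "$f"; then echo "kept    $f"; else echo "removed $f"; fi
    done
}

# Run the sweep when invoked as: sh kdcinfo-sweep.sh --sweep (e.g. from cron).
if [ "${1:-}" = "--sweep" ]; then
    kdcinfo_check_all
fi
```

Two caveats. SSSD rewrites the file whenever it next resolves a server for the realm, so a sweep from cron only narrows the window during which a stale address is handed to libkrb5; it does not close it. And the cleaner fix Jakub points to is `krb5_use_kdcinfo = false` in the `[domain/...]` section of sssd.conf, which stops SSSD writing the file at all; the trade-off is that libkrb5 then discovers KDCs itself through krb5.conf or DNS rather than reusing the server SSSD has already chosen and verified.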