[Freeipa-users] SSSD and DNS

Sean Hogan schogan at us.ibm.com
Wed Jan 27 17:53:00 UTC 2016



Hi All,

Tue Jan 26 19:01:32 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [ssh]. Attempt [0]
(Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [sudo]. Attempt [0]
(Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [ssh]. Attempt [0]
Everything recovers and all is good for a while, then:

(Tue Jan 26 19:14:11 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [foo.local]. Attempt [2]
(Tue Jan 26 19:14:21 2016) [sssd] [tasks_check_handler] (0x0020): Killing
service [foo.local], not responding to pings!
(Tue Jan 26 19:14:21 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [foo.local]. Attempt [3]
(Tue Jan 26 19:14:25 2016) [sssd] [mt_svc_exit_handler] (0x0040): Child
[foo.local] exited with code [0]
(Tue Jan 26 19:14:25 2016) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x10022c42aa0
(Tue Jan 26 19:14:25 2016) [sssd] [sbus_dispatch] (0x0080): Connection is
not open for dispatching.
(Tue Jan 26 19:14:25 2016) [sssd] [mt_svc_restart] (0x0400): Scheduling
service foo.local for restart 1
(Tue Jan 26 19:14:25 2016) [sssd] [get_ping_config] (0x0100): Time between
service pings for [foo.local]: [10]
(Tue Jan 26 19:14:25 2016) [sssd] [get_ping_config] (0x0100): Time between
SIGTERM and SIGKILL for [foo.local]: [60]
(Tue Jan 26 19:14:25 2016) [sssd] [start_service] (0x0100): Queueing
service foo.local for startup
(Tue Jan 26 19:18:44 2016) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Jan 26 19:19:26 2016) [sssd] [sbus_add_timeout] (0x2000):
0x10022c47f60
(Tue Jan 26 19:19:26 2016) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Jan 26 19:19:26 2016) [sssd] [sbus_add_timeout] (0x2000):
0x10022c54600
(Tue Jan 26 19:19:26 2016) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Jan 26 19:19:26 2016) [sssd] [sbus_add_timeout] (0x2000):
0x10022c307c0
(Tue Jan 26 19:19:26 2016) [sssd] [service_send_ping] (0x0100): Pinging
sudo
(Tue Jan 26 19:19:26 2016) [sssd] [sbus_add_timeout] (0x2000):
0x10022c488b0
(Tue Jan 26 19:19:26 2016) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Jan 26 19:19:26 2016) [sssd] [sbus_add_timeout] (0x2000):
0x10022c47710
(Tue Jan 26 19:19:26 2016) [sssd] [service_send_ping] (0x2000): Service not
yet initialized
(Tue Jan 26 19:19:26 2016) [sssd] [tasks_check_handler] (0x0020): Child
(foo.local) not responding! (yet)
(Tue Jan 26 19:21:33 2016) [sssd] [tasks_check_handler] (0x0020): Child
(foo.local) not responding! (yet)


Thoroughly confused now. I thought I had the above issue pinned down
on IBM Java:
http://www-01.ibm.com/support/docview.wss?uid=swg1IV71405
IV71405: JGSS CANNOT GET KDC FROM DNS.

but now I also see this;
https://bugzilla.redhat.com/show_bug.cgi?id=966757
SSSD failover doesn't work if the first DNS server in resolv.conf is
unavailable

Seems both the above links are issues with reading and using DNS whether it
is caused by SSSD or IBM Java ibmjgssprovider.jar.
I am not running the version of sssd that is in the Bugzilla post, but..
ipa-python-3.0.0-42.el6.ppc64
libipa_hbac-1.11.6-30.el6_6.4.ppc64
sssd-ipa-1.11.6-30.el6_6.4.ppc64
ipa-client-3.0.0-42.el6.ppc64
device-mapper-multipath-0.4.9-80.el6_6.3.ppc64


CPU spike to 100% for SSSD and requires a reboot or interestingly enough a
kill -9 java process.
Kinit also does not work on the box with:
com.ibm.security.krb5.KrbException, status code: 0
message: Cannot find KDC for realm foo.LOCAL

Also, the box has been running fine for a couple of months with kinit not
working.  The kinit issue is the IBM APAR and I am working with IBM Java
for a new ibmjgssprovider.jar, but the sssd CPU spiking to 100% is so random
and all over the place.  Not sure if I am dealing with 2 issues or 1 issue
here.  I am thinking 2 issues, with kinit being IBM Java and CPU 100%
being an sssd issue.

Systems are set for dns lookup in krb5.conf








Sean Hogan
Security Engineer
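
An added example, not part of the original post and not SSSD code: a small triage script for monitor entries like the ones quoted in the message. It rejoins mail-wrapped lines, counts ping timeouts, kills and restarts per service, and counts "not responding" entries that follow a scheduled restart. It assumes entries are in chronological order; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: monitor entries quoted in the post, still mail-wrapped.
SAMPLE = """\
(Tue Jan 26 19:06:50 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [ssh]. Attempt [0]
(Tue Jan 26 19:14:11 2016) [sssd] [ping_check] (0x0020): A service PING
timed out on [foo.local]. Attempt [2]
(Tue Jan 26 19:14:21 2016) [sssd] [tasks_check_handler] (0x0020): Killing
service [foo.local], not responding to pings!
(Tue Jan 26 19:14:25 2016) [sssd] [mt_svc_restart] (0x0400): Scheduling
service foo.local for restart 1
(Tue Jan 26 19:19:26 2016) [sssd] [tasks_check_handler] (0x0020): Child
(foo.local) not responding! (yet)
"""

# A timestamp prefix marks the start of an entry; group 1 is the message.
ENTRY = re.compile(r"\(\w{3} \w{3} +\d+ [\d:]{8} \d{4}\) \[sssd\] \[\w+\] \(0x[0-9a-f]+\): (.*)")
EVENTS = {
    "timeout": re.compile(r"A service PING timed out on \[([^\]]+)\]"),
    "killed": re.compile(r"Killing service \[([^\]]+)\]"),
    "restart": re.compile(r"Scheduling service (\S+) for restart"),
    "unresponsive": re.compile(r"Child \(([^)]+)\) not responding"),
}

def unwrap(text):
    """Rejoin wrapped entries; only a timestamp prefix starts a new entry."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per-service event counts; 'after_restart' = unresponsive after a restart."""
    stats, restarted = defaultdict(Counter), set()
    for m in filter(None, map(ENTRY.fullmatch, unwrap(text))):
        for kind, pat in EVENTS.items():
            if hit := pat.search(m.group(1)):
                svc = hit.group(1)
                stats[svc][kind] += 1
                if kind == "restart":
                    restarted.add(svc)
                elif kind == "unresponsive" and svc in restarted:
                    stats[svc]["after_restart"] += 1
    return stats
```

A non-zero `after_restart` count separates a child that stays unresponsive after the monitor restarts it from a one-off ping timeout such as the `ssh` entry.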





