[Freeipa-users] Free-IPA failover succeeds, but ssh is broken?

Martin Kosek mkosek at redhat.com
Mon Jan 18 08:27:23 UTC 2016


Hi Jeff and Janelle,

I am glad you got things working, but I am not convinced this is the best way
to do it. The proxy is needed for SSSD SSH integration (public keys and
fingerprints), if the proxy is buggy, we should fix. And in order to fix it, it
would be great to get our hands on the logs showing the fault - CCing Jakub and
Honza on this one.

Thanks for help,
Martin

On 01/18/2016 01:14 AM, Jeff Hallyburton wrote:
> Janelle,
> 
> The proxy suggestion was spot on.  After that things seem to work normally.
> 
> Thanks!
> 
> Jeff
> 
> Jeff Hallyburton
> Strategic Systems Engineer
> Bloomip Inc.
> Web: http://www.bloomip.com
> 
> Engineering Support: support at bloomip.com
> Billing Support: billing at bloomip.com
> Customer Support Portal:  https://my.bloomip.com
> 
> On Sun, Jan 17, 2016 at 9:58 AM, Janelle <janellenicole80 at gmail.com> wrote:
> 
>> Hi,
>>
>> Try commenting out the proxy command in /etc/ssh/ssh_config
>>
>> The sssd proxy of ssh is buggy as can be.
>>
>> ~J
>>
>>> On Jan 17, 2016, at 05:24, Jakub Hrozek <jhrozek at redhat.com> wrote:
>>>
>>>
>>>> On 16 Jan 2016, at 02:21, Jeff Hallyburton <jeff.hallyburton at bloomip.com> wrote:
>>>>
>>>> Having finished setting up an ipa server and replica, we're trying to
>> test failover to ensure that HA works as expected.  We've been able to
>> verify the replication agreements and auto-discovery are working, and both
>> servers are picked up as expected at install time.
>>>>
>>>> That said, we're seeing some oddities with failover.  Once I shut down
>> the ipa service on the main ipa server, I get most requests completing
>> after about a 2 min window.  I am able to:
>>>>
>>>> 1.  Authenticate to our jump server and get a kerberos ticket
>>>> 2.  kinit successfully as other users
>>>>
>>>> However, whenever I try to ssh to another system within our domain, ssh
>> breaks with the following error:
>>>>
>>>> $ ssh -vvv automation01
>>>> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
>>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>>> debug1: /etc/ssh/ssh_config line 5: Applying options for *
>>>> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 automation01
>>>> debug1: permanently_drop_suid: 1587000001
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_rsa-cert type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_dsa-cert type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ecdsa-cert type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519 type -1
>>>> debug1: identity file /home/jeff.hallyburton/.ssh/id_ed25519-cert type -1
>>>> debug1: Enabling compatibility mode for protocol 2.0
>>>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
>>>> ssh_exchange_identification: Connection closed by remote host
>>>
>>> Did you crank up debug level on the machine where sshd is running and
>> see if anything is logged then?
>>>
>>>>
>>>> Nothing is logged in either /var/log/messages or /var/log/secure when
>> this happens, so I'm unsure where to begin debugging.  Can you offer any
>> insight?
>>>>
>>>> Thanks,
>>>>
>>>> Jeff
>>>>
>>>> Jeff Hallyburton
>>>> Strategic Systems Engineer
>>>> Bloomip Inc.
>>>> Web: http://www.bloomip.com
>>>>
>>>> Engineering Support: support at bloomip.com
>>>> Billing Support: billing at bloomip.com
>>>> Customer Support Portal:  https://my.bloomip.com
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>
> 
> 
> 
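The triage script below is an added example for this thread, not code from any of the participants or from the SSSD/FreeIPA projects. It targets the failure in Jeff's trace: ssh starts sss_ssh_knownhostsproxy as its ProxyCommand and then reports "ssh_exchange_identification: Connection closed by remote host". In that message the "remote host" is whatever sits on the far end of ssh's stdin/stdout pipe, which here is the proxy process, so the sshd banner never came back through the proxy. The script runs the proxy by hand and, separately, a direct connection with ProxyCommand=none, so you can tell a proxy-side failure (the SSSD ssh responder, its IPA lookup) from an sshd-side one before commenting anything out. It assumes the ssh_config lines ipa-client-install normally writes (ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h and GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts), the SSSD ssh responder log at /var/log/sssd/sssd_ssh.log, and coreutils timeout; adjust the paths if your hosts differ.

```shell
# sss_ssh_triage.sh - example triage for "Connection closed by remote host"
# when ssh goes through sss_ssh_knownhostsproxy. Added example, not from the
# thread or from SSSD/FreeIPA. Assumed layout (verify on your own hosts):
#   ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
#   GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#   SSSD ssh responder log: /var/log/sssd/sssd_ssh.log ([ssh] debug_level)

SSH_CONFIG="${SSH_CONFIG:-/etc/ssh/ssh_config}"
PROXY="${PROXY:-/usr/bin/sss_ssh_knownhostsproxy}"

# Print the active (uncommented) ProxyCommand / GlobalKnownHostsFile lines
# of the ssh_config given as $1.
sss_ssh_settings() {
    awk 'tolower($1) == "proxycommand" || tolower($1) == "globalknownhostsfile" { print }' "$1"
}

# Exit 0 if an active ProxyCommand in $1 routes ssh through the SSSD proxy.
# A commented-out line does not count: its first field is "#ProxyCommand".
uses_sss_proxy() {
    awk 'tolower($1) == "proxycommand" && /sss_ssh_knownhostsproxy/ { found = 1 }
         END { exit !found }' "$1"
}

# Run the proxy exactly as ssh does and print the first line it relays.
# sshd sends its "SSH-2.0-..." banner as soon as the TCP session is up, so
# an empty first line means the proxy closed the pipe before any banner.
# stdin is held open for a few seconds so the proxy does not see EOF at once.
probe_proxy() {
    host="$1"; port="${2:-22}"; err="/tmp/sss_proxy.$$.err"
    sleep 3 | timeout 10 "$PROXY" -p "$port" "$host" 2>"$err" | head -n 1
    echo "proxy stderr:"; cat "$err"; rm -f "$err"
}

# Bypass the proxy: does sshd answer on a direct TCP path? BatchMode stops
# ssh from prompting; authentication is expected to fail, the point is only
# whether the banner exchange ("remote software version ...") happens.
probe_direct() {
    host="$1"; port="${2:-22}"
    ssh -v -p "$port" -o ProxyCommand=none -o BatchMode=yes "$host" true 2>&1 \
        | grep -E 'remote software version|ssh_exchange_identification|Connection refused|timed out' \
        | head -n 1
}

triage() {
    host="$1"; port="${2:-22}"
    echo "== active SSSD ssh settings in $SSH_CONFIG =="
    sss_ssh_settings "$SSH_CONFIG"
    if ! uses_sss_proxy "$SSH_CONFIG"; then
        echo "ssh is not routed through sss_ssh_knownhostsproxy; the proxy is not the culprit"
        return 0
    fi
    echo "== direct (ProxyCommand=none) =="; direct=$(probe_direct "$host" "$port"); echo "$direct"
    echo "== via sss_ssh_knownhostsproxy =="; via=$(probe_proxy "$host" "$port"); echo "$via"
    case "$direct" in
        *"remote software version"*)
            case "$via" in
                SSH-*) echo "VERDICT: both paths reach sshd; the problem is after the banner, not in the proxy" ;;
                *)     echo "VERDICT: sshd answers directly but not through the proxy:" \
                            "raise debug_level in the [ssh] section of sssd.conf and read /var/log/sssd/sssd_ssh.log" ;;
            esac ;;
        *) echo "VERDICT: sshd itself does not answer on $host:$port; debug sshd there (sshd -d, LogLevel DEBUG)" ;;
    esac
}

# Network probes run only when asked, e.g.: TRIAGE_HOST=automation01 sh sss_ssh_triage.sh
if [ -n "${TRIAGE_HOST:-}" ]; then
    triage "$TRIAGE_HOST" "${TRIAGE_PORT:-22}"
fi
```

The point of keeping the proxy in the loop is the one Martin makes: sss_ssh_knownhostsproxy is what asks SSSD for the target's host keys and refreshes /var/lib/sss/pubconf/known_hosts from IPA before the connection is handed to ssh. Commenting the ProxyCommand out makes ssh work again, but host-key verification then falls back to the user's own known_hosts and trust-on-first-use prompts, which is a weaker trust model than the IPA-managed keys.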



