#809 sssd does not handle kerberos server IP change
Closed: Fixed. Opened 9 years ago by tibbs.

I'm updating my kerberos infrastructure and have moved my master server to a different IP address without changing the hostname. Unfortunately sssd doesn't notice this and continues to contact the old server as long as it stays up. I generally try to leave old servers around at least until the DNS caches expire, but sssd is holding onto the old IP far longer than the DNS TTL. This is evidenced by the fact that /var/lib/sss/pubconf/kdcinfo.* still has the old IP. This behavior also manifests in kinit; I think that sssd has some interaction with the standard kerberos tools which causes this. (Hence I'm using kinit to test this easily.)

Restarting sssd fixes this as expected. Shutting down the old server switches over to a slave as expected. My concern is that I intend to update all of my infrastructure so that all IPs change eventually, so sssd will eventually run out of slaves to try. I gather that in this situation it will do fresh DNS lookups, though I'd rather avoid timeouts in this situation if possible.

I'm seeing this on my F13 machines running sssd-1.3.0-40.fc13.x86_64 and on F14 machines with sssd-1.5.1-3.fc14.x86_64.

Some more information:

For grins I took the slave kdc down to see what the client behavior would be. Unfortunately the F13 machine I tested switched back to the old IP for the master instead of doing fresh DNS lookups.

So, the sequence of events:
- sssd is configured to look at two KDCs: kerberos1 and kerberos2.
- Switch kerberos1 to a new IP, leaving old server (call it kerberos-old) up for the transition.
- sssd continues to contact kerberos-old pretty much permanently.
- Take kerberos-old down, sssd switches to kerberos2.
- Wait a while (a couple of hours in this case)
- Take kerberos2 down, sssd switches back to contacting kerberos-old, which is still down.
- All authentication stops working at this point.
- Restarting sssd fixes things.

I'm verifying the "switching" by tcpdump on the server hosts and by looking at the IP in /var/lib/sss/pubconf/kdcinfo.*

I'd have hoped that sssd would do fresh DNS lookups at some point and start picking up the proper IP for kerberos1, but that doesn't seem to be the case. Note that I've only tested this on F13 (sssd 1.3.0), as it's a bit scary to pull down the only KDC the clients seem to want to use. I'll experiment more in the evening.
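As an added illustration for this ticket (not sssd's own fail_over code, and not written by the reporter), the constructed Python model below replays the sequence of events above twice: once caching each resolved address forever, which reproduces the dead end on kerberos-old, and once re-resolving a name after its DNS TTL expires and whenever every server has failed. The hostnames, addresses, TTLs and timings are constructed for the scenario.

```python
"""Constructed model of a KDC fail-over list, showing why a cached KDC address
must be re-resolved once its DNS TTL expires (and when every server has failed).
Illustration only; this is not sssd's fail_over implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Server:
    name: str
    addr: Optional[str] = None  # cached address, None = not resolved yet
    resolved_at: float = 0.0    # time of the cached lookup
    ttl: float = 0.0            # TTL the resolver returned
    working: bool = True        # cleared when a connection attempt fails


class FakeDNS:
    """Stand-in resolver over constructed records: name -> (address, ttl)."""

    def __init__(self, records: Dict[str, Tuple[str, float]]):
        self.records = records
        self.lookups: List[str] = []  # every lookup performed, for inspection

    def resolve(self, name: str) -> Tuple[str, float]:
        self.lookups.append(name)
        return self.records[name]


class FailoverList:
    def __init__(self, names: List[str], dns: FakeDNS, honor_ttl: bool):
        self.servers = [Server(n) for n in names]
        self.dns = dns
        self.honor_ttl = honor_ttl  # False reproduces the behaviour reported above

    def _address(self, s: Server, now: float) -> str:
        expired = self.honor_ttl and now - s.resolved_at >= s.ttl
        if s.addr is None or expired:
            s.addr, s.ttl = self.dns.resolve(s.name)
            s.resolved_at = now
        return s.addr

    def pick(self, now: float, reachable: Set[str]) -> Optional[str]:
        """Address the client would contact at time `now`; `reachable` is the
        set of addresses currently answering (constructed for the scenario)."""
        for _attempt in range(2):
            for s in self.servers:
                if not s.working:
                    continue
                if self._address(s, now) in reachable:
                    return s.addr
                s.working = False  # connection failed: mark it and move on
            # Every server failed: reset their status and try once more.
            for s in self.servers:
                s.working = True
                if self.honor_ttl:
                    s.addr = None  # force a fresh lookup on the retry pass
        return None


def run_scenario(honor_ttl: bool) -> Tuple[List[Optional[str]], List[str]]:
    """Replay the ticket's sequence; returns the address picked at each step
    and the list of DNS lookups the client performed."""
    dns = FakeDNS({"kerberos1": ("192.0.2.1", 300.0),
                   "kerberos2": ("192.0.2.2", 300.0)})
    fo = FailoverList(["kerberos1", "kerberos2"], dns, honor_ttl)
    picks = []
    # 1. both KDCs up
    picks.append(fo.pick(0, {"192.0.2.1", "192.0.2.2"}))
    # 2. kerberos1 moves to a new address; kerberos-old (192.0.2.1) still answers
    dns.records["kerberos1"] = ("192.0.2.11", 300.0)
    picks.append(fo.pick(100, {"192.0.2.1", "192.0.2.11", "192.0.2.2"}))
    # 3. kerberos-old taken down
    picks.append(fo.pick(1200, {"192.0.2.11", "192.0.2.2"}))
    # 4. a couple of hours later kerberos2 is taken down as well
    picks.append(fo.pick(8400, {"192.0.2.11"}))
    return picks, dns.lookups


if __name__ == "__main__":
    for mode in (False, True):
        picks, lookups = run_scenario(mode)
        print("honor_ttl=%s picks=%s lookups=%s" % (mode, picks, lookups))
```

With `honor_ttl=False` the client performs exactly two lookups in its lifetime and ends with no usable KDC once kerberos2 goes away, which is the outage described in the last steps above; with `honor_ttl=True` the old address is still used inside the TTL window (step 2), but the move to 192.0.2.11 is picked up as soon as the record expires, so taking the last old server down no longer stops authentication.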

Fields changed

owner: somebody => jhrozek

master: 6c9cb2b

sssd-1-5: 52dacaa

resolution: => fixed
status: new => closed

Thanks, folks. BTW, "resetting" in the log message output by the new code is misspelled.

Fields changed

rhbz: => 0

Metadata Update from @tibbs:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1851

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
