Hello,
I know this is not a ThinLinc issue, but it affects ThinLinc and all users.
Sometimes, the server is not found in the Kerberos database and the users cannot log in anymore.
I need to manually restart SSSD to make it work again, but if I do not take action, it fixes itself 10-20 min later; during this period, users cannot log in.
- auth.log
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.12 user=user1
Apr 27 09:01:38 tl-alpha-d11 sshd[1994799]: pam_sss(sshd:auth): received for user user1: 4 (System error)
Apr 27 09:01:40 tl-alpha-d11 sshd[1994797]: error: PAM: Authentication failure for user1 from 10.1.1.12
- krb5_child.log
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:01:38 tl-alpha-d11 krb5_child[1994800]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:11 tl-alpha-d11 krb5_child[1994890]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:15 tl-alpha-d11 krb5_child[1994901]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos database
Apr 27 09:02:23 tl-alpha-d11 krb5_child[1994911]: Server not found in Kerberos databas
Apr 27 09:10:43 tl-alpha-d11 ldap_child[1997028]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'TL-ALPHA-D11$@COMPANY.LAN' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
I have a ThinLinc HA cluster with 2 nodes.
The DNS entries are static, and the VIP is 10.100.150.42. Is it because the VIP address is also associated with the alpha node? (When the beta is master, it has the VIP associated with its DNS name.)
superbrowser is the name typed on the client to connect.