View Issue Details

ID: 0017406
Project: CentOS-8
Category: ipa-server
View Status: public
Last Update: 2020-07-06 07:18
Reporter: jhe
Priority: normal
Severity: minor
Reproducibility: sometimes
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017406: Failing ipa-otpd services lead to degraded systemd state

Description:
I have a FreeIPA installation consisting of ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64 on a CentOS Stream 8 server, with Fedora 32 clients. My IPA account is configured to use a password and OTP, with two tokens configured: one TOTP on my phone, another HOTP on a Yubikey.

Eventually the ipa-otpd starts to fail. In systemctl one sees things like:

ipa-otpd@0-3991-0.service loaded failed failed ipa-otpd service
ipa-otpd@1-3992-0.service loaded failed failed ipa-otpd service

with an overall 'degraded' state. However, the OTP login continues to work correctly. The logs for such failed services typically read:

# journalctl -u ipa-otpd@1-3992-0.service
-- Logs begin at Wed 2020-05-27 00:38:26 BST, end at Wed 2020-05-27 12:44:19 BST. --
May 27 10:08:38 skipper.[my domain] systemd[1]: Started ipa-otpd service (PID 3992/UID 0).
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-[my realm].socket
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: request received
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm] user query start
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: user query end: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc]
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind start: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc]
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind end: success
May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: response sent: Access-Accept
May 27 11:09:34 skipper.[my domain] ipa-otpd[16008]: bind.c:088: Input/output error: IO error received on bind socket
May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Main process exited, code=exited, status=1/FAILURE
May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Failed with result 'exit-code'.

Not seen anything else incriminating (like SELinux denials).

Steps To Reproduce:
Restart machine running the IPA server, log in to a client using OTP. Happens eventually.

Additional Information:
See also: https://pagure.io/freeipa/issue/6587

Tags: No tags attached.
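
A triage sketch for the journal excerpt in the description, added here and not part of the original report or of FreeIPA: it checks whether each ipa-otpd process that logged the bind-socket IO error failed with a request outstanding or after sitting idle. The hostname, realm and the function name `triage` are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the journal excerpt in the report
# (hostname and realm replaced with placeholders).
SAMPLE = """\
May 27 10:08:38 ipa.example.test systemd[1]: Started ipa-otpd service (PID 3992/UID 0).
May 27 10:08:38 ipa.example.test ipa-otpd[16008]: james@EXAMPLE.TEST: request received
May 27 10:08:38 ipa.example.test ipa-otpd[16008]: james@EXAMPLE.TEST: bind end: success
May 27 10:08:38 ipa.example.test ipa-otpd[16008]: james@EXAMPLE.TEST: response sent: Access-Accept
May 27 11:09:34 ipa.example.test ipa-otpd[16008]: bind.c:088: Input/output error: IO error received on bind socket
May 27 11:09:34 ipa.example.test systemd[1]: ipa-otpd@1-3992-0.service: Main process exited, code=exited, status=1/FAILURE
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ipa-otpd\[(\d+)\]: (.*)$")
FAILURE = "IO error received on bind socket"

def triage(journal_text, year=2020):
    """Return one finding per ipa-otpd PID that hit the bind-socket IO error.

    Each finding records how long the process had been idle since its last
    response, and whether a request was still unanswered when it failed.
    """
    state = {}      # pid -> {"last_response": datetime or None, "pending": int}
    findings = []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # systemd's own lines and unrelated units are skipped
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = state.setdefault(pid, {"last_response": None, "pending": 0})
        if msg.endswith(": request received"):
            s["pending"] += 1
        elif ": response sent: " in msg:
            s["pending"] = max(0, s["pending"] - 1)
            s["last_response"] = when
        elif FAILURE in msg:
            idle = (when - s["last_response"]).total_seconds() if s["last_response"] else None
            findings.append({"pid": int(pid), "failed_at": when,
                             "idle_seconds": idle, "request_in_flight": s["pending"] > 0})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample, the process fails 3656 seconds after its last response with no request in flight, which is consistent with the report that OTP logins keep working while the unit is marked failed.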

Activities

slaanesh

2020-07-03 08:36

reporter   ~0037296

Same thing happening here, every once in a while there is a failed instance of ipa-otpd.
It can also be fixed by just running "systemctl reset-failed ipa-otpd@instance.service".

We are on ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64.
slaanesh

2020-07-03 08:54

reporter   ~0037297

Would like to point out that this service is started through a socket, and the ipa-otpd.socket was not enabled (but started, in our case).
I've enabled it and will report if this fixes the issue.
slaanesh

2020-07-06 07:18

reporter   ~0037306

No change even if the socket was enabled, same issue anyway:

ipa-otpd[1416209]: bind.c:088: Input/output error: IO error received on bind socket

Issue History

Date Modified Username Field Change
2020-05-27 11:53 jhe New Issue
2020-05-28 09:37 raheh76465 Tag Attached: ipa-otpb
2020-05-28 09:37 raheh76465 Tag Detached: ipa-otpb
2020-07-03 08:36 slaanesh Note Added: 0037296
2020-07-03 08:54 slaanesh Note Added: 0037297
2020-07-06 07:18 slaanesh Note Added: 0037306