View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017406 | CentOS-8 | ipa-server | public | 2020-05-27 11:53 | 2020-07-06 07:18 |
Reporter | jhe | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | sometimes |
Status | new | Resolution | open | ||
Product Version | 8.1.1911 | ||||
Summary | 0017406: Failing ipa-otpd services lead to degraded systemd state | ||||
Description | I have a FreeIPA installation consisting of ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64 on a CentOS Stream 8 server, with Fedora 32 clients. My IPA account is configured to use a password and OTP, with two tokens configured: one TOTP on my phone, another HOTP on a Yubikey. Eventually the ipa-otpd starts to fail. In systemctl one sees things like:

    ● ipa-otpd@0-3991-0.service loaded failed failed ipa-otpd service
    ● ipa-otpd@1-3992-0.service loaded failed failed ipa-otpd service

with an overall 'degraded' state. However the OTP login continues to work correctly. The log for such failed services typically reads:

    # journalctl -u ipa-otpd@1-3992-0.service
    -- Logs begin at Wed 2020-05-27 00:38:26 BST, end at Wed 2020-05-27 12:44:19 BST. --
    May 27 10:08:38 skipper.[my domain] systemd[1]: Started ipa-otpd service (PID 3992/UID 0).
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-[my realm].socket
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: request received
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm] user query start
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: user query end: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc]
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind start: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc]
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind end: success
    May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: response sent: Access-Accept
    May 27 11:09:34 skipper.[my domain] ipa-otpd[16008]: bind.c:088: Input/output error: IO error received on bind socket
    May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Main process exited, code=exited, status=1/FAILURE
    May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Failed with result 'exit-code'.

Not seen anything else incriminating (like SELinux denials). | ||||
Steps To Reproduce | Restart machine running the IPA server, log in to a client using OTP. Happens eventually. | ||||
Additional Information | See also: https://pagure.io/freeipa/issue/6587 | ||||
Tags | No tags attached. | ||||
Same thing happening here, every once in a while there is a failed instance of ipa-otpd. It can also be fixed by just running "systemctl reset-failed ipa-otpd@instance.service". We are on ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64. |
|
Would like to point out that this service is started through a socket, and the ipa-otpd.socket was not enabled (but started, in our case). I've enabled it and will report if this fixes the issue. |
|
No change even if the socket was enabled, same issue anyway: ipa-otpd[1416209]: bind.c:088: Input/output error: IO error received on bind socket |
|
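An added example, not part of this report or of FreeIPA: before clearing failed instances with `systemctl reset-failed`, it helps to confirm that each one failed with the bind-socket message quoted above rather than for some other reason. The function names and the sample journal lines are constructed for illustration, and the script assumes journal output in the short format shown in the description.

```shell
#!/bin/sh
# Added example (not from the report): classify why an ipa-otpd@ instance failed.
SIG='IO error received on bind socket'   # message quoted in the report

# Reads one unit's journal (short format) on stdin and prints:
#   bind-socket-io  last ipa-otpd message before the failure carries SIG
#   other           the unit failed after some other message
#   not-failed      no "Failed with result" line is present
failure_cause() {
  awk -v sig="$SIG" '
    / ipa-otpd\[[0-9]+\]: / { last = $0 }
    / systemd\[[0-9]+\]: .*Failed with result / {
      cause = (index(last, sig) ? "bind-socket-io" : "other")
    }
    END { print (cause == "" ? "not-failed" : cause) }'
}

# Label every failed ipa-otpd@ instance; nothing is reset automatically.
triage_failed_otpd() {
  systemctl list-units --state=failed --plain --no-legend 'ipa-otpd@*.service' |
  awk '{ print $1 }' |
  while read -r unit; do
    cause=$(journalctl -u "$unit" --no-pager -o short | failure_cause)
    echo "$unit $cause"
  done
}

# Constructed sample journals (host, realm and the second error are made up).
sample_known() { cat <<'EOF'
May 27 10:08:38 ipa.example.test ipa-otpd[16008]: user@EXAMPLE.TEST: response sent: Access-Accept
May 27 11:09:34 ipa.example.test ipa-otpd[16008]: bind.c:088: Input/output error: IO error received on bind socket
May 27 11:09:34 ipa.example.test systemd[1]: ipa-otpd@1-3992-0.service: Main process exited, code=exited, status=1/FAILURE
May 27 11:09:34 ipa.example.test systemd[1]: ipa-otpd@1-3992-0.service: Failed with result 'exit-code'.
EOF
}
sample_other() { cat <<'EOF'
May 27 12:00:01 ipa.example.test ipa-otpd[200]: constructed unrelated error line
May 27 12:00:01 ipa.example.test systemd[1]: ipa-otpd@2-4000-0.service: Failed with result 'exit-code'.
EOF
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then triage_failed_otpd; fi
```

Instances labelled `other` are the ones worth reading in full before they are reset, since resetting also clears the failed state that monitoring sees.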
Date Modified | Username | Field | Change |
---|---|---|---|
2020-05-27 11:53 | jhe | New Issue | |
2020-05-28 09:37 | raheh76465 | Tag Attached: ipa-otpb | |
2020-05-28 09:37 | raheh76465 | Tag Detached: ipa-otpb | |
2020-07-03 08:36 | slaanesh | Note Added: 0037296 | |
2020-07-03 08:54 | slaanesh | Note Added: 0037297 | |
2020-07-06 07:18 | slaanesh | Note Added: 0037306 |