0017406: Failing ipa-otpd services lead to degraded systemd state - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017406	CentOS-8	ipa-server	public	2020-05-27 11:53	2020-07-06 07:18

Reporter	jhe
Priority	normal	Severity	minor	Reproducibility	sometimes
Status	new	Resolution	open
Product Version	8.1.1911
Target Version		Fixed in Version

Summary	0017406: Failing ipa-otpd services lead to degraded systemd state
Description	I have a FreeIPA installation consisting of ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64 on a CentOS Stream 8 server, with Fedora 32 clients. My IPA account is configured to use a password and OTP, with two tokens configured: one TOTP on my phone, another HOTP on a Yubikey. Eventually the ipa-otpd starts to fail. In systemctl one sees things like: ● ipa-otpd@0-3991-0.service loaded failed failed ipa-otpd service ● ipa-otpd@1-3992-0.service loaded failed failed ipa-otpd service with an overall 'degraded' state. However the OTP login continues to work correctly. The log for such failed services typically read: # journalctl -u ipa-otpd@1-3992-0.service -- Logs begin at Wed 2020-05-27 00:38:26 BST, end at Wed 2020-05-27 12:44:19 BST. -- May 27 10:08:38 skipper.[my domain] systemd[1]: Started ipa-otpd service (PID 3992/UID 0). May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-[my realm].socket May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: request received May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm] user query start May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: user query end: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc] May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind start: uid=james,cn=users,cn=accounts,dc=cb,dc=[my dc] May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: bind end: success May 27 10:08:38 skipper.[my domain] ipa-otpd[16008]: james@[my realm]: response sent: Access-Accept May 27 11:09:34 skipper.[my domain] ipa-otpd[16008]: bind.c:088: Input/output error: IO error received on bind socket May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Main process exited, code=exited, status=1/FAILURE May 27 11:09:34 skipper.[my domain] systemd[1]: ipa-otpd@1-3992-0.service: Failed with result 'exit-code'. Not seen anything else incriminating (like SELinux denials).
Steps To Reproduce	Restart machine running the IPA server, log in to a client using OTP. Happens eventually.
Additional Information	See also: https://pagure.io/freeipa/issue/6587
Tags	No tags attached.

slaanesh 2020-07-03 08:36 reporter ~0037296	Same thing happening here, every once in a while there is a failed instance of ipa-otpd. Fixing can be also by just running "systemctl reset-failed ipa-otpd@instance.service". We are on ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64.

slaanesh 2020-07-03 08:54 reporter ~0037297	Would like to point out that this service is started through a socket, and the ipa-otpd.socket was not enabled (but started, in our case). I've enabled it and will report if this fixes the issue.

slaanesh 2020-07-06 07:18 reporter ~0037306	No change even if the socket was enabled, same issue anyway: ipa-otpd[1416209]: bind.c:088: Input/output error: IO error received on bind socket

Date Modified	Username	Field	Change
2020-05-27 11:53	jhe	New Issue
2020-05-28 09:37	raheh76465	Tag Attached: ipa-otpb
2020-05-28 09:37	raheh76465	Tag Detached: ipa-otpb
2020-07-03 08:36	slaanesh	Note Added: 0037296
2020-07-03 08:54	slaanesh	Note Added: 0037297
2020-07-06 07:18	slaanesh	Note Added: 0037306