From janellenicole80 at gmail.com Wed Apr 1 02:32:54 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 31 Mar 2015 19:32:54 -0700
Subject: [Freeipa-users] where to disable components?
Message-ID: <551B58D6.4000003@gmail.com>

Hello again...

Looking around, but probably just not in the right place. I would like to be able to disable httpd on all but a pair of servers, so we kind of force all updates to come from a "master" and "slave" pair. Just trying to keep updates defined to 2 servers rather than all of them in an 8 server configuration.

Where might I find that? Or is it possible? Will it break anything?

thank you
~J

From rcritten at redhat.com Wed Apr 1 02:47:10 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 31 Mar 2015 22:47:10 -0400
Subject: [Freeipa-users] where to disable components?
In-Reply-To: <551B58D6.4000003@gmail.com>
References: <551B58D6.4000003@gmail.com>
Message-ID: <551B5C2E.6030903@redhat.com>

Janelle wrote:
> Hello again...
>
> Looking around, but probably just not in the right place. I would like
> to be able to disable httpd on all but a pair of servers, so we kind of
> force all updates to come from a "master" and "slave" pair. Just trying
> to keep updates defined to 2 servers rather than all of them in an 8
> server configuration.
>
> Where might I find that? Or is it possible? Will it break anything?
>
> thank you
> ~J
>

Not sure the complete reasoning behind that but...

The safest route would be to just firewall ports 80 and 443 off.

There is a way to tell ipactl to not start a service but I haven't thought through the implications. The CA interfaces on those machines will also be inaccessible.

rob

From prashant at apigee.com Wed Apr 1 05:09:33 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 1 Apr 2015 10:39:33 +0530
Subject: [Freeipa-users] nsAccountLock attribute
Message-ID:

Hi ,

Is there a way of making the nsAccountLock attribute (User enable/disable) to be anonymously readable ?
I'm trying to implement a SSH key lookup sshd authorized key command script. Based on this attribute the user will be allowed to login. I need this to be anonymously readable.

Tried setting the permissions but it does not work.

Any other ideas on this ?

Thanks for your help.

--Prashant

From jcholast at redhat.com Wed Apr 1 05:36:27 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 01 Apr 2015 07:36:27 +0200
Subject: [Freeipa-users] nsAccountLock attribute
In-Reply-To:
References:
Message-ID: <551B83DB.3050401@redhat.com>

Hi,

On 1.4.2015 at 07:09, Prashant Bapat wrote:
> Hi ,
>
> Is there a way of making the nsAccountLock attribute (User
> enable/disable) to be anonymously readable ?
>
> I'm trying to implement a SSH key lookup sshd authorized key command
> script. Based on this attribute the user will be allowed to login. I
> need this to be anonymously readable.
>
> Tried setting the permissions but it does not work.
>
> Any other ideas on this ?

If your SSH server is a properly configured IPA host (i.e. you have run ipa-client-install or ipa-server-install on it), rejecting locked user login should work automatically, without having to configure anything.

>
> Thanks for your help.
>
> --Prashant
>
>

--
Jan Cholasta

From lundman at lundman.net Wed Apr 1 05:51:25 2015
From: lundman at lundman.net (Jorgen Lundman)
Date: Wed, 01 Apr 2015 14:51:25 +0900
Subject: [Freeipa-users] bind-dyndb-ldap vs DLZ
In-Reply-To: <5513D7D6.7070408@redhat.com>
References: <55122F5F.8030505@lundman.net> <55126655.30109@redhat.com> <551351F8.5070508@lundman.net> <5513D7D6.7070408@redhat.com>
Message-ID: <551B875D.8070104@lundman.net>

> Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
> there is 1:1 mapping between DNS name<->LDAP DN. This makes implementation of
> dynamic updates much easier.

Well, you weren't wrong there.
:)

I did try a few different solutions, first letting ARecord/NSRecord trickle in after SOA setup is done. But that did not fit well with some of the checks. (diff tests of SOA updates need to be tuples etc, SOA is handled much more strictly), you can't "just" re-register/update a zone as easily as records.. and so on.

In the end, I went for the change where, before calling "update_zone()", I query DLZ for the additional information needed for the SOA record. ARecord/NSRecord etc, then tag those onto the "entry->attrs" list. This fits better with bind-dyndb-ldap existing framework, and only makes it worse for DLZ users. In addition to creating src/schema.h - to define the name of the common ldap attributes based on WITH_DLZ_SCHEMA.

Annoyingly, DLZ Schema reuses the generic "DNSData" for a lot of things, so "one large search" just overwrote previous attributes - sigh. So, I was forced to do single individual ldapqueries for each ARecord/NSRecord/... type, then finally call update_zone().

Some additional mapping for update_record() as well, to map things like DNSIPAddr -> ARecord was needed.

01-Apr-2015 12:09:13.601 ldap_entry_create dn is 'DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.601 Attempting to pre-populate zone: dn DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.602 Adding 'DNSData' -> 'NSRecord' mapping here
01-Apr-2015 12:09:13.603 Adding 'DNSIPAddr' -> 'ARecord' mapping here
01-Apr-2015 12:09:13.606 fakesoa is 'hostmaster.example.com dns01.example.com. 20081028 3600 300 3600000 600 '
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'DNSPrimaryNS'
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'NSRecord'
01-Apr-2015 12:09:13.606 Matched 'DNSPrimaryNS' to 'dns01.example.com.'
01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'ARecord'
01-Apr-2015 12:09:13.606 ldap_entry_nextrdtype: checking 'ARecord' on dn DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp
01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.606 leaving ldap_parse_rrentry
01-Apr-2015 12:09:13.606 make sure we have NS record here?
01-Apr-2015 12:09:13.606 diff.c:185: unexpected error:
01-Apr-2015 12:09:13.606 unexpected non-minimal diff
01-Apr-2015 12:09:13.606 ldap_entry_create dn is 'DNSRecord=A,DNSHostName=pop,DNSZoneName=example.com,ou=dns,dc=test,dc=jp'
01-Apr-2015 12:09:13.607 DLZ attrib scam map 'A' + 'DNSIPAddr'
01-Apr-2015 12:09:13.607 dns_rdatatype_fromtext GOOD attr 'ARecord'
01-Apr-2015 12:09:13.607 Matched 'DNSIPAddr' to '210.157.5.28'
01-Apr-2015 12:09:13.607 zone example.com/IN: loaded serial 1427857753

# dig -p5353 @0 example.com any

; <<>> DiG 9.6-ESV-R8 <<>> -p5353 @0 example.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22383
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;example.com.                   IN      ANY

;; ANSWER SECTION:
example.com.            600     IN      A       210.157.5.35
example.com.            600     IN      NS      dns01.example.com.
example.com.            600     IN      SOA     hostmaster.example.com.example.com. dns01.example.com. 1427857753 3600 300 3600000 600

Not entirely sure why I trip on the "unexpected non-minimal diff" INSIST. I had to comment it out.

Obviously still very much hack'n'slash, to get a feel for what is involved. We could also change the schema of course, at least long term.
Lund

--
Jorgen Lundman | Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)

From lslebodn at redhat.com Wed Apr 1 06:34:29 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 1 Apr 2015 08:34:29 +0200
Subject: [Freeipa-users] [RFC] COPR drop support for old distribution
Message-ID: <20150401063428.GA30096@mail.corp.redhat.com>

ehlo,

CentOS 7.1 was finally released[1]. Yupi.
Fedora 21 was released[2] a few months ago.

People can use FreeIPA 4.1 without any problem. So there's no more reason to maintain COPR repositories for older distributions. It will significantly reduce extra dependencies in repositories. It would be better to focus on backporting FreeIPA 4.2 in COPR. I know it has not been released yet.

LS

[1] http://lists.centos.org/pipermail/centos-announce/2015-April/021010.html
[2] https://fedoraproject.org/wiki/Releases/21/Schedule

From traiano at gmail.com Wed Apr 1 06:56:49 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 09:56:49 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
Message-ID:

Hi List

I've just tried to restart my IPA services after recently adding a new replica (0 configuration changes on the IPA server otherwise!), but ipactl fails when starting up named:

---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Job for named.service failed. See 'systemctl status named.service' and 'journalctl -xn' for details.
Failed to start named Service
Shutting down
Aborting ipactl
---

I then manually start the named service and try again, but then the smb service fails:

---
[root@lolpr-xyz-mstr ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting smb Service
Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
Failed to start smb Service
Shutting down
Aborting ipactl
---

systemctl status shows the following output for smb.service:

---
[root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 AST; 1min 14s ago
  Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 4662 (code=exited, status=1/FAILURE)
   Status: "Starting process..."
   CGroup: /system.slice/smb.service

Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]:   Failed to get base DN.
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211210, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
---

I manually try to start the smb service as follows, but can't (Of course the directory service is not up, so there's a little catch22 there and this may not mean much):

---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
   Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago
  Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 8089 (code=exited, status=1/FAILURE)
   Status: "Starting process..."

Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]:   kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]:   Failed to get base DN.
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574903, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
---

Please could someone advise me on how to drill deeper into debugging this issue to get ipactl to start ?

NOTES:
- This server is successfully in a Trust relationship with ActiveDirectory.
- There are a number of replicas established which have been working fine till this morning
- Another replica was added around the time of the failure using the same steps as usual (not sure how this could be related)

Many thanks in advance,
Traiano

From g.fer.ordas at unicyber.co.uk Wed Apr 1 07:00:04 2015
From: g.fer.ordas at unicyber.co.uk (Gonzalo Fernandez Ordas)
Date: Wed, 01 Apr 2015 00:00:04 -0700
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <2588793.PXhtNmgmCt@shdehenw2471>
References: <2588793.PXhtNmgmCt@shdehenw2471>
Message-ID: <551B9774.6020004@unicyber.co.uk>

Markus

Not sure if this might be related, but at least it is a place to look at..
https://bugzilla.redhat.com/show_bug.cgi?id=1196455

thanks

On 31/03/2015 10:54, Markus Roth wrote:
> Hi all,
>
> I want to set up freeipa 4.1.3 on a freshly installed fedora 21.
> The ipa-server-install shows the following output:
>
> configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring certmap.conf
>   [18/38]: configure autobind for root
>   [19/38]: configure new location for managed entries
>   [20/38]: configure dirsrv ccache
>   [21/38]: enable SASL mapping fallback
>   [22/38]: restarting directory server
>   [23/38]: adding default layout
>   [24/38]: adding delegation layout
>   [25/38]: creating container for managed entries
>   [26/38]: configuring user private groups
>   [27/38]: configuring netgroups from hostgroups
>   [28/38]: creating default Sudo bind user
>   [29/38]: creating default Auto Member layout
>   [30/38]: adding range check plugin
>   [31/38]: creating default HBAC rule allow_all
>   [32/38]: initializing group membership
>   [33/38]: adding master entry
>   [34/38]: configuring Posix uid/gid generation
>   [35/38]: adding replication acis
>   [36/38]: enabling compatibility plugin
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> CA did not start in 300.0s
>
> The ipa server install log shows this:
>
> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
>
> 2015-03-31T17:39:36Z DEBUG   [error] RuntimeError: CA did not start in 300.0s
> 2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1183, in main
>     ca_signing_algorithm=options.ca_signing_algorithm)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
>
> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
>
> I uninstalled the ipa server completely several times and installed it again.
> But it always stops at the same step with the setup.
>
> Can anybody help?
>
> Markus.
>

From traiano at gmail.com Wed Apr 1 07:20:34 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 10:20:34 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To:
References:
Message-ID:

Some information from the dirsrv error log (sanitized: XYZ = realm):

[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errors
[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
[01/Apr/2015:11:02:10 +0300] - All database threads now stopped
[01/Apr/2015:11:02:10 +0300] - slapd stopped.
[01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory) [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=3 [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2770 secs). Current seqnum=1 [01/Apr/2015:10:15:39 +0300] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 for LDAPS requests
[01/Apr/2015:10:15:39 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
[01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=1
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation threads
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 threads to terminate
[01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down internal subsystems and plugins
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
[01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
[01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop
[01/Apr/2015:10:16:00 +0300] - All database threads now stopped
[01/Apr/2015:10:16:00 +0300] - slapd stopped.

On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote:
> Hi List
>
> I've just tried to restart my IPA services after recently adding a new
> replica (0 configuration changes on the IPA server otherwise!), but
> ipactl fails when starting up named:
>
> ---
> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Job for named.service failed. See 'systemctl status named.service' and
> 'journalctl -xn' for details.
> Failed to start named Service
> Shutting down
> Aborting ipactl
> ---
>
> I then manually start the named service and try again, but then the smb service fails:
>
> ---
> [root at lolpr-xyz-mstr ~]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Starting pki-tomcatd Service
> Starting smb Service
> Job for smb.service failed. See 'systemctl status smb.service' and
> 'journalctl -xn' for details.
> Failed to start smb Service
> Shutting down
> Aborting ipactl
> ---
>
> systemctl status shows the following output for smb.service:
>
> ---
> [root at lolpr-xyz-mstr ~]# systemctl -l status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10
> AST; 1min 14s ago
> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
> status=1/FAILURE)
> Main PID: 4662 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
> CGroup: /system.slice/smb.service
>
> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
> 09:21:10.211210, 0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
> process exited, code=exited, status=1/FAILURE
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
> entered failed state.
> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
> ---
>
>
> I manually try to start the smb service as follows, but can't (Of
> course the directory service is not up, so there's a little catch-22
> there and this may not mean much):
>
>
> ---
>
> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
> smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago
> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
> status=1/FAILURE)
> Main PID: 8089 (code=exited, status=1/FAILURE)
> Status: "Starting process..."
>
> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN.
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
> 09:50:38.574903, 0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
> init (error was NT_STATUS_UNSUCCESSFUL)
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
> process exited, code=exited, status=1/FAILURE
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
> entered failed state.
> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>
> ---
>
> Please could someone advise me on how to drill deeper into debugging
> this issue to get ipactl to start ?
>
> NOTES:
>
> - This server is successfully in a Trust relationship with ActiveDirectory.
> - There are a number of replicas established which have been working
> fine til this morning
> - Another replica was added around the time of the failure using the
> same steps as usual (not sure how this could be related)
>
>
> Many thanks in advance,
> Traiano

From mkosek at redhat.com Wed Apr 1 07:20:39 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 09:20:39 +0200
Subject: [Freeipa-users] Migration mode fun and confusion
In-Reply-To: <551AB44A.3030108@gmail.com>
References: <551AA354.2090706@gmail.com> <551AA5DF.3090403@redhat.com> <551AB44A.3030108@gmail.com>
Message-ID: <551B9C47.1070902@redhat.com>

On 03/31/2015 04:50 PM, Janelle wrote:
>
>
> On 3/31/15 6:49 AM, Dmitri Pal wrote:
>> On 03/31/2015 09:38 AM, Janelle wrote:
>>> Hello again,
>>>
>>> Is this a feature or a bug?
>>>
>>> Migration mode - works fine the first time. However, if you need to run it a
>>> second time because someone added either new users or groups to your LDAP
>>> config and you want to bring those over, if you re-run migration, it indeed
>>> brings all the new users over, but NOT their secondary groups, only primary.
>>> And even if you have overwrite of the GID option set.
>>>
>>> Would this be expected for some reason that I may be missing, or is it a bug?
>>>
>>> Thank you
>>> ~J
>>>
>> Let me know if I get you right.
> That's it exactly.
> Ok - Bug.
> :-)

I am personally not convinced this is a bug. As Rob mentioned, this is a
migration solution, not sync. So what likely happens is that you add new
memberships to already-migrated groups (i.e. the member attribute in the
group object), which are then not migrated as they are already present in
the FreeIPA.
So if anything, I would call it an RFE, for allowing overwriting the
memberships for existing groups...

>
>>
>> Setup:
>> - Old LDAP server
>> - IPA
>>
>> Users are migrated from LDAP to IPA using migrate-ds.
>> Everything works as expected
>> Now you add users to LDAP and put them into some groups (that were already
>> migrated the first time, right?)
>> You run migrate-ds again and the new users are migrated but group membership
>> is lost.
>>
>> Is this the scenario?
>> If yes, looks like a bug.
>>
>>
>

From mkosek at redhat.com Wed Apr 1 07:29:11 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 09:29:11 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <551AE032.9090606@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <551AE032.9090606@redhat.com>
Message-ID: <551B9E47.6090107@redhat.com>

On 03/31/2015 07:58 PM, Dmitri Pal wrote:
> On 03/31/2015 01:54 PM, Markus Roth wrote:
>> Hi all,
>>
>> I want to set up freeipa 4.1.3 on a freshly installed fedora 21.
>> The ipa-server-install shows the following output:
>>
>> configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute
>> [1/38]: creating directory server user
>> [2/38]: creating directory server instance
>> [3/38]: adding default schema
>> [4/38]: enabling memberof plugin
>> [5/38]: enabling winsync plugin
>> [6/38]: configuring replication version plugin
>> [7/38]: enabling IPA enrollment plugin
>> [8/38]: enabling ldapi
>> [9/38]: configuring uniqueness plugin
>> [10/38]: configuring uuid plugin
>> [11/38]: configuring modrdn plugin
>> [12/38]: configuring DNS plugin
>> [13/38]: enabling entryUSN plugin
>> [14/38]: configuring lockout plugin
>> [15/38]: creating indices
>> [16/38]: enabling referential integrity plugin
>> [17/38]: configuring certmap.conf
>> [18/38]: configure autobind for root
>> [19/38]: configure new location for managed entries
>> [20/38]: configure dirsrv ccache
>> [21/38]: enable SASL mapping fallback
>> [22/38]: restarting directory server
>> [23/38]: adding default layout
>> [24/38]: adding delegation layout
>> [25/38]: creating container for managed entries
>> [26/38]: configuring user private groups
>> [27/38]: configuring netgroups from hostgroups
>> [28/38]: creating default Sudo bind user
>> [29/38]: creating default Auto Member layout
>> [30/38]: adding range check plugin
>> [31/38]: creating default HBAC rule allow_all
>> [32/38]: initializing group membership
>> [33/38]: adding master entry
>> [34/38]: configuring Posix uid/gid generation
>> [35/38]: adding replication acis
>> [36/38]: enabling compatibility plugin
>> [37/38]: tuning directory server
>> [38/38]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>> seconds
>> [1/27]: creating certificate server user
>> [2/27]: configuring certificate server instance
>> [3/27]: stopping certificate server instance to update CS.cfg
>> [4/27]: backing up CS.cfg
>> [5/27]: disabling nonces
>> [6/27]: set up CRL publishing
>> [7/27]: enable PKIX certificate path discovery and validation
>> [8/27]: starting certificate server instance
>> [error] RuntimeError: CA did not start in 300.0s
>> CA did not start in 300.0s
>>
>> The ipa server install log shows this:
>>
>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 382, in start_creation
>> run_step(full_msg, method)
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 372, in run_step
>> method()
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 526, in __start
>> self.start()
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 279, in start
>> self.service.start(instance_name, capture_output=capture_output,
>> wait=wait)
>> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
>> 229, in start
>> self.wait_until_running()
>> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
>> 223, in wait_until_running
>> raise RuntimeError('CA did not start in %ss' % timeout)
>> RuntimeError: CA did not start in 300.0s
>>
>> 2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
>> 2015-03-31T17:39:36Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
>> return_value = main_function()
>>
>> File "/usr/sbin/ipa-server-install", line 1183, in main
>> ca_signing_algorithm=options.ca_signing_algorithm)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 520, in configure_instance
>> self.start_creation(runtime=210)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 382, in start_creation
>> run_step(full_msg, method)
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 372, in run_step
>> method()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>> line 526, in __start
>> self.start()
>>
>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>> 279, in start
>> self.service.start(instance_name, capture_output=capture_output,
>> wait=wait)
>>
>> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
>> 229, in start
>> self.wait_until_running()
>>
>> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line
>> 223, in wait_until_running
>> raise RuntimeError('CA did not start in %ss' % timeout)
>>
>> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, exception:
>> RuntimeError: CA did not start in 300.0s
>>
>> I uninstalled the ipa server completely several times and installed it again.
>> But it always stops at the same step with the setup.
>>
>> Can anybody help?
>>
>> Markus.
>>
> Please provide install logs, and look at directory server and PKI server logs
> created during the installation.
> It seems that Dogtag did not start. It usually does not start when the DS under
> it does not start. The logs would show that.
> DS does not start because of different issues. Cannot bind to the port, for
> example. So please review the logs and see what they reveal.
>
> This might help you with details http://www.freeipa.org/page/Troubleshooting

+1. CCing Dogtag guys for reference.
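The advice in the thread above (read the directory server and PKI logs before anything else) applies just as well to the ipactl failure Traiano reports in this digest, where the dirsrv errors log already names the fault. The script below is an added example, not a message from the list and not FreeIPA's own tooling: it parses a 389-ds errors log in the format shown in these messages and pulls out the findings a practitioner wants before opening a ticket: service principals the server could not load from its keytab, and whether the realm or the fully qualified host name is missing from them (as in ldap/kwtpr-idm-mstr@), replication agreements whose GSSAPI bind failed and why, and csngen time-skew warnings compared against the 300-second default krb5 clockskew. The embedded sample lines are copied from Traiano's posted log; the regular expressions, thresholds and findings format are mine and assume the 389-ds 1.3 log format as shown here.

```python
"""Triage a 389-ds 'errors' log for the failure signatures seen in this digest."""
import re

# Constructed sample input: lines copied from the dirsrv errors log posted
# in the ipactl thread (hostnames as sanitized there).
SAMPLE_LOG = """\
[01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=3
[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
[01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[01/Apr/2015:10:16:00 +0300] - slapd stopped.
"""

# krb5 libdefaults 'clockskew' default: tickets further off than this are rejected.
KRB5_DEFAULT_CLOCKSKEW = 300

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
KEYTAB_RE = re.compile(
    r'set_krb5_creds - Could not get initial credentials for principal '
    r'\[(?P<princ>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: '
    r'(?P<code>-?\d+) \((?P<text>[^)]*)\)')
SKEW_RE = re.compile(r'csngen_new_csn - Warning: too much time skew \((?P<secs>-?\d+) secs\)')
AGMT_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): Replication bind with GSSAPI auth failed: '
    r'(?P<why>LDAP error -?\d+ \([^)]*\))')


def principal_problems(princ):
    """Flag what krb5 will trip over in a service principal taken from the log."""
    problems = []
    name, realm = princ.rsplit('@', 1) if '@' in princ else (princ, '')
    if not realm:
        problems.append('realm missing')          # "ldap/host@": no realm, no key lookup
    host = name.split('/', 1)[1] if '/' in name else ''
    if '.' not in host:
        problems.append('host not fully qualified')  # compare with `hostname -f`
    return problems


def triage(text):
    """Parse errors-log lines and collect the findings worth acting on."""
    result = {'keytab': [], 'skew': [], 'repl': {}, 'lifecycle': [], 'unparsed': 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            result['unparsed'] += 1
            continue
        ts, msg = m.group('ts'), m.group('msg')
        k = KEYTAB_RE.search(msg)
        if k:
            result['keytab'].append({
                'principal': k.group('princ'), 'keytab': k.group('keytab'),
                'code': int(k.group('code')), 'text': k.group('text'),
                'problems': principal_problems(k.group('princ'))})
            continue
        s = SKEW_RE.search(msg)
        if s:
            result['skew'].append(int(s.group('secs')))
            continue
        a = AGMT_RE.search(msg)
        if a:
            result['repl'][a.group('agmt')] = (a.group('peer'), a.group('why'))
            continue
        if msg.startswith('- slapd started.'):
            result['lifecycle'].append((ts, 'started'))
        elif msg.startswith('- slapd stopped.'):
            result['lifecycle'].append((ts, 'stopped'))
    # CSN skew is measured between replicas; beyond the krb5 tolerance it also
    # breaks GSSAPI between them, so it is checked before the keytab.
    result['skew_exceeded'] = any(abs(x) > KRB5_DEFAULT_CLOCKSKEW for x in result['skew'])
    return result


def summarize(result):
    """Human-readable findings, one per line, in the order a triage would check them."""
    lines = []
    if result['skew_exceeded']:
        lines.append("clock: CSN skew %s s exceeds krb5 clockskew %d s; fix NTP first"
                     % (result['skew'], KRB5_DEFAULT_CLOCKSKEW))
    for k in result['keytab']:
        why = ', '.join(k['problems']) or 'key really absent from keytab'
        lines.append("keytab: principal [%s] unusable from %s (%s): %s"
                     % (k['principal'], k['keytab'], k['text'], why))
    for agmt, (peer, why) in sorted(result['repl'].items()):
        lines.append("replication: %s -> %s bind failed: %s" % (agmt, peer, why))
    return lines or ['no known failure signatures found']


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print('\n'.join(summarize(triage(text))))
```

Run it with the path to /var/log/dirsrv/slapd-INSTANCE/errors as the only argument, or with no argument to run over the embedded sample. On the sample it reports the CSN skew of -2771 s (far beyond what Kerberos tolerates), the principal with an empty realm and an unqualified host, and the two agreements that failed to bind; time sync and the keytab principal come before anything in the replication layer.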
From mbabinsk at redhat.com Wed Apr 1 07:37:03 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 01 Apr 2015 09:37:03 +0200
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To:
References:
Message-ID: <551BA01F.8030707@redhat.com>

On 04/01/2015 09:20 AM, Traiano Welcome wrote:
> Some information from the dirsrv error log (sanitized: XYZ = realm):
>
> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=idm,dc=local
> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> should be added before the CoS Definition.
> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> cleanAllRUV task found, resuming the cleaning of rid(6)...
> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> should be added before the CoS Definition.
> [01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636
> for LDAPS requests
> [01/Apr/2015:11:01:49 +0300] - Listening on
> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27
> threads to terminate
> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down
> internal subsystems and plugins
> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Cleaning rid (6)...
> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Waiting to process all the updates from the deleted replica...
> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Waiting for all the replicas to be online...
> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Server shutting down. Process will resume at server startup
> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
> out)
> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -1 (Can't contact LDAP server)
> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
> LDAP server) ()
> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> errors
> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication
> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
> may provide more information (No Kerberos credentials available))
> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped
> [01/Apr/2015:11:02:10 +0300] - slapd stopped.
> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=idm,dc=local
> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> should be added before the CoS Definition.
> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> cleanAllRUV task found, resuming the cleaning of rid(6)...
> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> should be added before the CoS Definition.
> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 2 (No such file or directory)
> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time
> skew (-2771 secs). Current seqnum=3
> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time
> skew (-2770 secs). Current seqnum=1
> [01/Apr/2015:10:15:39 +0300] - slapd started.
> Listening on All Interfaces port 389 for LDAP requests
> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636
> for LDAPS requests
> [01/Apr/2015:10:15:39 +0300] - Listening on
> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin -
> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time
> skew (-2771 secs). Current seqnum=1
> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation threads
> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28
> threads to terminate
> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down
> internal subsystems and plugins
> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Cleaning rid (6)...
> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Waiting to process all the updates from the deleted replica...
> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Waiting for all the replicas to be online...
> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> Server shutting down. Process will resume at server startup
> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
> out)
> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -1 (Can't contact LDAP server)
> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
> LDAP server) ()
> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin -
> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389):
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (No Kerberos credentials
> available))
> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error:
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (No Kerberos
> credentials available)) errno 0 (Success)
> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not
> perform interactive bind for id [] authentication mechanism [GSSAPI]:
> error -2 (Local error)
> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin -
> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication
> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
> may provide more information (No Kerberos credentials available))
> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop
> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped
> [01/Apr/2015:10:16:00 +0300] - slapd stopped.
>
> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote:
>> Hi List
>>
>> I've just tried to restart my IPA services after recently adding a new
>> replica (0 configuration changes on the IPA server otherwise!), but
>> ipactl fails when starting up named:
>>
>> ---
>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Job for named.service failed. See 'systemctl status named.service' and
>> 'journalctl -xn' for details.
>> Failed to start named Service
>> Shutting down
>> Aborting ipactl
>> ---
>>
>> I then manually start the named service and try again, but then the smb service fails:
>>
>> ---
>> [root at lolpr-xyz-mstr ~]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Starting pki-tomcatd Service
>> Starting smb Service
>> Job for smb.service failed. See 'systemctl status smb.service' and
>> 'journalctl -xn' for details.
>> Failed to start smb Service
>> Shutting down
>> Aborting ipactl
>> ---
>>
>> systemctl status shows the following output for smb.service:
>>
>> ---
>> [root at lolpr-xyz-mstr ~]# systemctl -l status smb.service
>> smb.service - Samba SMB Daemon
>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10
>> AST; 1min 14s ago
>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
>> status=1/FAILURE)
>> Main PID: 4662 (code=exited, status=1/FAILURE)
>> Status: "Starting process..."
>> CGroup: /system.slice/smb.service
>>
>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information
>> (Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database)
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>> 09:21:10.211210, 0]
>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend
>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
>> init (error was NT_STATUS_UNSUCCESSFUL)
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
>> process exited, code=exited, status=1/FAILURE
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
>> Samba SMB Daemon.
>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
>> entered failed state.
>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
>> --- >> >> >> I manually try to start the smb service as follows, but can't (Of >> course the directory service is not up, so there's a little catch22 >> there and this many not mean much): >> >> >> --- >> >> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service >> smb.service - Samba SMB Daemon >> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago >> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >> status=1/FAILURE) >> Main PID: 8089 (code=exited, status=1/FAILURE) >> Status: "Starting process..." >> >> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup) >> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam) >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN. >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >> 09:50:38.574903, 0] >> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend >> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >> init (error was NT_STATUS_UNSUCCESSFUL) >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >> process exited, code=exited, status=1/FAILURE >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >> Samba SMB Daemon. >> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >> entered failed state. 
>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>
>> ---
>>
>> Please could someone advise me on how to drill deeper into debugging
>> this issue to get ipactl to start ?
>>
>> NOTES:
>>
>> - This server is successfully in a Trust relationship with ActiveDirectory.
>> - There are a number of replicas established which have been working
>> fine til this morning
>> - Another replica was added around the time of the failure using the
>> same steps as usual (not sure how this could be related)
>>
>>
>> Many thanks in advance,
>> Traiano
>

Hi Traiano,

it seems like there is some problem with Kerberos keytab for DS service.

Take a look at this guide:

http://www.freeipa.org/page/Troubleshooting#Service_does_not_start

and check whether there is something wrong with DS keytab and that the service principal is set up correctly.

-- 
Martin^3 Babinsky

From pspacek at redhat.com Wed Apr 1 07:41:56 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Apr 2015 09:41:56 +0200
Subject: [Freeipa-users] where to disable components?
In-Reply-To: <551B5C2E.6030903@redhat.com>
References: <551B58D6.4000003@gmail.com> <551B5C2E.6030903@redhat.com>
Message-ID: <551BA144.9000205@redhat.com>

On 1.4.2015 04:47, Rob Crittenden wrote:
> Janelle wrote:
>> Hello again...
>>
>> Looking around, but probably just not in the right place. I would like
>> to be able to disable httpd on all but a pair of servers, so we kind of
>> force all updates to come from a "master" and "slave" pair. Just trying
>> to keep updates defined to 2 servers rather than all of them in an 8
>> server configuration.
>>
>> Where might I find that? Or is it possible? Will it break anything?
>>
>> thank you
>> ~J
>>
>
> Not sure the complete reasoning behind that but...
>
> The safest route would be to just firewall ports 80 and 443 off. There
> is a way to tell ipactl to not start a service but I haven't thought
> through the implications.
>
> The CA interfaces on those machines will also be inaccessible.

Please keep in mind that this will not prevent users from making changes via LDAP or kpasswd protocol. E.g. password changes will be still possible, this only hides the web interface and API.

Such configuration is not tested. Here be dragons.

-- 
Petr^2 Spacek

From jhrozek at redhat.com Wed Apr 1 07:58:09 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 1 Apr 2015 09:58:09 +0200
Subject: [Freeipa-users] AD users and IPA's sudo
In-Reply-To: <7a399ff0d1b84aae8ac1ff1b8026a9b2@sib-ums01.Megafon.ru>
References: <7a399ff0d1b84aae8ac1ff1b8026a9b2@sib-ums01.Megafon.ru>
Message-ID: <20150401075809.GP3668@hendrix.redhat.com>

On Mon, Mar 30, 2015 at 08:09:43AM +0000, Alexander Frolushkin wrote:
> Hello everyone.
> We have an IPA 3 and AD domain trust.
> Users from AD successfully log on to linux servers via ssh and hbac rules work fine with external groups. But not sudo rules.
> When a rule defines IPA users as 'who', the rule works well. If it defines an external group for the corresponding AD group which the AD user is a member of, this user gets
> user at ad.com is not allowed to run sudo on host.com. This incident will be reported.
>
> In debug there are the strings
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=user at ad.com)(sudoUser=#xxxxxxxxxx)(sudoUser=%....cuted.......(sudoUser=%....cuted.....)(sudoUser=+*))(&(dataExpireTimestamp<=1427702040)))]
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0020): Error looking up SUDO rules
> (Mon Mar 30 13:54:00 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0020): Unable to retrieve expired sudo rules [5]: Input/output error
>
> I've seen a number of closed bugs with similar error message, but at last on this RHEL 6.6 server sssd is fully updated.
>
> And sorry for the huge underlined message, it is generated automatically and I have no rights to avoid it in my mails :(
>

Just to close this thread, we tracked the issue down into this SSSD bug - https://fedorahosted.org/sssd/ticket/2613

From traiano at gmail.com Wed Apr 1 08:14:01 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 11:14:01 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: <551BA01F.8030707@redhat.com>
References: <551BA01F.8030707@redhat.com>
Message-ID:

Hi Martin

Thanks for the response. Check results inline:

On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote:
> On 04/01/2015 09:20 AM, Traiano Welcome wrote:
>>
>> Some information from the dirsrv error log (sanitized: XYZ = realm):
>>
>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>> [01/Apr/2015:11:01:49 +0300] - slapd started.
Listening on All >> Interfaces port 389 for LDAP requests >> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 >> for LDAPS requests >> [01/Apr/2015:11:01:49 +0300] - Listening on >> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. 
Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation >> threads >> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 >> threads to terminate >> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down >> internal subsystems and plugins >> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Cleaning rid (6)... >> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Waiting to process all the updates from the deleted replica... 
>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Waiting for all the replicas to be online... >> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Server shutting down. Process will resume at server startup >> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >> out) >> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -1 (Can't contact LDAP server) >> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >> LDAP server) () >> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> errors >> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. 
Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >> may provide more information (No Kerberos credentials available)) >> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop >> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped >> [01/Apr/2015:11:02:10 +0300] - slapd stopped. >> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >> starting up >> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no >> entries set up under cn=computers, cn=compat,dc=idm,dc=local >> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >> should be added before the CoS Definition. >> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> cleanAllRUV task found, resuming the cleaning of rid(6)... >> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >> should be added before the CoS Definition. 
>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. Minor code may provide more information (No Kerberos >> credentials available)) errno 2 (No such file or directory) >> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >> skew (-2771 secs). Current seqnum=3 >> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >> skew (-2770 secs). Current seqnum=1 >> [01/Apr/2015:10:15:39 +0300] - slapd started. 
Listening on All >> Interfaces port 389 for LDAP requests >> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 >> for LDAPS requests >> [01/Apr/2015:10:15:39 +0300] - Listening on >> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time >> skew (-2771 secs). Current seqnum=1 >> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation >> threads >> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 >> threads to terminate >> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down >> internal subsystems and plugins >> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Cleaning rid (6)... >> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Waiting to process all the updates from the deleted replica... >> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Waiting for all the replicas to be online... >> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >> Server shutting down. 
Process will resume at server startup >> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >> out) >> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -1 (Can't contact LDAP server) >> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >> LDAP server) () >> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >> Minor code may provide more information (No Kerberos credentials >> available)) >> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >> GSS failure. 
Minor code may provide more information (No Kerberos >> credentials available)) errno 0 (Success) >> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >> perform interactive bind for id [] authentication mechanism [GSSAPI]: >> error -2 (Local error) >> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >> may provide more information (No Kerberos credentials available)) >> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >> [01/Apr/2015:10:16:00 +0300] - slapd stopped. >> >> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote: >>> >>> Hi List >>> >>> I've just tried to restart my IPA services after recently adding a new >>> replica (0 configuration changes on the IPA server otherwise!), but >>> ipactl fails when starting up named: >>> >>> --- >>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start >>> Starting Directory Service >>> Starting krb5kdc Service >>> Starting kadmin Service >>> Starting named Service >>> Job for named.service failed. See 'systemctl status named.service' and >>> 'journalctl -xn' for details. >>> Failed to start named Service >>> Shutting down >>> Aborting ipactl >>> --- >>> >>> I then manual start named service and try again, but then smb service >>> fails: >>> >>> --- >>> [root at lolpr-xyz-mstr ~]# ipactl start >>> Existing service file detected! >>> Assuming stale, cleaning and proceeding >>> Starting Directory Service >>> Starting krb5kdc Service >>> Starting kadmin Service >>> Starting named Service >>> Starting ipa_memcached Service >>> Starting httpd Service >>> Starting pki-tomcatd Service >>> Starting smb Service >>> Job for smb.service failed. 
See 'systemctl status smb.service' and >>> 'journalctl -xn' for details. >>> Failed to start smb Service >>> Shutting down >>> Aborting ipactl >>> --- >>> >>> systemctl status shows the following output for smb.service: >>> >>> --- >>> [root at lolpr-xyz-mstr ~]# systemctl -l status smb.service >>> smb.service - Samba SMB Daemon >>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 >>> AST; 1min 14s ago >>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>> status=1/FAILURE) >>> Main PID: 4662 (code=exited, status=1/FAILURE) >>> Status: "Starting process..." >>> CGroup: /system.slice/smb.service >>> >>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1 >>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: >>> Unspecified GSS failure. Minor code may provide more information >>> (Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database) >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam) >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base >>> DN. >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>> 09:21:10.211210, 0] >>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend >>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>> init (error was NT_STATUS_UNSUCCESSFUL) >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>> process exited, code=exited, status=1/FAILURE >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>> Samba SMB Daemon. >>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>> entered failed state. >>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB >>> Daemon. 
>>> --- >>> >>> >>> I manually try to start the smb service as follows, but can't (Of >>> course the directory service is not up, so there's a little catch22 >>> there and this many not mean much): >>> >>> >>> --- >>> >>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service >>> smb.service - Samba SMB Daemon >>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; >>> 57s ago >>> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>> status=1/FAILURE) >>> Main PID: 8089 (code=exited, status=1/FAILURE) >>> Status: "Starting process..." >>> >>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup) >>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam) >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base >>> DN. >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>> 09:50:38.574903, 0] >>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend >>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>> init (error was NT_STATUS_UNSUCCESSFUL) >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>> process exited, code=exited, status=1/FAILURE >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>> Samba SMB Daemon. >>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>> entered failed state. 
>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>>
>>> ---
>>>
>>> Please could someone advise me on how to drill deeper into debugging
>>> this issue to get ipactl to start ?
>>>
>>> NOTES:
>>>
>>> - This server is successfully in a Trust relationship with
>>> ActiveDirectory.
>>> - There are a number of replicas established which have been working
>>> fine til this morning
>>> - Another replica was added around the time of the failure using the
>>> same steps as usual (not sure how this could be related)
>>>
>>>
>>> Many thanks in advance,
>>> Traiano
>>
>>
>
> Hi Traiano,
>
> it seems like there is some problem with Kerberos keytab for DS service.
>
> Take a look at this guide:
>
> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start
>
> and check whether there is something wrong with DS keytab and that the
> service principal is set up correctly.
>

Walking through this pedantically:

Service does not start:

1) See service log of the respective service for the exact error text. For example, the Directory Server stores the log in /var/log/dirsrv/slapd-REALM-NAME/errors

check

2) Make sure that the server the service is running on has a fully qualified domain name

---
[root at lolpr-xyz-mstr ~]# hostname
lolpr-xyz-mstr.xyz.local
[root at lolpr-xyz-mstr ~]# host `hostname`
lolpr-xyz-mstr.xyz.local has address 172.16.100.68
[root at lolpr-xyz-mstr ~]# host 172.16.100.68
68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local.
[root at lolpr-xyz-mstr ~]#
---

3) See what keys are in the keytab used for authentication of the service, e.g.:

# klist -kt /etc/dirsrv/ds.keytab

---
[root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL
---

4) Make sure that the stored principals match the system FQDN

system name check:

---
[root at lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local
lolpr-xyz-mstr.xyz.local has address 172.16.100.68
[root at lolpr-xyz-mstr ~]#
---

5) Make sure that the version of the keys (KVNO) stored in the keytab and in the FreeIPA server match:

$ kvno ldap/ipa.example.com at EXAMPLE.COM

check ... This is unusual:

---
[root at lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL
kvno: Credentials cache keyring 'persistent:0:0' not found while getting client principal name
---

Now, when I look at my krb5.conf, I see the file has had a recent change ... yet, I'm sure this file was never edited:

Does the krb5.conf below look correct for a standard IPA primary server?:

---
[root at lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
---

---
[root at lolpr-xyz-mstr ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XYZ.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 XYZ.LOCAL = {
  kdc = lolpr-xyz-mstr.xyz.local:88
  master_kdc = lolpr-xyz-mstr.xyz.local:88
  admin_server = lolpr-xyz-mstr.xyz.local:749
  default_domain = xyz.local
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .xyz.local = XYZ.LOCAL
 xyz.local = XYZ.LOCAL

[dbmodules]
 XYZ.LOCAL = {
  db_library = ipadb.so
 }
---

6) Make sure that there are no DNS Issues and both forward and reverse DNS records of the are OK and match the system name and the stored principal keys

check. DNS works.

7) Make sure that the system time difference on the host and FreeIPA server is not greater than 5 minutes

They're one and the same in this case.

> -- 
> Martin^3 Babinsky

Thanks,
Traiano

From tlau at tetrioncapital.com Wed Apr 1 08:19:34 2015
From: tlau at tetrioncapital.com (Thomas Lau)
Date: Wed, 1 Apr 2015 16:19:34 +0800
Subject: [Freeipa-users] Power down all FreeIPA servers
Message-ID:

Hi all,

we are going to have power maintenance and need to shut down two core FreeIPA servers. Is there any sequence to shut down and power on FreeIPA servers? Anything I need to be aware of?
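The keytab checks in Traiano's walk-through above (steps 3 to 5) can be scripted. The following is an added example, not code from the thread or from FreeIPA: it parses the set_krb5_creds failures from the 389-ds errors log, the `klist -kt` listing and the `kvno` output, and reports why the principal the service asked for cannot be satisfied by the keytab (missing realm, short host name, or a KVNO mismatch). The sample inputs are constructed from the sanitised host and realm quoted above, and the `kvno` success line format "principal: kvno = N" is an assumption.

```python
"""Cross-check the principal a FreeIPA service asks for against its keytab.

Added example for this thread, not code from the list or from FreeIPA. It
parses set_krb5_creds failures from the 389-ds errors log, `klist -kt` output
and the `kvno` output of step 5 ("principal: kvno = N" is an assumed format).
Sample inputs are constructed from the sanitised names quoted in the thread."""
import re

# "[...] set_krb5_creds - Could not get initial credentials for principal
#  [ldap/host@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key ...)"
KRB5_ERR_RE = re.compile(
    r"set_krb5_creds - Could not get initial credentials for principal "
    r"\[(?P<principal>[^\]]*)\] in keytab \[(?P<keytab>[^\]]*)\]: "
    r"(?P<code>-?\d+) \((?P<msg>[^)]*)\)")

# klist -kt rows: "   2 11/06/2014 13:13:06 ldap/host@REALM"; header/dash lines
# do not start with a digit and are skipped.
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<principal>\S+)\s*$")

# kvno success line; an error line (no credential cache, as in the thread)
# simply does not match and yields no entry.
KVNO_RE = re.compile(r"^(?P<principal>\S+): kvno = (?P<kvno>\d+)\s*$")


def split_principal(principal):
    """'ldap/host@REALM' -> ('ldap', 'host', 'REALM'); realm is '' if absent."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def parse_dirsrv_errors(text):
    """Distinct (principal, keytab path, code, message) tuples, in log order."""
    seen = []
    for m in KRB5_ERR_RE.finditer(text):
        item = (m["principal"], m["keytab"], int(m["code"]), m["msg"])
        if item not in seen:
            seen.append(item)
    return seen


def parse_klist(text):
    """{principal: set of KVNOs} from `klist -kt`; one row per encryption type."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            keys.setdefault(m["principal"], set()).add(int(m["kvno"]))
    return keys


def parse_kvno(text):
    """{principal: kvno} from `kvno` output; empty when kvno itself failed."""
    matches = (KVNO_RE.match(line) for line in text.splitlines())
    return {m["principal"]: int(m["kvno"]) for m in matches if m}


def diagnose(errors_log, klist_out, kvno_out, fqdn, realm):
    """One finding per failing principal: why the keytab lookup cannot succeed."""
    findings = []
    keytab = parse_klist(klist_out)
    kdc = parse_kvno(kvno_out)
    for principal, path, _code, msg in parse_dirsrv_errors(errors_log):
        service, host, prealm = split_principal(principal)
        want = f"{service}/{fqdn}@{realm}"
        if principal not in keytab:
            why = []
            if not prealm:
                why.append("requested principal carries no realm")
            elif prealm != realm:
                why.append(f"realm {prealm} differs from {realm}")
            if host != fqdn:
                why.append(f"host part '{host}' is not the FQDN '{fqdn}'")
            hint = "; ".join(why) or "principal is simply absent from the keytab"
            findings.append(f"{principal} not in {path} ({msg}): {hint}; "
                            f"keytab holds {sorted(keytab)}, expected {want}")
        elif want in kdc and kdc[want] not in keytab.get(want, set()):
            findings.append(f"KVNO mismatch for {want}: keytab has "
                            f"{sorted(keytab.get(want, set()))}, KDC reports {kdc[want]}")
    return findings


# Constructed samples: the log asks for a short host name with no realm, as in
# the thread, while the keytab holds the proper FQDN principal.
SAMPLE_FQDN, SAMPLE_REALM = "lolpr-xyz-mstr.xyz.local", "XYZ.LOCAL"
SAMPLE_ERRORS = (
    "[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial "
    "credentials for principal [ldap/lolpr-xyz-mstr@] in keytab "
    "[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)\n"
) * 2
SAMPLE_KLIST = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
   2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
"""
SAMPLE_KVNO = "ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL: kvno = 2\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ERRORS, SAMPLE_KLIST, SAMPLE_KVNO,
                            SAMPLE_FQDN, SAMPLE_REALM):
        print(finding)
```

On a live server, feed it the errors log from step 1 and the output of `klist -kt /etc/dirsrv/ds.keytab` and `kvno` (run after a kinit, since the thread shows kvno failing without a credential cache).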
URL: From dkupka at redhat.com Wed Apr 1 09:03:20 2015 From: dkupka at redhat.com (David Kupka) Date: Wed, 01 Apr 2015 11:03:20 +0200 Subject: [Freeipa-users] Power down all FreeIPA servers In-Reply-To: References: Message-ID: <551BB458.7080501@redhat.com> On 04/01/2015 10:19 AM, Thomas Lau wrote: > Hi all, > > we are going to have power maintenance and needed to shutdown two core > FreeIPA server. Is there have any sequence to shutdown and power on FreeIPA > server? Anything I need to aware of? > > > Hello, IFAIK there is no recommended Trick. You can turn them off and on normaly (with system or using ipactl stop/start) and after they start again the replication process should continue. -- David Kupka From abokovoy at redhat.com Wed Apr 1 09:35:35 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 1 Apr 2015 12:35:35 +0300 Subject: [Freeipa-users] OTP integrations In-Reply-To: <551B246B.5060104@redhat.com> References: <551B246B.5060104@redhat.com> Message-ID: <20150401093535.GU3878@redhat.com> On Tue, 31 Mar 2015, Dmitri Pal wrote: >On 03/31/2015 05:30 PM, Andrew Holway wrote: >>Hello FreeIPA people, >> >>I must say that FreeIPA v4 looks very pretty and I am looking >>forward to trying out the new features. >> >>I'm wondering what application and tools can be used to authenticate >>with the OTP in freeipa. For instance, if we wanted to set up a VPN >>that uses it how might we go about that? Is there a common library >>that I should look out for? > >With VPN you usually do the following: >a) Pick a VPN of your choice based on features and needs you have >b) Make sure the VPN server supports different authentication methods. >You need at least RADIUS which is the most popular option and I would >be surprise to find VPN server that does not talk RADIUS to actually >do the authentication. 
>c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it
>happens) box, configure it to do kinit authentication or pam
>authentication via SSSD against IPA, see freeRADIUS manuals for more
>details
>d) Connect VPN server to the RADIUS server
>e) Provision tokens (or hook IPA to existing OTP solution using
>another RADIUS server)
>f) Profit
>
>If you have an application that can use RADIUS in such setup you can
>use FreeIPA 2FA.
>Also see http://www.freeipa.org/page/Web_App_Authentication how to
>enable any web application to take advantage of the IPA authentication
>including 2FA.
It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21, all the heavy lifting is done by SSSD:

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth

# LANG=C ipa user-show vpnuser
  User login: vpnuser
  First name: VPN
  Last name: TestUser
  Home directory: /home/vpnuser
  Login shell: /bin/sh
  Email address: vpnuser@example.com
  UID: 1792600005
  GID: 1792600005
  Account disabled: False
  User authentication types: otp
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Wed Apr 1 09:37:30 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Apr 2015 12:37:30 +0300
Subject: [Freeipa-users] where to disable components?
In-Reply-To: <551B58D6.4000003@gmail.com>
References: <551B58D6.4000003@gmail.com>
Message-ID: <20150401093730.GV3878@redhat.com>

On Tue, 31 Mar 2015, Janelle wrote:
>Hello again...
>
>Looking around, but probably just not in the right place. I would like
>to be able to disable httpd on all but a pair of servers, so we kind
>of force all updates to come from a "master" and "slave" pair. Just
>trying to keep updates defined to 2 servers rather than all of them in
>an 8 server configuration.
>
>Where might I find that? Or is it possible? Will it break anything?
You wouldn't get anything by doing such a selective 'disabling'.
Every Kerberos authentication causes updates of LDAP objects on the KDC,
so if you have 8 KDCs, all of them will be modifying the LDAP store and
replicating to each other.

-- 
/ Alexander Bokovoy

From prashant at apigee.com Wed Apr 1 09:43:46 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Wed, 1 Apr 2015 15:13:46 +0530
Subject: [Freeipa-users] nsAccountLock attribute
In-Reply-To: <551B83DB.3050401@redhat.com>
References: <551B83DB.3050401@redhat.com>
Message-ID: 

Hi Jan,

Thanks for your response.
But my problem is AmazonLinux does not support ipa-client or sssd. No
binaries available, lots of dependency issues compiling from source.

So the route I have taken is to use FreeIPA on Fedora21. And use authconfig
to enumerate users/groups. And have an SSH command to look up the keys.

Thanks.
--Prashant

On 1 April 2015 at 11:06, Jan Cholasta wrote:

> Hi,
>
> On 1.4.2015 at 07:09, Prashant Bapat wrote:
>
>> Hi ,
>>
>> Is there a way of making the nsAccountLock attribute (User
>> enable/disable) to be anonymously readable ?
>>
>> I'm trying to implement a SSH key lookup sshd authorized key command
>> script. Based on this attribute the user will be allowed to login. I
>> need this to be anonymously readable.
>>
>> Tried setting the permissions but it does not work.
>>
>> Any other ideas on this ?
>>
>
> If your SSH server is a properly configured IPA host (i.e. you had run
> ipa-client-install or ipa-server-install on it), rejecting locked user
> login should work automatically, without having to configure anything.
>
>
>> Thanks for your help.
>>
>> --Prashant
>>
>
> --
> Jan Cholasta
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mkosek at redhat.com Wed Apr 1 10:03:53 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 12:03:53 +0200
Subject: [Freeipa-users] nsAccountLock attribute
In-Reply-To: 
References: 
Message-ID: <551BC289.4080308@redhat.com>

On 04/01/2015 07:09 AM, Prashant Bapat wrote:
> Hi ,
>
> Is there a way of making the nsAccountLock attribute (User enable/disable)
> to be anonymously readable ?
>
> I'm trying to implement a SSH key lookup sshd authorized key command
> script. Based on this attribute the user will be allowed to login. I need
> this to be anonymously readable.
>
> Tried setting the permissions but it does not work.

Permissions should just work.
You can either switch the "System: Read User Addressbook Attributes"
permission on for the anonymous user, knowing all the consequences it brings
to your system, or create a new read permission just for this attribute.

BTW, note that this attribute is operational and has to be searched out
explicitly in the ldapsearch, e.g.:

# ldapsearch -Y GSSAPI -h `hostname` -b "uid=fbar,cn=users,cn=accounts,dc=f21" nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
nsaccountlock: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

Final note, new users do not have this attribute until the first time they
are enabled/disabled.

HTH,
Martin

From andrew.holway at gmail.com Wed Apr 1 11:15:03 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 1 Apr 2015 13:15:03 +0200
Subject: [Freeipa-users] OTP integrations
In-Reply-To: <20150401093535.GU3878@redhat.com>
References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com>
Message-ID: 

>
>
> It is simple to configure OpenVPN with authentication against FreeIPA in
> Fedora 21, all the heavy lifting is done by SSSD:
>

I have to say that this sssd / pam method is working very very well. I do
however need to get my head around radius. Something for a rainy Sunday I
think :).

>
> # grep plugin /etc/openvpn/server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn
> login USERNAME password PASSWORD"
>
> # LANG=C ls -l /etc/pam.d/openvpn
> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>
> # LANG=C ipa user-show vpnuser
>   User login: vpnuser
>   First name: VPN
>   Last name: TestUser
>   Home directory: /home/vpnuser
>   Login shell: /bin/sh
>   Email address: vpnuser@example.com
>   UID: 1792600005
>   GID: 1792600005
>   Account disabled: False
>   User authentication types: otp
>   Password: True
>   Member of groups: ipausers
>   Kerberos keys available: True
>
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> received command code: 0
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> USER: vpnuser
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> my_conv[0] query='login:' style=2
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> name match found, query/match-string ['login:', 'login'] = 'USERNAME'
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> my_conv[0] query='Password: ' style=1
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=vpnuser
> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth):
> authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
> user=vpnuser
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232
> PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/
> PLUGIN_AUTH_USER_PASS_VERIFY status=0
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS:
> Username/Password authentication succeeded for username 'vpnuser'
>
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
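The journal excerpt Alexander posted shows the pattern every IPA user produces behind a system-auth stack: pam_unix logs an "authentication failure" (the user has no /etc/shadow entry, so it cannot verify anything) and pam_sss then logs the real verdict. Anyone feeding the OpenVPN journal into alerting needs to pair those two lines rather than count the pam_unix line as a bad password. The following correlator is an added example, not code from the thread or from OpenVPN, SSSD or FreeIPA. It assumes /etc/pam.d/openvpn is the system-auth stack with pam_unix consulted before pam_sss (as in Alexander's setup), and that the auth-pam helper is a single long-lived process, so the PID alone does not delimit attempts. The journal lines after the first four are constructed here to show a genuine failure; the alert threshold is an arbitrary choice.

```python
import re

# Constructed sample journal. The first four lines are the ones quoted in the thread
# (pam_unix fails, pam_sss succeeds, OpenVPN reports success); the remaining lines are
# constructed here to show two genuine failures by the same user.
JOURNAL = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:31:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:04 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:35:10 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:35:12 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
"""

# Only the pam_<module>(openvpn:auth) lines carry a verdict; "ruser=" has no word
# boundary in front of "user", so \buser= picks the trailing user= field.
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S*)$"
)


def correlate(journal):
    """Group pam_* lines into authentication attempts and give each a verdict.

    The auth-pam helper (pid 29724 above) serves every request, so attempts are not
    delimited by PID. system-auth runs pam_unix first, so each pam_unix line opens a
    new attempt for that (pid, user) and the pam_sss line that follows belongs to it.
    """
    attempts, current = [], {}
    for line in journal.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue                      # AUTH-PAM chatter and TLS lines carry no verdict
        d = m.groupdict()
        key = (d["pid"], d["user"])
        if d["module"] == "pam_unix" or key not in current:
            current[key] = {"ts": d["ts"], "pid": d["pid"], "user": d["user"], "modules": []}
            attempts.append(current[key])
        current[key]["modules"].append((d["module"], d["result"]))
    for att in attempts:
        att["verdict"] = "success" if any(r == "success" for _, r in att["modules"]) else "failure"
    return attempts


def expected_noise(attempt):
    """True for the benign pattern in the thread: pam_unix cannot know an IPA user,
    pam_sss then accepted the password+token, so nothing here is a bad credential."""
    return attempt["modules"] == [("pam_unix", "failure"), ("pam_sss", "success")]


def repeated_failures(attempts, threshold=2):
    """Users whose number of failed attempts reaches the (arbitrary) threshold."""
    counts = {}
    for att in attempts:
        if att["verdict"] == "failure":
            counts[att["user"]] = counts.get(att["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    attempts = correlate(JOURNAL)
    for att in attempts:
        note = " (pam_unix miss is expected for an IPA user)" if expected_noise(att) else ""
        print(f"{att['ts']} {att['user']}: {att['verdict']}{note}")
    print("repeated failures:", repeated_failures(attempts))
```

Run it over `journalctl -u openvpn@server -o short` output in place of the constructed sample. Note that with a user whose authentication type is `otp`, as in Alexander's `ipa user-show`, the VPN client sends the password with the token value appended in the single password field; pam_sss passes that through to IPA, so a wrong or replayed token shows up as a pam_sss failure exactly like a wrong password does.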
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From bentech4you at gmail.com Wed Apr 1 11:16:57 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 1 Apr 2015 14:16:57 +0300
Subject: [Freeipa-users] ipa: ERROR: Cannot find specified domain or server name
Message-ID: 

Hi

i have installed latest FreeIPA 4.1.4 on RHEL 7.1

My DNS is working fine. I am getting good response

[root@kwtprsolipa01 ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.SUN.LOCAL.            86398  IN  SRV  0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL.        86398  IN  SRV  0 100 88  kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL.        84696  IN  SRV  0 100 88  kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 84699  IN  SRV  0 100 88  kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 86398  IN  SRV  0 100 88  kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL.             86398  IN  SRV  0 100 123 kwtprsolipa01.sun.local.

and the AD domain is pinging from the IPA server.

[root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.mha.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.mha.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44181
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.mha.local.          IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mha.local.   600     IN      SRV     0 100 389 rusmosprdc002.mha.local.
_ldap._tcp.mha.local.   600     IN      SRV     0 100 389 kwtprdc002.mha.local.
_ldap._tcp.mha.local.   600     IN      SRV     0 100 389 dxbprdc002.mha.local.
_ldap._tcp.mha.local.   600     IN      SRV     0 100 389 kwtprdc001.mha.local.
_ldap._tcp.mha.local.   600     IN      SRV     0 100 389 dxbprdc001.mha.local.

;; ADDITIONAL SECTION:
rusmosprdc002.mha.local. 3600   IN      A       192.168.115.42
kwtprdc002.mha.local.   3600    IN      A       172.16.98.171
dxbprdc002.mha.local.   3600    IN      A       10.10.10.10
kwtprdc001.mha.local.   3600    IN      A       172.16.100.180
dxbprdc001.mha.local.   3600    IN      A       10.10.10.11

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 01 13:58:24 AST 2015
;; MSG SIZE  rcvd: 332

[root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.sun.local

; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.sun.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63551
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.sun.local.          IN      SRV

;; ANSWER SECTION:
_ldap._tcp.sun.local.   84509   IN      SRV     0 100 389 kwtprsolipa01.sun.local.

;; ADDITIONAL SECTION:
kwtprsolipa01.sun.local. 182    IN      A       172.16.99.99

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 01 13:58:31 AST 2015
;; MSG SIZE  rcvd: 108

all results were as expected and i was following the exact steps from the
quick start page. but when i try to create the trust, i am getting
"ipa: ERROR: Cannot find specified domain or server name"

please help me to solve this

Regards,
Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mbabinsk at redhat.com Wed Apr 1 11:20:44 2015
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 01 Apr 2015 13:20:44 +0200
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: 
References: <551BA01F.8030707@redhat.com>
Message-ID: <551BD48C.5020902@redhat.com>

On 04/01/2015 10:14 AM, Traiano Welcome wrote:
> Hi Martin
>
> Thanks for the response.
Check results inline: > > > On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote: >> On 04/01/2015 09:20 AM, Traiano Welcome wrote: >>> >>> Some information from the dirsrv error log (sanitized: XYZ = realm): >>> >>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >>> starting up >>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no >>> entries set up under cn=computers, cn=compat,dc=idm,dc=local >>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> cleanAllRUV task found, resuming the cleaning of rid(6)... >>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All >>> Interfaces port 389 for LDAP requests >>> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 >>> for LDAPS requests >>> [01/Apr/2015:11:01:49 +0300] - Listening on >>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal 
[ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
>>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation >>> threads >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 >>> threads to terminate >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down >>> internal subsystems and plugins >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Cleaning rid (6)... >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting to process all the updates from the deleted replica... >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting for all the replicas to be online... >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Server shutting down. Process will resume at server startup >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>> out) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -1 (Can't contact LDAP server) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>> LDAP server) () >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> errors >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>> may provide more information (No Kerberos credentials available)) >>> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop >>> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped >>> [01/Apr/2015:11:02:10 +0300] - slapd stopped. 
>>> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >>> starting up >>> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no >>> entries set up under cn=computers, cn=compat,dc=idm,dc=local >>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> cleanAllRUV task found, resuming the cleaning of rid(6)... >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 2 (No such file or directory) >>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>> skew (-2771 secs). Current seqnum=3 >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>> skew (-2770 secs). Current seqnum=1 >>> [01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All >>> Interfaces port 389 for LDAP requests >>> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 >>> for LDAPS requests >>> [01/Apr/2015:10:15:39 +0300] - Listening on >>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time >>> skew (-2771 secs). Current seqnum=1 >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation >>> threads >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 >>> threads to terminate >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down >>> internal subsystems and plugins >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Cleaning rid (6)... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting to process all the updates from the deleted replica... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting for all the replicas to be online... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Server shutting down. 
Process will resume at server startup >>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>> out) >>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -1 (Can't contact LDAP server) >>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>> LDAP server) () >>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>> may provide more information (No Kerberos credentials available)) >>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >>> [01/Apr/2015:10:16:00 +0300] - slapd stopped. >>> >>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote: >>>> >>>> Hi List >>>> >>>> I've just tried to restart my IPA services after recently adding a new >>>> replica (0 configuration changes on the IPA server otherwise!), but >>>> ipactl fails when starting up named: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start >>>> Starting Directory Service >>>> Starting krb5kdc Service >>>> Starting kadmin Service >>>> Starting named Service >>>> Job for named.service failed. See 'systemctl status named.service' and >>>> 'journalctl -xn' for details. >>>> Failed to start named Service >>>> Shutting down >>>> Aborting ipactl >>>> --- >>>> >>>> I then manual start named service and try again, but then smb service >>>> fails: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr ~]# ipactl start >>>> Existing service file detected! >>>> Assuming stale, cleaning and proceeding >>>> Starting Directory Service >>>> Starting krb5kdc Service >>>> Starting kadmin Service >>>> Starting named Service >>>> Starting ipa_memcached Service >>>> Starting httpd Service >>>> Starting pki-tomcatd Service >>>> Starting smb Service >>>> Job for smb.service failed. 
See 'systemctl status smb.service' and >>>> 'journalctl -xn' for details. >>>> Failed to start smb Service >>>> Shutting down >>>> Aborting ipactl >>>> --- >>>> >>>> systemctl status shows the following output for smb.service: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr ~]# systemctl -l status smb.service >>>> smb.service - Samba SMB Daemon >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 >>>> AST; 1min 14s ago >>>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>>> status=1/FAILURE) >>>> Main PID: 4662 (code=exited, status=1/FAILURE) >>>> Status: "Starting process..." >>>> CGroup: /system.slice/smb.service >>>> >>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1 >>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: >>>> Unspecified GSS failure. Minor code may provide more information >>>> (Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base >>>> DN. >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>>> 09:21:10.211210, 0] >>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend >>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>>> init (error was NT_STATUS_UNSUCCESSFUL) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>>> process exited, code=exited, status=1/FAILURE >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>>> Samba SMB Daemon. >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>>> entered failed state. 
>>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB >>>> Daemon. >>>> --- >>>> >>>> >>>> I manually try to start the smb service as follows, but can't (Of >>>> course the directory service is not up, so there's a little catch22 >>>> there and this many not mean much): >>>> >>>> >>>> --- >>>> >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service >>>> smb.service - Samba SMB Daemon >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; >>>> 57s ago >>>> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>>> status=1/FAILURE) >>>> Main PID: 8089 (code=exited, status=1/FAILURE) >>>> Status: "Starting process..." >>>> >>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup) >>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base >>>> DN. >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:38.574903, 0] >>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend >>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>>> init (error was NT_STATUS_UNSUCCESSFUL) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>>> process exited, code=exited, status=1/FAILURE >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>>> Samba SMB Daemon. 
>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>>> entered failed state. >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# >>>> >>>> --- >>>> >>>> Please could someone advise me on how to drill deeper into debugging >>>> this issue to get ipactl to start ? >>>> >>>> NOTES: >>>> >>>> - This server is successfully in a Trust relationship with >>>> ActiveDirectory. >>>> - There are a number of replicas established which have been working >>>> fine til this morning >>>> - Another replica was added around the time of the failure using the >>>> same steps as usual (not sure how this could be related) >>>> >>>> >>>> Many thanks in advance, >>>> Traiano >>> >>> >> >> Hi Traiano, >> >> it seems like there is some problem with Kerberos keytab for DS service. >> >> Take a look at this guide: >> >> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start >> >> and check whether there is something wrong with DS keytab and that the >> service principal is set up correctly. >> > > > > Walking through this pedantically: > > Service does not start: > > 1) See service log of the respective service for the exact error text. > For example, the Directory Server stores the log in > /var/log/dirsrv/slapd-REALM-NAME/errors > > check > > 2) Make sure that the server the service is running on has a fully > qualified domain name > > --- > [root at lolpr-xyz-mstr ~]# hostname > lolpr-xyz-mstr.xyz.local > [root at lolpr-xyz-mstr ~]# host `hostname` > lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > [root at lolpr-xyz-mstr ~]# host 172.16.100.68 > 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local. 
> [root at lolpr-xyz-mstr ~]# > --- > > 3) See what keys are in the keytab used for authentication of the service, e.g.: > # klist -kt /etc/dirsrv/ds.keytab > > > --- > [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab > Keytab name: FILE:/etc/dirsrv/ds.keytab > KVNO Timestamp Principal > ---- ------------------- ------------------------------------------------------ > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > --- > > 4) Make sure that the stored principals match the system FQDN system name > > check: > > --- > [root at lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local > lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > [root at lolpr-xyz-mstr ~]# > --- > > 5) Make sure that the version of the keys (KVNO) stored in the keytab > and in the FreeIPA server match: > $ kvno ldap/ipa.example.com at EXAMPLE.COM > > > check ... This is unusual: > > --- > [root at lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > kvno: Credentials cache keyring 'persistent:0:0' not found while > getting client principal name > --- Your root account has no Kerberos credentials. Either kinit as IPA admin for root or run this command from an account that is already kinit'ed as IPA admin. > > Now, when I look at my krb5.conf, I see the file has had a recent > change ... 
yet, I'm sure this file was never edited: Does the
> krb5.conf below look correct for a standard IPA primary server?:
>
> ---
> [root at lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
> -rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
> ---
>
>
> ---
> [root at lolpr-xyz-mstr ~]# cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = XYZ.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> XYZ.LOCAL = {
> kdc = lolpr-xyz-mstr.xyz.local:88
> master_kdc = lolpr-xyz-mstr.xyz.local:88
> admin_server = lolpr-xyz-mstr.xyz.local:749
> default_domain = xyz.local
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> auth_to_local =
> RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .xyz.local = XYZ.LOCAL
> xyz.local = XYZ.LOCAL
>
> [dbmodules]
> XYZ.LOCAL = {
> db_library = ipadb.so
> }
> ---
>

This looks OK to me but I'm no Kerberos expert. I cc'ed Sumit and Simo, they should be able to help you more than I.

> 6) Make sure that there are no DNS Issues and both forward and reverse
> DNS records of the are OK and match the system name and the stored
> principal keys
>
> check. DNS works.
>
> 7) Make sure that the system time difference on the host and FreeIPA
> server is not greater than 5 minutes
>
> They're one and the same in this case.
>
>> --
>> Martin^3 Babinsky
>
> Thanks,
> Traiano
>

Just to make sure, what version of IPA are you using?
-- Martin^3 Babinsky From dpal at redhat.com Wed Apr 1 11:23:42 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 01 Apr 2015 07:23:42 -0400 Subject: [Freeipa-users] ipactl start fails for no apparent reason In-Reply-To: References: <551BA01F.8030707@redhat.com> Message-ID: <551BD53E.8070203@redhat.com> On 04/01/2015 04:14 AM, Traiano Welcome wrote: > Hi Martin > > Thanks for the response. Check results inline: > > > On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote: >> On 04/01/2015 09:20 AM, Traiano Welcome wrote: >>> Some information from the dirsrv error log (sanitized: XYZ = realm): >>> >>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >>> starting up >>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no >>> entries set up under cn=computers, cn=compat,dc=idm,dc=local >>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> cleanAllRUV task found, resuming the cleaning of rid(6)... >>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:11:01:49 +0300] - slapd started. 
Listening on All >>> Interfaces port 389 for LDAP requests >>> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 >>> for LDAPS requests >>> [01/Apr/2015:11:01:49 +0300] - Listening on >>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation >>> threads >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 >>> threads to terminate >>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down >>> internal subsystems and plugins >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Cleaning rid (6)... 
>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting to process all the updates from the deleted replica... >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting for all the replicas to be online... >>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Server shutting down. Process will resume at server startup >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>> out) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -1 (Can't contact LDAP server) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>> LDAP server) () >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
>>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> errors >>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>> may provide more information (No Kerberos credentials available)) >>> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop >>> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped >>> [01/Apr/2015:11:02:10 +0300] - slapd stopped. >>> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >>> starting up >>> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no >>> entries set up under cn=computers, cn=compat,dc=idm,dc=local >>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> cleanAllRUV task found, resuming the cleaning of rid(6)... 
>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>> should be added before the CoS Definition. >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 2 (No such file or directory) >>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>> skew (-2771 secs). Current seqnum=3 >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
>>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>> skew (-2770 secs). Current seqnum=1 >>> [01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All >>> Interfaces port 389 for LDAP requests >>> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 >>> for LDAPS requests >>> [01/Apr/2015:10:15:39 +0300] - Listening on >>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time >>> skew (-2771 secs). 
Current seqnum=1 >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation >>> threads >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 >>> threads to terminate >>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down >>> internal subsystems and plugins >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Cleaning rid (6)... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting to process all the updates from the deleted replica... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Waiting for all the replicas to be online... >>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>> Server shutting down. Process will resume at server startup >>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>> out) >>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -1 (Can't contact LDAP server) >>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>> LDAP server) () >>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. 
Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>> Minor code may provide more information (No Kerberos credentials >>> available)) >>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>> GSS failure. Minor code may provide more information (No Kerberos >>> credentials available)) errno 0 (Success) >>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>> error -2 (Local error) >>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>> may provide more information (No Kerberos credentials available)) >>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >>> [01/Apr/2015:10:16:00 +0300] - slapd stopped. 
>>> >>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote: >>>> Hi List >>>> >>>> I've just tried to restart my IPA services after recently adding a new >>>> replica (0 configuration changes on the IPA server otherwise!), but >>>> ipactl fails when starting up named: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start >>>> Starting Directory Service >>>> Starting krb5kdc Service >>>> Starting kadmin Service >>>> Starting named Service >>>> Job for named.service failed. See 'systemctl status named.service' and >>>> 'journalctl -xn' for details. >>>> Failed to start named Service >>>> Shutting down >>>> Aborting ipactl >>>> --- >>>> >>>> I then manual start named service and try again, but then smb service >>>> fails: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr ~]# ipactl start >>>> Existing service file detected! >>>> Assuming stale, cleaning and proceeding >>>> Starting Directory Service >>>> Starting krb5kdc Service >>>> Starting kadmin Service >>>> Starting named Service >>>> Starting ipa_memcached Service >>>> Starting httpd Service >>>> Starting pki-tomcatd Service >>>> Starting smb Service >>>> Job for smb.service failed. See 'systemctl status smb.service' and >>>> 'journalctl -xn' for details. >>>> Failed to start smb Service >>>> Shutting down >>>> Aborting ipactl >>>> --- >>>> >>>> systemctl status shows the following output for smb.service: >>>> >>>> --- >>>> [root at lolpr-xyz-mstr ~]# systemctl -l status smb.service >>>> smb.service - Samba SMB Daemon >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 >>>> AST; 1min 14s ago >>>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>>> status=1/FAILURE) >>>> Main PID: 4662 (code=exited, status=1/FAILURE) >>>> Status: "Starting process..." 
>>>> CGroup: /system.slice/smb.service >>>> >>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1 >>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: >>>> Unspecified GSS failure. Minor code may provide more information >>>> (Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base >>>> DN. >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 >>>> 09:21:10.211210, 0] >>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend >>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>>> init (error was NT_STATUS_UNSUCCESSFUL) >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>>> process exited, code=exited, status=1/FAILURE >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>>> Samba SMB Daemon. >>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>>> entered failed state. >>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB >>>> Daemon. >>>> --- >>>> >>>> >>>> I manually try to start the smb service as follows, but can't (Of >>>> course the directory service is not up, so there's a little catch22 >>>> there and this many not mean much): >>>> >>>> >>>> --- >>>> >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service >>>> smb.service - Samba SMB Daemon >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; >>>> 57s ago >>>> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, >>>> status=1/FAILURE) >>>> Main PID: 8089 (code=exited, status=1/FAILURE) >>>> Status: "Starting process..." 
>>>> >>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup) >>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: >>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base >>>> DN. >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 >>>> 09:50:38.574903, 0] >>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend >>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly >>>> init (error was NT_STATUS_UNSUCCESSFUL) >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main >>>> process exited, code=exited, status=1/FAILURE >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start >>>> Samba SMB Daemon. >>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service >>>> entered failed state. >>>> [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# >>>> >>>> --- >>>> >>>> Please could someone advise me on how to drill deeper into debugging >>>> this issue to get ipactl to start ? >>>> >>>> NOTES: >>>> >>>> - This server is successfully in a Trust relationship with >>>> ActiveDirectory. 
>>>> - There are a number of replicas established which have been working >>>> fine til this morning >>>> - Another replica was added around the time of the failure using the >>>> same steps as usual (not sure how this could be related) >>>> >>>> >>>> Many thanks in advance, >>>> Traiano >>> >> Hi Traiano, >> >> it seems like there is some problem with Kerberos keytab for DS service. >> >> Take a look at this guide: >> >> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start >> >> and check whether there is something wrong with DS keytab and that the >> service principal is set up correctly. >> > > > Walking through this pedantically: > > Service does not start: > > 1) See service log of the respective service for the exact error text. > For example, the Directory Server stores the log in > /var/log/dirsrv/slapd-REALM-NAME/errors > > check > > 2) Make sure that the server the service is running on has a fully > qualified domain name > > --- > [root at lolpr-xyz-mstr ~]# hostname > lolpr-xyz-mstr.xyz.local > [root at lolpr-xyz-mstr ~]# host `hostname` > lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > [root at lolpr-xyz-mstr ~]# host 172.16.100.68 > 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local. 
> [root at lolpr-xyz-mstr ~]# > --- > > 3) See what keys are in the keytab used for authentication of the service, e.g.: > # klist -kt /etc/dirsrv/ds.keytab > > > --- > [root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab > Keytab name: FILE:/etc/dirsrv/ds.keytab > KVNO Timestamp Principal > ---- ------------------- ------------------------------------------------------ > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > --- > > 4) Make sure that the stored principals match the system FQDN system name > > check: > > --- > [root at lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local > lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > [root at lolpr-xyz-mstr ~]# > --- > > 5) Make sure that the version of the keys (KVNO) stored in the keytab > and in the FreeIPA server match: > $ kvno ldap/ipa.example.com at EXAMPLE.COM > > > check ... This is unusual: > > --- > [root at lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > kvno: Credentials cache keyring 'persistent:0:0' not found while > getting client principal name > --- > > Now, when I look at my krb5.conf, I see the file has had a recent > change ... 
yet, I'm sure this file was never edited: Does the
> krb5.conf below look correct for a standard IPA primary server?:
>
> ---
> [root at lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
> -rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
> ---
>
>
> ---
> [root at lolpr-xyz-mstr ~]# cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = XYZ.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> XYZ.LOCAL = {
> kdc = lolpr-xyz-mstr.xyz.local:88
> master_kdc = lolpr-xyz-mstr.xyz.local:88
> admin_server = lolpr-xyz-mstr.xyz.local:749
> default_domain = xyz.local
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> auth_to_local =
> RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
> auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .xyz.local = XYZ.LOCAL
> xyz.local = XYZ.LOCAL
>
> [dbmodules]
> XYZ.LOCAL = {
> db_library = ipadb.so
> }
> ---

I do not see any glaring problems in this file. This seems to be 4.1 bits. There is definitely something wrong with the Kerberos part though. And the fact that you can't access the credential cache is pointing to a problem. Do you see any SELinux denials? If the file was touched, maybe it was touched by a recent update or installation of some other package on the system. The update/install might have set the wrong context on the cred cache, causing problems like this. Anything interesting in the KDC log?

>
> 6) Make sure that there are no DNS Issues and both forward and reverse
> DNS records of the are OK and match the system name and the stored
> principal keys
>
> check. DNS works.
>
> 7) Make sure that the system time difference on the host and FreeIPA
> server is not greater than 5 minutes
>
> They're one and the same in this case.
> >> -- >> Martin^3 Babinsky > Thanks, > Traiano > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From traiano at gmail.com Wed Apr 1 11:33:40 2015 From: traiano at gmail.com (Traiano Welcome) Date: Wed, 1 Apr 2015 14:33:40 +0300 Subject: [Freeipa-users] ipactl start fails for no apparent reason In-Reply-To: <551BD48C.5020902@redhat.com> References: <551BA01F.8030707@redhat.com> <551BD48C.5020902@redhat.com> Message-ID: On Wed, Apr 1, 2015 at 2:20 PM, Martin Babinsky wrote: > On 04/01/2015 10:14 AM, Traiano Welcome wrote: >> >> Hi Martin >> >> Thanks for the response. Check results inline: >> >> >> On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky >> wrote: >>> >>> On 04/01/2015 09:20 AM, Traiano Welcome wrote: >>>> >>>> >>>> Some information from the dirsrv error log (sanitized: XYZ = realm): >>>> >>>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 >>>> starting up >>>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no >>>> entries set up under cn=computers, cn=compat,dc=idm,dc=local >>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>>> should be added before the CoS Definition. >>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>> cleanAllRUV task found, resuming the cleaning of rid(6)... >>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>>> should be added before the CoS Definition. >>>> [01/Apr/2015:11:01:49 +0300] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests
>>>> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> errors
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
>>>> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped
>>>> [01/Apr/2015:11:02:10 +0300] - slapd stopped.
>>>> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
>>>> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
>>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory)
>>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=3
>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time skew (-2770 secs). Current seqnum=1
>>>> [01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [01/Apr/2015:10:15:39 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
>>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time skew (-2771 secs). Current seqnum=1
>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation threads
>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 threads to terminate
>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down internal subsystems and plugins
>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop
>>>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped
>>>> [01/Apr/2015:10:16:00 +0300] - slapd stopped.
>>>>
>>>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote:
>>>>>
>>>>> Hi List
>>>>>
>>>>> I've just tried to restart my IPA services after recently adding a new replica (0 configuration changes on the IPA server otherwise!), but ipactl fails when starting up named:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Job for named.service failed. See 'systemctl status named.service' and 'journalctl -xn' for details.
>>>>> Failed to start named Service
>>>>> Shutting down
>>>>> Aborting ipactl
>>>>> ---
>>>>>
>>>>> I then manually start the named service and try again, but then the smb service fails:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr ~]# ipactl start
>>>>> Existing service file detected!
>>>>> Assuming stale, cleaning and proceeding
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Starting ipa_memcached Service
>>>>> Starting httpd Service
>>>>> Starting pki-tomcatd Service
>>>>> Starting smb Service
>>>>> Job for smb.service failed. See 'systemctl status smb.service' and 'journalctl -xn' for details.
>>>>> Failed to start smb Service
>>>>> Shutting down
>>>>> Aborting ipactl
>>>>> ---
>>>>>
>>>>> systemctl status shows the following output for smb.service:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
>>>>> smb.service - Samba SMB Daemon
>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 AST; 1min 14s ago
>>>>>   Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
>>>>>  Main PID: 4662 (code=exited, status=1/FAILURE)
>>>>>    Status: "Starting process..."
>>>>>    CGroup: /system.slice/smb.service
>>>>>
>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211210, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
>>>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
>>>>> ---
>>>>>
>>>>> I manually try to start the smb service as follows, but can't (of course the directory service is not up, so there's a little catch-22 there and this may not mean much):
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
>>>>> smb.service - Samba SMB Daemon
>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago
>>>>>   Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
>>>>>  Main PID: 8089 (code=exited, status=1/FAILURE)
>>>>>    Status: "Starting process..."
>>>>>
>>>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN.
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574903, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>>>> ---
>>>>>
>>>>> Please could someone advise me on how to drill deeper into debugging this issue to get ipactl to start?
>>>>>
>>>>> NOTES:
>>>>>
>>>>> - This server is successfully in a Trust relationship with Active Directory.
>>>>> - There are a number of replicas established which have been working fine until this morning.
>>>>> - Another replica was added around the time of the failure using the same steps as usual (not sure how this could be related).
>>>>>
>>>>> Many thanks in advance,
>>>>> Traiano
>>>>
>>>
>>> Hi Traiano,
>>>
>>> it seems like there is some problem with the Kerberos keytab for the DS service.
>>>
>>> Take a look at this guide:
>>>
>>> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start
>>>
>>> and check whether there is something wrong with the DS keytab and that the service principal is set up correctly.
>>>
>>
>> Walking through this pedantically:
>>
>> Service does not start:
>>
>> 1) See service log of the respective service for the exact error text. For example, the Directory Server stores the log in /var/log/dirsrv/slapd-REALM-NAME/errors
>>
>> check
>>
>> 2) Make sure that the server the service is running on has a fully qualified domain name
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# hostname
>> lolpr-xyz-mstr.xyz.local
>> [root@lolpr-xyz-mstr ~]# host `hostname`
>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>> [root@lolpr-xyz-mstr ~]# host 172.16.100.68
>> 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local.
>> [root@lolpr-xyz-mstr ~]#
>> ---
>>
>> 3) See what keys are in the keytab used for authentication of the service, e.g.:
>> # klist -kt /etc/dirsrv/ds.keytab
>>
>> ---
>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp           Principal
>> ---- ------------------- ------------------------------------------------------
>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> ---
>>
>> 4) Make sure that the stored principals match the system FQDN
>>
>> check:
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local
>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>> [root@lolpr-xyz-mstr ~]#
>> ---
>>
>> 5) Make sure that the version of the keys (KVNO) stored in the keytab and in the FreeIPA server match:
>> $ kvno ldap/ipa.example.com@EXAMPLE.COM
>>
>> check ... This is unusual:
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> kvno: Credentials cache keyring 'persistent:0:0' not found while getting client principal name
>> ---
>
> Your root account has no Kerberos credentials. Either kinit as IPA admin for root or run this command from an account that is already kinit'ed as IPA admin.
>

True, but since the IPA services are all down, I don't think kinit should work (I think the IPA Kerberos service would at least need to be up to bootstrap this?):

[root@lolpr-xyz-mstr ~]# klist
klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)
[root@lolpr-xyz-mstr ~]# kinit
kinit: Cannot contact any KDC for realm 'XYZ.LOCAL' while getting initial credentials
[root@lolpr-xyz-mstr ~]# kinit admin@XYZ.LOCAL
kinit: Cannot contact any KDC for realm 'XYZ.LOCAL' while getting initial credentials
[root@lolpr-xyz-mstr ~]#

>>
>> Now, when I look at my krb5.conf, I see the file has had a recent change ... yet I'm sure this file was never edited. Does the krb5.conf below look correct for a standard IPA primary server?
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
>> -rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
>> ---
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# cat /etc/krb5.conf
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = XYZ.LOCAL
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>>  XYZ.LOCAL = {
>>   kdc = lolpr-xyz-mstr.xyz.local:88
>>   master_kdc = lolpr-xyz-mstr.xyz.local:88
>>   admin_server = lolpr-xyz-mstr.xyz.local:749
>>   default_domain = xyz.local
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   auth_to_local = RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
>>   auth_to_local = DEFAULT
>>  }
>>
>> [domain_realm]
>>  .xyz.local = XYZ.LOCAL
>>  xyz.local = XYZ.LOCAL
>>
>> [dbmodules]
>>  XYZ.LOCAL = {
>>   db_library = ipadb.so
>>  }
>> ---
>
> This looks OK to me but I'm no Kerberos expert. I cc'ed Sumit and Simo, they should be able to help you more than I.
>
>> 6) Make sure that there are no DNS issues and both forward and reverse DNS records of the host are OK and match the system name and the stored principal keys
>>
>> check. DNS works.
>>
>> 7) Make sure that the system time difference on the host and FreeIPA server is not greater than 5 minutes
>>
>> They're one and the same in this case.
>>
>>> --
>>> Martin^3 Babinsky
>>
>> Thanks,
>> Traiano
>>
>
> Just to make sure, what version of IPA are you using?

IPA 3.3, installed off the CentOS7 ISO: CentOS Linux release 7.0.1406 (Core):

---
rpm -qa | grep ipa:
sssd-ipa-1.11.2-65.el7.x86_64
ipa-server-3.3.3-28.el7.centos.x86_64
libipa_hbac-python-1.11.2-65.el7.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-3.3.3-28.el7.centos.x86_64
ipa-server-trust-ad-3.3.3-28.el7.centos.x86_64
libipa_hbac-1.11.2-65.el7.x86_64
iniparser-3.1-5.el7.x86_64
ipa-client-3.3.3-28.el7.centos.x86_64
ipa-python-3.3.3-28.el7.centos.x86_64
---

>
> --
> Martin^3 Babinsky

From roberto.cornacchia at gmail.com Wed Apr 1 11:38:56 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Wed, 1 Apr 2015 13:38:56 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <2588793.PXhtNmgmCt@shdehenw2471>
References: <2588793.PXhtNmgmCt@shdehenw2471>
Message-ID:

I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process.

Roberto

On 31 March 2015 at 19:54, Markus Roth wrote:

> Hi all,
>
> I want to set up freeipa 4.1.3 on a freshly installed Fedora 21.
> The ipa-server-install shows the following output:
>
> configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
>   [1/38]: creating directory server user
>   [2/38]: creating directory server instance
>   [3/38]: adding default schema
>   [4/38]: enabling memberof plugin
>   [5/38]: enabling winsync plugin
>   [6/38]: configuring replication version plugin
>   [7/38]: enabling IPA enrollment plugin
>   [8/38]: enabling ldapi
>   [9/38]: configuring uniqueness plugin
>   [10/38]: configuring uuid plugin
>   [11/38]: configuring modrdn plugin
>   [12/38]: configuring DNS plugin
>   [13/38]: enabling entryUSN plugin
>   [14/38]: configuring lockout plugin
>   [15/38]: creating indices
>   [16/38]: enabling referential integrity plugin
>   [17/38]: configuring certmap.conf
>   [18/38]: configure autobind for root
>   [19/38]: configure new location for managed entries
>   [20/38]: configure dirsrv ccache
>   [21/38]: enable SASL mapping fallback
>   [22/38]: restarting directory server
>   [23/38]: adding default layout
>   [24/38]: adding delegation layout
>   [25/38]: creating container for managed entries
>   [26/38]: configuring user private groups
>   [27/38]: configuring netgroups from hostgroups
>   [28/38]: creating default Sudo bind user
>   [29/38]: creating default Auto Member layout
>   [30/38]: adding range check plugin
>   [31/38]: creating default HBAC rule allow_all
>   [32/38]: initializing group membership
>   [33/38]: adding master entry
>   [34/38]: configuring Posix uid/gid generation
>   [35/38]: adding replication acis
>   [36/38]: enabling compatibility plugin
>   [37/38]: tuning directory server
>   [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
>   [error] RuntimeError: CA did not start in 300.0s
> CA did not start in 300.0s
>
> The ipa server install log shows this:
>
> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
> RuntimeError: CA did not start in 300.0s
>
> 2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in 300.0s
> 2015-03-31T17:39:36Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1183, in main
>     ca_signing_algorithm=options.ca_signing_algorithm)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
>     self.start_creation(runtime=210)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
>     run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
>     method()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 526, in __start
>     self.start()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 279, in start
>     self.service.start(instance_name, capture_output=capture_output, wait=wait)
>
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 229, in start
>     self.wait_until_running()
>
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 223, in wait_until_running
>     raise RuntimeError('CA did not start in %ss' % timeout)
>
> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, exception: RuntimeError: CA did not start in 300.0s
>
> I uninstalled the ipa server completely several times and installed it again. But it always stops at the same step with the setup.
>
> Can anybody help?
>
> Markus.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From traiano at gmail.com Wed Apr 1 11:52:20 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 14:52:20 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: <551BD53E.8070203@redhat.com>
References: <551BA01F.8030707@redhat.com> <551BD53E.8070203@redhat.com>
Message-ID:

Hi Dmitri

On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal wrote:
> On 04/01/2015 04:14 AM, Traiano Welcome wrote:
>>
>> Hi Martin
>>
>> Thanks for the response. Check results inline:
>>
>> On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote:
>>>
>>> On 04/01/2015 09:20 AM, Traiano Welcome wrote:
>>>>
>>>> Some information from the dirsrv error log (sanitized: XYZ = realm):
>>>>
>>>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
>>>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
>>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
>>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>>>> [01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>>> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 for LDAPS requests
>>>> [01/Apr/2015:11:01:49 +0300] - Listening on /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/kwtpr-idm-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation threads
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 threads to terminate
>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down internal subsystems and plugins
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed out)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> errors
>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success)
>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error)
>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available))
>>>> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
>>>> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped
>>>> [01/Apr/2015:11:02:10 +0300] - slapd stopped.
>>>> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
>>>> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=idm,dc=local
>>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which should be added before the CoS Definition.
>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password >>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which >>>> should be added before the CoS Definition. >>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>> GSS failure. Minor code may provide more information (No Kerberos >>>> credentials available)) errno 2 (No such file or directory) >>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -2 (Local error) >>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>>> skew (-2771 secs). Current seqnum=3 >>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): >>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
>>>> Minor code may provide more information (No Kerberos credentials >>>> available)) >>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial >>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab >>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) >>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time >>>> skew (-2770 secs). Current seqnum=1 >>>> [01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All >>>> Interfaces port 389 for LDAP requests >>>> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 >>>> for LDAPS requests >>>> [01/Apr/2015:10:15:39 +0300] - Listening on >>>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests >>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>> GSS failure. Minor code may provide more information (No Kerberos >>>> credentials available)) errno 0 (Success) >>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -2 (Local error) >>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - >>>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): >>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>>> Minor code may provide more information (No Kerberos credentials >>>> available)) >>>> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time >>>> skew (-2771 secs). 
Current seqnum=1 >>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation >>>> threads >>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 >>>> threads to terminate >>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down >>>> internal subsystems and plugins >>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>> Cleaning rid (6)... >>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>> Waiting to process all the updates from the deleted replica... >>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>> Waiting for all the replicas to be online... >>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>> Server shutting down. Process will resume at server startup >>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>>> out) >>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -1 (Can't contact LDAP server) >>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>>> LDAP server) () >>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>> GSS failure. 
Minor code may provide more information (No Kerberos >>>> credentials available)) errno 0 (Success) >>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -2 (Local error) >>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>>> Minor code may provide more information (No Kerberos credentials >>>> available)) >>>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>> GSS failure. Minor code may provide more information (No Kerberos >>>> credentials available)) errno 0 (Success) >>>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>> error -2 (Local error) >>>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >>>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>>> may provide more information (No Kerberos credentials available)) >>>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >>>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >>>> [01/Apr/2015:10:16:00 +0300] - slapd stopped. 
>>>>
>>>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome
>>>> wrote:
>>>>>
>>>>> Hi List
>>>>>
>>>>> I've just tried to restart my IPA services after recently adding a new
>>>>> replica (0 configuration changes on the IPA server otherwise!), but
>>>>> ipactl fails when starting up named:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Job for named.service failed. See 'systemctl status named.service' and
>>>>> 'journalctl -xn' for details.
>>>>> Failed to start named Service
>>>>> Shutting down
>>>>> Aborting ipactl
>>>>> ---
>>>>>
>>>>> I then manually start the named service and try again, but then the smb
>>>>> service fails:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr ~]# ipactl start
>>>>> Existing service file detected!
>>>>> Assuming stale, cleaning and proceeding
>>>>> Starting Directory Service
>>>>> Starting krb5kdc Service
>>>>> Starting kadmin Service
>>>>> Starting named Service
>>>>> Starting ipa_memcached Service
>>>>> Starting httpd Service
>>>>> Starting pki-tomcatd Service
>>>>> Starting smb Service
>>>>> Job for smb.service failed. See 'systemctl status smb.service' and
>>>>> 'journalctl -xn' for details.
>>>>> Failed to start smb Service
>>>>> Shutting down
>>>>> Aborting ipactl
>>>>> ---
>>>>>
>>>>> systemctl status shows the following output for smb.service:
>>>>>
>>>>> ---
>>>>> [root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
>>>>> smb.service - Samba SMB Daemon
>>>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10
>>>>> AST; 1min 14s ago
>>>>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
>>>>> status=1/FAILURE)
>>>>> Main PID: 4662 (code=exited, status=1/FAILURE)
>>>>> Status: "Starting process..."
>>>>> CGroup: /system.slice/smb.service
>>>>>
>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step
>>>>> 1
>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error:
>>>>> Unspecified GSS failure. Minor code may provide more information
>>>>> (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>>>>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base
>>>>> DN.
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>>>>> 09:21:10.211210, 0]
>>>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend
>>>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
>>>>> init (error was NT_STATUS_UNSUCCESSFUL)
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
>>>>> process exited, code=exited, status=1/FAILURE
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
>>>>> Samba SMB Daemon.
>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
>>>>> entered failed state.
>>>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB
>>>>> Daemon.
>>>>> ---
>>>>>
>>>>>
>>>>> I manually try to start the smb service as follows, but can't (of
>>>>> course the directory service is not up, so there's a little catch-22
>>>>> there and this may not mean much):
>>>>>
>>>>>
>>>>> ---
>>>>>
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
>>>>> smb.service - Samba SMB Daemon
>>>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38
>>>>> AST;
>>>>> 57s ago
>>>>> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
>>>>> status=1/FAILURE)
>>>>> Main PID: 8089 (code=exited, status=1/FAILURE)
>>>>> Status: "Starting process..."
>>>>>
>>>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
>>>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
>>>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base
>>>>> DN.
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>> 09:50:38.574903, 0]
>>>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend
>>>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
>>>>> init (error was NT_STATUS_UNSUCCESSFUL)
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
>>>>> process exited, code=exited, status=1/FAILURE
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
>>>>> Samba SMB Daemon.
>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
>>>>> entered failed state.
>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>>>>
>>>>> ---
>>>>>
>>>>> Please could someone advise me on how to drill deeper into debugging
>>>>> this issue to get ipactl to start?
>>>>>
>>>>> NOTES:
>>>>>
>>>>> - This server is successfully in a Trust relationship with
>>>>> ActiveDirectory.
>>>>> - There are a number of replicas established which have been working
>>>>> fine till this morning
>>>>> - Another replica was added around the time of the failure using the
>>>>> same steps as usual (not sure how this could be related)
>>>>>
>>>>>
>>>>> Many thanks in advance,
>>>>> Traiano
>>>>
>>>>
>>> Hi Traiano,
>>>
>>> it seems like there is some problem with the Kerberos keytab for the DS service.
>>>
>>> Take a look at this guide:
>>>
>>> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start
>>>
>>> and check whether there is something wrong with the DS keytab and that the
>>> service principal is set up correctly.
>>>
>>
>>
>> Walking through this pedantically:
>>
>> Service does not start:
>>
>> 1) See service log of the respective service for the exact error text.
>> For example, the Directory Server stores the log in
>> /var/log/dirsrv/slapd-REALM-NAME/errors
>>
>> check
>>
>> 2) Make sure that the server the service is running on has a fully
>> qualified domain name
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# hostname
>> lolpr-xyz-mstr.xyz.local
>> [root@lolpr-xyz-mstr ~]# host `hostname`
>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>> [root@lolpr-xyz-mstr ~]# host 172.16.100.68
>> 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local.
>> [root@lolpr-xyz-mstr ~]#
>> ---
>>
>> 3) See what keys are in the keytab used for authentication of the service,
>> e.g.:
>> # klist -kt /etc/dirsrv/ds.keytab
>>
>>
>> ---
>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp Principal
>> ---- -------------------
>> ------------------------------------------------------
>> 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> ---
>>
>> 4) Make sure that the stored principals match the system FQDN
>>
>> check:
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local
>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>> [root@lolpr-xyz-mstr ~]#
>> ---
>>
>> 5) Make sure that the version of the keys (KVNO) stored in the keytab
>> and in the FreeIPA server match:
>> $ kvno ldap/ipa.example.com@EXAMPLE.COM
>>
>>
>> check ... This is unusual:
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>> kvno: Credentials cache keyring 'persistent:0:0' not found while
>> getting client principal name
>> ---
>>
>> Now, when I look at my krb5.conf, I see the file has had a recent
>> change ... yet, I'm sure this file was never edited. Does the
>> krb5.conf below look correct for a standard IPA primary server?
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
>> -rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
>> ---
>>
>>
>> ---
>> [root@lolpr-xyz-mstr ~]# cat /etc/krb5.conf
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = XYZ.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> XYZ.LOCAL = {
>> kdc = lolpr-xyz-mstr.xyz.local:88
>> master_kdc = lolpr-xyz-mstr.xyz.local:88
>> admin_server = lolpr-xyz-mstr.xyz.local:749
>> default_domain = xyz.local
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> auth_to_local =
>> RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
>> auth_to_local = DEFAULT
>> }
>>
>> [domain_realm]
>> .xyz.local = XYZ.LOCAL
>> xyz.local = XYZ.LOCAL
>>
>> [dbmodules]
>> XYZ.LOCAL = {
>> db_library = ipadb.so
>> }
>> ---
>
>
>
> I do not see any glaring problems in this file.
> This seems to be 4.1 bits.

IPA 3.3 on CentOS release 7.0.1406 (Core)

> There is definitely something wrong with the Kerberos part though.
> And the fact that you can't access credential cache is pointing to a
> problem.

Yes. Trying to start the krb5kdc service manually:

---
job for krb5kdc.service failed. See 'systemctl status krb5kdc.service'
and 'journalctl -xn' for details.
---

Checking the krb5kdc.service status:

---
[root@lolpr-xyz-mstr log]# systemctl status krb5kdc.service
krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
Active: failed (Result: exit-code) since Wed 2015-04-01 14:42:15 AST; 7s ago
Process: 3884 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Starting Kerberos 5 KDC...
Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local krb5kdc[3884]: krb5kdc: cannot initialize realm XYZ.LOCAL - see log file for details
Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Kerberos 5 KDC.
Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Unit krb5kdc.service entered failed state.
---

Checking the logs:

---
[root@lolpr-xyz-mstr log]# cat krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL
---

> Do you see any selinux denials?

SELinux has been disabled for months. I see this is still so in the selinux conf:

SELINUX=disabled

> If the file was touched may be it was touched by recent update or
> installation of some other package on the system.
> The update/install might have set wrong context on the cred cache causing
> problems like this.

I've been careful to disable all external repos on the system since
installation, so I'm only using packages on the original installation iso.
It's a hermetically sealed system from the package point of view:

[root@lolpr-xyz-mstr yum.repos.d]# ls -l
total 4
-rw-r--r--. 1 root root 133 Nov 5 19:06 CentOS-Local.repo
[root@lolpr-xyz-mstr yum.repos.d]#
[root@lolpr-xyz-mstr yum.repos.d]#
[root@lolpr-xyz-mstr yum.repos.d]# cat CentOS-Local.repo
[LocalRepo]
name=Local Repository
baseurl=file:///repo
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[root@lolpr-xyz-mstr yum.repos.d]#

>
> Anything interesting in the KDC log?
>

This looks like a clue:

krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL

... But I'm not sure how to interpret this usefully ...

>
>>
>> 6) Make sure that there are no DNS issues and both forward and reverse
>> DNS records are OK and match the system name and the stored
>> principal keys
>>
>> check. DNS works.
>>
>> 7) Make sure that the system time difference on the host and FreeIPA
>> server is not greater than 5 minutes
>>
>> They're one and the same in this case.
>>
>>> --
>>> Martin^3 Babinsky
>>
>> Thanks,
>> Traiano
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From dpal at redhat.com Wed Apr 1 12:06:44 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Apr 2015 08:06:44 -0400
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To:
References: <551BA01F.8030707@redhat.com> <551BD53E.8070203@redhat.com>
Message-ID: <551BDF54.9070703@redhat.com>

On 04/01/2015 07:52 AM, Traiano Welcome wrote:
> Hi Dmitri
>
>
> On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal wrote:
>> On 04/01/2015 04:14 AM, Traiano Welcome wrote:
>>> Hi Martin
>>>
>>> Thanks for the response.
>>> Check results inline:
>>>
>>>
>>> On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky
>>> wrote:
>>>> On 04/01/2015 09:20 AM, Traiano Welcome wrote:
>>>>> Some information from the dirsrv error log (sanitized: XYZ = realm):
>>>>>
Current seqnum=1 >>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation >>>>> threads >>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 >>>>> threads to terminate >>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down >>>>> internal subsystems and plugins >>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>>> Cleaning rid (6)... >>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>>> Waiting to process all the updates from the deleted replica... >>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>>> Waiting for all the replicas to be online... >>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: >>>>> Server shutting down. Process will resume at server startup >>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed >>>>> out) >>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>>> error -1 (Can't contact LDAP server) >>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>>>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): >>>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact >>>>> LDAP server) () >>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>>> GSS failure. 
Minor code may provide more information (No Kerberos >>>>> credentials available)) errno 0 (Success) >>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>>> error -2 (Local error) >>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>>>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>>>> Minor code may provide more information (No Kerberos credentials >>>>> available)) >>>>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>>> GSS failure. Minor code may provide more information (No Kerberos >>>>> credentials available)) errno 0 (Success) >>>>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>>> error -2 (Local error) >>>>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >>>>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>>>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>>>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>>>> may provide more information (No Kerberos credentials available)) >>>>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >>>>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >>>>> [01/Apr/2015:10:16:00 +0300] - slapd stopped. 
>>>>>
>>>>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome
>>>>> wrote:
>>>>>> Hi List
>>>>>>
>>>>>> I've just tried to restart my IPA services after recently adding a new
>>>>>> replica (0 configuration changes on the IPA server otherwise!), but
>>>>>> ipactl fails when starting up named:
>>>>>>
>>>>>> ---
>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
>>>>>> Starting Directory Service
>>>>>> Starting krb5kdc Service
>>>>>> Starting kadmin Service
>>>>>> Starting named Service
>>>>>> Job for named.service failed. See 'systemctl status named.service' and
>>>>>> 'journalctl -xn' for details.
>>>>>> Failed to start named Service
>>>>>> Shutting down
>>>>>> Aborting ipactl
>>>>>> ---
>>>>>>
>>>>>> I then manually start the named service and try again, but then the smb
>>>>>> service fails:
>>>>>>
>>>>>> ---
>>>>>> [root@lolpr-xyz-mstr ~]# ipactl start
>>>>>> Existing service file detected!
>>>>>> Assuming stale, cleaning and proceeding
>>>>>> Starting Directory Service
>>>>>> Starting krb5kdc Service
>>>>>> Starting kadmin Service
>>>>>> Starting named Service
>>>>>> Starting ipa_memcached Service
>>>>>> Starting httpd Service
>>>>>> Starting pki-tomcatd Service
>>>>>> Starting smb Service
>>>>>> Job for smb.service failed. See 'systemctl status smb.service' and
>>>>>> 'journalctl -xn' for details.
>>>>>> Failed to start smb Service
>>>>>> Shutting down
>>>>>> Aborting ipactl
>>>>>> ---
>>>>>>
>>>>>> systemctl status shows the following output for smb.service:
>>>>>>
>>>>>> ---
>>>>>> [root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
>>>>>> smb.service - Samba SMB Daemon
>>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10
>>>>>> AST; 1min 14s ago
>>>>>>   Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
>>>>>> status=1/FAILURE)
>>>>>>  Main PID: 4662 (code=exited, status=1/FAILURE)
>>>>>>    Status: "Starting process..."
>>>>>>    CGroup: /system.slice/smb.service
>>>>>>
>>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step
>>>>>> 1
>>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error:
>>>>>> Unspecified GSS failure. Minor code may provide more information
>>>>>> (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>>>>>> 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base
>>>>>> DN.
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01
>>>>>> 09:21:10.211210, 0]
>>>>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend
>>>>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
>>>>>> init (error was NT_STATUS_UNSUCCESSFUL)
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
>>>>>> process exited, code=exited, status=1/FAILURE
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
>>>>>> Samba SMB Daemon.
>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
>>>>>> entered failed state.
>>>>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB
>>>>>> Daemon.
>>>>>> ---
>>>>>>
>>>>>>
>>>>>> I manually try to start the smb service as follows, but can't (Of
>>>>>> course the directory service is not up, so there's a little catch22
>>>>>> there and this may not mean much):
>>>>>>
>>>>>>
>>>>>> ---
>>>>>>
>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
>>>>>> smb.service - Samba SMB Daemon
>>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38
>>>>>> AST;
>>>>>> 57s ago
>>>>>>   Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited,
>>>>>> status=1/FAILURE)
>>>>>>  Main PID: 8089 (code=exited, status=1/FAILURE)
>>>>>>    Status: "Starting process..."
>>>>>>
>>>>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
>>>>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>>> 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
>>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error:
>>>>>> code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>>> 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base
>>>>>> DN.
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01
>>>>>> 09:50:38.574903, 0]
>>>>>> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend
>>>>>> ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly
>>>>>> init (error was NT_STATUS_UNSUCCESSFUL)
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main
>>>>>> process exited, code=exited, status=1/FAILURE
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
>>>>>> Samba SMB Daemon.
>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service
>>>>>> entered failed state.
>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>>>>>
>>>>>> ---
>>>>>>
>>>>>> Please could someone advise me on how to drill deeper into debugging
>>>>>> this issue to get ipactl to start ?
>>>>>>
>>>>>> NOTES:
>>>>>>
>>>>>> - This server is successfully in a Trust relationship with
>>>>>> ActiveDirectory.
>>>>>> - There are a number of replicas established which have been working
>>>>>> fine til this morning
>>>>>> - Another replica was added around the time of the failure using the
>>>>>> same steps as usual (not sure how this could be related)
>>>>>>
>>>>>>
>>>>>> Many thanks in advance,
>>>>>> Traiano
>>>>>
>>>> Hi Traiano,
>>>>
>>>> it seems like there is some problem with the Kerberos keytab for the DS service.
>>>>
>>>> Take a look at this guide:
>>>>
>>>> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start
>>>>
>>>> and check whether there is something wrong with the DS keytab and that the
>>>> service principal is set up correctly.
>>>>
>>>
>>> Walking through this pedantically:
>>>
>>> Service does not start:
>>>
>>> 1) See service log of the respective service for the exact error text.
>>> For example, the Directory Server stores the log in
>>> /var/log/dirsrv/slapd-REALM-NAME/errors
>>>
>>> check
>>>
>>> 2) Make sure that the server the service is running on has a fully
>>> qualified domain name
>>>
>>> ---
>>> [root@lolpr-xyz-mstr ~]# hostname
>>> lolpr-xyz-mstr.xyz.local
>>> [root@lolpr-xyz-mstr ~]# host `hostname`
>>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>>> [root@lolpr-xyz-mstr ~]# host 172.16.100.68
>>> 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local.
>>> [root@lolpr-xyz-mstr ~]#
>>> ---
>>>
>>> 3) See what keys are in the keytab used for authentication of the service,
>>> e.g.:
>>> # klist -kt /etc/dirsrv/ds.keytab
>>>
>>>
>>> ---
>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab
>>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>>> KVNO Timestamp           Principal
>>> ---- ------------------- ------------------------------------------------------
>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>> ---
>>>
>>> 4) Make sure that the stored principals match the system FQDN system name
>>>
>>> check:
>>>
>>> ---
>>> [root@lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local
>>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>>> [root@lolpr-xyz-mstr ~]#
>>> ---
>>>
>>> 5) Make sure that the version of the keys (KVNO) stored in the keytab
>>> and in the FreeIPA server match:
>>> $ kvno ldap/ipa.example.com@EXAMPLE.COM
>>>
>>>
>>> check ... This is unusual:
>>>
>>> ---
>>> [root@lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>> kvno: Credentials cache keyring 'persistent:0:0' not found while
>>> getting client principal name
>>> ---
>>>
>>> Now, when I look at my krb5.conf, I see the file has had a recent
>>> change ...
>>> yet, I'm sure this file was never edited: Does the
>>> krb5.conf below look correct for a standard IPA primary server?:
>>>
>>> ---
>>> [root@lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
>>> -rw-r--r-- 1 root root 811 Apr  1 11:01 /etc/krb5.conf
>>> ---
>>>
>>>
>>> ---
>>> [root@lolpr-xyz-mstr ~]# cat /etc/krb5.conf
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [logging]
>>>  default = FILE:/var/log/krb5libs.log
>>>  kdc = FILE:/var/log/krb5kdc.log
>>>  admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>>  default_realm = XYZ.LOCAL
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = true
>>>  rdns = false
>>>  ticket_lifetime = 24h
>>>  forwardable = yes
>>>  default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> [realms]
>>>  XYZ.LOCAL = {
>>>   kdc = lolpr-xyz-mstr.xyz.local:88
>>>   master_kdc = lolpr-xyz-mstr.xyz.local:88
>>>   admin_server = lolpr-xyz-mstr.xyz.local:749
>>>   default_domain = xyz.local
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   auth_to_local =
>>> RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
>>>   auth_to_local = DEFAULT
>>>  }
>>>
>>> [domain_realm]
>>>  .xyz.local = XYZ.LOCAL
>>>  xyz.local = XYZ.LOCAL
>>>
>>> [dbmodules]
>>>  XYZ.LOCAL = {
>>>   db_library = ipadb.so
>>>  }
>>> ---
>>
>>
>> I do not see any glaring problems in this file.
>> This seems to be 4.1 bits.
>
> IPA 3.3 on CentOS release 7.0.1406 (Core)
>
>
>> There is definitely something wrong with the Kerberos part though.
>> And the fact that you can't access the credential cache is pointing to a
>> problem.
> Yes. Trying to start the krb5kdc service manually:
>
>
> ---
> Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service'
> and 'journalctl -xn' for details.
> ---
>
> Checking the krb5kdc.service status:
>
> ---
> [root@lolpr-xyz-mstr log]# systemctl status krb5kdc.service
> krb5kdc.service - Kerberos 5 KDC
>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
>    Active: failed (Result: exit-code) since Wed 2015-04-01 14:42:15 AST; 7s ago
>   Process: 3884 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
> $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Starting Kerberos 5 KDC...
> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local krb5kdc[3884]: krb5kdc:
> cannot initialize realm XYZ.LOCAL - see log file for details
> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: krb5kdc.service:
> control process exited, code=exited status=1
> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start
> Kerberos 5 KDC.
> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Unit
> krb5kdc.service entered failed state.
> ---
>
>
> Checking the logs:
>
> ---
> [root@lolpr-xyz-mstr log]# cat krb5kdc.log
> krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL
> ---
>
>
>
>> Do you see any selinux denials?
> Selinux has been disabled for months. I see this is still so in the
> selinux conf: SELINUX=disabled
>
>
>
>> If the file was touched, maybe it was touched by a recent update or
>> installation of some other package on the system.
>> The update/install might have set a wrong context on the cred cache, causing
>> problems like this.
> I've been careful to disable all external repos on the system since
> installation, so I'm only using packages on the original installation
> iso. It's a hermetically sealed system from the package point of view:
>
> [root@lolpr-xyz-mstr yum.repos.d]# ls -l
> total 4
> -rw-r--r--. 1 root root 133 Nov  5 19:06 CentOS-Local.repo
> [root@lolpr-xyz-mstr yum.repos.d]#
> [root@lolpr-xyz-mstr yum.repos.d]#
> [root@lolpr-xyz-mstr yum.repos.d]# cat CentOS-Local.repo
> [LocalRepo]
> name=Local Repository
> baseurl=file:///repo
> enabled=1
> gpgcheck=1
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
> [root@lolpr-xyz-mstr yum.repos.d]#
>
>
>> Anything interesting in the KDC log?
>>
>
> This looks like a clue:
>
> krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL
>
> ... But I'm not sure how to interpret this usefully ...

This means that DS has not started, as the master key is in DS.
Can you check the DS server logs?

>
>
>
>>> 6) Make sure that there are no DNS Issues and both forward and reverse
>>> DNS records of the are OK and match the system name and the stored
>>> principal keys
>>>
>>> check. DNS works.
>>>
>>> 7) Make sure that the system time difference on the host and FreeIPA
>>> server is not greater than 5 minutes
>>>
>>> They're one and the same in this case.
>>>
>>>> --
>>>> Martin^3 Babinsky
>>> Thanks,
>>> Traiano
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From pspacek at redhat.com Wed Apr 1 12:36:22 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Apr 2015 14:36:22 +0200
Subject: [Freeipa-users] nsAccountLock attribute
In-Reply-To:
References: <551B83DB.3050401@redhat.com>
Message-ID: <551BE646.9000403@redhat.com>

On 1.4.2015 11:43, Prashant Bapat wrote:
> Hi Jan,
>
> Thanks for your response. But my problem is AmazonLinux does not support
> ipa-client or sssd. No binaries available, lots of dependency issues
> compiling from source.
>
> So the route I have taken is to use FreeIPA on Fedora21. And use authconfig
> to enumerate users/groups. And have an SSH command to look up the keys.

Interesting. Please complain to Amazon support about this, it will improve
the situation for others too.

Petr^2 Spacek

> Thanks.
> --Prashant
>
> On 1 April 2015 at 11:06, Jan Cholasta wrote:
>
>> Hi,
>>
>> On 1.4.2015 at 07:09, Prashant Bapat wrote:
>>
>> Hi ,
>>>
>>> Is there a way of making the nsAccountLock attribute (User
>>> enable/disable) to be anonymously readable ?
>>>
>>> I'm trying to implement a SSH key lookup sshd authorized key command
>>> script. Based on this attribute the user will be allowed to login. I
>>> need this to be anonymously readable.
>>>
>>> Tried setting the permissions but it does not work.
>>>
>>> Any other ideas on this ?
>>>
>>
>> If your SSH server is a properly configured IPA host (i.e. you had run
>> ipa-client-install or ipa-server-install on it), rejecting locked user
>> login should work automatically, without having to configure anything.

From traiano at gmail.com Wed Apr 1 12:36:50 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 15:36:50 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: <551BDF54.9070703@redhat.com>
References: <551BA01F.8030707@redhat.com> <551BD53E.8070203@redhat.com> <551BDF54.9070703@redhat.com>
Message-ID:

Hi Dmitri

On Wed, Apr 1, 2015 at 3:06 PM, Dmitri Pal wrote:
> On 04/01/2015 07:52 AM, Traiano Welcome wrote:
>>
>> Hi Dmitri
>>
>>
>> On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal wrote:
>>>
>>> On 04/01/2015 04:14 AM, Traiano Welcome wrote:
>>>>
>>>> Hi Martin
>>>>
>>>> Thanks for the response. Check results inline:
>>>>
>>>>
>>>> On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky
>>>> wrote:
>>>>>
>>>>> On 04/01/2015 09:20 AM, Traiano Welcome wrote:
>>>>>>
>>>>>> Some information from the dirsrv error log (sanitized: XYZ = realm):
>>>>>>
>>>>>> [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139
>>>>>> starting up
>>>>>> [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
>>>>>> entries set up under cn=computers, cn=compat,dc=idm,dc=local
>>>>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
>>>>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
>>>>>> should be added before the CoS Definition.
>>>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> cleanAllRUV task found, resuming the cleaning of rid(6)...
>>>>>> [01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
>>>>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
>>>>>> should be added before the CoS Definition.
>>>>>> [01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All
>>>>>> Interfaces port 389 for LDAP requests
>>>>>> [01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636
>>>>>> for LDAPS requests
>>>>>> [01/Apr/2015:11:01:49 +0300] - Listening on
>>>>>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
>>>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 0 (Success)
>>>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>> Minor code may provide more information (No Kerberos credentials
>>>>>> available))
>>>>>> [01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 0 (Success)
>>>>>> [01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>> Minor code may provide more information (No Kerberos credentials
>>>>>> available))
>>>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling
>>>>>> operation
>>>>>> threads
>>>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27
>>>>>> threads to terminate
>>>>>> [01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down
>>>>>> internal subsystems and plugins
>>>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Cleaning rid (6)...
>>>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Waiting to process all the updates from the deleted replica...
>>>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Waiting for all the replicas to be online...
>>>>>> [01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Server shutting down. Process will resume at server startup
>>>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
>>>>>> out)
>>>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -1 (Can't contact LDAP server)
>>>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>>>>> LDAP server) ()
>>>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 0 (Success)
>>>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>> Minor code may provide more information (No Kerberos credentials
>>>>>> available))
>>>>>> errors
>>>>>> [01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 0 (Success)
>>>>>> [01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication
>>>>>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
>>>>>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
>>>>>> may provide more information (No Kerberos credentials available))
>>>>>> [01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop
>>>>>> [01/Apr/2015:11:02:10 +0300] - All database threads now stopped
>>>>>> [01/Apr/2015:11:02:10 +0300] - slapd stopped.
>>>>>> [01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139
>>>>>> starting up
>>>>>> [01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no
>>>>>> entries set up under cn=computers, cn=compat,dc=idm,dc=local
>>>>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password
>>>>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
>>>>>> should be added before the CoS Definition.
>>>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> cleanAllRUV task found, resuming the cleaning of rid(6)...
>>>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password
>>>>>> Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
>>>>>> should be added before the CoS Definition.
>>>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 2 (No such file or directory)
>>>>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time
>>>>>> skew (-2771 secs). Current seqnum=3
>>>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>> Minor code may provide more information (No Kerberos credentials
>>>>>> available))
>>>>>> [01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial
>>>>>> credentials for principal [ldap/kwtpr-idm-mstr@] in keytab
>>>>>> [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
>>>>>> [01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time
>>>>>> skew (-2770 secs). Current seqnum=1
>>>>>> [01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All
>>>>>> Interfaces port 389 for LDAP requests
>>>>>> [01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636
>>>>>> for LDAPS requests
>>>>>> [01/Apr/2015:10:15:39 +0300] - Listening on
>>>>>> /var/run/slapd-IDM-LOCAL.socket for LDAPI requests
>>>>>> [01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure. Minor code may provide more information (No Kerberos
>>>>>> credentials available)) errno 0 (Success)
>>>>>> [01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -2 (Local error)
>>>>>> [01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)
>>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
>>>>>> Minor code may provide more information (No Kerberos credentials
>>>>>> available))
>>>>>> [01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time
>>>>>> skew (-2771 secs). Current seqnum=1
>>>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling
>>>>>> operation
>>>>>> threads
>>>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28
>>>>>> threads to terminate
>>>>>> [01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down
>>>>>> internal subsystems and plugins
>>>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Cleaning rid (6)...
>>>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Waiting to process all the updates from the deleted replica...
>>>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Waiting for all the replicas to be online...
>>>>>> [01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
>>>>>> Server shutting down. Process will resume at server startup
>>>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed
>>>>>> out)
>>>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not
>>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]:
>>>>>> error -1 (Can't contact LDAP server)
>>>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin -
>>>>>> agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389):
>>>>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>>>>> LDAP server) ()
>>>>>> [01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error:
>>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
>>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
>>>>>> GSS failure.
Minor code may provide more information (No Kerberos >>>>>> credentials available)) errno 0 (Success) >>>>>> [01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not >>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>>>> error -2 (Local error) >>>>>> [01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - >>>>>> agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): >>>>>> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) >>>>>> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. >>>>>> Minor code may provide more information (No Kerberos credentials >>>>>> available)) >>>>>> [01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: >>>>>> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error >>>>>> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified >>>>>> GSS failure. Minor code may provide more information (No Kerberos >>>>>> credentials available)) errno 0 (Success) >>>>>> [01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not >>>>>> perform interactive bind for id [] authentication mechanism [GSSAPI]: >>>>>> error -2 (Local error) >>>>>> [01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - >>>>>> agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication >>>>>> bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): >>>>>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code >>>>>> may provide more information (No Kerberos credentials available)) >>>>>> [01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop >>>>>> [01/Apr/2015:10:16:00 +0300] - All database threads now stopped >>>>>> [01/Apr/2015:10:16:00 +0300] - slapd stopped. 
>>>>>>
>>>>>> On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote:
>>>>>>>
>>>>>>> Hi List
>>>>>>>
>>>>>>> I've just tried to restart my IPA services after recently adding a new
>>>>>>> replica (0 configuration changes on the IPA server otherwise!), but
>>>>>>> ipactl fails when starting up named:
>>>>>>>
>>>>>>> ---
>>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
>>>>>>> Starting Directory Service
>>>>>>> Starting krb5kdc Service
>>>>>>> Starting kadmin Service
>>>>>>> Starting named Service
>>>>>>> Job for named.service failed. See 'systemctl status named.service' and
>>>>>>> 'journalctl -xn' for details.
>>>>>>> Failed to start named Service
>>>>>>> Shutting down
>>>>>>> Aborting ipactl
>>>>>>> ---
>>>>>>>
>>>>>>> I then manually start the named service and try again, but then the smb
>>>>>>> service fails:
>>>>>>>
>>>>>>> ---
>>>>>>> [root@lolpr-xyz-mstr ~]# ipactl start
>>>>>>> Existing service file detected!
>>>>>>> Assuming stale, cleaning and proceeding
>>>>>>> Starting Directory Service
>>>>>>> Starting krb5kdc Service
>>>>>>> Starting kadmin Service
>>>>>>> Starting named Service
>>>>>>> Starting ipa_memcached Service
>>>>>>> Starting httpd Service
>>>>>>> Starting pki-tomcatd Service
>>>>>>> Starting smb Service
>>>>>>> Job for smb.service failed. See 'systemctl status smb.service' and
>>>>>>> 'journalctl -xn' for details.
>>>>>>> Failed to start smb Service
>>>>>>> Shutting down
>>>>>>> Aborting ipactl
>>>>>>> ---
>>>>>>>
>>>>>>> systemctl status shows the following output for smb.service:
>>>>>>>
>>>>>>> ---
>>>>>>> [root@lolpr-xyz-mstr ~]# systemctl -l status smb.service
>>>>>>> smb.service - Samba SMB Daemon
>>>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 AST; 1min 14s ago
>>>>>>>   Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
>>>>>>>  Main PID: 4662 (code=exited, status=1/FAILURE)
>>>>>>>    Status: "Starting process..."
>>>>>>>    CGroup: /system.slice/smb.service
>>>>>>>
>>>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1
>>>>>>> Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server ldap/lolpr-xyz-mstr@XYZ.LOCAL not found in Kerberos database)
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base DN.
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 09:21:10.211210, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
>>>>>>> Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
>>>>>>> Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB Daemon.
>>>>>>> ---
>>>>>>>
>>>>>>>
>>>>>>> I manually try to start the smb service as follows, but can't (of
>>>>>>> course the directory service is not up, so there's a little catch-22
>>>>>>> there and this may not mean much):
>>>>>>>
>>>>>>>
>>>>>>> ---
>>>>>>>
>>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service
>>>>>>> smb.service - Samba SMB Daemon
>>>>>>>    Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)
>>>>>>>    Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; 57s ago
>>>>>>>   Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
>>>>>>>  Main PID: 8089 (code=exited, status=1/FAILURE)
>>>>>>>    Status: "Starting process..."
>>>>>>>
>>>>>>> Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup)
>>>>>>> Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL'
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam)
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base DN.
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 09:50:38.574903, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main process exited, code=exited, status=1/FAILURE
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Samba SMB Daemon.
>>>>>>> Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service entered failed state.
>>>>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
>>>>>>>
>>>>>>> ---
>>>>>>>
>>>>>>> Please could someone advise me on how to drill deeper into debugging
>>>>>>> this issue to get ipactl to start?
>>>>>>>
>>>>>>> NOTES:
>>>>>>>
>>>>>>> - This server is successfully in a Trust relationship with Active Directory.
>>>>>>> - There are a number of replicas established which have been working
>>>>>>>   fine until this morning.
>>>>>>> - Another replica was added around the time of the failure using the
>>>>>>>   same steps as usual (not sure how this could be related).
>>>>>>>
>>>>>>>
>>>>>>> Many thanks in advance,
>>>>>>> Traiano
>>>>>>
>>>>>>
>>>>> Hi Traiano,
>>>>>
>>>>> it seems like there is some problem with the Kerberos keytab for the DS
>>>>> service.
>>>>>
>>>>> Take a look at this guide:
>>>>>
>>>>> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start
>>>>>
>>>>> and check whether there is something wrong with the DS keytab and that the
>>>>> service principal is set up correctly.
>>>>>
>>>>
>>>> Walking through this pedantically:
>>>>
>>>> Service does not start:
>>>>
>>>> 1) See the service log of the respective service for the exact error text.
>>>> For example, the Directory Server stores the log in
>>>> /var/log/dirsrv/slapd-REALM-NAME/errors
>>>>
>>>> check
>>>>
>>>> 2) Make sure that the server the service is running on has a fully
>>>> qualified domain name
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr ~]# hostname
>>>> lolpr-xyz-mstr.xyz.local
>>>> [root@lolpr-xyz-mstr ~]# host `hostname`
>>>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>>>> [root@lolpr-xyz-mstr ~]# host 172.16.100.68
>>>> 68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local.
>>>> [root@lolpr-xyz-mstr ~]#
>>>> ---
>>>>
>>>> 3) See what keys are in the keytab used for authentication of the service,
>>>> e.g.:
>>>> # klist -kt /etc/dirsrv/ds.keytab
>>>>
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab
>>>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>>>> KVNO Timestamp           Principal
>>>> ---- ------------------- ------------------------------------------------------
>>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>>    2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>> ---
>>>>
>>>> 4) Make sure that the stored principals match the system FQDN
>>>>
>>>> check:
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local
>>>> lolpr-xyz-mstr.xyz.local has address 172.16.100.68
>>>> [root@lolpr-xyz-mstr ~]#
>>>> ---
>>>>
>>>> 5) Make sure that the version of the keys (KVNO) stored in the keytab
>>>> and in the FreeIPA server match:
>>>> $ kvno ldap/ipa.example.com@EXAMPLE.COM
>>>>
>>>>
>>>> check ...
>>>> This is unusual:
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
>>>> kvno: Credentials cache keyring 'persistent:0:0' not found while
>>>> getting client principal name
>>>> ---
>>>>
>>>> Now, when I look at my krb5.conf, I see the file has had a recent
>>>> change ... yet, I'm sure this file was never edited. Does the
>>>> krb5.conf below look correct for a standard IPA primary server?
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf
>>>> -rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf
>>>> ---
>>>>
>>>>
>>>> ---
>>>> [root@lolpr-xyz-mstr ~]# cat /etc/krb5.conf
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>>  default_realm = XYZ.LOCAL
>>>>  dns_lookup_realm = false
>>>>  dns_lookup_kdc = true
>>>>  rdns = false
>>>>  ticket_lifetime = 24h
>>>>  forwardable = yes
>>>>  default_ccache_name = KEYRING:persistent:%{uid}
>>>>
>>>> [realms]
>>>>  XYZ.LOCAL = {
>>>>   kdc = lolpr-xyz-mstr.xyz.local:88
>>>>   master_kdc = lolpr-xyz-mstr.xyz.local:88
>>>>   admin_server = lolpr-xyz-mstr.xyz.local:749
>>>>   default_domain = xyz.local
>>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   auth_to_local = RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/
>>>>   auth_to_local = DEFAULT
>>>>  }
>>>>
>>>> [domain_realm]
>>>>  .xyz.local = XYZ.LOCAL
>>>>  xyz.local = XYZ.LOCAL
>>>>
>>>> [dbmodules]
>>>>  XYZ.LOCAL = {
>>>>   db_library = ipadb.so
>>>>  }
>>>> ---
>>>
>>>
>>>
>>> I do not see any glaring problems in this file.
>>> This seems to be 4.1 bits.
>>
>>
>> IPA 3.3 on CentOS release 7.0.1406 (Core)
>>
>>
>>> There is definitely something wrong with the Kerberos part though.
>>> And the fact that you can't access the credential cache is pointing to a
>>> problem.
>>
>> Yes.
>> Trying to start the krb5kdc service manually:
>>
>>
>> ---
>> job for krb5kdc.service failed. See 'systemctl status krb5kdc.service'
>> and 'journalctl -xn' for details.
>> ---
>>
>> Checking the krb5kdc.service status:
>>
>> ---
>> [root@lolpr-xyz-mstr log]# systemctl status krb5kdc.service
>> krb5kdc.service - Kerberos 5 KDC
>>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
>>    Active: failed (Result: exit-code) since Wed 2015-04-01 14:42:15 AST; 7s ago
>>   Process: 3884 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>>
>> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Starting Kerberos 5 KDC...
>> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local krb5kdc[3884]: krb5kdc: cannot initialize realm XYZ.LOCAL - see log file for details
>> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: krb5kdc.service: control process exited, code=exited status=1
>> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start Kerberos 5 KDC.
>> Apr 01 14:42:15 lolpr-xyz-mstr.xyz.local systemd[1]: Unit krb5kdc.service entered failed state.
>> ---
>>
>>
>> Checking the logs:
>>
>> ---
>> [root@lolpr-xyz-mstr log]# cat krb5kdc.log
>> krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL
>> ---
>>
>>
>>
>>> Do you see any selinux denials?
>>
>> SELinux has been disabled for months. I see this is still so in the
>> selinux conf: SELINUX=disabled
>>
>>
>>
>>> If the file was touched, maybe it was touched by a recent update or
>>> installation of some other package on the system.
>>> The update/install might have set a wrong context on the cred cache, causing
>>> problems like this.
>>
>> I've been careful to disable all external repos on the system since
>> installation, so I'm only using packages on the original installation
>> iso. It's a hermetically sealed system from the package point of view:
>>
>> [root@lolpr-xyz-mstr yum.repos.d]# ls -l
>> total 4
>> -rw-r--r--. 1 root root 133 Nov 5 19:06 CentOS-Local.repo
>> [root@lolpr-xyz-mstr yum.repos.d]#
>> [root@lolpr-xyz-mstr yum.repos.d]#
>> [root@lolpr-xyz-mstr yum.repos.d]# cat CentOS-Local.repo
>> [LocalRepo]
>> name=Local Repository
>> baseurl=file:///repo
>> enabled=1
>> gpgcheck=1
>> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
>> [root@lolpr-xyz-mstr yum.repos.d]#
>>
>>
>>> Anything interesting in the KDC log?
>>>
>>
>> This looks like a clue:
>>
>> krb5kdc: Server error - while fetching master key K/M for realm XYZ.LOCAL
>>
>> ... But I'm not sure how to interpret this usefully ...
>
>
> This means that DS has not started, as the master key is in DS.
> Can you check the DS server logs?
>

I do see this entry in the dirsrv error log (full log is below):

set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)

But looking at it with ktutil, I can't see what the issue is:

---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ls -l /etc/dirsrv/ds.keytab
-rw-------. 1 dirsrv dirsrv 338 Nov 6 13:13 /etc/dirsrv/ds.keytab
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]#
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ktutil
ktutil: read_kt /etc/dirsrv/ds.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
   2    2 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
   3    2 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
   4    2 ldap/lolpr-xyz-mstr.xyz.local@XYZ.LOCAL
ktutil:
ktutil:
---

This is a freshly generated DS log (sanitized: XYZ = realm):

	389-Directory/1.3.1.6 B2014.160.2139
	lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)

[01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:15:19:01 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=xyz,dc=local
[01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
[01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
[01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success) [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt="cn=masterAgreement1-lolospr-xyz-slve.xyz.local-pki-tomcat" (lolospr-xyz-slve:389): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition. [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 2 (No such file or directory) [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt="cn=meTololard-xyz-slve.xyz.local" (lolard-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 0 (Success) [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -1 (Can't contact LDAP server) [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt="cn=meTololospr-xyz-slve.xyz.local" (lolospr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) () [01/Apr/2015:15:19:02 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests [01/Apr/2015:15:19:02 +0300] - Listening on All Interfaces port 636 for LDAPS requests [01/Apr/2015:15:19:02 +0300] - Listening on /var/run/slapd-XYZ-LOCAL.socket for LDAPI requests [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial credentials for principal [ldap/lolpr-xyz-mstr@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt="cn=meTololpr-xyz-slve.xyz.local" (lolpr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) errno 0 (Success) [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error -2 (Local error) [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - agmt="cn=meToukpr-xyz-slve.xyz.local" (ukpr-xyz-slve:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available)) [01/Apr/2015:15:19:04 +0300] - slapd shutting down - signaling operation threads [01/Apr/2015:15:19:04 +0300] - slapd shutting down - closing down internal subsystems and plugins [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)... 
[01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
[01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
[01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
[01/Apr/2015:15:19:05 +0300] - Waiting for 4 database threads to stop
[01/Apr/2015:15:19:05 +0300] - All database threads now stopped
[01/Apr/2015:15:19:05 +0300] - slapd stopped.

>>
>>
>>
>>>> 6) Make sure that there are no DNS issues and both forward and reverse
>>>> DNS records of the host are OK and match the system name and the stored
>>>> principal keys
>>>>
>>>> check. DNS works.
>>>>
>>>> 7) Make sure that the system time difference on the host and FreeIPA
>>>> server is not greater than 5 minutes
>>>>
>>>> They're one and the same in this case.
>>>>
>>>>> --
>>>>> Martin^3 Babinsky
>>>>
>>>> Thanks,
>>>> Traiano
>>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

From pspacek at redhat.com Wed Apr 1 12:39:25 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Apr 2015 14:39:25 +0200
Subject: [Freeipa-users] ipa: ERROR: Cannot find specified domain or server name
In-Reply-To:
References:
Message-ID: <551BE6FD.9040301@redhat.com>

On 1.4.2015 13:16, Ben .T.George wrote:
> HI
>
> i have installed latest FreeIPA 4.1.4 on RHEL 7.1
>
> My DNS is working fine.
> I am getting good response
>
> [root@kwtprsolipa01 ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
> _ldap._tcp.SUN.LOCAL.            86398 IN SRV 0 100 389 kwtprsolipa01.sun.local.
> _kerberos._tcp.SUN.LOCAL.        86398 IN SRV 0 100 88  kwtprsolipa01.sun.local.
> _kerberos._udp.SUN.LOCAL.        84696 IN SRV 0 100 88  kwtprsolipa01.sun.local.
> _kerberos-master._tcp.SUN.LOCAL. 84699 IN SRV 0 100 88  kwtprsolipa01.sun.local.
> _kerberos-master._udp.SUN.LOCAL. 86398 IN SRV 0 100 88  kwtprsolipa01.sun.local.
> _ntp._udp.SUN.LOCAL.             86398 IN SRV 0 100 123 kwtprsolipa01.sun.local.
>
> and the AD domain is pinging from the IPA server.
>
> [root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.mha.local
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.mha.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44181
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.mha.local.          IN      SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.mha.local.   600     IN      SRV     0 100 389 rusmosprdc002.mha.local.
> _ldap._tcp.mha.local.   600     IN      SRV     0 100 389 kwtprdc002.mha.local.
> _ldap._tcp.mha.local.   600     IN      SRV     0 100 389 dxbprdc002.mha.local.
> _ldap._tcp.mha.local.   600     IN      SRV     0 100 389 kwtprdc001.mha.local.
> _ldap._tcp.mha.local.   600     IN      SRV     0 100 389 dxbprdc001.mha.local.
>
> ;; ADDITIONAL SECTION:
> rusmosprdc002.mha.local. 3600   IN      A       192.168.115.42
> kwtprdc002.mha.local.   3600    IN      A       172.16.98.171
> dxbprdc002.mha.local.   3600    IN      A       10.10.10.10
> kwtprdc001.mha.local.   3600    IN      A       172.16.100.180
> dxbprdc001.mha.local.   3600    IN      A       10.10.10.11
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.100.180#53(172.16.100.180)
> ;; WHEN: Wed Apr 01 13:58:24 AST 2015
> ;; MSG SIZE  rcvd: 332
>
>
>
> [root@kwtprsolipa01 ~]# dig SRV _ldap._tcp.sun.local
>
> ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> SRV _ldap._tcp.sun.local
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63551
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;_ldap._tcp.sun.local.          IN      SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.sun.local.   84509   IN      SRV     0 100 389 kwtprsolipa01.sun.local.
>
> ;; ADDITIONAL SECTION:
> kwtprsolipa01.sun.local. 182    IN      A       172.16.99.99
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.100.180#53(172.16.100.180)
> ;; WHEN: Wed Apr 01 13:58:31 AST 2015
> ;; MSG SIZE  rcvd: 108
>
>
> all results were as expected and I was following the exact steps from the quick
> start page.
>
> but when I try to create the trust, I am getting
>
> "ipa: ERROR: Cannot find specified domain or server name"
>
>
> please help me to solve this

Please follow
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

... and send us results and logs.

--
Petr^2 Spacek

From andrew.holway at gmail.com Wed Apr 1 12:51:26 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 1 Apr 2015 14:51:26 +0200
Subject: [Freeipa-users] OTP integrations
In-Reply-To:
References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com>
Message-ID:

Please could someone explain to me what is happening internally? In my head I have the following process....

The openvpn pam module sends the username and password to pam.
Pam passes this on to sssd.
sssd then does the kerberos thing.
kerberos passes the password to the LDAP.
some LDAP module takes the password from the database, appends the OTP and actually does the auth...
On 1 April 2015 at 13:15, Andrew Holway wrote: > >>> It is simple to configure OpenVPN with authentication against FreeIPA in >> Fedora 21, all the heavy lifting is done by SSSD: >> > > I have to say that this sssd / pam method is working very very well. > > I do however need to get my head around radius. Something for a rainy > sunday I think :). > > > > >> >> # grep plugin /etc/openvpn/server.conf >> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn >> login USERNAME password PASSWORD" >> >> # LANG=C ls -l /etc/pam.d/openvpn lrwxrwxrwx. 1 root root 11 Apr 1 10:55 >> /etc/pam.d/openvpn -> system-auth >> >> # LANG=C ipa user-show vpnuser >> User login: vpnuser >> First name: VPN >> Last name: TestUser >> Home directory: /home/vpnuser >> Login shell: /bin/sh >> Email address: vpnuser at example.com >> UID: 1792600005 >> GID: 1792600005 >> Account disabled: False >> User authentication types: otp >> Password: True >> Member of groups: ipausers >> Kerberos keys available: True >> >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> received command code: 0 >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> USER: vpnuser >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> my_conv[0] query='login:' style=2 >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> name match found, query/match-string ['login:', 'login'] = 'USERNAME' >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> my_conv[0] query='Password: ' style=1 >> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >> name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD' >> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): >> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= >> user=vpnuser >> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): >> authentication success; logname= 
uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/ PLUGIN_AUTH_USER_PASS_VERIFY status=0
>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>
>> --
>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>

From pspacek at redhat.com Wed Apr 1 13:12:35 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 01 Apr 2015 15:12:35 +0200
Subject: [Freeipa-users] bind-dyndb-ldap vs DLZ
In-Reply-To: <551B875D.8070104@lundman.net>
References: <55122F5F.8030505@lundman.net> <55126655.30109@redhat.com> <551351F8.5070508@lundman.net> <5513D7D6.7070408@redhat.com> <551B875D.8070104@lundman.net>
Message-ID: <551BEEC3.8040404@redhat.com>

On 1.4.2015 07:51, Jorgen Lundman wrote:
>
>> Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
>> there is 1:1 mapping between DNS name<->LDAP DN. This makes implementation of
>> dynamic updates much easier.
>
> Well, you weren't wrong there. :) I did try a few different solutions,
> first letting ARecord/NSRecord trickle in after SOA setup is done. But that
> did not fit well with some of the checks. (diff tests of SOA updates need
> to be tuples etc, SOA is handled much more strictly), you can't "just"
> re-register/update a zone as easily as records.. and so on.
>
> In the end, I went for the change where, before calling "update_zone()", I
> query DLZ for the additional information needed for the SOA record.
> ARecord/NSRecord etc, then tag those onto the "entry->attrs" list.
This > fits better with bind-dyndb-ldap existing framework, and only makes it > worse for DLZ users. > > In addition to creating src/schema.h - to define the name of the common > ldap attributes based on WITH_DLZ_SCHEMA. > > Annoyingly, DLZ Schema reuses the generic "DNSData" for a lot of things, so > "one large search" just overwrote previous attributes - sigh. > > So, I was forced to do single individual ldapqueries for each > ARecord/NSRecord/... type, then call finally update_zone(). > > Some additional mapping for update_record() as well, to map things like > DNSIPAddr -> ARecord was needed. > > > > > 01-Apr-2015 12:09:13.601 ldap_entry_create dn is > 'DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp' > 01-Apr-2015 12:09:13.601 Attempting to pre-populate zone: dn > DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp > 01-Apr-2015 12:09:13.602 Adding 'DNSData' -> 'NSRecord' mapping here > 01-Apr-2015 12:09:13.603 Adding 'DNSIPAddr' -> 'ARecord' mapping here > > 01-Apr-2015 12:09:13.606 fakesoa is 'hostmaster.example.com > dns01.example.com. 20081028 3600 300 3600000 600 ' > > 01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'DNSPrimaryNS' > 01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'NSRecord' > 01-Apr-2015 12:09:13.606 Matched 'DNSPrimaryNS' to 'dns01.example.com.' > > 01-Apr-2015 12:09:13.606 DLZ attrib scam map 'soa' + 'ARecord' > 01-Apr-2015 12:09:13.606 ldap_entry_nextrdtype: checking 'ARecord' on dn > DNSRecord=SOA,DNSHostName=@,DNSZoneName=example.com,ou=dns,dc=test,dc=jp > 01-Apr-2015 12:09:13.606 dns_rdatatype_fromtext GOOD attr 'ARecord' > > 01-Apr-2015 12:09:13.606 leaving ldap_parse_rrentry > 01-Apr-2015 12:09:13.606 make sure we have NS record here? > 01-Apr-2015 12:09:13.606 diff.c:185: unexpected error: > 01-Apr-2015 12:09:13.606 unexpected non-minimal diff I guess that minimal diff can contain only one del + add operation for arbitrary (name, RR type, data) combination. 
Maybe you are adding NS which is already in there or something like that. > 01-Apr-2015 12:09:13.606 ldap_entry_create dn is > 'DNSRecord=A,DNSHostName=pop,DNSZoneName=example.com,ou=dns,dc=test,dc=jp' > > 01-Apr-2015 12:09:13.607 DLZ attrib scam map 'A' + 'DNSIPAddr' > 01-Apr-2015 12:09:13.607 dns_rdatatype_fromtext GOOD attr 'ARecord' > 01-Apr-2015 12:09:13.607 Matched 'DNSIPAddr' to '210.157.5.28' > > 01-Apr-2015 12:09:13.607 zone example.com/IN: loaded serial 1427857753 > > > > > > # dig -p5353 @0 example.com any > > ; <<>> DiG 9.6-ESV-R8 <<>> -p5353 @0 example.com any > ; (1 server found) > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22383 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 > ;; WARNING: recursion requested but not available > > ;; QUESTION SECTION: > ;example.com. IN ANY > > ;; ANSWER SECTION: > example.com. 600 IN A 210.157.5.35 > example.com. 600 IN NS dns01.example.com. > example.com. 600 IN SOA hostmaster.example.com.example.com. > dns01.example.com. 1427857753 3600 300 3600000 600 > > > Not entirely sure why I trip on the "unexpected non-minimal diff" INSIST. I > had to comment it out. > > Obviously still very much hack'n'slash, to get a feel for what is involved. Thank you for letting us know. (It is worse than I expected :-) Anyway, let me know if you have some specific questions about bind-dyndb-ldap. > We could also change the schema of course, at least long term. That sounds like a good idea, unless you want to get crazy from maintenance of this hybrid. 
--
Petr^2 Spacek

From abokovoy at redhat.com Wed Apr 1 13:14:10 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 1 Apr 2015 16:14:10 +0300
Subject: [Freeipa-users] OTP integrations
In-Reply-To:
References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com>
Message-ID: <20150401131410.GW3878@redhat.com>

On Wed, 01 Apr 2015, Andrew Holway wrote:
>Please could someone explain to me what is happening internally?
>
>In my head I have the following process....
>
>The openvpn pam module sends the username and password to pam.
>Pam passes this onto sssd
>sssd then does the kerberos thing
>kerberos passes the password to the LDAP
KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
binds to IPA LDAP to verify the password

>some LDAP module takes the password from the database, appends on the OTP
>and actually does the auth...
Yes, the rest is correct.

http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture of
"the Kerberos thing"

--
/ Alexander Bokovoy

From rcritten at redhat.com Wed Apr 1 13:40:34 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Apr 2015 09:40:34 -0400
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To:
References: <551BA01F.8030707@redhat.com> <551BD53E.8070203@redhat.com> <551BDF54.9070703@redhat.com>
Message-ID: <551BF552.4000200@redhat.com>

Traiano Welcome wrote:
> Hi Dmitri
>
> This is a freshly generated DS log (sanitized: XYZ = realm):
>
> 389-Directory/1.3.1.6 B2014.160.2139
> lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)
>
> [01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
> [01/Apr/2015:15:19:01 +0300] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=xyz,dc=local
> [01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which should be added before the CoS Definition.
> [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - CleanAllRUV Task: cleanAllRUV task found, resuming the cleaning of rid(6)...
> [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not send > startTLS request: error -1 (Can't contact LDAP server) errno 0 > (Success) > [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - > agmt="cn=masterAgreement1-lolospr-xyz-slve.xyz.local-pki-tomcat" > (lolospr-xyz-slve:389): Replication bind with SIMPLE auth failed: LDAP > error -1 (Can't contact LDAP server) () > [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial > credentials for principal [ldap/lolpr-xyz-mstr@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial > credentials for principal [ldap/lolpr-xyz-mstr@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [01/Apr/2015:15:19:02 +0300] - Skipping CoS Definition cn=Password > Policy,cn=accounts,dc=xyz,dc=local--no CoS Templates found, which > should be added before the CoS Definition. > [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial > credentials for principal [ldap/lolpr-xyz-mstr@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 2 (No such file or directory) > [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism [GSSAPI]: > error -2 (Local error) > [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - > agmt="cn=meTololard-xyz-slve.xyz.local" (lolard-xyz-slve:389): > Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
> Minor code may provide more information (No Kerberos credentials > available)) > [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial > credentials for principal [ldap/lolpr-xyz-mstr@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -1 (Can't contact LDAP server) ((null)) errno 0 (Success) > [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism [GSSAPI]: > error -1 (Can't contact LDAP server) > [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - > agmt="cn=meTololospr-xyz-slve.xyz.local" (lolospr-xyz-slve:389): > Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact > LDAP server) () > [01/Apr/2015:15:19:02 +0300] - slapd started. Listening on All > Interfaces port 389 for LDAP requests > [01/Apr/2015:15:19:02 +0300] - Listening on All Interfaces port 636 > for LDAPS requests > [01/Apr/2015:15:19:02 +0300] - Listening on > /var/run/slapd-XYZ-LOCAL.socket for LDAPI requests > [01/Apr/2015:15:19:02 +0300] set_krb5_creds - Could not get initial > credentials for principal [ldap/lolpr-xyz-mstr@] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism [GSSAPI]: > error -2 (Local error) > [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - > agmt="cn=meTololpr-xyz-slve.xyz.local" (lolpr-xyz-slve:389): > Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > Minor code may provide more information (No Kerberos credentials > available)) > [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. Minor code may provide more information (No Kerberos > credentials available)) errno 0 (Success) > [01/Apr/2015:15:19:02 +0300] slapi_ldap_bind - Error: could not > perform interactive bind for id [] authentication mechanism [GSSAPI]: > error -2 (Local error) > [01/Apr/2015:15:19:02 +0300] NSMMReplicationPlugin - > agmt="cn=meToukpr-xyz-slve.xyz.local" (ukpr-xyz-slve:389): Replication > bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > generic failure: GSSAPI Error: Unspecified GSS failure. Minor code > may provide more information (No Kerberos credentials available)) > [01/Apr/2015:15:19:02 +0300] slapd_ldap_sasl_interactive_bind - Error: > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > GSS failure. 
Minor code may provide more information (No Kerberos credentials available))
> [01/Apr/2015:15:19:04 +0300] - slapd shutting down - signaling operation threads
> [01/Apr/2015:15:19:04 +0300] - slapd shutting down - closing down internal subsystems and plugins
> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Cleaning rid (6)...
> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting to process all the updates from the deleted replica...
> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to be online...
> [01/Apr/2015:15:19:05 +0300] NSMMReplicationPlugin - CleanAllRUV Task: Server shutting down. Process will resume at server startup
> [01/Apr/2015:15:19:05 +0300] - Waiting for 4 database threads to stop
> [01/Apr/2015:15:19:05 +0300] - All database threads now stopped
> [01/Apr/2015:15:19:05 +0300] - slapd stopped.

At least some of this noise is expected. When 389-ds starts it has no
ccache, logs about it, then goes about getting one. At the same time
replication agreements are starting and if the credentials haven't been
obtained yet, those fail as well. It all (usually) ends up syncing back
up within a few seconds.

Do you have an entry for this machine in /etc/hosts? If so, is the FQDN
first? If not it should be.

rob

From traiano at gmail.com Wed Apr 1 14:09:24 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Wed, 1 Apr 2015 17:09:24 +0300
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: <551BF552.4000200@redhat.com>
References: <551BA01F.8030707@redhat.com> <551BD53E.8070203@redhat.com> <551BDF54.9070703@redhat.com> <551BF552.4000200@redhat.com>
Message-ID:

Dude. You rock :-) That was it !! All the entries were the wrong way round
(not sure how I missed that ... time for a visit to the optometrists)

Beer is in the mail! And thanks to all @redhat for an excellent piece of
software and for all the help today!
From mkosek at redhat.com Wed Apr 1 14:17:44 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 16:17:44 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To:
References: <2588793.PXhtNmgmCt@shdehenw2471>
Message-ID: <551BFE08.8090602@redhat.com>

Hmm, really? The port 8443 is already checked in FreeIPA 4.0.4 or later, based
on this ticket:

https://fedorahosted.org/freeipa/ticket/4564

If your installation crashed because port 8443 was occupied, the fix 4564 is
either incomplete or non-functional and we should fix it.

On 04/01/2015 01:38 PM, Roberto Cornacchia wrote:
> I had this error during my first installation. It turned out the problem
> was that port 8443 was already used by another process.
>
> Roberto
>
> On 31 March 2015 at 19:54, Markus Roth wrote:
>
>> Hi all,
>>
>> I want to set up freeipa 4.1.3 on a freshly installed Fedora 21.
>> The ipa-server-install shows the following output:
>>
>> configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv): Estimated time 1 minute >> [1/38]: creating directory server user >> [2/38]: creating directory server instance >> [3/38]: adding default schema >> [4/38]: enabling memberof plugin >> [5/38]: enabling winsync plugin >> [6/38]: configuring replication version plugin >> [7/38]: enabling IPA enrollment plugin >> [8/38]: enabling ldapi >> [9/38]: configuring uniqueness plugin >> [10/38]: configuring uuid plugin >> [11/38]: configuring modrdn plugin >> [12/38]: configuring DNS plugin >> [13/38]: enabling entryUSN plugin >> [14/38]: configuring lockout plugin >> [15/38]: creating indices >> [16/38]: enabling referential integrity plugin >> [17/38]: configuring certmap.conf >> [18/38]: configure autobind for root >> [19/38]: configure new location for managed entries >> [20/38]: configure dirsrv ccache >> [21/38]: enable SASL mapping fallback >> [22/38]: restarting directory server >> [23/38]: adding default layout >> [24/38]: adding delegation layout >> [25/38]: creating container for managed entries >> [26/38]: configuring user private groups >> [27/38]: configuring netgroups from hostgroups >> [28/38]: creating default Sudo bind user >> [29/38]: creating default Auto Member layout >> [30/38]: adding range check plugin >> [31/38]: creating default HBAC rule allow_all >> [32/38]: initializing group membership >> [33/38]: adding master entry >> [34/38]: configuring Posix uid/gid generation >> [35/38]: adding replication acis >> [36/38]: enabling compatibility plugin >> [37/38]: tuning directory server >> [38/38]: configuring directory to start on boot >> Done configuring directory server (dirsrv). 
>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 >> seconds >> [1/27]: creating certificate server user >> [2/27]: configuring certificate server instance >> [3/27]: stopping certificate server instance to update CS.cfg >> [4/27]: backing up CS.cfg >> [5/27]: disabling nonces >> [6/27]: set up CRL publishing >> [7/27]: enable PKIX certificate path discovery and validation >> [8/27]: starting certificate server instance >> [error] RuntimeError: CA did not start in 300.0s >> CA did not start in 300.0s >> >> The ipa server install log shows this: >> >> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted >> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... >> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 382, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 372, in run_step >> method() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 526, in __start >> self.start() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 279, in start >> self.service.start(instance_name, capture_output=capture_output, >> wait=wait) >> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", >> line >> 229, in start >> self.wait_until_running() >> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", >> line >> 223, in wait_until_running >> raise RuntimeError('CA did not start in %ss' % timeout) >> RuntimeError: CA did not start in 300.0s >> >> 2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in >> 300.0s >> 2015-03-31T17:39:36Z DEBUG File "/usr/lib/python2.7/site- >> packages/ipaserver/install/installutils.py", line 642, in run_script >> return_value = main_function() >> >> File "/usr/sbin/ipa-server-install", line 1183, in main >> 
ca_signing_algorithm=options.ca_signing_algorithm) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 520, in configure_instance >> self.start_creation(runtime=210) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 382, in start_creation >> run_step(full_msg, method) >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 372, in run_step >> method() >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", >> line 526, in __start >> self.start() >> >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >> line >> 279, in start >> self.service.start(instance_name, capture_output=capture_output, >> wait=wait) >> >> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", >> line >> 229, in start >> self.wait_until_running() >> >> File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", >> line >> 223, in wait_until_running >> raise RuntimeError('CA did not start in %ss' % timeout) >> >> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, >> exception: >> RuntimeError: CA did not start in 300.0s >> >> I uninstalled the ipa server completely several times and installed it >> again. >> But it always stops at the same step with the setup. >> >> Can anybody help? >> >> Markus. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > > From janellenicole80 at gmail.com Wed Apr 1 14:29:55 2015 From: janellenicole80 at gmail.com (Janelle) Date: Wed, 01 Apr 2015 07:29:55 -0700 Subject: [Freeipa-users] RUVs Message-ID: <551C00E3.70104@gmail.com> Hello again, This is a more general question as I am new to "dirsrv" a bit. 
I have read through a lot of the docs, including 389-ds, but with regards to
IPA, well, I am not 100% clear and perhaps this could help others in the future.

Are there guidelines or suggestions for RUVs and cleaning and how to know when
you are actually seeing a problem that needs to be fixed? In a good system, for
example, my 8 servers, if there are no issues, what would I expect to see from
a "list-ruv"? What errors would indicate the need to run a "clean-ruv id"?

I am thinking if there was a write-up or FAQ for this, it would go a long way
to helping new admins with FreeIPA in understanding all of this. Just a
suggestion.

Thank you
~J

From roberto.cornacchia at gmail.com Wed Apr 1 14:31:40 2015
From: roberto.cornacchia at gmail.com (Roberto Cornacchia)
Date: Wed, 1 Apr 2015 16:31:40 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <551BFE08.8090602@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <551BFE08.8090602@redhat.com>
Message-ID:

Unfortunately I don't have the log anymore, as it was overwritten by the
following successful installation.

But the personal log I kept manually says (this was freeIPA 4.1.2):

...
Restarting the directory server
Restarting the KDC
Restarting the certificate server
CA did not start in 300.0s

It seems that Stash was already using port 8443.
Changed Stash configuration and (just to be sure) stopped both Jira and Stash
before attempting again.
Ran $ ipa-server-install --uninstall and tried installation again. Succeeded:

On 1 April 2015 at 16:17, Martin Kosek wrote:
> Hmm, really? The port 8443 is already checked in FreeIPA 4.0.4 or later, based
> on this ticket:
>
> https://fedorahosted.org/freeipa/ticket/4564
>
> If your installation crashed because port 8443 was occupied, the fix 4564 is
> either incomplete or non-functional and we should fix it.
>
> On 04/01/2015 01:38 PM, Roberto Cornacchia wrote:
> > I had this error during my first installation.
It turned out the problem > > was that port 8443 was already used by another process. > > > > Roberto > > > > On 31 March 2015 at 19:54, Markus Roth wrote: > > > >> Hi all, > >> > >> I want setup freeipa 4.1.3 on a fresh installed fedora 21. > >> The ipa-server-install shows the following output: > >> > >> configuring NTP daemon (ntpd) > >> [1/4]: stopping ntpd > >> [2/4]: writing configuration > >> [3/4]: configuring ntpd to start on boot > >> [4/4]: starting ntpd > >> Done configuring NTP daemon (ntpd). > >> Configuring directory server (dirsrv): Estimated time 1 minute > >> [1/38]: creating directory server user > >> [2/38]: creating directory server instance > >> [3/38]: adding default schema > >> [4/38]: enabling memberof plugin > >> [5/38]: enabling winsync plugin > >> [6/38]: configuring replication version plugin > >> [7/38]: enabling IPA enrollment plugin > >> [8/38]: enabling ldapi > >> [9/38]: configuring uniqueness plugin > >> [10/38]: configuring uuid plugin > >> [11/38]: configuring modrdn plugin > >> [12/38]: configuring DNS plugin > >> [13/38]: enabling entryUSN plugin > >> [14/38]: configuring lockout plugin > >> [15/38]: creating indices > >> [16/38]: enabling referential integrity plugin > >> [17/38]: configuring certmap.conf > >> [18/38]: configure autobind for root > >> [19/38]: configure new location for managed entries > >> [20/38]: configure dirsrv ccache > >> [21/38]: enable SASL mapping fallback > >> [22/38]: restarting directory server > >> [23/38]: adding default layout > >> [24/38]: adding delegation layout > >> [25/38]: creating container for managed entries > >> [26/38]: configuring user private groups > >> [27/38]: configuring netgroups from hostgroups > >> [28/38]: creating default Sudo bind user > >> [29/38]: creating default Auto Member layout > >> [30/38]: adding range check plugin > >> [31/38]: creating default HBAC rule allow_all > >> [32/38]: initializing group membership > >> [33/38]: adding master entry > >> [34/38]: 
configuring Posix uid/gid generation > >> [35/38]: adding replication acis > >> [36/38]: enabling compatibility plugin > >> [37/38]: tuning directory server > >> [38/38]: configuring directory to start on boot > >> Done configuring directory server (dirsrv). > >> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes > 30 > >> seconds > >> [1/27]: creating certificate server user > >> [2/27]: configuring certificate server instance > >> [3/27]: stopping certificate server instance to update CS.cfg > >> [4/27]: backing up CS.cfg > >> [5/27]: disabling nonces > >> [6/27]: set up CRL publishing > >> [7/27]: enable PKIX certificate path discovery and validation > >> [8/27]: starting certificate server instance > >> [error] RuntimeError: CA did not start in 300.0s > >> CA did not start in 300.0s > >> > >> The ipa server install log shows this: > >> > >> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > >> 2015-03-31T17:39:36Z DEBUG Traceback (most recent call last): > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 382, in start_creation > >> run_step(full_msg, method) > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 372, in run_step > >> method() > >> File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >> line 526, in __start > >> self.start() > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 279, in start > >> self.service.start(instance_name, capture_output=capture_output, > >> wait=wait) > >> File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > >> line > >> 229, in start > >> self.wait_until_running() > >> File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > >> line > >> 223, in wait_until_running > >> raise RuntimeError('CA did not start in %ss' % timeout) > >> RuntimeError: CA did not 
start in 300.0s > >> > >> 2015-03-31T17:39:36Z DEBUG [error] RuntimeError: CA did not start in > >> 300.0s > >> 2015-03-31T17:39:36Z DEBUG File "/usr/lib/python2.7/site- > >> packages/ipaserver/install/installutils.py", line 642, in run_script > >> return_value = main_function() > >> > >> File "/usr/sbin/ipa-server-install", line 1183, in main > >> ca_signing_algorithm=options.ca_signing_algorithm) > >> > >> File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >> line 520, in configure_instance > >> self.start_creation(runtime=210) > >> > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 382, in start_creation > >> run_step(full_msg, method) > >> > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 372, in run_step > >> method() > >> > >> File > "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > >> line 526, in __start > >> self.start() > >> > >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > >> line > >> 279, in start > >> self.service.start(instance_name, capture_output=capture_output, > >> wait=wait) > >> > >> File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > >> line > >> 229, in start > >> self.wait_until_running() > >> > >> File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > >> line > >> 223, in wait_until_running > >> raise RuntimeError('CA did not start in %ss' % timeout) > >> > >> 2015-03-31T17:39:36Z DEBUG The ipa-server-install command failed, > >> exception: > >> RuntimeError: CA did not start in 300.0s > >> > >> I uninstalled the ipa server completely several times and installed it > >> again. > >> But it always stops at the same step with the setup. > >> > >> Can anybody help? > >> > >> Markus. 
From lkrispen at redhat.com Wed Apr 1 14:49:58 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 01 Apr 2015 16:49:58 +0200 Subject: [Freeipa-users] RUVs In-Reply-To: <551C00E3.70104@gmail.com> References: <551C00E3.70104@gmail.com> Message-ID: <551C0596.2090700@redhat.com>

Hi,

a RUV (replica update vector) is a structure which on each server maintains a state of updates it has seen from any other server; it is used in a replication session to determine which updates have to be sent. Normally you don't need to deal with it; only if you remove a replica is it advisable to remove the references to the no longer existing server using clean ruv.

Ludwig

On 04/01/2015 04:29 PM, Janelle wrote:
> Hello again,
>
> This is a more general question as I am new to "dirsrv" a bit. I have read through a lot of the docs, including 389-ds, but with regards to IPA, well, I am not 100% clear and perhaps this could help others in the future.
>
> Are there guidelines or suggestions for RUVs and cleaning and how to know when you are actually seeing a problem that needs to be fixed? In a good system, for example, my 8 servers, if there are no issues, what would I expect to see from a "list-ruv"? What errors would indicate the need to run a "clean-ruv id"?
>
> I am thinking if there was a write up or FAQ for this, it would go a long way to helping new admins with FreeIPA in understanding all of this. Just a suggestion.
> Thank you
> ~J

From rcritten at redhat.com Wed Apr 1 14:55:52 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 01 Apr 2015 10:55:52 -0400 Subject: [Freeipa-users] RUVs In-Reply-To: <551C0596.2090700@redhat.com> References: <551C00E3.70104@gmail.com> <551C0596.2090700@redhat.com> Message-ID: <551C06F8.6080809@redhat.com>

Ludwig Krispenz wrote:
> Hi,
>
> a RUV (replica update vector) is a structure which on each server maintains a state of updates it has seen from any other server; it is used in a replication session to determine which updates have to be sent. Normally you don't need to deal with it; only if you remove a replica is it advisable to remove the references to the no longer existing server using clean ruv.

The clean-ruv should be done as part of replica removal these days. The separate commands are there for when things go bump in the night.

rob

> Ludwig
> On 04/01/2015 04:29 PM, Janelle wrote:
>> Hello again,
>>
>> This is a more general question as I am new to "dirsrv" a bit. I have read through a lot of the docs, including 389-ds, but with regards to IPA, well, I am not 100% clear and perhaps this could help others in the future.
>>
>> Are there guidelines or suggestions for RUVs and cleaning and how to know when you are actually seeing a problem that needs to be fixed? In a good system, for example, my 8 servers, if there are no issues, what would I expect to see from a "list-ruv"? What errors would indicate the need to run a "clean-ruv id"?
>>
>> I am thinking if there was a write up or FAQ for this, it would go a long way to helping new admins with FreeIPA in understanding all of this. Just a suggestion.
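A way to turn Ludwig's and Rob's answers into the check Janelle asked for (what a healthy list-ruv looks like, and when an ID needs clean-ruv). This is an added example, not code from the thread or from FreeIPA: it parses the raw nsds50ruv values that `ipa-replica-manage list-ruv` summarises, flags replica IDs whose host is no longer a master (the only case the replies above say warrants clean-ruv), and decodes each replica's maxCSN timestamp to show how far behind it is. The RUV values, hostnames and replica IDs are constructed sample data, and the list of live masters is assumed to be supplied by the caller (in production take it from `ipa-replica-manage list`).

```python
"""Added example (not code from the thread or from FreeIPA): decide whether a
389-ds RUV needs cleaning.

Assumptions (not from the thread): the nsds50ruv values below are constructed
sample data, and the set of live masters is supplied by the caller."""
import re
from datetime import datetime, timezone

# One RUV element: {replica <rid> ldap://<host>:<port>} <minCSN> <maxCSN>
# A CSN is 20 hex chars: 8 timestamp, 4 seqnum, 4 replica id, 4 subseqnum.
RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+) ldap://(?P<host>[^:]+):(?P<port>\d+)\}"
    r"(?: (?P<mincsn>[0-9a-f]{20}))?(?: (?P<maxcsn>[0-9a-f]{20}))?"
)


def parse_ruv(values):
    """Return a list of dicts for the {replica ...} elements of nsds50ruv."""
    elements = []
    for value in values:
        m = RUV_RE.match(value.strip())
        if not m:  # {replicageneration} and anything unknown is skipped
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        elements.append(d)
    return elements


def csn_time(csn):
    """Decode the timestamp field of a CSN as UTC."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def stale_replica_ids(ruv_elements, live_masters):
    """Replica IDs still referenced by the RUV whose host is not a master any more.
    These are the candidates for `ipa-replica-manage clean-ruv <rid>`."""
    live = {h.lower() for h in live_masters}
    return sorted(e["rid"] for e in ruv_elements if e["host"].lower() not in live)


def replica_lag_seconds(ruv_elements):
    """Seconds between the newest maxCSN in the RUV and each replica's own maxCSN.
    A replica with no maxCSN yet (never sent an update) is reported as None."""
    times = {e["rid"]: csn_time(e["maxcsn"]) for e in ruv_elements if e["maxcsn"]}
    if not times:
        return {}
    newest = max(times.values())
    return {e["rid"]: (newest - times[e["rid"]]).total_seconds()
            if e["rid"] in times else None
            for e in ruv_elements}


# Constructed sample: three current masters plus a reference to a server
# (rid 7) that was removed without clean-ruv.
SAMPLE_RUV = [
    "{replicageneration} 54f8a1c2000000040000",
    "{replica 4 ldap://ipa1.example.com:389} 5513d7d6000000040000 551c0596000000040000",
    "{replica 5 ldap://ipa2.example.com:389} 5513d8e0000000050000 551c0550000000050000",
    "{replica 6 ldap://ipa3.example.com:389} 5513d9f1000000060000 551c0596000100060000",
    "{replica 7 ldap://old.example.com:389} 5513daa2000000070000 5519a000000000070000",
]
SAMPLE_MASTERS = ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"]

if __name__ == "__main__":
    elements = parse_ruv(SAMPLE_RUV)
    print("replica ids to clean:", stale_replica_ids(elements, SAMPLE_MASTERS))
    for rid, lag in replica_lag_seconds(elements).items():
        print(f"replica {rid}: {lag}s behind the newest update")
```

On a healthy deployment `stale_replica_ids` is empty and the lag values are small and shrinking between runs; a replica ID that keeps a large, constant lag and belongs to a host you have decommissioned is the one to clean.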
>> Thank you
>> ~J

From luiz.vianna at tivit.com.br Wed Apr 1 15:14:16 2015 From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva) Date: Wed, 1 Apr 2015 15:14:16 +0000 Subject: [Freeipa-users] Expired password change on AIX Client Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040CD102@rctr246>

Hello All.

I've searched the archives of this mailing list looking for an answer for this one, but all I found lead me nowhere.

Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.

Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:

-bash-4.2$ ssh teste at localhost
################################################################################
# NICE MOTD
################################################################################
teste at localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*******************************************************************************
################################################################################
# NICE MOTD
################################################################################
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "teste"
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it in error, please return it to the sender and delete it from your files. Any unauthorized use, copying or dissemination of this message or any part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

From andrew.holway at gmail.com Wed Apr 1 15:46:55 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Wed, 1 Apr 2015 17:46:55 +0200 Subject: [Freeipa-users] OTP integrations In-Reply-To: <20150401131410.GW3878@redhat.com> References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com> <20150401131410.GW3878@redhat.com> Message-ID:

Thanks Alexander.

What happens to the passwords? Are they hashed by Kerberos?

On 1 April 2015 at 15:14, Alexander Bokovoy wrote:
> On Wed, 01 Apr 2015, Andrew Holway wrote:
>> Please could someone explain to me what is happening internally?
>>
>> In my head I have the following process....
>>
>> The openvpn pam module sends the username and password to pam.
>> Pam passes this onto sssd
>> sssd then does the kerberos thing
>> kerberos passes the password to the LDAP
>>
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then binds to IPA LDAP to verify the password
>
>> some LDAP module takes the password from the database, appends on the OTP and actually does the auth...
>>
> Yes, the rest is correct.
> > http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture > from on "the Kerberos thing" > > > >> >> On 1 April 2015 at 13:15, Andrew Holway wrote: >> >> >>> It is simple to configure OpenVPN with authentication against FreeIPA >>>>> in >>>>> >>>> Fedora 21, all the heavy lifting is done by SSSD: >>>> >>>> >>> I have to say that this sssd / pam method is working very very well. >>> >>> I do however need to get my head around radius. Something for a rainy >>> sunday I think :). >>> >>> >>> >>> >>> >>>> # grep plugin /etc/openvpn/server.conf >>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn >>>> login USERNAME password PASSWORD" >>>> >>>> # LANG=C ls -l /etc/pam.d/openvpn lrwxrwxrwx. 1 root root 11 Apr 1 >>>> 10:55 >>>> /etc/pam.d/openvpn -> system-auth >>>> >>>> # LANG=C ipa user-show vpnuser >>>> User login: vpnuser >>>> First name: VPN >>>> Last name: TestUser >>>> Home directory: /home/vpnuser >>>> Login shell: /bin/sh >>>> Email address: vpnuser at example.com >>>> UID: 1792600005 >>>> GID: 1792600005 >>>> Account disabled: False >>>> User authentication types: otp >>>> Password: True >>>> Member of groups: ipausers >>>> Kerberos keys available: True >>>> >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> received command code: 0 >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> USER: vpnuser >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> my_conv[0] query='login:' style=2 >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> name match found, query/match-string ['login:', 'login'] = 'USERNAME' >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> my_conv[0] query='Password: ' style=1 >>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: >>>> name match found, query/match-string ['Password: ', 'password'] = >>>> 'PASSWORD' >>>> Apr 01 11:24:50 ipa.example.com 
openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>
> --
> / Alexander Bokovoy

From dpal at redhat.com Wed Apr 1 16:21:18 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 01 Apr 2015 12:21:18 -0400 Subject: [Freeipa-users] OTP integrations In-Reply-To: References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com> <20150401131410.GW3878@redhat.com> Message-ID: <551C1AFE.5090405@redhat.com>

On 04/01/2015 11:46 AM, Andrew Holway wrote:
> Thanks Alexander.
>
> What happens to the passwords? Are they hashed by Kerberos?

Yes. But stored in LDAP.

> On 1 April 2015 at 15:14, Alexander Bokovoy wrote:
> > On Wed, 01 Apr 2015, Andrew Holway wrote:
> > Please could someone explain to me what is happening internally?
> > In my head I have the following process....
> > The openvpn pam module sends the username and password to pam.
> Pam passes this onto sssd > sssd then does the kerberos thing > kerberos passes the password to the LDAP > > KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) > which then > binds to IPA LDAP to verify the password > > some LDAP module takes the password from the database, appends > on the OTP > and actually does the auth... > > Yes, the rest is correct. > > http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture > from on "the Kerberos thing" > > > > > On 1 April 2015 at 13:15, Andrew Holway > > wrote: > > > It is simple to configure OpenVPN with > authentication against FreeIPA in > > Fedora 21, all the heavy lifting is done by SSSD: > > > I have to say that this sssd / pam method is working very > very well. > > I do however need to get my head around radius. Something > for a rainy > sunday I think :). > > > > > > # grep plugin /etc/openvpn/server.conf > plugin > /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so > "openvpn > login USERNAME password PASSWORD" > > # LANG=C ls -l /etc/pam.d/openvpn lrwxrwxrwx. 
1 root > root 11 Apr 1 10:55 > /etc/pam.d/openvpn -> system-auth > > # LANG=C ipa user-show vpnuser > User login: vpnuser > First name: VPN > Last name: TestUser > Home directory: /home/vpnuser > Login shell: /bin/sh > Email address: vpnuser at example.com > > UID: 1792600005 > GID: 1792600005 > Account disabled: False > User authentication types: otp > Password: True > Member of groups: ipausers > Kerberos keys available: True > > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > received command code: 0 > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > USER: vpnuser > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > my_conv[0] query='login:' style=2 > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > name match found, query/match-string ['login:', > 'login'] = 'USERNAME' > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > my_conv[0] query='Password: ' style=1 > Apr 01 11:24:50 ipa.example.com > openvpn[29723]: AUTH-PAM: > BACKGROUND: > name match found, query/match-string ['Password: ', > 'password'] = 'PASSWORD' > Apr 01 11:24:50 ipa.example.com > openvpn[29724]: > pam_unix(openvpn:auth): > authentication failure; logname= uid=0 euid=0 tty= > ruser= rhost= > user=vpnuser > Apr 01 11:24:53 ipa.example.com > openvpn[29724]: > pam_sss(openvpn:auth): > authentication success; logname= uid=0 euid=0 tty= > ruser= rhost= > user=vpnuser > Apr 01 11:24:55 ipa.example.com > openvpn[29732]: > MY-IP_ADDRESS:50232 > PLUGIN_CALL: POST > /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/ > > PLUGIN_AUTH_USER_PASS_VERIFY status=0 > Apr 01 11:24:55 ipa.example.com > openvpn[29732]: > MY-IP-ADDRESS:50232 TLS: > Username/Password authentication succeeded for > username 'vpnuser' > > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-users mailing > list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to 
http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Wed Apr 1 16:26:42 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 01 Apr 2015 12:26:42 -0400 Subject: [Freeipa-users] Expired password change on AIX Client In-Reply-To: <1B1DB5490C5E3A408CA3086D02CD34FA040CD102@rctr246> References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD102@rctr246> Message-ID: <551C1C42.3030409@redhat.com>

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
> Hello All.
>
> I've searched the archives of this mailing list looking for an answer for this one, but all I found lead me nowhere.
>
> Closest thread to help me was: https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html
>
> Has anyone figured out a way to have expired password changes work on AIX clients?
>
> I have tried adding "kpasswd_protocol = SET_CHANGE" as well as "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them worked.
>
> Here is the output from an ssh test session for user "teste" on an AIX 7.1 machine:
>
> -bash-4.2$ ssh teste at localhost
> ################################################################################
> # NICE MOTD
> ################################################################################
> teste at localhost's password:
> [KRB5]: 3004-332 Your password has expired.
> 3004-333 A password change is required.
> [KRB5]: 3004-332 Your password has expired.
> *******************************************************************************
> *                                                                             *
> *  Welcome to AIX Version 7.1!                                                *
> *                                                                             *
> *  Please see the README file in /usr/lpp/bos for information pertinent to    *
> *  this release of the AIX Operating System.                                  *
> *                                                                             *
> *******************************************************************************
> ################################################################################
> # NICE MOTD
> ################################################################################
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "teste"
> teste's Old password:
> teste's New password:
> Enter the new password again:
> 3004-604 Your entry does not match the old password.
> Connection to localhost closed.
> -bash-4.2$

So you are setting up an AIX client using Kerberos against an IPA server and trying to log in with a user that has an expired password. Did I get it right?

What version of the server are you using?
How does your Kerberos configuration look on the client?
What does the KDC log show?

> Atenciosamente/Best Regards
> __________________________________________
> Luiz Fernando Vianna da Silva
> ITM-I - Operação Cielo
> +55 (11) 3626-7126
> luiz.vianna at tivit.com.br
> T I V I T
> Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
> São Paulo - SP - CEP 05804-900
> www.tivit.com.br
>
> This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it in error, please return it to the sender and delete it from your files. Any unauthorized use, copying or dissemination of this message or any part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From andrew.holway at gmail.com Wed Apr 1 16:29:51 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Wed, 1 Apr 2015 18:29:51 +0200 Subject: [Freeipa-users] OTP integrations In-Reply-To: <551C1AFE.5090405@redhat.com> References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com> <20150401131410.GW3878@redhat.com> <551C1AFE.5090405@redhat.com> Message-ID:

> Yes. But stored in LDAP.

Stored in LDAP salted I assume?

From bentech4you at gmail.com Wed Apr 1 16:32:20 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Wed, 1 Apr 2015 19:32:20 +0300 Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login." Message-ID:

Hi

I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1

everything is working including AD trust.

but my web interface always giving "Your session has expired. Please re-login."

I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it got worked.

but now I did all the exercises and still not working

Has anyone solved this issue? Or is this a known bug?

If I open the page from the Chrome browser, I am getting another login screen like .htaccess login. If I give the password, it is re-appearing again

Regards,
Ben

From dpal at redhat.com Wed Apr 1 16:33:04 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 01 Apr 2015 12:33:04 -0400 Subject: [Freeipa-users] OTP integrations In-Reply-To: References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com> <20150401131410.GW3878@redhat.com> <551C1AFE.5090405@redhat.com> Message-ID: <551C1DC0.6050709@redhat.com>

On 04/01/2015 12:29 PM, Andrew Holway wrote:
> > Yes. But stored in LDAP.
>
> Stored in LDAP salted I assume?

Yes. As the standard prescribes.

--
Thank you,
Dmitri Pal
Sr.
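What "salted, as the standard prescribes" means for a Kerberos long-term key, as an added example (not code from the thread, from FreeIPA or from MIT Kerberos): the first half of the RFC 3962 string-to-key function for the AES enctypes. The salt is not a random value stored beside the hash; by default it is the realm name followed by the principal's name components, so the same password yields a different key for every principal and realm, and an attacker who obtains the key table cannot reuse one precomputed table across users. The block stops at the PBKDF2 seed; the real enctype then applies DK(seed, "kerberos") with AES, which is omitted here because it needs an AES implementation outside the Python standard library. The principals below are constructed; the "password"/"ATHENA.MIT.EDUraeburn" values in the test are the published RFC 3962 vectors.

```python
"""Added example, not code from the thread or from FreeIPA/MIT Kerberos:
the PBKDF2 step of the RFC 3962 AES string-to-key function, with the
RFC 4120 default salt (realm + principal name components).

Assumption (not from the thread): 4096 iterations is the RFC 3962 default
used when the KDC sends no s2kparams; real deployments may send another."""
import hashlib

DEFAULT_ITERATIONS = 4096


def default_salt(principal):
    """RFC 4120 default salt for 'comp1/comp2@REALM' is REALM + comp1 + comp2."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes128_seed(password, salt, iterations=DEFAULT_ITERATIONS):
    """PBKDF2-HMAC-SHA1(password, salt) truncated to the AES-128 key length.
    The real enctype feeds this seed into DK(seed, "kerberos") before use."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 16)


def keys_for(password, principals, iterations=DEFAULT_ITERATIONS):
    """Map each principal to the hex seed that the same password produces
    for it; every entry differs because the salt differs."""
    return {p: aes128_seed(password, default_salt(p), iterations).hex()
            for p in principals}


if __name__ == "__main__":
    # Constructed principals sharing one password: the salt is what
    # keeps their stored keys distinct.
    demo = keys_for("password", ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM",
                                 "alice@OTHER.COM"])
    for principal, seed in demo.items():
        print(f"{principal:20} salt={default_salt(principal):28} seed={seed}")
```

FreeIPA keeps the resulting keys in the principal's krbPrincipalKey attribute in the Directory Server, encrypted under the KDC master key, which is the "stored in LDAP" part of Dmitri's answer.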
Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Wed Apr 1 16:35:19 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 01 Apr 2015 12:35:19 -0400 Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login." In-Reply-To: References: Message-ID: <551C1E47.7050501@redhat.com>

On 04/01/2015 12:32 PM, Ben .T.George wrote:
> Hi
>
> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>
> everything is working including AD trust.
>
> but my web interface always giving "Your session has expired. Please re-login."
>
> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it got worked.
>
> but now I did all the exercises and still not working
>
> Has anyone solved this issue? Or is this a known bug?
>
> If I open the page from the Chrome browser, I am getting another login screen like .htaccess login. If I give the password, it is re-appearing again
>
> Regards,
> Ben

Have you cleaned your browser cache data?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From bentech4you at gmail.com Wed Apr 1 16:45:10 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Wed, 1 Apr 2015 19:45:10 +0300 Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login." In-Reply-To: <551C1E47.7050501@redhat.com> References: <551C1E47.7050501@redhat.com> Message-ID:

Hi

yes I have cleared the cache,
tried from different browsers, tried from a portable browser, configured the Kerberos plugin in Firefox.

this is what I got from inspect:

http://s9.postimg.org/51c5809xr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal wrote:
> On 04/01/2015 12:32 PM, Ben .T.George wrote:
> > Hi
> >
> > I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
> >
> > everything is working including AD trust.
> >
> > but my web interface always giving "Your session has expired. Please re-login."
> >
> > I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it got worked.
> >
> > but now I did all the exercises and still not working
> >
> > Has anyone solved this issue? Or is this a known bug?
> >
> > If I open the page from the Chrome browser, I am getting another login screen like .htaccess login. If I give the password, it is re-appearing again
> >
> > Regards,
> > Ben
>
> Have you cleaned your browser cache data?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

From janellenicole80 at gmail.com Wed Apr 1 16:52:05 2015 From: janellenicole80 at gmail.com (Janelle) Date: Wed, 01 Apr 2015 09:52:05 -0700 Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login." In-Reply-To: References: Message-ID: <551C2235.5000503@gmail.com>

On 4/1/15 9:32 AM, Ben .T.George wrote:
> Hi
>
> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>
> everything is working including AD trust.
>
> but my web interface always giving "Your session has expired. Please re-login."
> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it got worked.
>
> but now I did all the exercises and still not working
>
> Has anyone solved this issue? Or is this a known bug?
>
> If I open the page from the Chrome browser, I am getting another login screen like .htaccess login. If I give the password, it is re-appearing again
>
> Regards,
> Ben

On a related note regarding browser issues: has anyone else seen a user log in to change their PW, in any browser, from Chrome to Firefox, etc., and with the exception of the top portion of the screen, the details of the user account are blank (white screen below the main header)? They can still use the "pull down" to reset the PW, but everything else seems to be missing.

I have also seen this "Session expired" even when not using a kerberized browser, so if there is a solution, I am looking forward to it.

~J

From bentech4you at gmail.com Wed Apr 1 16:54:55 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Wed, 1 Apr 2015 19:54:55 +0300 Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login." In-Reply-To: References: <551C1E47.7050501@redhat.com> Message-ID:

Hi

I have checked from Chrome and got a 401 error. This is exactly what I reported 3 weeks back :(

http://s1.postimg.org/41ik3o1hr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:45 PM, Ben .T.George wrote:
> Hi
>
> yes I have cleared the cache, tried from different browsers, tried from a portable browser, configured the Kerberos plugin in Firefox.
>
> this is what I got from inspect:
>
> http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Regards,
> Ben
>
> On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal wrote:
>> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>>
>> Hi
>>
>> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>>
>> everything is working including AD trust.
>> but my web interface always giving "Your session has expired. Please re-login."
>>
>> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated again (kinit admin). After that it got worked.
>>
>> but now I did all the exercises and still not working
>>
>> Has anyone solved this issue? Or is this a known bug?
>>
>> If I open the page from the Chrome browser, I am getting another login screen like .htaccess login. If I give the password, it is re-appearing again
>>
>> Regards,
>> Ben
>>
>> Have you cleaned your browser cache data?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

From edewata at redhat.com Wed Apr 1 16:56:38 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Apr 2015 11:56:38 -0500 Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <551B9E47.6090107@redhat.com> References: <2588793.PXhtNmgmCt@shdehenw2471> <551AE032.9090606@redhat.com> <551B9E47.6090107@redhat.com> Message-ID: <551C2346.3040808@redhat.com>

On 4/1/2015 2:29 AM, Martin Kosek wrote:
> On 03/31/2015 07:58 PM, Dmitri Pal wrote:
>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>> Hi all,
>>>
>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
>>> The ipa-server-install shows the following output:
...
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
>>> seconds
>>>   [1/27]: creating certificate server user
>>>   [2/27]: configuring certificate server instance
>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>   [4/27]: backing up CS.cfg
>>>   [5/27]: disabling nonces
>>>   [6/27]: set up CRL publishing
>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>   [8/27]: starting certificate server instance
>>>   [error] RuntimeError: CA did not start in 300.0s
>>> CA did not start in 300.0s
>>>
>>> The ipa server install log shows this:
>>>
>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>>> ...
>>> I uninstalled the ipa server completely several times and installed it again.
>>> But it always stops at the same step with the setup.
>>>
>>> Can anybody help?
>>>
>>> Markus.
>>>
>> Please provide install logs, and look at directory server and PKI server logs
>> created during the installation.
>> It seems that Dogtag did not start. It usually does not start when the DS under
>> it does not start. The logs would show that.
>> DS does not start because of different issues. Can bind to the port for
>> example. So please review the logs and see what they reveal.
>>
>> This might help you with details http://www.freeipa.org/page/Troubleshooting
>
> +1. CCing Dogtag guys for reference.

Based on the IPA install log alone it looks like the DS is already started, and
the Dogtag is already started too in step [3/27]. It's the restart on step
[8/27] that is failing. We will need to see the Dogtag debug log in order to
know if Dogtag is indeed failing to restart or the installer for some reason
cannot connect to Dogtag.

--
Endi S. Dewata

From luiz.vianna at tivit.com.br Wed Apr 1 16:57:56 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Wed, 1 Apr 2015 16:57:56 +0000
Subject: [Freeipa-users] FreeIPA integration with AIX and sudo
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246>

Hello Yves.

I was browsing the mailing list archives and found your email from December
2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the sudo rules
on IPA, just like Linux clients.

Give me a reply if you haven't figured out a way to make this work and I'll
send you the solution I came up with.

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br

T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is
restricted to the addressee. If you have received it by mistake, please return
it to the addressee and delete it from your files. Any unauthorized use,
copying or dissemination of this message or part of it is expressly
prohibited. TIVIT is not responsible for the content or the accuracy of this
information.

From simo at redhat.com Wed Apr 1 17:02:31 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2015 13:02:31 -0400
Subject: [Freeipa-users] OTP integrations
In-Reply-To: <551C1DC0.6050709@redhat.com>
References: <551B246B.5060104@redhat.com> <20150401093535.GU3878@redhat.com> <20150401131410.GW3878@redhat.com> <551C1AFE.5090405@redhat.com> <551C1DC0.6050709@redhat.com>
Message-ID: <1427907751.19641.2.camel@willson.usersys.redhat.com>

On Wed, 2015-04-01 at 12:33 -0400, Dmitri Pal wrote:
> On 04/01/2015 12:29 PM, Andrew Holway wrote:
> >
> > > Yes. But stored in LDAP.
> >
> >
> > Stored in LDAP salted I assume?
> >
> Yes. As the standard prescribes.

Except for the RC4 keys, but the whole keyset is encrypted with the master
key, so the hashes cannot be seen even if you have access to the LDAP
attribute.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From andrew.holway at gmail.com Wed Apr 1 17:02:56 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 1 Apr 2015 19:02:56 +0200
Subject: [Freeipa-users] Openvpn and Certificates
Message-ID:

Hello,

After following Alexander's advice to use sssd/pam for OpenVPN with OTP I have
it all working rather nice but with self-signed certificates which is not
ideal. (This is actually amazing btw guys. Like wow. The QR-Codes and the
OpenOTP android app. wtf??!! :)

I'm scratching around trying to find a way to provide server and client
certificates but, to be honest, my understanding of certificates is not good
enough to be able to take the leap.

I understand from previous discussions that client certificates are not yet
supported in FreeIPA, instead I understand one can use "service certificates".
From an OpenVPN standpoint I'm guessing this is fine because a vpn client can
be entered in Freeipa as a client and a certificate generated for it. This
might actually be a preferred model for VPN.

My OVPN server config looks like this:

ca ca.crt
cert server.crt
key server.key
# Diffie hellman parameters.
dh dh2048.pem

I guess I can use the
"ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
command to generate the server.crt and private.key and I know where to find
ca.crt however:

- How about the Diffie hellman parameters?
- Is dh2048.pem just a bunch of shared primes that enable the two parties to
  establish encryption together?
- Is it bad If this file is compromised?

Thanks,

Andrew

From guertin at middlebury.edu Wed Apr 1 17:21:06 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Wed, 1 Apr 2015 17:21:06 +0000
Subject: [Freeipa-users] RHEL 5 client?
Message-ID:

I've just set up an IPA domain that is working with our RHEL 6 clients. (The
servers are running RHEL 7.) But about half of our Linux servers are running
RHEL 5, and I'd like to be able to add these as clients as well. Unfortunately
I haven't been able to get it working. Before I get too deep into debugging
and log files, is this even possible? The documentation that I've been able to
find is unclear on this. So far I've been looking at this thread:

https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html

and this document:

https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client

but without much success. Is there documentation somewhere that describes the
procedure, if indeed one exists?

David Guertin

From nalin at redhat.com Wed Apr 1 17:31:37 2015
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 1 Apr 2015 13:31:37 -0400
Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login."
In-Reply-To:
References: <551C1E47.7050501@redhat.com>
Message-ID: <20150401173137.GA1672@redhat.com>

On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
> HI
>
> yes i have cleared cache.
> tried from different browsers, tried from
> portable browser, configure Kerberos plugin in firefox
>
> this is what i got from inspect:
>
> http://s9.postimg.org/51c5809xr/kerb.jpg

Just to be sure, the policies for ticket lifetimes are still set to their
defaults, right?

Is there anything in the server-side logs (/var/log/krb5kdc.log,
/var/log/httpd/error_log) that might shed some light on things, perhaps after
having set "debug=True" in the [global] section of the server's
/etc/ipa/default.conf and restarted the httpd service?

Nalin

From rcritten at redhat.com Wed Apr 1 17:34:19 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 01 Apr 2015 13:34:19 -0400
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To:
References:
Message-ID: <551C2C1B.2050006@redhat.com>

Guertin, David S. wrote:
> I've just set up an IPA domain that is working with our RHEL 6 clients.
> (The servers are running RHEL 7.) But about half of our Linux servers
> are running RHEL 5, and I'd like to be able to add these as clients as
> well. Unfortunately I haven't been able to get it working. Before I get
> too deep into debugging and log files, is this even possible? The
> documentation that I've been able to find is unclear on this. So far
> I've been looking at this thread:
>
> https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html
>
> and this document:
>
> https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client
>
> but without much success. Is there documentation somewhere that
> describes the procedure, if indeed one exists?

The 5.x ipa-client should work fine. What isn't working?

rob

From gianluca.cecchi at gmail.com Wed Apr 1 17:45:02 2015
From: gianluca.cecchi at gmail.com (Gianluca Cecchi)
Date: Wed, 1 Apr 2015 19:45:02 +0200
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <551C2C1B.2050006@redhat.com>
References: <551C2C1B.2050006@redhat.com>
Message-ID:

On 01/Apr/2015 19:36 "Rob Crittenden" wrote:
>
> Guertin, David S. wrote:
> > I've just set up an IPA domain that is working with our RHEL 6 clients.
> > (The servers are running RHEL 7.) But about half of our Linux servers
> > are running RHEL 5, and I'd like to be able to add these as clients as
> > well. Unfortunately I haven't been able to get it working. Before I get
> > too deep into debugging and log files, is this even possible? The
> > documentation that I've been able to find is unclear on this. So far
> > I've been looking at this thread:
> >
> > https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html
> >
> > and this document:
> >
> > https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client
> >
> > but without much success. Is there documentation somewhere that
> > describes the procedure, if indeed one exists?
>
> The 5.x ipa-client should work fine. What isn't working?
>
> rob

I would go with identity mgmt guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/index.html

And in particular chapter 2:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/setting-up-clients.html

I don't think it requires a rhel 5.x ipa server.

Hih,
Gianluca

From bentech4you at gmail.com Wed Apr 1 17:46:43 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 1 Apr 2015 20:46:43 +0300
Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login."
In-Reply-To: <20150401173137.GA1672@redhat.com>
References: <551C1E47.7050501@redhat.com> <20150401173137.GA1672@redhat.com>
Message-ID:

everything is default.
but now the issue solved after many restart, kinit & ipactl restart

still don't know how it got fixed

Regards,
Ben

On Wed, Apr 1, 2015 at 8:31 PM, Nalin Dahyabhai wrote:
> On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
> > HI
> >
> > yes i have cleared cache. tried from different browsers, tried from
> > portable browser, configure Kerberos plugin in firefox
> >
> > this is what i got from inspect:
> >
> > http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Just to be sure, the policies for ticket lifetimes are still set to
> their defaults, right?
>
> Is there anything in the server-side logs (/var/log/krb5kdc.log,
> /var/log/httpd/error_log) that might shed some light on things, perhaps
> after having set "debug=True" in the [global] section of the server's
> /etc/ipa/default.conf and restarted the httpd service?
>
> Nalin
>

From luiz.vianna at tivit.com.br Wed Apr 1 17:58:14 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Wed, 1 Apr 2015 17:58:14 +0000
Subject: [Freeipa-users] RES: FreeIPA integration with AIX and sudo
In-Reply-To: <551C24A6.9010605@degauquier.net>
References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246> <551C24A6.9010605@degauquier.net>
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246>

Hi Yves.

First a little background information regarding sudo on AIX:

Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support.
Although sudo's documentation states that sudo supports different LDAP
implementations, other than OpenLDAP, I suppose it doesn't work well with
AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't
compiled with LDAP support. [BTW, you can check this by running, as root,
sudo -V | grep -i ldap].

The good news is that Michel Perzl has successfully compiled a sudo package
with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP
fileset.
So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and download the following RPM packages on
their latest versions:

- sudo >= 1.8.11
- gettext >= 0.10.40
- openldap >= 2.4.23
- openssl >= 1.0.1j-1
- zlib

Make sure you don't have the sudo fileset installed or another sudo rpm
package. Don't worry about openssl from this RPM package conflicting with the
OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM
package conflicting with the ldap fileset from AIX, they won't.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory,
I used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run a
"rpm -ivh *.rpm --test" and if all goes well proceed without the "--test",
otherwise sort out the dependencies and conflicts like the grown man you
are :).

(4) Once the rpms are installed, add the following line to the bottom of your
/etc/netsvc.conf file:

sudoers = files, ldap

I know this is not expected syntax according to IBM's netsvc.conf
documentation, but sudo requires it to work with ldap. According to sudo's
documentation it uses that line on netsvc.conf to emulate what sudo would
expect to find on /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf. This has nothing to do with the
/etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is
OpenLdap's config only used by sudo. Don't worry, this won't conflict with
AIX's LDAP functionality. Add this to your /etc/ldap.conf:

tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw yourclientpassword
sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your ca certificate file
and place it there. Make sure to permission the directory 755 and the ca.crt
file 644.

(7) And that's pretty much it, no need to edit a single line on /etc/sudoers.
The /etc/sudoers file I have on my LPARs is the one that comes with the rpm,
unchanged.

Log into your LPAR with a domain user and try running "sudo -l", it should
output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva

From: Yves Degauquier [mailto:yves at degauquier.net]
Sent: Wednesday, April 1, 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,

I was not able to make it running, I was a bit lost with the LDAP, PAM, LAM
configuration, and didn't find any idea with Google...

If you can share the solution or point me to some important point to do, I
will be happy.

Thanks in advance,

Best regards,

Yves

On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:

Hello Yves.

I was browsing the mailing list archives and found your email from December
2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the sudo rules
on IPA, just like Linux clients.

Give me a reply if you haven't figured out a way to make this work and I'll
send you the solution I came up with.
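The /etc/ldap.conf from step (5) of the recipe above is the piece worth checking before relying on it: it carries a bind password, and it decides whether sudo talks to the IPA directory over TLS at all. What follows is an added example, not Luiz's script and not part of sudo or FreeIPA. It parses a file of that shape (a constructed sample with placeholder host, DN and password), reports the directives sudoers.ldap(5) needs, and flags two things a defender wants to know: a plain ldap:// URI with no `ssl start_tls` (or `ssl on`) line, which leaves the simple bind in clear text on the wire because tls_cacert alone does not turn TLS on, and a file mode that lets non-root users read the bindpw. The mode of a real file is taken from os.stat when a path is given.

```python
"""Check a sudo /etc/ldap.conf of the kind used in the AIX recipe above.
Added example (not Luiz's, not sudo's or FreeIPA's code).  Directive names
follow sudoers.ldap(5): uri, ssl, tls_cacert/tls_cacertfile, binddn, bindpw,
sudoers_base."""
import os

REQUIRED = ("uri", "sudoers_base")  # without these sudo cannot look up rules at all


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict.  Keys are case-insensitive,
    '#' starts a comment, blank lines are skipped; a repeated key wins last."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(conf, mode=None):
    """Return a list of findings; an empty list means nothing to report.
    `mode` is the file's permission bits (e.g. 0o644) when known."""
    findings = []
    for key in REQUIRED:
        if key not in conf:
            findings.append(f"missing required directive: {key}")
    uri = conf.get("uri", "").lower()
    ssl_opt = conf.get("ssl", "").lower()
    # sudo only encrypts the session when the URI is ldaps:// or the 'ssl'
    # directive asks for it; a tls_cacert line by itself changes nothing.
    tls_on = uri.startswith("ldaps://") or ssl_opt in ("on", "true", "yes", "start_tls")
    if not tls_on:
        findings.append("no TLS: plain ldap:// URI and no 'ssl start_tls' or 'ssl on'; "
                        "the simple bind sends bindpw in clear text")
    elif not (conf.get("tls_cacert") or conf.get("tls_cacertfile")):
        findings.append("TLS enabled but no tls_cacert set; the IPA server "
                        "certificate cannot be verified")
    if "bindpw" in conf and mode is not None and mode & 0o077:
        findings.append(f"file holds bindpw but mode {mode:04o} lets other users read it; use 0600")
    return findings


def audit_file(path):
    """Parse and check a real file, taking its mode from the filesystem."""
    with open(path, encoding="utf-8") as fh:
        conf = parse_ldap_conf(fh.read())
    return check_ldap_conf(conf, mode=os.stat(path).st_mode & 0o777)


# Constructed sample shaped like step (5) above, with placeholder values only.
WEAK_CONF = """\
tls_cacert /etc/ipa/ca.crt
uri ldap://ipa.example.test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw PLACEHOLDER-not-a-real-password
sudoers_base ou=sudoers,dc=example,dc=test
"""
# Same file with TLS negotiated before the bind (sudoers.ldap(5) 'ssl start_tls').
HARDENED_CONF = WEAK_CONF + "ssl start_tls\n"

if __name__ == "__main__":
    for name, text, mode in (("weak", WEAK_CONF, 0o644), ("hardened", HARDENED_CONF, 0o600)):
        print(name, check_ldap_conf(parse_ldap_conf(text), mode) or ["ok"])
```

Run as a script it prints the findings for the two constructed samples; `audit_file("/etc/ldap.conf")` does the same against the real file on an LPAR, mode included.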
From nalin at redhat.com Wed Apr 1 18:02:34 2015
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 1 Apr 2015 14:02:34 -0400
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To:
References:
Message-ID: <20150401180234.GC1672@redhat.com>

On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:

Unless there are other requirements on the contents of the certificate, I'd
expect that to work.
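Andrew's three questions about dh2048.pem, which Nalin answers in this thread, come down to what the file physically contains: a PEM-wrapped DER SEQUENCE of two INTEGERs, the prime p and the generator g. Both values are public by design; only each side's private exponent has to stay secret, which is why the file needs no protection beyond integrity. The following is an added example, not the page's, OpenVPN's or OpenSSL's code: it writes and parses a file of that shape and runs one Diffie-Hellman agreement over the group. The prime is a toy 64-bit safe prime searched for at run time (assumption: illustration only; a real dh2048.pem holds a 2048-bit group), so the PEM it prints is not usable in an OpenVPN config.

```python
"""Show what an OpenVPN 'dh dh2048.pem' file carries: a DER SEQUENCE of two
INTEGERs (prime p, generator g) wrapped in PEM, and nothing secret.  Added
example, not the page's, OpenVPN's or OpenSSL's code.  The prime used is a
toy 64-bit safe prime found at run time (assumption: illustration only; a
real file holds a 2048-bit group)."""
import base64
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for q in _BASES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits=64):
    """Smallest safe prime p = 2q + 1 with exactly `bits` bits (toy sizes only)."""
    p = (1 << (bits - 1)) | 1
    while not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        p += 2
    return p


def _der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N plus N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER for a non-negative v: a le leading 0x00 when the top bit is set."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build the PEM text openssl writes for 'DH PARAMETERS' (p and g only)."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Parse PEM 'DH PARAMETERS' back into (p, g)."""
    b64 = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    seq_tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if seq_tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_agree(p, g, priv_a, priv_b):
    """One agreement over the public (p, g); returns both sides' shared secrets."""
    pub_a, pub_b = pow(g, priv_a, p), pow(g, priv_b, p)   # these travel in the clear
    return pow(pub_b, priv_a, p), pow(pub_a, priv_b, p)


def demo(bits=64):
    """Round-trip a toy parameter file and agree on a key over it."""
    p, g = toy_safe_prime(bits), 2          # g = 2 is what openssl dhparam uses by default
    pem = encode_dh_params(p, g)
    assert decode_dh_params(pem) == (p, g)
    a, b = secrets.randbelow(p - 3) + 2, secrets.randbelow(p - 3) + 2  # private exponents
    secret_a, secret_b = dh_agree(p, g, a, b)
    return pem, secret_a == secret_b


if __name__ == "__main__":
    pem, ok = demo()
    print(pem, "shared secrets match:", ok)
```

`demo()` prints the toy PEM and whether both sides derived the same secret; `decode_dh_params()` can be pointed at the text of a real dh2048.pem to confirm that it holds only p and g, which is the whole reason the file does not need to be kept secret.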
I see mention in the docs of optionally requiring that a peer certificate
include a particular value in its nsCertType extension (support for that's not
currently planned AFAIK), or a particular value in its extendedKeyUsage (EKU)
extension (there's a ticket [1] for supporting that), but you're not setting
such a requirement above.

> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?

Yes to both. I'm going by the PKI section of the howto [2] and the man page
here.

> - Is it bad If this file is compromised?

The howto and man pages say it's not required to be kept secret, and the
secrecy of a key that's generated using DH key agreement doesn't depend on the
parameters being kept secret, so I'd say no.

HTH,

Nalin

[1] https://fedorahosted.org/freeipa/ticket/2915
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki

From luiz.vianna at tivit.com.br Wed Apr 1 18:08:19 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Wed, 1 Apr 2015 18:08:19 +0000
Subject: [Freeipa-users] RES: [Marketing Mail] Re: Expired password change on AIX Client
In-Reply-To: <551C1C42.3030409@redhat.com>
References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD102@rctr246> <551C1C42.3030409@redhat.com>
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040CDCBC@rctr246>

Hello Dmitri.
Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

# cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = ldap.domain.com:88
                admin_server = ldap.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        ldap.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log
#

What does the KDC log show?: Where do I get this log from?

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, April 1, 2015 13:27
To: freeipa-users at redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

Hello All.
I've searched the archives of this mailing list looking for an answer for this
one, but all I found lead me nowhere. Closest thread to help me was:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX
clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as
"kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them
worked.

Here is the output from an ssh test session for user "teste" on a AIX 7.1
machine:

-bash-4.2$ ssh teste at localhost
################################################################################
# NICE MOTD
################################################################################
teste at localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to   *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
################################################################################
# NICE MOTD
################################################################################
WARNING: Your password has expired. You must change your password now and login again!
Changing password for "teste"
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

So you are setting up AIX client using kerberos against IPA server and trying
to log with a user that has expired password. Did I get it right?
What version of the server you are using?
How your kerberos configuration looks on a client?
What does the KDC log show?
Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From mkosek at redhat.com Wed Apr 1 18:24:39 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 20:24:39 +0200
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To:
References: <551C2C1B.2050006@redhat.com>
Message-ID: <551C37E7.5070505@redhat.com>

On 04/01/2015 07:45 PM, Gianluca Cecchi wrote:
>
> On 01/Apr/2015 19:36 "Rob Crittenden" wrote:
> >
> > Guertin, David S. wrote:
> > > I've just set up an IPA domain that is working with our RHEL 6 clients.
> > > (The servers are running RHEL 7.) But about half of our Linux servers
> > > are running RHEL 5, and I'd like to be able to add these as clients as
> > > well. Unfortunately I haven't been able to get it working. Before I get
> > > too deep into debugging and log files, is this even possible? The
> > > documentation that I've been able to find is unclear on this.
> > > So far
> > > I've been looking at this thread:
> > >
> > > https://www.redhat.com/archives/freeipa-users/2013-July/msg00277.html
> > >
> > > and this document:
> > >
> > > https://www.freeipa.org/page/FreeIPAv1:ConfiguringRhelClients#Configuring_RHEL_5_as_an_IPA_Client
> > >
> > > but without much success. Is there documentation somewhere that
> > > describes the procedure, if indeed one exists?
> >
> > The 5.x ipa-client should work fine. What isn't working?
> >
> > rob
>
> I would go with identity mgmt guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/index.html
>
> And in particular chapter 2:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/setting-up-clients.html
>
> I don't think it requires a rhel 5.x ipa server.

Right, it does not. There is (fortunately) no such thing as RHEL-5.x IPA
server :-) RHEL-5.x client should work with RHEL-6.x and RHEL-7.x server just
fine.

From mkosek at redhat.com Wed Apr 1 18:26:13 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 20:26:13 +0200
Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login."
In-Reply-To:
References: <551C1E47.7050501@redhat.com> <20150401173137.GA1672@redhat.com>
Message-ID: <551C3845.6090207@redhat.com>

On 04/01/2015 07:46 PM, Ben .T.George wrote:
> everything is default.
>
> but now the issue solved after many restart, kinit & ipactl restart
>
> still don't know how it got fixed

We collected all known potential issues that can have this behavior on this
page:
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

I wonder what is it in your case.

From guertin at middlebury.edu Wed Apr 1 18:28:53 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Wed, 1 Apr 2015 18:28:53 +0000
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <551C2C1B.2050006@redhat.com>
References: <551C2C1B.2050006@redhat.com>
Message-ID:

> The 5.x ipa-client should work fine. What isn't working?

I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my
original post.) The client installs without errors, and I can get a Kerberos
ticket for the admin user. But when I try to SSH in as an AD domain user, the
login fails:

$ ssh -l 'MIDD\juser' yakko.ipa
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Kernel 2.6.18-402.el5 on an x86_64
Password:
Password:
Password:
MIDD\juser at yakko.ipa's password:
Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser

And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log
shows:

(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from []
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser]
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache)
(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail!
There's a trust relationship set up between the IPA domain and the AD domain,
but it's like the RHEL 5 client doesn't know about it. Did I miss something?

David Guertin

From luiz.vianna at tivit.com.br Wed Apr 1 18:28:31 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Wed, 1 Apr 2015 18:28:31 +0000
Subject: [Freeipa-users] Expired password change on AIX Client
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040CDDD1@rctr246>

Hello Dmitri.

Server is running: ipa-server-3.0.0-37.el6.x86_64

My kerberos configuration looks like this on a client:

# cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = ldap.domain.com:88
                admin_server = ldap.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        ldap.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log
#

What does the KDC log show?: Where do I get this log from?

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of Dmitri Pal
Sent: Wednesday, April 1, 2015 13:27
To: freeipa-users at redhat.com
Subject: [Marketing Mail] Re: [Freeipa-users] Expired password change on AIX Client

On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:

Hello All.

I've searched the archives of this mailing list looking for an answer for this
one, but all I found lead me nowhere. Closest thread to help me was:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html

Has anyone figured out a way to have expired password changes work on AIX
clients?

I have tried adding "kpasswd_protocol = SET_CHANGE" as well as
"kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none of them
worked.

Here is the output from an ssh test session for user "teste" on a AIX 7.1
machine:

-bash-4.2$ ssh teste at localhost
################################################################################
# NICE MOTD
################################################################################
teste at localhost's password:
[KRB5]: 3004-332 Your password has expired.
3004-333 A password change is required.
[KRB5]: 3004-332 Your password has expired.
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.1!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to   *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
################################################################################
# NICE MOTD
################################################################################
WARNING: Your password has expired. You must change your password now and login again!
Changing password for "teste"
teste's Old password:
teste's New password:
Enter the new password again:
3004-604 Your entry does not match the old password.
Connection to localhost closed.
-bash-4.2$

So you are setting up AIX client using kerberos against IPA server and trying
to log with a user that has expired password. Did I get it right?
What version of the server you are using?
How your kerberos configuration looks on a client?
What does the KDC log show?

Atenciosamente/Best Regards
Luiz Fernando Vianna da Silva

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From mkosek at redhat.com Wed Apr 1 18:31:17 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 01 Apr 2015 20:31:17 +0200
Subject: [Freeipa-users] IPA web interface always giving "Your session has expired. Please re-login."
In-Reply-To: <551C2235.5000503@gmail.com>
References: <551C2235.5000503@gmail.com>
Message-ID: <551C3975.7000605@redhat.com>

On 04/01/2015 06:52 PM, Janelle wrote:
> On 4/1/15 9:32 AM, Ben .T.George wrote:
>> Hi
>>
>> I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
>>
>> everything is working including AD trust.
>>
>> but my web interface always giving "Your session has expired. Please re-login."
>> >> i faced the issue before that time i destroyed kerbros ticket (Kdestroy) and >> initiated again(kinit admin). after that it got worked. >> >> but now i did all the exercises ans still not working >> >> please anyone solved this issue. or is this a known bug? >> >> if i open the page from chorm browser, i am getting another login screen like >> .htacess login. If i gave password, it re-appering again >> >> Regards, >> Ben >> >> > On a related to browser issues -- has anyone else seen a user login to change > their PW, any browser - from Chrome, to Firefox, etc, and with the exception of > the top portion of the screen, the details of the user account are blank (white > screen below main header) ? They can still use the "pull down" to reset the > PW, but everything else seems to be missing. If you give us a screenshot, Apache error_log and access_log, we should be able to see where the problem is. Did the person try to connect to FreeIPA public demo, to see if it caused by the browser? https://ipa.demo1.freeipa.org/ipa/ui/ > I have also seen this "Session expired" even when not using a kerberized > browser, so if there is a solution -- looking forward to it. When the browser is not configured for Kerberos, you should still be able to login with login+password. If not, it is a bug. Note that we require cookies, see potential cave-eats in http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI From yamakasi.014 at gmail.com Wed Apr 1 18:41:42 2015 From: yamakasi.014 at gmail.com (Matt .) 
Date: Wed, 1 Apr 2015 20:41:42 +0200
Subject: [Freeipa-users] freeipa behind a load balancer
In-Reply-To:
References: <551A9160.7060800@redhat.com> <551A9B3F.4010900@redhat.com> <551AA7F2.2070105@redhat.com> <551AAE2C.8070606@redhat.com> <551AB84C.6080004@redhat.com> <1427816508.24621.14.camel@desktop.bpk2.com> <1427820780.8302.188.camel@willson.usersys.redhat.com> <1427822496.24621.25.camel@desktop.bpk2.com> <1427824216.8302.192.camel@willson.usersys.redhat.com> <1427824450.8302.195.camel@willson.usersys.redhat.com> <1427825445.24621.39.camel@desktop.bpk2.com> <551AE5D8.3010201@redhat.com>
Message-ID:

Hi,

I'm not giving up on this, so I'm testing.

I'm unsure at the moment about the keytab. The keytab is normally for the user that needs to be able to do "stuff", but in this case we need one for the loadbalancer name or the client .... maybe combined? I lost that overview... would be nice to get some advice here.

Thanks!

Matt

2015-03-31 21:23 GMT+02:00 Matt . :
> OK, but we need to do this using IPA or (as IPA does some things
> different it seems).
>
> Anyone testing this perhaps ? (/me is multitasking atm)
>
> 2015-03-31 20:22 GMT+02:00 Rob Crittenden :
>> Brendan Kearney wrote:
>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>> But IPA is more complex and some operations will be performed directly
>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>> (one for the server name and one for the load balancer name), but that
>>>>> does not work right now.
>>>>
>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>> services for the IPA server, and instead add their name as aliases on
>>>> the common load-balancer name.
>>>>
>>>> This would mean that all IPA servers would have just one key in their
>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>> any name the clients may ask for.
>>>>
>>>> It is a bit tricky, every time you build a replica you want to
>>>> load-balance you'll have to go back and remove the service and switch
>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>> get to keep the pieces :-)
>>>>
>>>> Simo.
>>>>
>>>
>>> careful there, as kerberos balks at CNAME records. i think you need to
>>> use A records. i ran into a couple odd issues and decided to only use
>>> A/PTR records for my stuff and never went "exploring" for
>>> options/alternatives.
>>>
>>
>> Not DNS aliases, Kerberos principal aliases.
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

From janellenicole80 at gmail.com Wed Apr 1 18:42:27 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 01 Apr 2015 11:42:27 -0700
Subject: [Freeipa-users] IPA Web UI - blank screen
In-Reply-To:
References: <551C1E47.7050501@redhat.com>
Message-ID: <551C3C13.2020901@gmail.com>

the example of a blank screen -- anyone seen this before? Seems to be very random, but across all browsers.

~J

From andrew.holway at gmail.com Wed Apr 1 19:11:54 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 1 Apr 2015 21:11:54 +0200
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To: <20150401180234.GC1672@redhat.com>
References: <20150401180234.GC1672@redhat.com>
Message-ID:

On 1 April 2015 at 20:02, Nalin Dahyabhai wrote:
> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> > I understand from previous discussions that client certificates are not yet
> > supported in FreeIPA, instead I understand one can use "service
> > certificates".
> > From an OpenVPN standpoint I'm guessing this is fine because
> > a vpn client can be entered in Freeipa as a client and a certificate
> > generated for it. This might actually be a preferred model for VPN.
> >
> > My OVPN server config looks like this:
> > ca ca.crt
> > cert server.crt
> > key server.key
> > # Diffie hellman parameters.
> > dh dh2048.pem
> >
> > I guess I can use the
> > "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> > command to generate the server.crt and private.key and I know where to find
> > ca.crt however:
>
> Unless there are other requirements on the contents of the certificate,
> I'd expect that to work.
>

ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de

ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain.de at DOMAIN.DE

-- Then shuffle the keys and certs around --
-- Restart OpenVPN --

And et voila! It works! Although it does feel a bit hacky :)

The GUI has some weird advice that did not make much sense when I did:

Actions -> New Certificate:

Issue New Certificate for Host andrews-macbook-air.local.domain.de

Create a certificate database or use an existing one.

To create a new database:
# certutil -N -d

Create a CSR with subject CN=,O=, for example:
# certutil -R -d -a -g -s 'CN=andrews-macbook-air.local.otternetworks.de,O=OTTERNETWORKS.DE'

Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to -----END NEW CERTIFICATE REQUEST-----) into the text area below:

>
> I see mention in the docs of optionally requiring that a peer
> certificate include a particular value in its nsCertType extension
> (support for that's not currently planned AFAIK), or a particular value
> in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
> supporting that), but you're not setting such a requirement above.
>
> > - How about the Diffie hellman parameters?
> > - Is dh2048.pem just a bunch of shared primes that enable the two parties
> > to establish encryption together?
>
> Yes to both. I'm going by the PKI section of the howto [2] and the man
> page here.
>
> > - Is it bad If this file is compromised?
>
> The howto and man pages say it's not required to be kept secret, and the
> secrecy of a key that's generated using DH key agreement doesn't depend
> on the parameters being kept secret, so I'd say no.
>
> HTH,
>
> Nalin
>
> [1] https://fedorahosted.org/freeipa/ticket/2915
> [2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
>

From mareynol at redhat.com Wed Apr 1 19:33:38 2015
From: mareynol at redhat.com (Mark Reynolds)
Date: Wed, 01 Apr 2015 15:33:38 -0400
Subject: [Freeipa-users] Unexpected IPA Crashes
In-Reply-To:
References:
Message-ID: <551C4812.7060108@redhat.com>

In regards to the hangs in the Directory Server that were observed, it seems related to thread 15 that is polling, waiting for something to come through the pipe which never happens. The default poll timeout is 1800000 (or 30 minutes!). Reducing this timeout should resolve the "hang".
Example:

# ldapmodify -p PORT -h HOST -D "cn=directory manager" -w PASSWORD
dn: cn=config
changetype: modify
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: 10000

This should be done for all the Directory Servers in your deployment.

Regards,
Mark

On 03/26/2015 06:18 PM, David Kreuter wrote:
> We have been using FreeIPA for two years and were more than happy.
> But for two weeks we have been facing unexpected crashes and can not
> really debug the strange behaviours. The crashes are definitely not
> caused by connecting a new system or changing the LDAP schema heavily.
> The following IPA is used:
>
> Name : ipa-server
> Arch : x86_64
> Version : 3.3.3
> Release : 28.0.1.el7.centos.3
> Size : 4.1 M
>
> I have followed the troubleshooting
> guide http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting
> and activated logging and activated the core dumping. Unfortunately, I
> cannot provide you any core dump, because it is not created after the
> ipa server crashes. I'm sure the dirsrv is causing the problem,
> because when i restart the 389, then ipa works fine for a while.
> Currently I have activated the replication log level 8192. The error
> log shows no suspicious error or any fatal error. The following 389*
> versions are used:
>
> Installed Packages
> 389-ds-base.x86_64            1.3.3.1-15.el7_1   @/389-ds-base-1.3.3.1-15.el7_1.x86_64
> 389-ds-base-debuginfo.x86_64  1.3.1.6-26.el7_0   @base-debuginfo
> 389-ds-base-libs.x86_64       1.3.3.1-15.el7_1
>
> Can you please provide some hint how I can debug this problem in more
> detail. Btw, the ipa infrastructure consists of one master and one
> replica. The server was also crashing, when the replica server was
> turned off. Do you think an upgrade would solve the problem as the
> last resort?
>
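Picking up the Diffie-Hellman question from the OpenVPN thread above (whether a leaked dh2048.pem matters): the file carries only the public prime p and generator g, so the check worth running on it is about strength, not secrecy. The script below is an added example, not code from the list, FreeIPA or OpenVPN; it parses a "DH PARAMETERS" PEM file with a minimal DER reader and reports the prime's size, primality and safe-prime status, using a constructed toy file (p=23, g=5) as its built-in input.

```python
"""Sanity-check an OpenVPN 'dh' parameters file (PEM "DH PARAMETERS").

Added example, not code from the mailing list, FreeIPA or OpenVPN.
The file is PKCS#3 DHParameter: SEQUENCE { p INTEGER, g INTEGER [, len] }.
Only public values live in it, so disclosure does not expose session keys;
what matters is that p is a large (safe) prime.
"""
import base64
import random
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the DH PARAMETERS block of a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(der: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def parse_dh_params(der: bytes):
    """Return (p, g) from a DER-encoded PKCS#3 DHParameter structure."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        # DER INTEGER is two's complement; a 2048-bit p carries a leading 0x00
        ints.append(int.from_bytes(value, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("need at least prime and generator")
    return ints[0], ints[1]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed seed so results are reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem: str, min_bits: int = 2048) -> dict:
    """Parse a PEM DH file and report the properties a deployer should verify."""
    p, g = parse_dh_params(pem_to_der(pem))
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"prime is only {bits} bits (want >= {min_bits})")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    safe = is_probable_prime((p - 1) // 2)   # 'openssl dhparam' emits safe primes
    if not safe:
        findings.append("(p-1)/2 is not prime, so p is not a safe prime")
    if not 1 < g < p - 1:
        findings.append("generator g is out of range")
    return {"bits": bits, "generator": g, "safe_prime": safe, "findings": findings}


def make_sample_pem() -> str:
    """Constructed toy input: p=23 (safe prime, (23-1)/2=11), g=5.
    It exercises the parser; it is nowhere near a deployable parameter set."""
    der = bytes.fromhex("3006020117020105")  # SEQUENCE { INTEGER 23, INTEGER 5 }
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_sample_pem()
    print(check_dh_params(pem))
```

Run it with the path to a real dh2048.pem as the only argument; with no argument it reports on the toy file, where the only finding is the 5-bit prime.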
From edewata at redhat.com Wed Apr 1 21:04:54 2015
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 01 Apr 2015 16:04:54 -0500
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <551C2346.3040808@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <551AE032.9090606@redhat.com> <551B9E47.6090107@redhat.com> <551C2346.3040808@redhat.com>
Message-ID: <551C5D76.2080509@redhat.com>

On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
>>> On 03/31/2015 01:54 PM, Markus Roth wrote:
>>>> Hi all,
>>>>
>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
>>>> The ipa-server-install shows the following output:
>
> ...
>
>>>> Done configuring directory server (dirsrv).
>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
>>>>   [1/27]: creating certificate server user
>>>>   [2/27]: configuring certificate server instance
>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>   [4/27]: backing up CS.cfg
>>>>   [5/27]: disabling nonces
>>>>   [6/27]: set up CRL publishing
>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>   [8/27]: starting certificate server instance
>>>>   [error] RuntimeError: CA did not start in 300.0s
>>>> CA did not start in 300.0s
>>>>
>>>> The ipa server install log shows this:
>>>>
>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted
>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start...
>
> ...
>
>>>> I uninstalled the ipa server completely several times and installed
>>>> it again.
>>>> But it always stops at the same step with the setup.
>>>>
>>>> Can anybody help?
>
> Based on the IPA install log alone it looks like the DS is already
> started, and the Dogtag is already started too in step [3/27]. It's the
> restart on step [8/27] that is failing.
>
> We will need to see the Dogtag debug log in order to know if Dogtag is
> indeed failing to restart or the installer for some reason cannot
> connect to Dogtag.
Hi Markus,

Based on the logs that you sent me, the Dogtag took a really long time to start:

INFORMATION: Server startup in 739700 ms

More than half of that time was spent starting the CA subsystem alone:

INFORMATION: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms

The whole (failed) IPA installation took about 38 minutes. Is this correct?

It's possible the system was running out of entropy. You might want to install haveged or rngd. See:
http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged

However, the system seems to be running very slowly in general. How powerful is this machine?

--
Endi S. Dewata

From markus at die5roths.de Wed Apr 1 21:29:41 2015
From: markus at die5roths.de (Markus Roth)
Date: Wed, 01 Apr 2015 23:29:41 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <551C5D76.2080509@redhat.com>
References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com>
Message-ID: <4593147.Vqzm0ENHAm@eeepc.roth.lan>

On Wednesday, 1 April 2015, 16:04:54 you wrote:
> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
> >>> On 03/31/2015 01:54 PM, Markus Roth wrote:
> >>>> Hi all,
> >>>>
> >>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21.
> >
> >>>> The ipa-server-install shows the following output:
> > ...
> >
> >>>> Done configuring directory server (dirsrv).
> >>>> Configuring certificate server (pki-tomcatd): Estimated time 3 > >>>> minutes 30 > >>>> seconds > >>>> > >>>> [1/27]: creating certificate server user > >>>> [2/27]: configuring certificate server instance > >>>> [3/27]: stopping certificate server instance to update CS.cfg > >>>> [4/27]: backing up CS.cfg > >>>> [5/27]: disabling nonces > >>>> [6/27]: set up CRL publishing > >>>> [7/27]: enable PKIX certificate path discovery and validation > >>>> [8/27]: starting certificate server instance > >>>> [error] RuntimeError: CA did not start in 300.0s > >>>> > >>>> CA did not start in 300.0s > >>>> > >>>> The ipa server install log shows this: > >>>> > >>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > > > > ... > > > >>>> I uninstalled the ipa server completely several times and installed > >>>> it again. > >>>> But it always stops at the same step with the setup. > >>>> > >>>> Can anybody help? > > > > Based on the IPA install log alone it looks like the DS is already > > started, and the Dogtag is already started too in step [3/27]. It's the > > restart on step [8/27] that is failing. > > > > We will need to see the Dogtag debug log in order to know if Dogtag is > > indeed failing to restart or the installer for some reason cannot > > connect to Dogtag. > > Hi Markus, > > Based on the logs that you sent me, the Dogtag took a really long time > to start: > > INFORMATION: Server startup in 739700 ms > > More than half of that time was spent starting the CA subsystem alone: > > INFORMATION: Deployment of configuration descriptor /etc/pki > /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms > > The whole (failed) IPA installation took about 38 minutes. Is this correct? > > It's possible the system was running out of entropy. You might want to > install haveged or rngd. 
See: > http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ > https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent > ropy-for-cloud-servers-using-haveged > > However, the system seems to be running very slowly in general. How > powerful is this machine? Hi Endi the system is a banana pi system. Seems that this ARM CPU based system isn't suitable for FreeIPA.... From edewata at redhat.com Wed Apr 1 21:56:51 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 01 Apr 2015 16:56:51 -0500 Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <4593147.Vqzm0ENHAm@eeepc.roth.lan> References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com> <4593147.Vqzm0ENHAm@eeepc.roth.lan> Message-ID: <551C69A3.3050202@redhat.com> On 4/1/2015 4:29 PM, Markus Roth wrote: > Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie: >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: >>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: >>>>>> Hi all, >>>>>> >>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. >>> >>>>>> The ipa-server-install shows the following output: >>> ... >>> >>>>>> Done configuring directory server (dirsrv). 
>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 >>>>>> minutes 30 >>>>>> seconds >>>>>> >>>>>> [1/27]: creating certificate server user >>>>>> [2/27]: configuring certificate server instance >>>>>> [3/27]: stopping certificate server instance to update CS.cfg >>>>>> [4/27]: backing up CS.cfg >>>>>> [5/27]: disabling nonces >>>>>> [6/27]: set up CRL publishing >>>>>> [7/27]: enable PKIX certificate path discovery and validation >>>>>> [8/27]: starting certificate server instance >>>>>> [error] RuntimeError: CA did not start in 300.0s >>>>>> >>>>>> CA did not start in 300.0s >>>>>> >>>>>> The ipa server install log shows this: >>>>>> >>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted >>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... >>> >>> ... >>> >>>>>> I uninstalled the ipa server completely several times and installed >>>>>> it again. >>>>>> But it always stops at the same step with the setup. >>>>>> >>>>>> Can anybody help? >>> >>> Based on the IPA install log alone it looks like the DS is already >>> started, and the Dogtag is already started too in step [3/27]. It's the >>> restart on step [8/27] that is failing. >>> >>> We will need to see the Dogtag debug log in order to know if Dogtag is >>> indeed failing to restart or the installer for some reason cannot >>> connect to Dogtag. >> >> Hi Markus, >> >> Based on the logs that you sent me, the Dogtag took a really long time >> to start: >> >> INFORMATION: Server startup in 739700 ms >> >> More than half of that time was spent starting the CA subsystem alone: >> >> INFORMATION: Deployment of configuration descriptor /etc/pki >> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms >> >> The whole (failed) IPA installation took about 38 minutes. Is this correct? >> >> It's possible the system was running out of entropy. You might want to >> install haveged or rngd. 
See: >> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ >> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent >> ropy-for-cloud-servers-using-haveged >> >> However, the system seems to be running very slowly in general. How >> powerful is this machine? > > Hi Endi > > the system is a banana pi system. Seems that this ARM CPU based system isn't > suitable for FreeIPA.... The installation might still succeed if IPA doesn't have the 300s time limit. If you want to try, you probably can specify a larger startup_timeout in ~/.ipa/default.conf, or change the code in ipaplatform/redhat/services.py to wait indefinitely, and see what happens. I don't know if it will be usable though. -- Endi S. Dewata From markus at die5roths.de Wed Apr 1 22:06:08 2015 From: markus at die5roths.de (Markus Roth) Date: Thu, 02 Apr 2015 00:06:08 +0200 Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <551C69A3.3050202@redhat.com> References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> Message-ID: <1880602.tNH7NcT2p4@eeepc.roth.lan> Am Mittwoch, 1. April 2015, 16:56:51 schrieb Endi Sukma Dewata: > On 4/1/2015 4:29 PM, Markus Roth wrote: > > Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie: > >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: > >>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: > >>>>>> Hi all, > >>>>>> > >>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. > >>> > >>>>>> The ipa-server-install shows the following output: > >>> ... > >>> > >>>>>> Done configuring directory server (dirsrv). 
> >>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 > >>>>>> minutes 30 > >>>>>> seconds > >>>>>> > >>>>>> [1/27]: creating certificate server user > >>>>>> [2/27]: configuring certificate server instance > >>>>>> [3/27]: stopping certificate server instance to update CS.cfg > >>>>>> [4/27]: backing up CS.cfg > >>>>>> [5/27]: disabling nonces > >>>>>> [6/27]: set up CRL publishing > >>>>>> [7/27]: enable PKIX certificate path discovery and validation > >>>>>> [8/27]: starting certificate server instance > >>>>>> [error] RuntimeError: CA did not start in 300.0s > >>>>>> > >>>>>> CA did not start in 300.0s > >>>>>> > >>>>>> The ipa server install log shows this: > >>>>>> > >>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > >>> > >>> ... > >>> > >>>>>> I uninstalled the ipa server completely several times and installed > >>>>>> it again. > >>>>>> But it always stops at the same step with the setup. > >>>>>> > >>>>>> Can anybody help? > >>> > >>> Based on the IPA install log alone it looks like the DS is already > >>> started, and the Dogtag is already started too in step [3/27]. It's the > >>> restart on step [8/27] that is failing. > >>> > >>> We will need to see the Dogtag debug log in order to know if Dogtag is > >>> indeed failing to restart or the installer for some reason cannot > >>> connect to Dogtag. > >> > >> Hi Markus, > >> > >> Based on the logs that you sent me, the Dogtag took a really long time > >> > >> to start: > >> INFORMATION: Server startup in 739700 ms > >> > >> More than half of that time was spent starting the CA subsystem alone: > >> INFORMATION: Deployment of configuration descriptor /etc/pki > >> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms > >> > >> The whole (failed) IPA installation took about 38 minutes. Is this > >> correct? > >> > >> It's possible the system was running out of entropy. 
> >> You might want to install haveged or rngd. See:
> >> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/
> >> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged
> >>
> >> However, the system seems to be running very slowly in general. How
> >> powerful is this machine?
> >
> > Hi Endi
> >
> > the system is a banana pi system. Seems that this ARM CPU based system
> > isn't suitable for FreeIPA....
>
> The installation might still succeed if IPA doesn't have the 300s time
> limit. If you want to try, you probably can specify a larger
> startup_timeout in ~/.ipa/default.conf, or change the code in
> ipaplatform/redhat/services.py to wait indefinitely, and see what
> happens. I don't know if it will be usable though.

I will try it in the next days. I'll give feedback if IPA is suitable as a small server (four users).

From Steven.Jones at vuw.ac.nz Wed Apr 1 22:41:03 2015
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 1 Apr 2015 22:41:03 +0000
Subject: [Freeipa-users] IPA and geographically distributed masters
In-Reply-To: <1880602.tNH7NcT2p4@eeepc.roth.lan>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com>,<1880602.tNH7NcT2p4@eeepc.roth.lan>
Message-ID: <1427927920041.73751@vuw.ac.nz>

Hi,

Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA?

regards

Steven J

From mail at willsheldon.com Wed Apr 1 22:56:54 2015
From: mail at willsheldon.com (Will Sheldon)
Date: Wed, 1 Apr 2015 15:56:54 -0700
Subject: [Freeipa-users] IPA and geographically distributed masters
In-Reply-To: <1427927920041.73751@vuw.ac.nz>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz>
Message-ID:

We have multiple distributed replicas running in the following locations:

East coast AMER
West coast AMER
London EMEA

and have had no issues with replication or performance. (max ping is about 120ms)

Will Sheldon

On April 1, 2015 at 3:50:23 PM, Steven Jones (steven.jones at vuw.ac.nz) wrote:
> Hi,
>
> Would IPA have issues if one master is on one side of the Pacific (New Zealand) and another in the USA?
>
> regards
>
> Steven J
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From g.fer.ordas at unicyber.co.uk Wed Apr 1 23:22:00 2015
From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk)
Date: Thu, 02 Apr 2015 00:22:00 +0100
Subject: [Freeipa-users] IPA and geographically distributed masters
In-Reply-To: <1427927920041.73751@vuw.ac.nz>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com>,<1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz>
Message-ID: <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk>

Hi

if you got the NTPs in sync and are using the same timezone on both it should be ok

thanks

On 2015-04-01 23:41, Steven Jones wrote:
> Hi,
>
> Would IPA have issues if one master is on one side of the Pacific
> (New Zealand) and another in the USA?
>
>
> regards
>
> Steven J

From simo at redhat.com Wed Apr 1 23:36:09 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 01 Apr 2015 19:36:09 -0400
Subject: [Freeipa-users] IPA and geographically distributed masters
In-Reply-To: <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk>
References: <2588793.PXhtNmgmCt@shdehenw2471> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com>,<1880602.tNH7NcT2p4@eeepc.roth.lan> <1427927920041.73751@vuw.ac.nz> <23bb37a85b9f65dd62107ce00c03852a@unicyber.co.uk>
Message-ID: <1427931369.19641.6.camel@willson.usersys.redhat.com>

On Thu, 2015-04-02 at 00:22 +0100, g.fer.ordas at unicyber.co.uk wrote:
> Hi
>
> if you got the NTPs in sync and are using the same timezone on both it
> should be ok

All operations use UTC, so you can set whatever timezone you want on the machines.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From amessina at messinet.com Wed Apr 1 23:37:11 2015
From: amessina at messinet.com (Anthony Messina)
Date: Wed, 01 Apr 2015 18:37:11 -0500
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To:
References:
Message-ID: <2265319.6ZpVpvWv79@linux-ws1.messinet.com>

On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
> Hello,
>
> After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
> have it all working rather nicely but with self signed certificates which is
> not ideal.
>
> (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
> android app. wtf??!! :)
>
> I'm scratching around trying to find a way to provide server and client
> certificates but, to be honest, my understanding of certificates is not
> good enough to be able to take the leap.
>
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:
> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?
> - Is it bad If this file is compromised?
>
> Thanks,
>
> Andrew

https://fedorahosted.org/freeipa/ticket/2915 says it's planned for 4.2, which I'm hoping for, since I want to have more of the certificate functionality of Dogtag exposed. To use all the bells and whistles that OpenVPN can check on certificates, FreeIPA needs to support setting custom parameters on service certificates, which right now, it cannot do.

-A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From dpal at redhat.com Thu Apr 2 03:00:30 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 01 Apr 2015 23:00:30 -0400
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To:
References: <551C2C1B.2050006@redhat.com>
Message-ID: <551CB0CE.3040306@redhat.com>

On 04/01/2015 02:28 PM, Guertin, David S. wrote:
>> The 5.x ipa-client should work fine. What isn't working?
> I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my original post.) The client installs without errors, and I can get a Kerberos ticket for the admin user.
But when I try to SSH in as an AD domain user, the login fails: > > $ ssh -l 'MIDD\juser' yakko.ipa > Red Hat Enterprise Linux Server release 5.11 (Tikanga) > Kernel 2.6.18-402.el5 on an x86_64 > > Password: > Password: > Password: > MIDD\juser at yakko.ipa's password: > Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser > > And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows: > > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [] > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser] > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache) > (Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail! > > There's a trust relationship set up between the IPA domain and the AD domain, but it's like the RHEL 5 client doesn't know about it. Did I miss something? > > David Guertin > Ah so you are using it with trust. Then you should change the configuration to not use kerberos but rather LDAP instead. More details are here. 
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From abokovoy at redhat.com Thu Apr 2 04:22:37 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 2 Apr 2015 07:22:37 +0300 Subject: [Freeipa-users] RHEL 5 client? In-Reply-To: References: <551C2C1B.2050006@redhat.com> Message-ID: <20150402042237.GX3878@redhat.com> On Wed, 01 Apr 2015, Guertin, David S. wrote: >>The 5.x ipa-client should work fine. What isn't working? > >I cannot SSH in as an AD user. (Sorry, I should have mentioned that in >my original post.) The client installs without errors, and I can get a >Kerberos ticket for the admin user. But when I try to SSH in as an AD >domain user, the login fails: > >$ ssh -l 'MIDD\juser' yakko.ipa >Red Hat Enterprise Linux Server release 5.11 (Tikanga) >Kernel 2.6.18-402.el5 on an x86_64 > >Password: >Password: >Password: >MIDD\juser at yakko.ipa's password: >Received disconnect from 140.233.1.100: 2: Too many authentication failures for MIDD\\juser > >And on the client, with debug_level = 10 for sssd, /var/log/sssd/sssd_nss.log shows: > >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_set_str] (6): Adding [NCE/USER/ipa.middlebury.edu/MIDD\juser] to negative cache >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_dp_req_destructor] (8): Could not clear entry from request queue >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [reset_idle_timer] (9): Idle timer re-set for client [0x1aeec870][17] >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [MIDD\juser] from [] >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [sss_ncache_check_str] (8): 
Checking negative cache for [NCE/USER/ipa.middlebury.edu/MIDD\juser] >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [MIDD\juser] does not exist in [ipa.middlebury.edu]! (negative cache) >(Wed Apr 1 14:24:03 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No matching domain found for [MIDD\juser], fail! > >There's a trust relationship set up between the IPA domain and the AD >domain, but it's like the RHEL 5 client doesn't know about it. Did I >miss something? Show your sssd.conf. Practically, in order to provide access to RHEL5 systems for AD users, you need to configure sssd on RHEL5 against compat tree on IPA LDAP. More to that, we had few bugs that prevented successful authentication to complete from older clients against compat tree. These bugs are fixed as part of RHEL7.1 update 1 cumulative release. A typical RHEL5 configuration script can be obtained by running 'ipa-advise config-redhat-sssd-before-1-9' on IPA master. -- / Alexander Bokovoy From abokovoy at redhat.com Thu Apr 2 04:30:39 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 2 Apr 2015 07:30:39 +0300 Subject: [Freeipa-users] Openvpn and Certificates In-Reply-To: References: <20150401180234.GC1672@redhat.com> Message-ID: <20150402043039.GY3878@redhat.com> On Wed, 01 Apr 2015, Andrew Holway wrote: >On 1 April 2015 at 20:02, Nalin Dahyabhai wrote: > >> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote: >> > I understand from previous discussions that client certificates are not >> yet >> > supported in FreeIPA, instead I understand one can use "service >> > certificates". From an OpenVPN standpoint I'm guessing this is fine >> because >> > a vpn client can be entered in Freeipa as a client and a certificate >> > generated for it. This might actually be a preferred model for VPN. >> > >> > My OVPN server config looks like this: >> > ca ca.crt >> > cert server.crt >> > key server.key >> > # Diffie hellman parameters. 
>> > dh dh2048.pem >> > >> > I guess I can use the >> > "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r" >> > command to generate the server.crt and private.key and I know where to >> find >> > ca.crt however: >> >> Unless there are other requirements on the contents of the certificate, >> I'd expect that to work. >> > >ipa service-add-host --hosts ipa.domain.de client/ >andrews-macbook-air.local.domain.de > >ipa-getcert request -f >/var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k >/var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN= >andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de >-K client/andrews-macbook-air.local.domain.de at DOMAIN.DE > >-- Then shuffle the keys and certs around -- > >-- Restart OpenVPN -- > >And et voila! It works! Although it does feel a bit hacky :) I do it the same way as I control my systems and can be sure there is one user per system for VPN access. Works nicely. The only issue if you want some systems authenticate with certificates only and others with user/password+OTP. Unfortunately, this combination does not work with OpenVPN as all authentication methods must succeed. There is an option --auth-user-pass-optional that allows core OpenVPN to work without the requirement of passwords but then plugins/scripts must account for it and openvpn-plugin-auth-pam is not aware of that, it seems. -- / Alexander Bokovoy From andrew.holway at gmail.com Thu Apr 2 06:55:09 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Thu, 2 Apr 2015 08:55:09 +0200 Subject: [Freeipa-users] Openvpn and Certificates In-Reply-To: <20150402043039.GY3878@redhat.com> References: <20150401180234.GC1672@redhat.com> <20150402043039.GY3878@redhat.com> Message-ID: > > And et voila! It works! Although it does feel a bit hacky :) >> > I do it the same way as I control my systems and can be sure there is > one user per system for VPN access. Works nicely. 
>

Is it possible to manage key revocation? I understand that this mechanism is
mostly quite broken. How long are you making certificates valid for?

From andrew.holway at gmail.com Thu Apr 2 07:02:09 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Thu, 2 Apr 2015 09:02:09 +0200
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To:
References: <20150401180234.GC1672@redhat.com> <20150402043039.GY3878@redhat.com>
Message-ID:

Is it possible to generate certs without the host having an entry in the DNS?

On 2 April 2015 at 08:55, Andrew Holway wrote:
> And et voila! It works! Although it does feel a bit hacky :)
>>>
>> I do it the same way as I control my systems and can be sure there is
>> one user per system for VPN access. Works nicely.
>>
>
> Is it possible to manage key revocation? I understand that this mechanism
> is mostly quite broken. How long are you making certificates valid for?

From abokovoy at redhat.com Thu Apr 2 07:18:25 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 2 Apr 2015 10:18:25 +0300
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To:
References: <20150401180234.GC1672@redhat.com> <20150402043039.GY3878@redhat.com>
Message-ID: <20150402071825.GB3878@redhat.com>

On Thu, 02 Apr 2015, Andrew Holway wrote:
>>
>> And et voila! It works! Although it does feel a bit hacky :)
>>>
>> I do it the same way as I control my systems and can be sure there is
>> one user per system for VPN access. Works nicely.
>>
>
>Is it possible to manage key revocation? I understand that this mechanism
>is mostly quite broken. How long are you making certificates valid for?
Standard mechanism works fine -- 'ipa cert-revoke'. However, you need to
deliver CRL to OpenVPN server because OpenVPN only supports checking CRL
from a file system.
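For that file-based CRL delivery, here is an added example (editor's script, not code from this thread, from FreeIPA or from OpenVPN) of the periodic-retrieval approach: a POSIX shell script meant for a cron job or systemd timer that fetches the CA's CRL, refuses anything that does not verify against the IPA CA certificate or is already past its nextUpdate, and atomically replaces the file that crl-verify points at. The CRL URL (FreeIPA's default MasterCRL.bin location is used as a placeholder), the destination path and the /etc/ipa/ca.crt path are assumptions to adjust; the script also assumes GNU date and the openssl command-line tool. The make_test_ca function only builds throw-away test material so the checks can be exercised offline; it is not a stand-in for the IPA CA.

```shell
#!/bin/sh
# Added example (editor's, not from the thread, FreeIPA or OpenVPN):
# keep OpenVPN's crl-verify file in sync with the CA's CRL.
# Assumptions: $CRL_URL serves the CRL in DER or PEM form, OpenVPN has
# "crl-verify $CRL_DEST" in its config, GNU date and openssl are installed.
set -eu

CRL_URL="${CRL_URL:-http://ipa.example.com/ipa/crl/MasterCRL.bin}"   # assumed URL
CRL_DEST="${CRL_DEST:-/etc/openvpn/crl.pem}"                           # assumed path
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"                                  # assumed path

# openssl must be told whether a CRL file is DER or PEM; probe for DER first.
crl_inform() {  # crl_inform <crl-file>
  if openssl crl -in "$1" -inform DER -noout >/dev/null 2>&1; then echo DER; else echo PEM; fi
}

# A CRL is usable only if it parses, its signature verifies against the
# issuing CA, and its nextUpdate lies in the future.  Installing a stale or
# foreign CRL would silently stop revocation checks from meaning anything.
crl_check() {  # crl_check <crl-file> <ca-cert-pem>; exit status is the verdict
  inform=$(crl_inform "$1")
  # "verify OK" goes to stderr in some OpenSSL versions, so merge the streams
  openssl crl -in "$1" -inform "$inform" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK' || return 1
  next=$(openssl crl -in "$1" -inform "$inform" -noout -nextupdate | sed 's/^nextUpdate=//')
  [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ]
}

# Normalise to PEM and replace the live file with mv, which is atomic, so
# OpenVPN never reads a half-written CRL when a client connects mid-update.
crl_install() {  # crl_install <crl-file> <ca-cert-pem> <dest>
  crl_check "$1" "$2" || return 1
  tmp=$(mktemp "$3.XXXXXX")
  openssl crl -in "$1" -inform "$(crl_inform "$1")" -out "$tmp"
  chmod 0644 "$tmp"
  mv -f "$tmp" "$3"
}

# Entry point for cron or a systemd timer: fetch, validate, install.
crl_refresh() {  # crl_refresh <url> <ca-cert-pem> <dest>
  tmp=$(mktemp)
  if curl -fsS -o "$tmp" "$1" && crl_install "$tmp" "$2" "$3"; then
    rm -f "$tmp"; return 0
  fi
  rm -f "$tmp"; return 1
}

# Constructed test material: a throw-away CA and an empty CRL signed by it,
# so the checks above can be run offline.  Not a real IPA CA.
make_test_ca() {  # make_test_ca <dir> -> ca.pem, ca.key, crl.pem, crl.der
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Throwaway CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  printf '[ca]\ndefault_ca = t\n[t]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\n' "$1" "$1" > "$1/ca.cnf"
  printf 'certificate = %s/ca.pem\nprivate_key = %s/ca.key\ndefault_md = sha256\ndefault_crl_days = 7\n' "$1" "$1" >> "$1/ca.cnf"
  : > "$1/index.txt"; echo 01 > "$1/crlnumber"
  openssl ca -config "$1/ca.cnf" -gencrl -crldays 7 -md sha256 -out "$1/crl.pem" >/dev/null 2>&1
  openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"
}

# "sh crl-refresh.sh refresh" is what the timer runs; sourcing the file only defines the functions.
if [ "${1:-}" = refresh ]; then crl_refresh "$CRL_URL" "$CA_CERT" "$CRL_DEST"; fi
```

The nextUpdate check is the part worth keeping even if you simplify the rest: a fetcher that keeps copying whatever it last saw hides the case where the CA has been unreachable for days, and OpenVPN will happily go on trusting a CRL that the CA itself no longer stands behind. OpenVPN consults the file as clients connect (as the reply above notes), so no restart is needed after the atomic replace.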
Theoretically one could make a systemd socket unit that would use 'nc' and
curl to pick up CRL from a CA every time OpenVPN asks for it (on each client
connection) or provide a cached version of it. The easiest way is to make CRL
retrieval periodic and populate whatever directory or file crl-verify is
pointed to.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Apr 2 07:20:16 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 2 Apr 2015 10:20:16 +0300
Subject: [Freeipa-users] Openvpn and Certificates
In-Reply-To:
References: <20150401180234.GC1672@redhat.com> <20150402043039.GY3878@redhat.com>
Message-ID: <20150402072016.GC3878@redhat.com>

On Thu, 02 Apr 2015, Andrew Holway wrote:
>Is it possible to generate certs without the host having an entry in the
>DNS?
Yes. Create a host with 'ipa host-add --force' and then use normal ways to
generate certificates for this host.

--
/ Alexander Bokovoy

From prasun.gera at gmail.com Thu Apr 2 07:27:58 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 2 Apr 2015 03:27:58 -0400
Subject: [Freeipa-users] Understanding the migration mode
In-Reply-To:
References: <55148136.8040003@redhat.com> <5514C804.4040207@redhat.com> <55156455.7090401@redhat.com> <5515C3DF.5020701@redhat.com> <551AA80F.5070807@redhat.com>
Message-ID:

I tried enabling crypt for experimentation, and things seem to work well for
both NIS and SSSD clients. I noticed that the crypt format that the NIS plugin
in IPA provides is the traditional crypt format with a 2 character salt and 13
character hash. NIS clients can understand newer crypt encodings which allow
MD5, SHA256 and SHA512 (https://docs.python.org/3/library/crypt.html). Is it
possible to force one of those as the storage scheme in the directory server?

On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera wrote:
> I've figured it out. You are right. SSSD triggers key generation.
For > migrated clients though, since ypbind still runs and the NIS-plugin serves > maps, they authenticate first using NIS before SSSD. If ypbind is stopped, > it is forced to use SSSD, and then it triggers the migration. Thanks for > persisting with this. It's pretty clear how it works now. > > On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera > wrote: > >> >> >>> ? SSSD does not seem to be involved as user is found in the /etc/passwd >>> and this SSSD should not do anything. >>> >>> It's not a local user. There's no entry in /etc/passwd. Here's the >> relevant sssd log >> >> >> sssd_ssh >> >> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains] >> (0x0200): name 'testuser2' matched without domain, user is testuser2 >> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client >> disconnected! >> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): >> Received client version [0]. >> >> sssd_pam >> >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: >> ipadomain >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user: >> testuser2 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): >> service: sshd >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: >> not set >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: >> host_ip >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok >> type: 0 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): >> newauthtok type: 0 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): >> cli_pid: 23983 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon >> name: testuser2 >> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): >> pam_dp_send_req 
>> returned 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
>> received: [0][ipadomain]
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
>> called with result [0].
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client
>> disconnected!
>>
>

From sbose at redhat.com Thu Apr 2 07:38:50 2015
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 2 Apr 2015 09:38:50 +0200
Subject: [Freeipa-users] ipactl start fails for no apparent reason
In-Reply-To: <551BD48C.5020902@redhat.com>
References: <551BA01F.8030707@redhat.com> <551BD48C.5020902@redhat.com>
Message-ID: <20150402073850.GS8895@p.redhat.com>

On Wed, Apr 01, 2015 at 01:20:44PM +0200, Martin Babinsky wrote:
> On 04/01/2015 10:14 AM, Traiano Welcome wrote:
> >Hi Martin
> >
> > Thanks for the response. Check results inline:
> >
> >
> >On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky wrote:
> >>On 04/01/2015 09:20 AM, Traiano Welcome wrote:
> >>>
> >>>Some information from the dirsrv error log (sanitized: XYZ = realm):
> >>>
> >>>[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139
> >>>starting up
> >>>[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
> >>>entries set up under cn=computers, cn=compat,dc=idm,dc=local
> >>>[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
> >>>Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> >>>should be added before the CoS Definition.
> >>>[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - CleanAllRUV Task:
> >>>cleanAllRUV task found, resuming the cleaning of rid(6)...
> >>>[01/Apr/2015:11:01:49 +0300] - Skipping CoS Definition cn=Password
> >>>Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which
> >>>should be added before the CoS Definition.
> >>>[01/Apr/2015:11:01:49 +0300] - slapd started. Listening on All > >>>Interfaces port 389 for LDAP requests > >>>[01/Apr/2015:11:01:49 +0300] - Listening on All Interfaces port 636 > >>>for LDAPS requests > >>>[01/Apr/2015:11:01:49 +0300] - Listening on > >>>/var/run/slapd-IDM-LOCAL.socket for LDAPI requests > >>>[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:11:01:49 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. 
Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>[01/Apr/2015:11:01:49 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:11:01:49 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:11:01:49 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>[01/Apr/2015:11:01:50 +0300] - slapd shutting down - signaling operation > >>>threads > >>>[01/Apr/2015:11:01:50 +0300] - slapd shutting down - waiting for 27 > >>>threads to terminate > >>>[01/Apr/2015:11:01:50 +0300] - slapd shutting down - closing down > >>>internal subsystems and plugins > >>>[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Cleaning rid (6)... 
> >>>[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Waiting to process all the updates from the deleted replica... > >>>[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Waiting for all the replicas to be online... > >>>[01/Apr/2015:11:01:58 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Server shutting down. Process will resume at server startup > >>>[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed > >>>out) > >>>[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -1 (Can't contact LDAP server) > >>>[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact > >>>LDAP server) () > >>>[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
> >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>errors > >>>[01/Apr/2015:11:02:09 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:11:02:09 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:11:02:09 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication > >>>bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > >>>generic failure: GSSAPI Error: Unspecified GSS failure. Minor code > >>>may provide more information (No Kerberos credentials available)) > >>>[01/Apr/2015:11:02:09 +0300] - Waiting for 4 database threads to stop > >>>[01/Apr/2015:11:02:10 +0300] - All database threads now stopped > >>>[01/Apr/2015:11:02:10 +0300] - slapd stopped. > >>>[01/Apr/2015:10:15:39 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 > >>>starting up > >>>[01/Apr/2015:10:15:39 +0300] schema-compat-plugin - warning: no > >>>entries set up under cn=computers, cn=compat,dc=idm,dc=local > >>>[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password > >>>Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which > >>>should be added before the CoS Definition. > >>>[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>cleanAllRUV task found, resuming the cleaning of rid(6)... 
> >>>[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:10:15:39 +0300] - Skipping CoS Definition cn=Password > >>>Policy,cn=accounts,dc=idm,dc=local--no CoS Templates found, which > >>>should be added before the CoS Definition. > >>>[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 2 (No such file or directory) > >>>[01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time > >>>skew (-2771 secs). Current seqnum=3 > >>>[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtard-idm-slve.idm.local" (kwtard-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
> >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>[01/Apr/2015:10:15:39 +0300] set_krb5_creds - Could not get initial > >>>credentials for principal [ldap/kwtpr-idm-mstr@] in keytab > >>>[FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found) > >>>[01/Apr/2015:10:15:39 +0300] csngen_new_csn - Warning: too much time > >>>skew (-2770 secs). Current seqnum=1 > >>>[01/Apr/2015:10:15:39 +0300] - slapd started. Listening on All > >>>Interfaces port 389 for LDAP requests > >>>[01/Apr/2015:10:15:39 +0300] - Listening on All Interfaces port 636 > >>>for LDAPS requests > >>>[01/Apr/2015:10:15:39 +0300] - Listening on > >>>/var/run/slapd-IDM-LOCAL.socket for LDAPI requests > >>>[01/Apr/2015:10:15:39 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:10:15:39 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:10:15:39 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meToindpr-idm-slve.idm.local" (indpr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>[01/Apr/2015:10:15:40 +0300] csngen_new_csn - Warning: too much time > >>>skew (-2771 secs). 
Current seqnum=1 > >>>[01/Apr/2015:10:15:41 +0300] - slapd shutting down - signaling operation > >>>threads > >>>[01/Apr/2015:10:15:41 +0300] - slapd shutting down - waiting for 28 > >>>threads to terminate > >>>[01/Apr/2015:10:15:41 +0300] - slapd shutting down - closing down > >>>internal subsystems and plugins > >>>[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Cleaning rid (6)... > >>>[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Waiting to process all the updates from the deleted replica... > >>>[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Waiting for all the replicas to be online... > >>>[01/Apr/2015:10:15:48 +0300] NSMMReplicationPlugin - CleanAllRUV Task: > >>>Server shutting down. Process will resume at server startup > >>>[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-1 (Can't contact LDAP server) ((null)) errno 110 (Connection timed > >>>out) > >>>[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -1 (Can't contact LDAP server) > >>>[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtospr-idm-slve.idm.local" (kwtospr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact > >>>LDAP server) () > >>>[01/Apr/2015:10:15:58 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. 
Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:10:15:58 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:10:15:58 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meTokwtpr-idm-slve.idm.local" (kwtpr-idm-slve:389): > >>>Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) > >>>(SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > >>>Minor code may provide more information (No Kerberos credentials > >>>available)) > >>>[01/Apr/2015:10:15:59 +0300] slapd_ldap_sasl_interactive_bind - Error: > >>>could not perform interactive bind for id [] mech [GSSAPI]: LDAP error > >>>-2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified > >>>GSS failure. Minor code may provide more information (No Kerberos > >>>credentials available)) errno 0 (Success) > >>>[01/Apr/2015:10:15:59 +0300] slapi_ldap_bind - Error: could not > >>>perform interactive bind for id [] authentication mechanism [GSSAPI]: > >>>error -2 (Local error) > >>>[01/Apr/2015:10:15:59 +0300] NSMMReplicationPlugin - > >>>agmt="cn=meToukpr-idm-slve.idm.local" (ukpr-idm-slve:389): Replication > >>>bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): > >>>generic failure: GSSAPI Error: Unspecified GSS failure. Minor code > >>>may provide more information (No Kerberos credentials available)) > >>>[01/Apr/2015:10:15:59 +0300] - Waiting for 4 database threads to stop > >>>[01/Apr/2015:10:16:00 +0300] - All database threads now stopped > >>>[01/Apr/2015:10:16:00 +0300] - slapd stopped. 
> >>> > >>>On Wed, Apr 1, 2015 at 9:56 AM, Traiano Welcome wrote: > >>>> > >>>>Hi List > >>>> > >>>>I've just tried to restart my IPA services after recently adding a new > >>>>replica (0 configuration changes on the IPA server otherwise!), but > >>>>ipactl fails when starting up named: > >>>> > >>>>--- > >>>>[root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start > >>>>Starting Directory Service > >>>>Starting krb5kdc Service > >>>>Starting kadmin Service > >>>>Starting named Service > >>>>Job for named.service failed. See 'systemctl status named.service' and > >>>>'journalctl -xn' for details. > >>>>Failed to start named Service > >>>>Shutting down > >>>>Aborting ipactl > >>>>--- > >>>> > >>>>I then manual start named service and try again, but then smb service > >>>>fails: > >>>> > >>>>--- > >>>>[root at lolpr-xyz-mstr ~]# ipactl start > >>>>Existing service file detected! > >>>>Assuming stale, cleaning and proceeding > >>>>Starting Directory Service > >>>>Starting krb5kdc Service > >>>>Starting kadmin Service > >>>>Starting named Service > >>>>Starting ipa_memcached Service > >>>>Starting httpd Service > >>>>Starting pki-tomcatd Service > >>>>Starting smb Service > >>>>Job for smb.service failed. See 'systemctl status smb.service' and > >>>>'journalctl -xn' for details. > >>>>Failed to start smb Service > >>>>Shutting down > >>>>Aborting ipactl > >>>>--- > >>>> > >>>>systemctl status shows the following output for smb.service: > >>>> > >>>>--- > >>>>[root at lolpr-xyz-mstr ~]# systemctl -l status smb.service > >>>>smb.service - Samba SMB Daemon > >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) > >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:21:10 > >>>>AST; 1min 14s ago > >>>> Process: 4662 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, > >>>>status=1/FAILURE) > >>>> Main PID: 4662 (code=exited, status=1/FAILURE) > >>>> Status: "Starting process..." 
> >>>> CGroup: /system.slice/smb.service > >>>> > >>>>Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI client step 1 > >>>>Apr 01 09:21:09 lolpr-xyz-mstr.xyz.local smbd[4662]: GSSAPI Error: > >>>>Unspecified GSS failure. Minor code may provide more information > >>>>(Server ldap/lolpr-xyz-mstr at XYZ.LOCAL not found in Kerberos database) > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 > >>>>09:21:10.211028, 0] ipa_sam.c:4440(pdb_init_ipasam) > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: Failed to get base > >>>>DN. > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: [2015/04/01 > >>>>09:21:10.211210, 0] > >>>>../source3/passdb/pdb_interface.c:178(make_pdb_method_name) > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local smbd[4662]: pdb backend > >>>>ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly > >>>>init (error was NT_STATUS_UNSUCCESSFUL) > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main > >>>>process exited, code=exited, status=1/FAILURE > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start > >>>>Samba SMB Daemon. > >>>>Apr 01 09:21:10 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service > >>>>entered failed state. > >>>>Apr 01 09:21:12 lolpr-xyz-mstr.xyz.local systemd[1]: Stopped Samba SMB > >>>>Daemon. 
> >>>>--- > >>>> > >>>> > >>>>I manually try to start the smb service as follows, but can't (Of > >>>>course the directory service is not up, so there's a little catch22 > >>>>there and this many not mean much): > >>>> > >>>> > >>>>--- > >>>> > >>>>[root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# systemctl status smb.service > >>>>smb.service - Samba SMB Daemon > >>>> Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled) > >>>> Active: failed (Result: exit-code) since Wed 2015-04-01 09:50:38 AST; > >>>>57s ago > >>>> Process: 8089 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, > >>>>status=1/FAILURE) > >>>> Main PID: 8089 (code=exited, status=1/FAILURE) > >>>> Status: "Starting process..." > >>>> > >>>>Apr 01 09:50:36 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: > >>>>code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' > >>>>Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 > >>>>09:50:37.573772, 0] ipa_sam.c:4128(bind_callback_cleanup) > >>>>Apr 01 09:50:37 lolpr-xyz-mstr.xyz.local smbd[8089]: kerberos error: > >>>>code=-1765328228, message=Cannot contact any KDC for realm 'XYZ.LOCAL' > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 > >>>>09:50:38.574722, 0] ipa_sam.c:4440(pdb_init_ipasam) > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: Failed to get base > >>>>DN. > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: [2015/04/01 > >>>>09:50:38.574903, 0] > >>>>../source3/passdb/pdb_interface.c:178(make_pdb_method_name) > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local smbd[8089]: pdb backend > >>>>ipasam:ldapi://%2fvar%2frun%2fslapd-XYZ-LOCAL.socket did not correctly > >>>>init (error was NT_STATUS_UNSUCCESSFUL) > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: smb.service: main > >>>>process exited, code=exited, status=1/FAILURE > >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Failed to start > >>>>Samba SMB Daemon. 
> >>>>Apr 01 09:50:38 lolpr-xyz-mstr.xyz.local systemd[1]: Unit smb.service > >>>>entered failed state. > >>>>[root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# > >>>> > >>>>--- > >>>> > >>>>Please could someone advise me on how to drill deeper into debugging > >>>>this issue to get ipactl to start ? > >>>> > >>>>NOTES: > >>>> > >>>>- This server is successfully in a Trust relationship with > >>>>ActiveDirectory. > >>>>- There are a number of replicas established which have been working > >>>>fine til this morning > >>>>- Another replica was added around the time of the failure using the > >>>>same steps as usual (not sure how this could be related) > >>>> > >>>> > >>>>Many thanks in advance, > >>>>Traiano > >>> > >>> > >> > >>Hi Traiano, > >> > >>it seems like there is some problem with Kerberos keytab for DS service. > >> > >>Take a look at this guide: > >> > >> http://www.freeipa.org/page/Troubleshooting#Service_does_not_start > >> > >>and check whether there is something wrong with DS keytab and that the > >>service principal is set up correctly. > >> > > > > > > > >Walking through this pedantically: > > > >Service does not start: > > > >1) See service log of the respective service for the exact error text. > >For example, the Directory Server stores the log in > >/var/log/dirsrv/slapd-REALM-NAME/errors > > > > check > > > >2) Make sure that the server the service is running on has a fully > >qualified domain name > > > >--- > >[root at lolpr-xyz-mstr ~]# hostname > >lolpr-xyz-mstr.xyz.local > >[root at lolpr-xyz-mstr ~]# host `hostname` > >lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > >[root at lolpr-xyz-mstr ~]# host 172.16.100.68 > >68.100.16.172.in-addr.arpa domain name pointer lolpr-xyz-mstr.xyz.local. 
> >[root at lolpr-xyz-mstr ~]# > >--- > > > >3) See what keys are in the keytab used for authentication of the service, e.g.: > ># klist -kt /etc/dirsrv/ds.keytab > > > > > >--- > >[root at lolpr-xyz-mstr slapd-XYZ-LOCAL]# klist -kt /etc/dirsrv/ds.keytab > >Keytab name: FILE:/etc/dirsrv/ds.keytab > >KVNO Timestamp Principal > >---- ------------------- ------------------------------------------------------ > > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > > 2 11/06/2014 13:13:06 ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > >--- > > > >4) Make sure that the stored principals match the system FQDN system name > > > >check: > > > >--- > > [root at lolpr-xyz-mstr ~]# host lolpr-xyz-mstr.xyz.local > >lolpr-xyz-mstr.xyz.local has address 172.16.100.68 > >[root at lolpr-xyz-mstr ~]# > >--- > > > >5) Make sure that the version of the keys (KVNO) stored in the keytab > >and in the FreeIPA server match: > >$ kvno ldap/ipa.example.com at EXAMPLE.COM > > > > > >check ... This is unusual: > > > >--- > >[root at lolpr-xyz-mstr ~]# kvno ldap/lolpr-xyz-mstr.xyz.local at XYZ.LOCAL > >kvno: Credentials cache keyring 'persistent:0:0' not found while > >getting client principal name > >--- > Your root account has no Kerberos credentials. Either kinit as IPA admin for > root or run this command from an account that is already kinit'ed as IPA > admin. > > > >Now, when I look at my krb5.conf, I see the file has had a recent > >change ... 
yet, I'm sure this file was never edited: Does the > >krb5.conf below look correct for a standard IPA primary server?: > > > >--- > >[root at lolpr-xyz-mstr ~]# ls -l /etc/krb5.conf > >-rw-r--r-- 1 root root 811 Apr 1 11:01 /etc/krb5.conf > >--- > > > > > >--- > >[root at lolpr-xyz-mstr ~]# cat /etc/krb5.conf > >includedir /var/lib/sss/pubconf/krb5.include.d/ > > > >[logging] > > default = FILE:/var/log/krb5libs.log > > kdc = FILE:/var/log/krb5kdc.log > > admin_server = FILE:/var/log/kadmind.log > > > >[libdefaults] > > default_realm = XYZ.LOCAL > > dns_lookup_realm = false > > dns_lookup_kdc = true > > rdns = false > > ticket_lifetime = 24h > > forwardable = yes > > default_ccache_name = KEYRING:persistent:%{uid} > > > >[realms] > > XYZ.LOCAL = { > > kdc = lolpr-xyz-mstr.xyz.local:88 > > master_kdc = lolpr-xyz-mstr.xyz.local:88 > > admin_server = lolpr-xyz-mstr.xyz.local:749 > > default_domain = xyz.local > > pkinit_anchors = FILE:/etc/ipa/ca.crt > > auth_to_local = > >RULE:[1:$1@$0](^.*@WINDOM.LOCAL$)s/@WINDOM.LOCAL/@windom.local/ > > auth_to_local = DEFAULT > >} > > > >[domain_realm] > > .xyz.local = XYZ.LOCAL > > xyz.local = XYZ.LOCAL > > > >[dbmodules] > > XYZ.LOCAL = { > > db_library = ipadb.so > > } > >--- > > > This looks OK to me but I'm no Kerberos expert. I cc'ed Sumit and Simo, they > should be able to help you more than I. yes, krb5.conf looks ok. Most of the changes to this file are done during ipa-server-install. Only the 2 auth_to_local lines must be added manually later on to allow some basic mapping of Kerberos principals to user names for AD users, but this should not be related to any startup issues (as long as they are syntactically correct). bye, Sumit > >6) Make sure that there are no DNS Issues and both forward and reverse > >DNS records of the are OK and match the system name and the stored > >principal keys > > > > check. DNS works.
> > > >7) Make sure that the system time difference on the host and FreeIPA > >server is not greater than 5 minutes > > > > They're one and the same in this case. > > > >>-- > >>Martin^3 Babinsky > > > >Thanks, > >Traiano > > > > Just to make sure, what version of IPA are you using? > > -- > Martin^3 Babinsky From yamakasi.014 at gmail.com Thu Apr 2 08:03:04 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Thu, 2 Apr 2015 10:03:04 +0200 Subject: [Freeipa-users] freeipa behind a load balancer In-Reply-To: References: <551A9160.7060800@redhat.com> <551A9B3F.4010900@redhat.com> <551AA7F2.2070105@redhat.com> <551AAE2C.8070606@redhat.com> <551AB84C.6080004@redhat.com> <1427816508.24621.14.camel@desktop.bpk2.com> <1427820780.8302.188.camel@willson.usersys.redhat.com> <1427822496.24621.25.camel@desktop.bpk2.com> <1427824216.8302.192.camel@willson.usersys.redhat.com> <1427824450.8302.195.camel@willson.usersys.redhat.com> <1427825445.24621.39.camel@desktop.bpk2.com> <551AE5D8.3010201@redhat.com> Message-ID: OK, to keep this updated. With some Kerberos gurus we have looked at how IPA behaves when you change all DNS names, PTR's and A's to the LB-er and every time you get a ticket from the server service principal itself. With kvno you can get a ticket for the loadbalancer but when you run your "failing script" you also see a ticket coming back from the ipa server itself. I have seen some mailings from last year too with no solution... it seems to be a showstopper on that part :( 2015-04-01 20:41 GMT+02:00 Matt . : > Hi, > > I'm not giving up on this, so I'm testing. > > I'm unsure at the moment about the keytab. The keytab is normally for > the user that needs to be able to do "stuff", but in this case we need > one for the loadbalancer name or the client .... maybe combined ? > > I lost that overview... would be nice to get some advice here. > > Thanks! > > Matt > > 2015-03-31 21:23 GMT+02:00 Matt . 
: >> OK, but we need to do this using IPA or (as IPA does some things >> different it seems). >> >> Anyone testing this perhaps ? (/me is multitasking atm) >> >> 2015-03-31 20:22 GMT+02:00 Rob Crittenden : >>> Brendan Kearney wrote: >>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote: >>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote: >>>>>> But IPA is more complex and some operations will be performed directly >>>>>> against the specific server name, so you need to keep 2 sets of keys >>>>>> (one for the server name and one for the load balancer name), but that >>>>>> does not work right now. >>>>> >>>>> One experiment that can be done is to remove all "per-server" HTTP >>>>> services for the IPA server, and instead add their name as aliases on >>>>> the common load-balancer name. >>>>> >>>>> This would mean that all IPA servers would have just one key in their >>>>> HTTP keytab, but the KDC would release tickets readable by that key for >>>>> any name the clients may ask for. >>>>> >>>>> It is a bit tricky, every time you build a replica you want to >>>>> load-balance you'll have to go back and remove the service and switch >>>>> keytabs, but it may be an option. Of course if you brick IPA then you >>>>> get to keep the pieces :-) >>>>> >>>>> Simo. >>>>> >>>> >>>> careful there, as kerberos balks at CNAME records. i think you need to >>>> use A records. i ran into a couple odd issues and decided to only use >>>> A/PTR records for my stuff and never went "exploring" for >>>> options/alternatives. >>>> >>> >>> Not DNS aliases, Kerberos principal aliases. 
>>> > >>> rob >>> > >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project From wdh at dds.nl Thu Apr 2 10:53:02 2015 From: wdh at dds.nl (Winfried de Heiden) Date: Thu, 02 Apr 2015 12:53:02 +0200 Subject: [Freeipa-users] freeipa-server on Raspberry Pi 2 Message-ID: <551D1F8E.2080707@dds.nl> From mbasti at redhat.com Thu Apr 2 11:38:21 2015 From: mbasti at redhat.com (Martin Basti) Date: Thu, 02 Apr 2015 13:38:21 +0200 Subject: [Freeipa-users] freeipa-server on Raspberry Pi 2 In-Reply-To: <551D1F8E.2080707@dds.nl> References: <551D1F8E.2080707@dds.nl> Message-ID: <551D2A2D.1020901@redhat.com> On 02/04/15 12:53, Winfried de Heiden wrote: > Hi all, > > "Because I can try" I gave a shot on installing freeipa-server on a > Raspberry Pi 2. I used Fedora 21 for this. Installing looks promising, > but fails somewhere halfway: > > [8/27]: starting certificate server instance > [error] RuntimeError: CA did not start in 300.0s > CA did not start in 300.0s > > > and the install log will tell: > > [root at ipa log]# tail /var/log/ipaserver-install.log > File > "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 279, in start > self.service.start(instance_name, > capture_output=capture_output, wait=wait) > > File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > line 229, in start > self.wait_until_running() > > File > "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", > line 223, in wait_until_running > raise RuntimeError('CA did not start in %ss' % timeout) > > 2015-04-02T09:58:36Z DEBUG The ipa-server-install command failed, > exception: RuntimeError: CA did not start in 300.0s > > > I'm wondering if this is a timing issue... Of course the Pi2 tends to > be slow and no wonder starting things will takes "some time"... 
(Yep, > I'm trying to move tons of stones using only a 2CV car...) The > catalina log (that's the CA (Tomcat) log right?) > tells it needs some more time to start: > > [root at ipa pki-tomcat]# tail > /var/log/pki/pki-tomcat/catalina.2015-04-02.log > Apr 02, 2015 11:59:20 AM org.apache.catalina.startup.HostConfig > deployDescriptor > INFO: Deployment of configuration descriptor > /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in > 84,815 ms > Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start > INFO: Starting ProtocolHandler ["http-bio-8080"] > Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start > INFO: Starting ProtocolHandler ["http-bio-8443"] > Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start > INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"] > Apr 02, 2015 11:59:20 AM org.apache.catalina.startup.Catalina start > INFO: Server startup in 355603 ms > > Anyone got an idea how to set the time out for the CA to start to 10 > or 15 minutes? Any other suggestion what is causing this problem? (no, > I am not upgrading from an older version, this is a fresh install) > > Kind regards, > > Winfried > > > > Hello, you can try: https://www.redhat.com/archives/freeipa-users/2015-April/msg00076.html -- Martin Basti From dpal at redhat.com Thu Apr 2 13:20:45 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 02 Apr 2015 09:20:45 -0400 Subject: [Freeipa-users] Expired password change on AIX Client In-Reply-To: <1B1DB5490C5E3A408CA3086D02CD34FA040CDDD1@rctr246> References: <1B1DB5490C5E3A408CA3086D02CD34FA040CDDD1@rctr246> Message-ID: <551D422D.6020900@redhat.com> On 04/01/2015 02:28 PM, Luiz Fernando Vianna da Silva wrote: > > Hello Dmitri. 
> > Server is running: ipa-server-3.0.0-37.el6.x86_64 > > My Kerberos configuration looks like this on a client: > > # cat /etc/krb5.conf > > [libdefaults] > > default_realm = DOMAIN.COM > > default_keytab_name = FILE:/etc/krb5/krb5.keytab > > default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts > des-cbc-md5 des-cbc-crc aes128-cts > > default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts > des-cbc-md5 des-cbc-crc aes128-cts > > [realms] > > DOMAIN.COM = { > > kdc = ldap.domain.com:88 > > admin_server = ldap.domain.com:749 > > default_domain = domain.com > > } > > [domain_realm] > > .domain.com = DOMAIN.COM > > ldap.domain.com = DOMAIN.COM > > [logging] > > kdc = FILE:/var/krb5/log/krb5kdc.log > > admin_server = FILE:/var/krb5/log/kadmin.log > > kadmin_local = FILE:/var/krb5/log/kadmin_local.log > > default = FILE:/var/krb5/log/krb5lib.log > > # > > What does the KDC log show?: Where do I get this log from? > /var/log/krb5kdc.log > Atenciosamente/Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > ITM-I - Operação Cielo > > +55 (11) 3626-7126 > > luiz.vianna at tivit.com.br > > *T I V I T* > > Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar > > São Paulo - SP - CEP 05804-900 > > www.tivit.com.br > > This message, including its attachments, is confidential and its > content is restricted to the addressee. If you have received it by > mistake, please return it to the sender and delete it from your > files. Any unauthorized use, copying or distribution of this message > or part of it is expressly prohibited. TIVIT is not responsible for > the content or the accuracy of this information. 
> > *From:* freeipa-users-bounces at redhat.com > > [mailto:freeipa-users-bounces at redhat.com] *On behalf of* Dmitri Pal > *Sent:* Wednesday, 1 April 2015 13:27 > *To:* freeipa-users at redhat.com > *Subject:* [Marketing Mail] Re: [Freeipa-users] Expired password > change on AIX Client > > On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote: > > Hello All. > > I've searched the archives of this mailing list looking for an > answer for this one, but all I found lead me nowhere. > > Closest thread to help me was: > https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html > > Has anyone figured out a way to have expired password changes work > on AIX clients? > > I have tried adding "kpasswd_protocol = SET_CHANGE" as well as > "kpasswd_protocol = RPCSEC_GSS" to the [realms] section but none > of them worked. > > Here is the output from an ssh test session for user "teste" on an > AIX 7.1 machine: > > -bash-4.2$ ssh teste at localhost > > ################################################################################ > > # NICE MOTD > > ################################################################################ > > teste at localhost's password: > > [KRB5]: 3004-332 Your password has expired. > > 3004-333 A password change is required. > > [KRB5]: 3004-332 Your password has expired. > > ******************************************************************************* > > * * > > * * > > * Welcome to AIX Version > 7.1! * > > * * > > * * > > * Please see the README file in /usr/lpp/bos for information > pertinent to * > > * this release of the AIX Operating System. > * > > * * > > * * > > ******************************************************************************* > > ################################################################################ > > # NICE MOTD > > ################################################################################ > > WARNING: Your password has expired. 
> > You must change your password now and login again! > > Changing password for "teste" > > teste's Old password: > > teste's New password: > > Enter the new password again: > > 3004-604 Your entry does not match the old password. > > Connection to localhost closed. > > -bash-4.2$ > > > So you are setting up an AIX client using Kerberos against an IPA server and > trying to log in with a user that has an expired password. Did I get it right? > > What version of the server are you using? > How does your Kerberos configuration look on a client? > What does the KDC log show? > > Atenciosamente/Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > ITM-I - Operação Cielo > > +55 (11) 3626-7126 > > luiz.vianna at tivit.com.br > > *T I V I T* > > Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar > > São Paulo - SP - CEP 05804-900 > > www.tivit.com.br > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. 
From dpal at redhat.com Thu Apr 2 13:22:41 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 02 Apr 2015 09:22:41 -0400 Subject: [Freeipa-users] RES: FreeIPA integration with AIX and sudo In-Reply-To: <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246> References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246> <551C24A6.9010605@degauquier.net> <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246> Message-ID: <551D42A1.3080303@redhat.com> On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote: > > Hi Yves. > > First a little background information regarding sudo on AIX: Most sudo > packages compiled for AIX are NOT compiled with LDAP support. > > Although sudo's documentation states that sudo supports different LDAP > implementations, other than OpenLDAP, I suppose it doesn't work well > with AIX's LDAP fileset. > > That's my guess why most sudo packages for AIX aren't compiled with > LDAP support. [BTW, you can check this by running, as root, sudo -V | > grep -i ldap]. > > The good news is that Michael Perzl has successfully compiled a sudo > package with LDAP support, although it's compiled against OpenLDAP and > not AIX's LDAP fileset. > > So, here is how I did it: > > (1) Go to http://www.perzl.org/aix/ and > download the following RPM packages on their latest versions: > > - sudo >= 1.8.11 > > - gettext >= 0.10.40 > > - openldap >= 2.4.23 > > - openssl >= 1.0.1j-1 > > - zlib > > Make sure you don't have the sudo fileset installed or another sudo > rpm package. > > Don't worry about openssl from this RPM package conflicting with the > OpenSSL fileset from AIX, they won't. > > Don't worry about openldap from this RPM package conflicting with the > ldap fileset from AIX, they won't. > > (2) Upload the rpm packages to your AIX LPAR and put them all in a > directory, I used /tmp/sudopack. [From here on I assume you are root > on your LPAR]. 
> > (3) From the directory where you put your packages run a "rpm -ivh > *.rpm --test" and if all goes well proceed without the "--test", > otherwise sort out the dependencies and conflicts like the grown man > you are :). > > (4) Once the rpms are installed, add the following line to the bottom > of your /etc/netsvc.conf file: sudoers = files, ldap > > I know this is not expected syntax according to IBM's netsvc.conf > documentation, but sudo requires it to work with ldap. According to > sudo's documentation it uses that line on netsvc.conf to emulate what > sudo would expect to find on /etc/nsswitch.conf on a Linux machine > [hack much?]. > > (5) Create a file called /etc/ldap.conf. This has nothing to do with > the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, > this is OpenLDAP's config only used by sudo. Don't worry, this won't > conflict with AIX's LDAP functionality. > > Add this to your /etc/ldap.conf: > > tls_cacert /etc/ipa/ca.crt > > uri ldap://youripaserver.domain.com > > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com > > bindpw yourclientpassword > > sudoers_base ou=sudoers,dc=domain,dc=com > > (6) Create a directory called /etc/ipa and download your CA > certificate file and place it there. Make sure to permission the > directory 755 and the ca.crt file 644. > > (7) And that's pretty much it, no need to edit a single line on > /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that > comes with the rpm, unchanged. > > Log into your LPAR with a domain user and try running "sudo -l", it > should output the sudo rules you set on the IPA server. > > I hope this helps you and other AIX client users out there. > Would you mind creating a howto page on the IPA wiki? > Atenciosamente/Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > ITM-I - Operação Cielo > > +55 (11) 3626-7126 > > luiz.vianna at tivit.com.br > > *T I V I T* > > Av. 
Maria Coelho Aguiar, 215 - Bloco D - 5º Andar > > São Paulo - SP - CEP 05804-900 > > www.tivit.com.br > > *From:* Yves Degauquier [mailto:yves at degauquier.net] > *Sent:* Wednesday, 1 April 2015 14:03 > *To:* Luiz Fernando Vianna da Silva > *Subject:* Re: [Freeipa-users] FreeIPA integration with AIX and sudo > > Hi Luiz, > > I was not able to make it running, I was a bit lost with the LDAP, > PAM, LAM configuration, and didn't find any idea with Google... > > If you can share the solution or point me to some important point to > do, I will be happy. > > Thanks in advance, > > Best regards, > > Yves > > On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote: > > Hello Yves. > > I was browsing the mailing list archives and found your email from > December 2013 > (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html). > > I have successfully found a way to have sudo on AIX work with the > sudo rules on IPA, just like Linux clients. > > Give me a reply if you haven't figured out a way to make this work > and I'll send you the solution I came up with. > > Atenciosamente/Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > ITM-I - Operação Cielo > > +55 (11) 3626-7126 > > luiz.vianna at tivit.com.br > > *T I V I T* > > Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar > > São Paulo - SP - CEP 05804-900 > > www.tivit.com.br 
> > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From janellenicole80 at gmail.com Thu Apr 2 13:30:56 2015 From: janellenicole80 at gmail.com (Janelle) Date: Thu, 02 Apr 2015 06:30:56 -0700 Subject: [Freeipa-users] pks error?? Message-ID: <551D4490.1090404@gmail.com> Hello, Just wondering how you get rid of this - just kind of annoying: p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute I understand it is related to not setting up DNS, is this correct? Thank you ~J From guertin at middlebury.edu Thu Apr 2 14:43:59 2015 From: guertin at middlebury.edu (Guertin, David S.) Date: Thu, 2 Apr 2015 14:43:59 +0000 Subject: [Freeipa-users] RHEL 5 client? In-Reply-To: <551CB0CE.3040306@redhat.com> References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> Message-ID: >Ah so you are using it with trust. Then you should change the configuration to >not use kerberos but rather LDAP instead. >More details are here. >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the --enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on all three IPA servers. I then cleared the sssd cache on the RHEL 5 client and restarted sssd, but users still couldn't log in. Originally I had run "ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried re-running that with "ipa-advise config-redhat-nss-ldap" instead, and ran the resulting script on the client. Still no success -- I'm still getting the same error. 
The current sssd.conf file on the client is: [sssd] services = nss, pam config_file_version = 2 domains = default re_expression = (?P.+) [domain/default] cache_credentials = True id_provider = ldap auth_provider = ldap ldap_uri = ldap://genet.ipa.middlebury.edu ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt David Guertin From jhrozek at redhat.com Thu Apr 2 14:54:21 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 2 Apr 2015 16:54:21 +0200 Subject: [Freeipa-users] RHEL 5 client? In-Reply-To: References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> Message-ID: <20150402145421.GJ3668@hendrix.redhat.com> On Thu, Apr 02, 2015 at 02:43:59PM +0000, Guertin, David S. wrote: > >Ah so you are using it with trust. Then you should change the configuration to > >not use kerberos but rather LDAP instead. > >More details are here. > >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf > > Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the --enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on all three IPA servers. I then cleared the sssd cache on the RHEL 5 client and restarted sssd, but users still couldn't log in. Originally I had run "ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried re-running that with "ipa-advise config-redhat-nss-ldap" instead, and ran the resulting script on the client. Still no success -- I'm still getting the same error. 
> > The current sssd.conf file on the client is: > > [sssd] > services = nss, pam > config_file_version = 2 > domains = default > re_expression = (?P.+) > > [domain/default] > cache_credentials = True > id_provider = ldap > auth_provider = ldap > ldap_uri = ldap://genet.ipa.middlebury.edu > ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu > ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt > > David Guertin Can you try searching the compat tree with ldapsearch to see if an entry turns up? IIRC you need to search for a particular entry, not for any (i.e. not cn=*), but if you crank up the debug_level in the domain section, then sssd should log the searches to /var/log/sssd/sssd_default.log From christoph.kaminski at biotronik.com Thu Apr 2 14:57:32 2015 From: christoph.kaminski at biotronik.com (Christoph Kaminski) Date: Thu, 2 Apr 2015 16:57:32 +0200 Subject: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1) Message-ID: Hi all! We have 6 IPA Servers here connected to each other. We want to upgrade all from RHEL 7 with IPA 3.3.3 to RHEL 7.1 with IPA 4.1. I have done it on one of the 6 servers and got a problem. After upgrade if I want to login to Web UI I get: "IPA-Error 903: InternalError" after typing the credentials... 
I have activated debug output of IPA and see this in /var/log/httpd/error_log:

[Thu Apr 02 14:39:38.848474 2015] [:error] [pid 18020] ipa: ERROR: non-public: KeyError: 'idnsforwardzone'
[Thu Apr 02 14:39:38.848536 2015] [:error] [pid 18020] Traceback (most recent call last):
[Thu Apr 02 14:39:38.848600 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
[Thu Apr 02 14:39:38.848607 2015] [:error] [pid 18020]     result = self.Command[name](*args, **options)
[Thu Apr 02 14:39:38.848612 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Thu Apr 02 14:39:38.848671 2015] [:error] [pid 18020]     ret = self.run(*args, **options)
[Thu Apr 02 14:39:38.848701 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Thu Apr 02 14:39:38.848707 2015] [:error] [pid 18020]     return self.execute(*args, **options)
[Thu Apr 02 14:39:38.848776 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in execute
[Thu Apr 02 14:39:38.848783 2015] [:error] [pid 18020]     (o.name, json_serialize(o)) for o in self.api.Object()
[Thu Apr 02 14:39:38.848789 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in
[Thu Apr 02 14:39:38.848794 2015] [:error] [pid 18020]     (o.name, json_serialize(o)) for o in self.api.Object()
[Thu Apr 02 14:39:38.848799 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 60, in json_serialize
[Thu Apr 02 14:39:38.848804 2015] [:error] [pid 18020]     return json_serialize(obj.__json__())
[Thu Apr 02 14:39:38.848809 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 710, in __json__
[Thu Apr 02 14:39:38.848814 2015] [:error] [pid 18020]     attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
[Thu Apr 02 14:39:38.848820 2015] [:error] [pid 18020]   File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in attribute_types
[Thu Apr 02 14:39:38.848825 2015] [:error] [pid 18020]     object_class = self.sed[ObjectClass][object_class_oid]
[Thu Apr 02 14:39:38.848830 2015] [:error] [pid 18020] KeyError: 'idnsforwardzone'

I have found this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1180325
It should be fixed in the last version?!

I have read there I should start: setup-ds.pl -d --update

But I'm afraid that it kills the data on the IPA Servers with version 3.3.3... does it?

What can I do? How can I fix it?

Greetz
Christoph Kaminski
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu Apr 2 15:07:13 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 02 Apr 2015 17:07:13 +0200
Subject: [Freeipa-users] pks error??
In-Reply-To: <551D4490.1090404@gmail.com>
References: <551D4490.1090404@gmail.com>
Message-ID: <551D5B21.6010602@redhat.com>

On 02/04/15 15:30, Janelle wrote:
> Hello,
>
> Just wondering how you get rid of this - just kind of annoying:
>
> p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
>
> I understand it is related to not setting up DNS, is this correct?
>
> Thank you
> ~J
>
Hello,

where is the origin of this message? Which log? Can you send the log?

Martin

-- 
Martin Basti

From mbasti at redhat.com Thu Apr 2 15:25:10 2015
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 02 Apr 2015 17:25:10 +0200
Subject: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)
In-Reply-To:
References:
Message-ID: <551D5F56.4050007@redhat.com>

On 02/04/15 16:57, Christoph Kaminski wrote:
> Hi all!
>
> We have 6 IPA Servers here connected to each other. We want to upgrade
> all from RHEL 7 with IPA 3.3.3 to RHEL 7.1 with IPA 4.1.
>
> I have done it on one of the 6 servers and got a problem.
>
> After upgrade if I want to login to Web UI I get: "*IPA-Error 903:
> InternalError*" after typing the credentials...
> I have activated debug output of IPA and see this in
> /var/log/httpd/error_log:
>
> [Thu Apr 02 14:39:38.848474 2015] [:error] [pid 18020] ipa: ERROR: non-public: KeyError: 'idnsforwardzone'
> [Thu Apr 02 14:39:38.848536 2015] [:error] [pid 18020] Traceback (most recent call last):
> [Thu Apr 02 14:39:38.848600 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348, in wsgi_execute
> [Thu Apr 02 14:39:38.848607 2015] [:error] [pid 18020]     result = self.Command[name](*args, **options)
> [Thu Apr 02 14:39:38.848612 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
> [Thu Apr 02 14:39:38.848671 2015] [:error] [pid 18020]     ret = self.run(*args, **options)
> [Thu Apr 02 14:39:38.848701 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> [Thu Apr 02 14:39:38.848707 2015] [:error] [pid 18020]     return self.execute(*args, **options)
> [Thu Apr 02 14:39:38.848776 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in execute
> [Thu Apr 02 14:39:38.848783 2015] [:error] [pid 18020]     (o.name, json_serialize(o)) for o in self.api.Object()
> [Thu Apr 02 14:39:38.848789 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 123, in
> [Thu Apr 02 14:39:38.848794 2015] [:error] [pid 18020]     (o.name, json_serialize(o)) for o in self.api.Object()
> [Thu Apr 02 14:39:38.848799 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 60, in json_serialize
> [Thu Apr 02 14:39:38.848804 2015] [:error] [pid 18020]     return json_serialize(obj.__json__())
> [Thu Apr 02 14:39:38.848809 2015] [:error] [pid 18020]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 710, in __json__
> [Thu Apr 02 14:39:38.848814 2015] [:error] [pid 18020]     attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
> [Thu Apr 02 14:39:38.848820 2015] [:error] [pid 18020]   File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in attribute_types
> [Thu Apr 02 14:39:38.848825 2015] [:error] [pid 18020]     object_class = self.sed[ObjectClass][object_class_oid]
> [Thu Apr 02 14:39:38.848830 2015] [:error] [pid 18020] KeyError: 'idnsforwardzone'
>
> I have found this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=1180325
> It should be fixed in the last version?!
>
> I have read there I should start: setup-ds.pl -d --update
>
> But I'm afraid that it kills the data on the IPA Servers with version
> 3.3.3... does it?
>
> What can I do? How can I fix it?
>
> Greetz
> Christoph Kaminski
>
>
Hello,

was the ipa upgrade successful? Do you have any errors in /var/log/ipaupgrade.log?

If you think it is the 1180325 issue you can check if nsSchemaPolicy is in 01core389.ldif:

grep -i nsSchemaPolicy /etc/dirsrv/slapd-INSTANCE/schema/01core389.ldif
grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif

Martin

-- 
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From christoph.kaminski at biotronik.com Thu Apr 2 16:54:38 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Thu, 2 Apr 2015 18:54:38 +0200
Subject: [Freeipa-users] Reply: Re: Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)
In-Reply-To: <551D5F56.4050007@redhat.com>
References: <551D5F56.4050007@redhat.com>
Message-ID:

see this in ipaupgrade.log

2015-04-02T11:27:02Z ERROR Pre schema upgrade failed with [Errno 111] Connection refused
2015-04-02T11:27:02Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 128, in __pre_schema_upgrade
    ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True, live_run=self.live_run, plugins=True)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 220, in __init__
    self.create_connection()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 783, in create_connection
    dm_password=self.dm_password, pw_name=self.pw_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
    conn.do_external_bind(pw_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused

2015-04-02T11:27:02Z DEBUG duration: 12 seconds
2015-04-02T11:27:02Z DEBUG [6/10]: updating schema
2015-04-02T11:27:12Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 145, in __update_schema
    dm_password='', ldapi=True, live_run=self.live_run) or self.modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 112, in update_schema
    fqdn=installutils.get_fqdn())
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 65, in connect
    conn.do_external_bind(pw_name)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1761, in do_external_bind
    self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1747, in __bind_with_wait
    self.__wait_for_connection(timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1733, in __wait_for_connection
    wait_for_open_socket(lurl.hostport, timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1173, in wait_for_open_socket
    raise e
error: [Errno 111] Connection refused
2015-04-02T11:27:12Z DEBUG [error] error: [Errno 111] Connection refused
2015-04-02T11:27:12Z DEBUG [cleanup]: stopping directory server
...
2015-04-02T12:46:11Z DEBUG stderr=
2015-04-02T12:46:12Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 213, in run
    modified = ld.update(self.files, ordered=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 874, in update
    updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 123, in update
    (restart, apply_now, res) = self.run(update.name, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py", line 146, in run
    return self.Updater[method](**kw)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1399, in __call__
    return self.execute(**options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py", line 76, in execute
    ldap.add_entry(entry)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
    self.conn.add_s(entry.dn, attrs.items())
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1191, in error_handler
    raise errors.ObjectclassViolation(info=info)
2015-04-02T12:46:12Z DEBUG The ipa-ldap-updater command failed, exception: ObjectclassViolation: unknown object class "ipaKeyPolicy"
2015-04-02T12:46:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
ObjectclassViolation: unknown object class "ipaKeyPolicy"

and:

grep -i nsSchemaPolicy /etc/dirsrv/slapd-HSO/schema/01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )

grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )

Greetz
Christoph Kaminski
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From luiz.vianna at tivit.com.br Thu Apr 2 17:41:30 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Thu, 2 Apr 2015 17:41:30 +0000
Subject: [Freeipa-users] RES: RES: FreeIPA integration with AIX and sudo
In-Reply-To: <551D42A1.3080303@redhat.com>
References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246> <551C24A6.9010605@degauquier.net> <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246> <551D42A1.3080303@redhat.com>
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040D4A6D@rctr246>

Hi Dmitri.

Working on it right now. :)

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br

T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee. If you have received it by mistake, please return it to the addressee and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. TIVIT will not be held responsible for the content or the accuracy of this information.

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On behalf of Dmitri Pal
Sent: Thursday, April 2, 2015 10:23
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:
Hi Yves.
First a little background information regarding sudo on AIX:

Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo's documentation states that sudo supports different LDAP implementations, other than OpenLDAP, I suppose it doesn't work well with AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't compiled with LDAP support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap].

The good news is that Michael Perzl has successfully compiled a sudo package with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP fileset.

So, here is how I did it:

(1) Go to http://www.perzl.org/aix/ and download the following RPM packages on their latest versions:
  - sudo >= 1.8.11
  - gettext >= 0.10.40
  - openldap >= 2.4.23
  - openssl >= 1.0.1j-1
  - zlib
Make sure you don't have the sudo fileset installed or another sudo rpm package. Don't worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won't.

(2) Upload the rpm packages to your AIX LPAR and put them all in a directory, I used /tmp/sudopack. [From here on I assume you are root on your LPAR].

(3) From the directory where you put your packages run "rpm -ivh *.rpm --test" and if all goes well proceed without the "--test", otherwise sort out the dependencies and conflicts like the grown man you are :).

(4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file:

sudoers = files, ldap

I know this is not expected syntax according to IBM's netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo's documentation it uses that line on netsvc.conf to emulate what sudo would expect to find on /etc/nsswitch.conf on a Linux machine [hack much?].

(5) Create a file called /etc/ldap.conf.
This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:

tls_cacert /etc/ipa/ca.crt
uri ldap://youripaserver.domain.com
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
bindpw yourclientpassword
sudoers_base ou=sudoers,dc=domain,dc=com

(6) Create a directory called /etc/ipa and download your ca certificate file and place it there. Make sure to permission the directory 755 and the ca.crt file 644.

(7) And that's pretty much it, no need to edit a single line on /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, unchanged. Log into your LPAR with a domain user and try running "sudo -l", it should output the sudo rules you set on the IPA server.

I hope this helps you and other AIX client users out there.

Would you mind creating a howto page on the IPA wiki?

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br

T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br
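Added here as an example (not from the thread, and not sudo's or FreeIPA's own code): a preflight script that verifies the files produced by steps (1) to (7) above, the ldap.conf keys, the netsvc.conf line and the CA file modes, and adds two checks the steps leave implicit: that ldap.conf, which holds bindpw in cleartext, is not world-readable, and that the bind is wrapped in TLS (an ldaps:// URI or an "ssl start_tls" line, option names per sudoers.ldap(5)), since the plain ldap:// URI from step (5) otherwise sends the bind password in the clear. The sample tree it builds uses a placeholder hostname, DNs and password.

```shell
#!/bin/sh
# Preflight checks for the AIX sudo-over-LDAP setup in the howto above.
# Added example, not part of the thread, sudo or FreeIPA. Every check takes
# a path argument so it can run against the constructed sample tree below.

# 0 if the installed sudo was built with LDAP support ("sudo -V | grep -i ldap",
# run as root as the howto says), 1 otherwise or if sudo is not installed.
sudo_has_ldap() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -V 2>/dev/null | grep -iq ldap
}

# 0 if ldap.conf ($1) sets every key the howto relies on, 1 if any is missing.
check_ldap_conf() {
    rc=0
    for key in tls_cacert uri binddn bindpw sudoers_base; do
        grep -Eiq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$1" || {
            echo "MISSING: $key in $1" >&2
            rc=1
        }
    done
    return $rc
}

# 0 if the bind is wrapped in TLS: an ldaps:// URI, or an "ssl start_tls" /
# "ssl on" line (option names per sudoers.ldap(5)). 1 means the howto's plain
# ldap:// URI would send bindpw and the sudoers lookups in cleartext.
check_transport() {
    grep -Eiq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1" && return 0
    grep -Eiq '^[[:space:]]*ssl[[:space:]]+(start_tls|on|yes|true)' "$1" && return 0
    echo "WARNING: plain ldap:// without 'ssl start_tls' in $1" >&2
    return 1
}

# 0 unless ldap.conf ($1) is world-readable. It holds bindpw in cleartext, and
# sudo reads it with root privileges, so root-only access is sufficient.
check_conf_perms() {
    [ -z "$(find "$1" -prune -perm -004)" ] || {
        echo "WARNING: $1 is world-readable (bindpw exposed)" >&2
        return 1
    }
}

# 0 if netsvc.conf ($1) carries the "sudoers = files, ldap" line from step (4).
check_netsvc() {
    grep -Eiq '^[[:space:]]*sudoers[[:space:]]*=[[:space:]]*files[[:space:]]*,[[:space:]]*ldap' "$1"
}

# 0 if the CA file ($1) is mode 644 and its directory mode 755, as step (6) asks.
check_ca_perms() {
    [ -n "$(find "$1" -prune -perm 644)" ] &&
        [ -n "$(find "$(dirname "$1")" -prune -perm 755)" ]
}

# Build a constructed sample tree mirroring the howto's layout under /etc;
# hostname, DNs and the password are placeholders. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ipa" && chmod 755 "$d/ipa"
    : > "$d/ipa/ca.crt" && chmod 644 "$d/ipa/ca.crt"
    cat > "$d/ldap.conf" <<EOF
tls_cacert $d/ipa/ca.crt
uri ldap://ipa.example.test
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw PLACEHOLDER_PASSWORD
sudoers_base ou=sudoers,dc=example,dc=test
EOF
    chmod 640 "$d/ldap.conf"
    printf 'hosts = local, bind\nsudoers = files, ldap\n' > "$d/netsvc.conf"
    echo "$d"
}

# Run every file check against one tree root ($1); 0 only when all of them pass.
run_checks() {
    failed=0
    check_ldap_conf "$1/ldap.conf"  || failed=1
    check_transport "$1/ldap.conf"  || failed=1
    check_conf_perms "$1/ldap.conf" || failed=1
    check_netsvc "$1/netsvc.conf"   || failed=1
    check_ca_perms "$1/ipa/ca.crt"  || failed=1
    [ "$failed" -eq 0 ] && echo "all checks passed" || echo "some checks failed"
    return $failed
}

# "--demo" runs the checks on the sample tree (which, like the howto's config,
# fails the transport check); "--system" runs them on the real paths under /etc.
case "${1:-}" in
    --demo)   run_checks "$(make_sample_tree)" ;;
    --system) sudo_has_ldap || echo "WARNING: sudo -V shows no LDAP support" >&2
              run_checks /etc ;;
esac
```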
From: Yves Degauquier [mailto:yves at degauquier.net]
Sent: Wednesday, April 1, 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,

I was not able to make it running, I was a bit lost with the LDAP, PAM, LAM configuration, and didn't find any idea with Google...

If you can share the solution or point me to some important point to do, I will be happy.

Thanks in advance,
Best regards,
Yves

On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
Hello Yves.

I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).

I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients. Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.

Atenciosamente/Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br

T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From guertin at middlebury.edu Thu Apr 2 20:14:55 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 2 Apr 2015 20:14:55 +0000
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <20150402145421.GJ3668@hendrix.redhat.com>
References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com>
Message-ID: <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu>

>Can you try searching the compat tree with ldapsearch to see if an entry turns
>up? IIRC you need to search for a particular entry, not for any (not ie cn=*),
>but if you crank up the debug_level in the domain section, then sssd should
>log the searches to /var/log/sssd/sssd_default.log

Here's the result of ldapsearch on the RHEL 5 client (the same command works on RHEL 6):

# ldapsearch -h middlebury.edu -p 389 -D 'MIDD\admin' -W -b "dc=middlebury,dc=edu" -s sub "cn=juser,cn=users,dc=middlebury,dc=edu"
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)

I don't see anything obvious in sssd_default.log, but here's what it contains:

(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [server_setup] (3): CONFDB: /var/lib/sss/db/config.ldb
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [recreate_ares_channel] (4): Initializing new c-ares channel
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_fo_get_options] (7): Lookup order: ipv4_first
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [fo_context_init] (3): Created new fail over context, retry timeout is 30
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [confdb_get_domain_internal] (1): No enumeration for [default]!
Option ldap_group_pwd has value userPassword (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_group_gid_number has value gidNumber (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_group_member has value memberuid (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_group_uuid has value (null) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_group_modify_timestamp has value modifyTimestamp (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_group_entry_usn has value (null) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_object_class has value nisNetgroup (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_name has value cn (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_member has value memberNisNetgroup (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_triple has value nisNetgroupTriple (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_uuid has value nsUniqueId (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_get_map] (5): Option ldap_netgroup_modify_timestamp has value modifyTimestamp (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [krb5_try_kdcip] (4): No KDC found in configuration, trying legacy option (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sssm_ldap_id_init] (7): Service name for discovery set to ldap (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [fo_new_service] (3): Creating new service 'LDAP' (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sdap_service_init] (6): Added URI ldap://genet.ipa.middlebury.edu (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [fo_add_server] (3): Adding new server 'genet.ipa.middlebury.edu', to service 'LDAP' (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [ldap_id_cleanup_set_timer] (6): Scheduling next 
cleanup at 1428005241.887148 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_process_init] (9): ID backend target successfully loaded from provider [ldap]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [load_backend_module] (7): Backend [ldap] already loaded. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sssm_ldap_id_init] (8): Re-using sdap_id_ctx for this provider (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_process_init] (9): AUTH backend target successfully loaded from provider [ldap]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [load_backend_module] (5): no module name found in confdb, using [permit]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_process_init] (9): ACCESS backend target successfully loaded from provider [permit]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [load_backend_module] (5): no module name found in confdb, using [ldap]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [load_backend_module] (7): Backend [ldap] already loaded. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sssm_ldap_id_init] (8): Re-using sdap_id_ctx for this provider (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sssm_ldap_chpass_init] (9): ldap_chpass_uri and ldap_chpass_dns_service_name not set, using ldap_uri. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_process_init] (9): CHPASS backend target successfully loaded from provider [ldap]. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [main] (1): Backend provider (default) started! 
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c364e20/0x1c364460 (14), R/- (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c364e20/0x1c364c10 (14), -/W (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c364e20/0x1c364460 (14), R/- (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c364e20/0x1c364c10 (14), -/W (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_remove_timeout] (8): 0x1c364730 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [id_callback] (4): Got id ack and version (1) from Monitor (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Entering. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Adding connection 0x1c36ee90. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_init_connection] (5): Adding connection 1C36EE90 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_add_watch] (8): 0x1c36f740/0x1c3619d0 (16), -/W (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c36f740/0x1c364f60 (16), R/- (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Got a connection (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_client_init] (4): Set-up Backend ID timeout [0x1c36f9b0] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C36EE90 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Entering. 
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Adding connection 0x1c36ff20. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_init_connection] (5): Adding connection 1C36FF20 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_add_watch] (8): 0x1c3704d0/0x1c36f830 (17), -/W (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c3704d0/0x1c36f880 (17), R/- (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_server_init_new_connection] (5): Got a connection (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [be_client_init] (4): Set-up Backend ID timeout [0x1c370740] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C36FF20 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c36f740/0x1c364f60 (16), R/- (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c36f740/0x1c3619d0 (16), -/W (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c3704d0/0x1c36f880 (17), R/- (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c3704d0/0x1c36f830 (17), -/W (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c36f740/0x1c364f60 (16), R/- (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c36f740/0x1c3619d0 (16), -/W (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c3704d0/0x1c36f880 (17), R/- (enabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_toggle_watch] (8): 0x1c3704d0/0x1c36f830 (17), -/W (disabled) (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C36EE90 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching. 
(Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_message_handler] (9): Received SBUS method [RegisterService] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [client_registration] (4): Cancel DP ID timeout [0x1c36f9b0] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [client_registration] (4): Added Frontend client [NSS] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C36FF20 (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching. (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [sbus_message_handler] (9): Received SBUS method [RegisterService] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [client_registration] (4): Cancel DP ID timeout [0x1c370740] (Thu Apr 2 16:07:11 2015) [sssd[be[default]]] [client_registration] (4): Added Frontend client [PAM] (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching. (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sbus_message_handler] (9): Received SBUS method [ping] (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [cleanup_users] (9): Cache expiration is set to 0 days (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sysdb_search_users] (6): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1428005241)(!(lastLogin=*)))) (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x1c37dcc0 (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x1c37dde0 (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Running timer event 0x1c37dcc0 "ltdb_callback" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Destroying timer event 0x1c37dde0 "ltdb_timeout" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Ending timer event 0x1c37dcc0 "ltdb_callback" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] 
[sysdb_search_users] (6): Error: 2 (No such file or directory) (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sysdb_search_groups] (6): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1428005241))) (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x1c37ecd0 (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x1c37edf0 (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Running timer event 0x1c37ecd0 "ltdb_callback" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Destroying timer event 0x1c37edf0 "ltdb_timeout" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldb] (9): tevent: Ending timer event 0x1c37ecd0 "ltdb_callback" (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [sysdb_search_groups] (6): Error: 2 (No such file or directory) (Thu Apr 2 16:07:21 2015) [sssd[be[default]]] [ldap_id_cleanup_set_timer] (6): Scheduling next cleanup at 1428016041.887199 (Thu Apr 2 16:07:31 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 (Thu Apr 2 16:07:31 2015) [sssd[be[default]]] [sbus_dispatch] (9): Dispatching. (Thu Apr 2 16:07:31 2015) [sssd[be[default]]] [sbus_message_handler] (9): Received SBUS method [ping] (Thu Apr 2 16:07:40 2015) [sssd[be[default]]] [sbus_dispatch] (9): dbus conn: 1C3647A0 David Guertin From abokovoy at redhat.com Thu Apr 2 20:53:53 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 2 Apr 2015 23:53:53 +0300 Subject: [Freeipa-users] RHEL 5 client? In-Reply-To: <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> Message-ID: <20150402205353.GL3878@redhat.com> On Thu, 02 Apr 2015, Guertin, David S. 
wrote: >>Can you try searching the compat tree with ldapsearch to see if an entry turns >>up? IIRC you need to search for a particular entry, not for any (not ie cn=*), >>but if you crank up the debug_level in the domain section, then sssd should >>log the searches to /var/log/sssd/sssd_default.log > >Here's the result of ldapsearch on the RHEL 5 client (the same command >works on RHEL 6): > ># ldapsearch -h middlebury.edu -p 389 -D 'MIDD\admin' -W -b "dc=middlebury,dc=edu" -s sub "cn=juser,cn=users,dc=middlebury,dc=edu" >Enter LDAP Password: >SASL/GSSAPI authentication started >ldap_sasl_interactive_bind_s: Local error (-2) > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) This is wrong use of ldapsearch -- if you are using simple bind, make sure you tell ldapsearch about it. However, I'm not sure what you wanted to show as both hostname and base DN are different from what SSSD tries in the logs below. Also, unlike Active Directory, IPA LDAP does not (yet) accept short version of bind DN, you have to specify it fully. If you wanted to have Kerberos auth working on RHEL5, that is something that might or might not work for AD users depending on many circumstances, mostly related to the need to manually configure krb5.conf to know about AD realm and how to contact servers there but also due to possible issues with auth_to_local rulesets (if they even exist in that Kerberos library version). In case of AD users there is a sequence to follow for LDAP authentication if you want to repeat what SSSD does: 1. Search user with filter '(uid=username at domain)' to get the entry into compat tree. 2. Bind as uid=username at domain,cn=users,cn=compat,$BASEDN to trigger authentication check. This is how various LDAP-based NSS modules work, be it nss_ldap or pam-nss-ldapd, or SSSD. So, let's say, you have kerberos keytab with a host principal in /etc/krb5.keytba. 
The sequence to emulate what SSSD does would be:

kinit -k host/`hostname`
ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
    '(uid=admin@middlebury.edu)'

As a result, we have 'admin@middlebury.edu' inserted in the compat tree, and can do a bind as 'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' (the -W prompts for that user's password; a simple bind with a DN and no password is an unauthenticated bind, which the server refuses):

ldapsearch -x -W -H ldap://genet.ipa.middlebury.edu \
    -D 'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
    '(uid=admin@middlebury.edu)'

This would reproduce what SSSD was supposed to do. If you get these ldapsearches to work, we can look at what SSSD is doing.

-- 
/ Alexander Bokovoy

From prasun.gera at gmail.com Thu Apr 2 21:33:46 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 2 Apr 2015 17:33:46 -0400
Subject: [Freeipa-users] Understanding the migration mode
In-Reply-To:
References: <55148136.8040003@redhat.com> <5514C804.4040207@redhat.com> <55156455.7090401@redhat.com> <5515C3DF.5020701@redhat.com> <551AA80F.5070807@redhat.com>
Message-ID:

I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks like it is hardcoded in crypt_pw_enc, which uses the default DES crypt method. This only affects the encoding. The verification of passwords works with any of the MD5 or SHA-* schemes since the underlying crypt function in recent glibcs supports them. Would it make sense to add the other options to the encoding function?

On Thu, Apr 2, 2015 at 3:27 AM, Prasun Gera wrote:

> I tried enabling crypt for experimentation, and things seem to work well
> for both NIS and SSSD clients. I noticed that the crypt format that the NIS
> plugin in IPA provides is the traditional crypt format with a 2 character
> salt and 13 character hash. NIS clients can understand newer crypt
> encodings which allow MD5, SHA256 and SHA512
> (https://docs.python.org/3/library/crypt.html). Is it possible to force
> one of those as the storage scheme in the directory server?
>
> On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera wrote:
>
>> I've figured it out. You are right. SSSD triggers key generation. For
>> migrated clients though, since ypbind still runs and the NIS-plugin serves
>> maps, they authenticate first using NIS before SSSD. If ypbind is stopped,
>> it is forced to use SSSD, and then it triggers the migration. Thanks for
>> persisting with this. It's pretty clear how it works now.
>>
>> On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera wrote:
>>
>>>> ? SSSD does not seem to be involved as user is found in the /etc/passwd
>>>> and this SSSD should not do anything.
>>>>
>>> It's not a local user. There's no entry in /etc/passwd. Here's the
>>> relevant sssd log
>>>
>>> sssd_ssh
>>>
>>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): name 'testuser2' matched without domain, user is testuser2
>>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client disconnected!
>>> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received client version [0].
>>>
>>> sssd_pam
>>>
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: ipadomain
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user: testuser2
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: host_ip
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23983
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: testuser2
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][ipadomain]
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
>>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bpk678 at gmail.com Fri Apr 3 00:10:35 2015
From: bpk678 at gmail.com (Brendan Kearney)
Date: Thu, 02 Apr 2015 20:10:35 -0400
Subject: [Freeipa-users] bind-dyndb-ldap and stub zones
Message-ID: <1428019835.12967.22.camel@desktop.bpk2.com>

i am wondering if bind-dyndb-ldap supports stub zones. below would be a use case for me.
say i have a network with a lot of external client connectivity (over leased line, MPLS, VPN, etc). the clients connections are used for inbound, outbound or bi-directional traffic (file transfers, web traffic, data exchange, etc). because of the size of my network, my already large and complex routing scheme for my own needs does not need to be made more complex by having to route my client's address space, so i devote specific networks out of my address space to 1-to-1 or static NAT addresses. by doing this, i can push all that traffic to the vpn endpoints or routers that manage that connectivity, without having to route "foreign" networks in the core. to make life easier, i want to have DNS names assigned to the NAT addresses, but the names are not in my authoritative name space, and may be internet resolvable, should a recursive search be performed. say i have mydomain.tld registered, and i have 300.555.0.0/16 assigned (yes, i know that does not exist). i would devote 300.555.254.0/23 to these 1-to-1 NATs. client Example Corp has dedicated connectivity to me and i want to access their website over that connection. the site, www.example.com, is internet resolvable but i dont want to access the internet accessible site. i want DNS resolution to point to my NAT, and take the traffic to the VPN where the NAT occurs and the traffic is pushed across to the client. with stub zones, i could create a zone, example.com, put a record for www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1. i push my internal requests for that resource towards my vpn or client connection router, and perform the NAT at that device. my routing stays free of "foreign" networks and the traffic ends up where i want it. can bind-dyndb-ldap manage stub zones? how would one create the necessary ldap entries? sub zones require some extra work, so i would imagine stub zones do too, if they are currently supported. 
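Going back to Alexander Bokovoy's reply on the RHEL 5 client thread earlier in this digest: the two-step sequence he describes (an authenticated search for (uid=user@domain) under cn=compat that makes slapi-nis materialise the entry, then a simple bind as that compat DN with the user's password) is easy to get subtly wrong when scripted, because the user name ends up inside both a search filter and a DN. The Python below is an added example written for this digest; it is not code from the thread, from SSSD or from FreeIPA. It escapes the name per RFC 4515 and RFC 4514, runs the two steps, and reports which step failed, which tells you whether to look at the trust/compat side or at the password. The search()/bind() interface is an assumption (in production wrap a real client such as an ldap3.Connection bound with the host keytab for step 1); FakeCompatDirectory is a constructed in-memory stand-in so the module runs offline, and the base DN and the admin@middlebury.edu user come from the thread.

```python
"""Two-step compat-tree authentication of a trusted-domain user:
 1. authenticated search for (uid=user@domain) under cn=compat,$BASEDN
    (this is what makes the slapi-nis compat plugin create the entry);
 2. simple bind as uid=user@domain,cn=users,cn=compat,$BASEDN.
Added example, not SSSD/FreeIPA code; the directory interface is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a value inside a search filter.  Without it a
    name like '*' or 'x)(uid=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;=' or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def compat_user_filter(user: str, domain: str) -> str:
    """Step 1 filter: (uid=user@domain) with the name escaped."""
    return "(uid=%s)" % escape_filter("%s@%s" % (user, domain))


def compat_user_dn(user: str, domain: str, basedn: str) -> str:
    """Step 2 bind DN: uid=user@domain,cn=users,cn=compat,$BASEDN."""
    return "uid=%s,cn=users,cn=compat,%s" % (
        escape_dn_value("%s@%s" % (user, domain)), basedn)


def compat_authenticate(directory, user, domain, basedn, password):
    """Run both steps.  'no-entry' means step 1 found nothing (trust or
    compat plugin problem, not a password problem); 'bad-credentials'
    means the entry exists but the simple bind was refused."""
    found = directory.search("cn=compat," + basedn,
                             compat_user_filter(user, domain))
    dn = compat_user_dn(user, domain, basedn)
    if not any(d.lower() == dn.lower() for d in found):
        return "no-entry"
    return "ok" if directory.bind(dn, password) else "bad-credentials"


@dataclass
class FakeCompatDirectory:
    """Constructed stand-in for the IPA server: trusted_users plays the AD
    users known through the trust, and, as with slapi-nis, a user exists
    under cn=compat only after a search has asked for that uid."""
    basedn: str
    trusted_users: Dict[str, str]                 # "user@domain" -> password
    compat_tree: Dict[str, str] = field(default_factory=dict)  # dn -> pw

    def search(self, base: str, ldap_filter: str) -> List[str]:
        if base.lower() != "cn=compat," + self.basedn.lower():
            return []
        if not (ldap_filter.startswith("(uid=") and ldap_filter.endswith(")")):
            return []
        uid = ldap_filter[len("(uid="):-1]
        # A bare '*' matches everyone, as on a real server: this is what an
        # unescaped user name would let a caller do.
        hits = (list(self.trusted_users) if uid == "*"
                else [uid] if uid in self.trusted_users else [])
        dns = []
        for u in hits:
            dn = "uid=%s,cn=users,cn=compat,%s" % (u, self.basedn)
            self.compat_tree[dn] = self.trusted_users[u]
            dns.append(dn)
        return dns

    def bind(self, dn: str, password: str) -> bool:
        return self.compat_tree.get(dn) == password


if __name__ == "__main__":
    ipa = FakeCompatDirectory("dc=ipa,dc=middlebury,dc=edu",
                              {"admin@middlebury.edu": "Secret123"})
    for pw in ("Secret123", "wrong"):
        print(pw, "->", compat_authenticate(ipa, "admin", "middlebury.edu",
                                            ipa.basedn, pw))
```

Against a real server the step 1 search has to be done with credentials that may read the compat tree (the host keytab, as in Bokovoy's kinit -k host/... example); an anonymous search does not trigger the entry creation on every configuration, which shows up as 'no-entry' even though the password is fine.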
From brian.topping at gmail.com Fri Apr 3 05:51:10 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Thu, 2 Apr 2015 23:51:10 -0600
Subject: [Freeipa-users] Proper configuration of service accounts
Message-ID: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com>

Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated pair of IPA instances.

Question about proper setup of service accounts: I see that the service accounts I set up under "cn=etc, cn=sysaccounts" are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.

That said, I was surprised that service accounts are not supported in the 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.

Thanks, Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From pspacek at redhat.com Fri Apr 3 08:14:18 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 03 Apr 2015 10:14:18 +0200
Subject: [Freeipa-users] bind-dyndb-ldap and stub zones
In-Reply-To: <1428019835.12967.22.camel@desktop.bpk2.com>
References: <1428019835.12967.22.camel@desktop.bpk2.com>
Message-ID: <551E4BDA.7080009@redhat.com>

On 3.4.2015 02:10, Brendan Kearney wrote:
> i am wondering if bind-dyndb-ldap supports stub zones. below would be a
> use case for me.

TL;DR: No. bind-dyndb-ldap supports only 'master' and 'forward' zones at the moment. Please see below.
http://www.zytrax.com/books/dns/ch7/zone.html#type

> say i have a network with a lot of external client connectivity (over
> leased line, MPLS, VPN, etc). the clients connections are used for
> inbound, outbound or bi-directional traffic (file transfers, web
> traffic, data exchange, etc).
>
> because of the size of my network, my already large and complex routing
> scheme for my own needs does not need to be made more complex by having
> to route my client's address space, so i devote specific networks out of
> my address space to 1-to-1 or static NAT addresses. by doing this, i
> can push all that traffic to the vpn endpoints or routers that manage
> that connectivity, without having to route "foreign" networks in the
> core. to make life easier, i want to have DNS names assigned to the NAT
> addresses, but the names are not in my authoritative name space, and may
> be internet resolvable, should a recursive search be performed.
>
> say i have mydomain.tld registered, and i have 300.555.0.0/16 assigned
> (yes, i know that does not exist). i would devote 300.555.254.0/23 to
> these 1-to-1 NATs. client Example Corp has dedicated connectivity to me
> and i want to access their website over that connection. the site,
> www.example.com, is internet resolvable but i dont want to access the
> internet accessible site. i want DNS resolution to point to my NAT, and
> take the traffic to the VPN where the NAT occurs and the traffic is
> pushed across to the client.
>
> with stub zones, i could create a zone, example.com, put a record for
> www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1.
> i push my internal requests for that resource towards my vpn or client
> connection router, and perform the NAT at that device. my routing stays
> free of "foreign" networks and the traffic ends up where i want it.
>
> can bind-dyndb-ldap manage stub zones? how would one create the
> necessary ldap entries? sub zones require some extra work, so i would
> imagine stub zones do too, if they are currently supported.

Basically you want to override/'shadow' a public DNS zone with an internal version, right?

A stub zone is suitable if you already have some other server which hosts this internal/'shadow' version of the zone in question. bind-dyndb-ldap does not support stub zones, but you can use a 'forward' zone with policy 'only' to get a similar effect.

You can create an ordinary 'master' zone with the same name if you do not have an internal/'shadow' version of the zone on another server, and this will override all data in the given zone and its sub-zones too. You will need to add NS records for sub-zones if you want to override just one zone and keep everything below it.

BTW you should share DNSSEC keys between the internal and external version of the zone when you enable DNSSEC signing for the zone. (Other approaches are technically possible but make validator configuration hard/almost impossible if you have mobile clients.)

-- 
Petr^2 Spacek

From jreg2k at gmail.com Fri Apr 3 09:39:05 2015
From: jreg2k at gmail.com (James James)
Date: Fri, 3 Apr 2015 11:39:05 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
Message-ID:

Hello,

I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject, like:

/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none@none.com

How can I do this with the ipa-server-install command? I have been trying for a few days but I still can't.

Thanks for your help.
-------------- next part --------------
An HTML attachment was scrubbed...
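For Petr Spacek's reply on the stub-zone thread above, here is what his two alternatives look like as bind-dyndb-ldap entries. This is an added example written for this digest, not part of his reply and not FreeIPA project documentation. Section A is the 'forward' zone with policy 'only', for the case where another server already hosts the internal view; section B is the 'master' zone of the same name, with the www record on the NAT address and the NS delegation plus glue that hands one sub-zone back to its public nameservers. Only one of A or B may exist for a given zone name. The object class and attribute names (idnsForwardZone, idnsForwarders, idnsForwardPolicy, idnsZone, idnsRecord, aRecord, nSRecord) are those of the bind-dyndb-ldap schema that ships with FreeIPA 4.1; the base DN dc=ipa,dc=example,dc=com, the addresses 192.0.2.53, 192.0.2.1 and 198.51.100.53 (documentation ranges, standing in for Brendan's 300.555.254.1 NAT address) and the nameserver names are placeholders I chose. The CLI equivalents in FreeIPA 4.1 are `ipa dnsforwardzone-add example.com --forwarder=192.0.2.53 --forward-policy=only` for A, and `ipa dnszone-add example.com` followed by `ipa dnsrecord-add example.com www --a-rec=...` and `ipa dnsrecord-add example.com sub --ns-rec=...` for B.

```ldif
# --- A: forward zone, policy 'only' (internal view lives on 192.0.2.53) ---
# Every query for example.com and below is sent to the forwarder and
# nothing is resolved recursively on the public internet ('only').
dn: idnsName=example.com.,cn=dns,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: idnsForwardZone
idnsName: example.com.
idnsZoneActive: TRUE
idnsForwarders: 192.0.2.53
idnsForwardPolicy: only

# --- B: master zone of the same name (use INSTEAD of A, never both) ---
# The zone now answers authoritatively for example.com and everything
# under it from LDAP, so anything not listed here no longer resolves.
dn: idnsName=example.com.,cn=dns,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: idnsZone
idnsName: example.com.
idnsZoneActive: TRUE
idnsSOAmName: ns.ipa.example.com.
idnsSOArName: hostmaster.ipa.example.com.
idnsSOAserial: 2015040301
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
nSRecord: ns.ipa.example.com.

# www points at the internal 1-to-1 NAT address instead of the public site.
dn: idnsName=www,idnsName=example.com.,cn=dns,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: idnsRecord
idnsName: www
aRecord: 192.0.2.1

# Petr's caveat: sub-zones that must keep their public data need an NS
# delegation back to their real nameservers...
dn: idnsName=sub,idnsName=example.com.,cn=dns,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: idnsRecord
idnsName: sub
nSRecord: ns1.sub.example.com.

# ...and, because that nameserver's name is inside the delegated zone,
# a glue A record, or the resolver can never reach it.
dn: idnsName=ns1.sub,idnsName=example.com.,cn=dns,dc=ipa,dc=example,dc=com
objectClass: top
objectClass: idnsRecord
idnsName: ns1.sub
aRecord: 198.51.100.53
```

After loading either section (ldapadd as Directory Manager, or the ipa commands above), check it from a client of the IPA resolver with `dig @<ipa-dns> www.example.com A` and, for B, `dig @<ipa-dns> host.sub.example.com A`; the first must return the NAT address and the second must still resolve via the delegation. Keep Petr's DNSSEC note in mind: if you later sign the internal example.com, validating clients that roam between inside and outside will need the same keys on both views.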
URL: From bobby.prins at proxy.nl Fri Apr 3 10:28:31 2015 From: bobby.prins at proxy.nl (Bobby Prins) Date: Fri, 3 Apr 2015 12:28:31 +0200 (CEST) Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode In-Reply-To: <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <659115330.573607.1427125054781.JavaMail.zimbra@proxy.nl> <20150323154447.GR3878@redhat.com> <310050850.588679.1427202097917.JavaMail.zimbra@proxy.nl> <20150324141338.GT3878@redhat.com> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> Message-ID: <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> >> On Mar 24, 2015, at 17:11, Dmitri Pal wrote: >> >> Seems like 15 sec timeout on the AIX side. >> Can you try with a user that does not have that many groups and see if that works? >> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout. >I need to do some more testing.. Did not have a lot of time today, but I tried to authenticate with an AD user against the compact tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I?m still waiting for my AD test account with lesser group memberships. >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> So I finally found some time to do extra tests. I now have an AD account with lesser group memberships which seems to speed up the login process (with Linux LDAP auth against the compat tree), but still no success on AIX. Did some more digging and it looks like AIX invalidates the user before it even is authenticated. The output below shows the lookup that is performed after I enter the username en press enter (before entering the password). 
access:
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0

In the end the lookup is performed in unix.example.corp instead of example.corp and thus it cannot find the (aero.corp AD) user object. Any thoughts?

From abokovoy at redhat.com Fri Apr 3 10:45:07 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Apr 2015 13:45:07 +0300
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl>
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <659115330.573607.1427125054781.JavaMail.zimbra@proxy.nl> <20150323154447.GR3878@redhat.com> <310050850.588679.1427202097917.JavaMail.zimbra@proxy.nl> <20150324141338.GT3878@redhat.com> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl>
Message-ID: <20150403104507.GM3878@redhat.com>

On Fri, 03 Apr 2015, Bobby Prins wrote:
>>> On Mar 24, 2015, at 17:11, Dmitri Pal wrote:
>>>
>>> Seems like 15 sec timeout on the AIX side.
>>> Can you try with a user that does not have that many groups and see if that works?
>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>I need to do some more testing.. Did not have a lot of time today, but I tried to authenticate with an AD user against the compat tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I'm still waiting for my AD test account with lesser group memberships.
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>So I finally found some time to do extra tests. I now have an AD account with lesser group memberships which seems to speed up the login process (with Linux LDAP auth against the compat tree), but still no success on AIX. Did some more digging and it looks like AIX invalidates the user before it even is authenticated. The output below shows the lookup that is performed after I enter the username and press enter (before entering the password).
>
>access:
>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0

Above there are two lookups:

- successful lookup for user bprings at example.com
- unsuccessful lookup for user bprins

What is causing it to perform a lookup without @example.com? Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).
--
/ Alexander Bokovoy

From bobby.prins at proxy.nl Fri Apr 3 12:15:02 2015
From: bobby.prins at proxy.nl (Bobby Prins)
Date: Fri, 3 Apr 2015 14:15:02 +0200 (CEST)
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <20150403104507.GM3878@redhat.com>
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <310050850.588679.1427202097917.JavaMail.zimbra@proxy.nl> <20150324141338.GT3878@redhat.com> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com>
Message-ID: <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl>

>----- Original message -----
>From: "Alexander Bokovoy"
>To: "Bobby Prins"
>Cc: dpal at redhat.com, freeipa-users at redhat.com
>Sent: Friday 3 April 2015 12:45:07
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>> On Mar 24, 2015, at 17:11, Dmitri Pal wrote:
>>>>
>>>> Seems like 15 sec timeout on the AIX side.
>>>> Can you try with a user that does not have that many groups and see if that works?
>>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>>I need to do some more testing.. Did not have a lot of time today, but I tried to authenticate with an AD user against the compat tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I'm still waiting for my AD test account with lesser group memberships.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>So I finally found some time to do extra tests. I now have an AD account with lesser group memberships which seems to speed up the login process (with Linux LDAP auth against the compat tree), but still no success on AIX. Did some more digging and it looks like AIX invalidates the user before it even is authenticated. The output below shows the lookup that is performed after I enter the username and press enter (before entering the password).
>>
>>access:
>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>Above there are two lookups:
>
>- successful lookup for user bprings at example.com
>- unsuccessful lookup for user bprins
>
>What is causing it to perform a lookup without @example.com? Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).
>--
>/ Alexander Bokovoy

This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that..
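The diagnosis above rests on reading the 389-ds access log the way Alexander does: pair each SRCH with its RESULT by conn/op and notice that the unqualified lookup against the compat tree comes back with nentries=0. The following is an added example, not code from the thread, FreeIPA or 389-ds: a small Python checker that does exactly that pairing and flags compat-tree searches for an unqualified uid that returned nothing. The sample lines are the seven access-log records quoted in the thread, with the list archive's " at " munging restored to "@"; the function and regex names are my own.

```python
"""Pair SRCH/RESULT records in a 389-ds access log and flag compat-tree
lookups for unqualified names that return no entries (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the access-log excerpt quoted in the thread,
# with the archive's " at " munging turned back into "@".
SAMPLE_ACCESS_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""

# "[timestamp] conn=N <rest>"; rest is either "op=N KIND args" or a
# connection-level record such as "fd=68 slot=68 connection from ...".
HEADER_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<args>.*))?$')
# key=value pairs; values are either double-quoted (may contain '=' and
# spaces, as LDAP filters and DNs do) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UID_RE = re.compile(r'\(uid=([^)]*)\)', re.IGNORECASE)


@dataclass
class Operation:
    conn: str
    op: str
    kind: str                      # BIND, SRCH, ...
    args: Dict[str, str] = field(default_factory=dict)
    err: Optional[int] = None      # filled in from the matching RESULT
    nentries: Optional[int] = None


def _parse_kv(args: str) -> Dict[str, str]:
    out = {}
    for m in KV_RE.finditer(args):
        key, raw = m.group(1), m.group(2)
        out[key] = raw[1:-1] if raw.startswith('"') else raw
    return out


def parse_access_log(text: str) -> List[Operation]:
    """Return one Operation per (conn, op), with its RESULT folded in."""
    ops: Dict[Tuple[str, str], Operation] = {}
    for line in text.splitlines():
        hm = HEADER_RE.match(line)
        if not hm:
            continue
        om = OP_RE.match(hm.group('rest'))
        if not om:
            continue            # connection open/close records carry no op
        key = (hm.group('conn'), om.group('op'))
        kv = _parse_kv(om.group('args') or '')
        if om.group('kind') == 'RESULT':
            target = ops.get(key)
            if target is not None:      # RESULT for an op we saw
                target.err = int(kv.get('err', -1))
                target.nentries = int(kv.get('nentries', 0))
        else:
            ops[key] = Operation(key[0], key[1], om.group('kind'), kv)
    return list(ops.values())


def find_unqualified_compat_misses(ops: List[Operation],
                                   compat_marker: str = 'cn=compat,'
                                   ) -> List[Tuple[str, str, str]]:
    """(conn, op, uid) for SRCH ops under the compat tree whose uid filter
    has no @domain part and that returned zero entries: the pattern that
    makes an AD user look non-existent to the client."""
    hits = []
    for o in ops:
        if o.kind != 'SRCH' or compat_marker not in o.args.get('base', '').lower():
            continue
        um = UID_RE.search(o.args.get('filter', ''))
        if um and '@' not in um.group(1) and o.nentries == 0:
            hits.append((o.conn, o.op, um.group(1)))
    return hits


if __name__ == '__main__':
    for conn, op, uid in find_unqualified_compat_misses(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f'conn={conn} op={op}: unqualified compat lookup for {uid!r} returned 0 entries')
```

Run against a real access log, the output lists exactly the second lookup the thread is puzzling over, which is the one to trace back to the client's own name-handling rather than to IPA.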
From dpal at redhat.com Fri Apr 3 12:17:19 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Apr 2015 08:17:19 -0400
Subject: [Freeipa-users] Proper configuration of service accounts
In-Reply-To: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com>
References: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com>
Message-ID: <551E84CF.4040709@redhat.com>

On 04/03/2015 01:51 AM, Brian Topping wrote:
> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated pair of IPA instances.
>
> Question about proper setup of service accounts: I see that the service accounts I set up under "cn=etc, cn=sysaccounts" are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>
> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html) are the wrong way for services like Postfix to be doing LDAP queries.
>

The ACIs changed because we tightened them for the read permissions. I hope you would be able to change them so that your service account works again. Here is the root page of the changes that we implemented.

http://www.freeipa.org/page/V4/Permissions_V2

System account is probably the right one for Postfix. It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it. When we looked at 4.2 we assessed it too and it was borderline with a good chance of not happening, sorry.

Thanks
Dmitri

> Thanks, Brian
>
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From abokovoy at redhat.com Fri Apr 3 12:26:17 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Apr 2015 15:26:17 +0300
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl>
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <310050850.588679.1427202097917.JavaMail.zimbra@proxy.nl> <20150324141338.GT3878@redhat.com> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl>
Message-ID: <20150403122617.GN3878@redhat.com>

On Fri, 03 Apr 2015, Bobby Prins wrote:
>>----- Original message -----
>>From: "Alexander Bokovoy"
>>To: "Bobby Prins"
>>Cc: dpal at redhat.com, freeipa-users at redhat.com
>>Sent: Friday 3 April 2015 12:45:07
>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>
>>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>> On Mar 24, 2015, at 17:11, Dmitri Pal wrote:
>>>>>
>>>>> Seems like 15 sec timeout on the AIX side.
>>>>> Can you try with a user that does not have that many groups and see if that works?
>>>>> If it does then we should assume it is an AIX side timeout and focus on making sure the data gets over to IPA within this timeout.
>>>>I need to do some more testing.. Did not have a lot of time today, but I tried to authenticate with an AD user against the compat tree using a Linux client with pam_ldap. I was able to log in but this would take up to a minute or so. I'm still waiting for my AD test account with lesser group memberships.
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IdM portfolio
>>>>> Red Hat, Inc.
>>>>>
>>>So I finally found some time to do extra tests. I now have an AD account with lesser group memberships which seems to speed up the login process (with Linux LDAP auth against the compat tree), but still no success on AIX. Did some more digging and it looks like AIX invalidates the user before it even is authenticated. The output below shows the lookup that is performed after I enter the username and press enter (before entering the password).
>>>
>>>access:
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>Above there are two lookups:
>>
>>- successful lookup for user bprings at example.com
>>- unsuccessful lookup for user bprins
>>
>>What is causing it to perform a lookup without @example.com? Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).
>This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that..

No, this is not standard -- I haven't seen such behavior when testing FreeIPA with AIX last autumn.
--
/ Alexander Bokovoy

From bobby.prins at proxy.nl Fri Apr 3 12:40:38 2015
From: bobby.prins at proxy.nl (Bobby Prins)
Date: Fri, 3 Apr 2015 14:40:38 +0200 (CEST)
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <20150403122617.GN3878@redhat.com>
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl> <20150403122617.GN3878@redhat.com>
Message-ID: <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl>

>----- Original message -----
>From: "Alexander Bokovoy"
>To: "Bobby Prins"
>Cc: dpal at redhat.com, freeipa-users at redhat.com
>Sent: Friday 3 April 2015 14:26:17
>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>
>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>----- Original message -----
>>>From: "Alexander Bokovoy"
>>>To: "Bobby Prins"
>>>Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>Sent: Friday 3 April 2015 12:45:07
>>>Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>
>>>On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>access:
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>Above there are two lookups:
>>>
>>>- successful lookup for user bprings at example.com
>>>- unsuccessful lookup for user bprins
>>>
>>>What is causing it to perform a lookup without @example.com? Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).
>>This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that..
>No, this is not standard -- I haven't seen such behavior when testing FreeIPA with AIX last autumn.
>--
>/ Alexander Bokovoy

OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well.

What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.

From tompos at martos.bme.hu Fri Apr 3 12:48:46 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Fri, 03 Apr 2015 14:48:46 +0200
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
Message-ID: <551E8C2E.3020307@martos.bme.hu>

hi All,

I have CentOS 6.6 server and want to upgrade to 7.1. What is the upgrade path, can I do it directly or do I first need to upgrade to 3.3? Also is there any known issue I should expect with workarounds?

Thanks,
tamas

From guertin at middlebury.edu Fri Apr 3 12:58:55 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Fri, 3 Apr 2015 12:58:55 +0000
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <20150402205353.GL3878@redhat.com> References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> Message-ID: <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu> > The sequence to emulate what SSSD does would be > >kinit -k host/`hostname` >ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \ > -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \ > '(uid=admin at middlebury.edu)' > >As result, we have 'admin at middlebury.edu' inserted in the compat tree, and >can do a bind as >'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc >=edu' > >ldapsearch -x -H ldap://genet.ipa.middlebury.edu \ > -D >'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc >=edu' \ > -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \ > '(uid=admin at middlebury.edu)' > >This would reproduce what SSSD was supposed to do. If you get these >ldapsearches to work, we can look at what is SSSD doing. Thanks. Yes, both of those ldapsearch commands work. 
I can search for the user (I'm using a different user here):

-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)'
SASL/GSSAPI authentication started
SASL username: host/yakko.ipa.middlebury.edu at IPA.MIDDLEBURY.EDU
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=juser at middlebury.edu)
# requesting: ALL
#

# juser at middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser at middlebury.edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

And I can bind as that user (after adding the -W flag to prompt for a password):

-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=juser at middlebury.edu)
# requesting: ALL
#

# juser at middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser at middlebury.edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

But the user still cannot SSH in to the client:

-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\juser at yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\juser at yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\juser at yakko.ipa.middlebury.edu's password:
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------

The sssd debug_level is set to 10. I've attached sssd_default.log and sssd_nss.log

David Guertin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_default.log
Type: application/octet-stream
Size: 49172 bytes
Desc: sssd_default.log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_nss.log
Type: application/octet-stream
Size: 24475 bytes
Desc: sssd_nss.log
URL:

From simo at redhat.com Fri Apr 3 13:06:18 2015
From: simo at redhat.com (Simo Sorce)
Date: Fri, 03 Apr 2015 09:06:18 -0400
Subject: [Freeipa-users] Understanding the migration mode
In-Reply-To:
References: <55148136.8040003@redhat.com> <5514C804.4040207@redhat.com> <55156455.7090401@redhat.com> <5515C3DF.5020701@redhat.com> <551AA80F.5070807@redhat.com>
Message-ID: <1428066378.19641.37.camel@willson.usersys.redhat.com>

On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote:
> I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks
> like it is hardcoded in crypt_pw_enc, which uses the default DES crypt
> method. This only affects the encoding. The verification of passwords works
> with any of MD5 or SHA-* schemes since the underlying crypt function in
> recent glibcs supports them. Would it make sense to add the other options
> to the encoding function ?

You should probably pose that question to the 389ds team.
From the IPA pov, these hashes are legacy and not needed because we
*strongly* discourage users from distributing hashes around and
recommend hashes are not made available. Rather users should use
kerberos, or as a less desirable alternative LDAP simple binds to
authenticate.
Brute forcing weak passwords even w/o random tables is
easy these days with the available on-demand computing power provided by
cloud operators, so distributing hashes is riskier than ever, especially
old hashes based on DES or MD5, but SHA-1 is not far down the list.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Fri Apr 3 13:35:57 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Apr 2015 16:35:57 +0300
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu>
References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu>
Message-ID: <20150403133557.GA4899@redhat.com>

On Fri, 03 Apr 2015, Guertin, David S. wrote:
>> The sequence to emulate what SSSD does would be
>>
>>kinit -k host/`hostname`
>>ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
>>    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>>    '(uid=admin at middlebury.edu)'
>>
>>As result, we have 'admin at middlebury.edu' inserted in the compat tree, and
>>can do a bind as
>>'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
>>
>>ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
>>    -D 'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
>>    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>>    '(uid=admin at middlebury.edu)'
>>
>>This would reproduce what SSSD was supposed to do. If you get these
>>ldapsearches to work, we can look at what is SSSD doing.
>
>Thanks. Yes, both of those ldapsearch commands work.
>I can search for the user (I'm using a different user here):
>
>-----------------------------
># ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)'
>SASL/GSSAPI authentication started
>SASL username: host/yakko.ipa.middlebury.edu at IPA.MIDDLEBURY.EDU
>SASL SSF: 56
>SASL installing layers
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (uid=juser at middlebury.edu)
># requesting: ALL
>#
>
># juser at middlebury.edu, users, compat, ipa.middlebury.edu
>dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
>objectClass: posixAccount
>objectClass: top
>cn: juser
>gidNumber: 435021613
>gecos: juser
>uidNumber: 435021613
>homeDirectory: /home/middlebury.edu/juser
>uid: juser at middlebury.edu
>
># search result
>search: 4
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>-----------------------------
>
>And I can bind as that user (after adding the -W flag to prompt for a password):
>
>-----------------------------
># ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)' -W
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base with scope subtree
># filter: (uid=juser at middlebury.edu)
># requesting: ALL
>#
>
># juser at middlebury.edu, users, compat, ipa.middlebury.edu
>dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
>objectClass: posixAccount
>objectClass: top
>cn: juser
>gidNumber: 435021613
>gecos: juser
>uidNumber: 435021613
>homeDirectory: /home/middlebury.edu/juser
>uid: juser at middlebury.edu
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>-----------------------------
>
>But the user still cannot SSH in to the client:
>
>-----------------------------
>$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
>MIDD\juser at yakko.ipa.middlebury.edu's password:
>Permission denied, please try again.
>MIDD\juser at yakko.ipa.middlebury.edu's password:
>Permission denied, please try again.
>MIDD\juser at yakko.ipa.middlebury.edu's password:
>Permission denied (publickey,gssapi-with-mic,password).
>-----------------------------
>
>The sssd debug_level is set to 10. I've attached sssd_default.log and sssd_nss.log

I don't see any request going to sssd.

Can you try with juser at middlebury.edu? Old SSSD is unable to see
MIDD\juser being the same as juser at middlebury.edu.

--
/ Alexander Bokovoy

From brian.topping at gmail.com Fri Apr 3 13:36:06 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Fri, 3 Apr 2015 07:36:06 -0600
Subject: [Freeipa-users] Proper configuration of service accounts
In-Reply-To: <551E84CF.4040709@redhat.com>
References: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com> <551E84CF.4040709@redhat.com>
Message-ID:

> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote:
>
> On 04/03/2015 01:51 AM, Brian Topping wrote:
>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my replicated pair of IPA instances.
>>
>> Question about proper setup of service accounts: I see that the service accounts I set up under "cn=etc, cn=sysaccounts" are still able to log in, but the permission changes have left them unable to read anything. Previously, I hacked the ACLs on the domain root. I would like to believe that's not how it should be done.
>>
>> That said, I was surprised that service accounts are not supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html ) are the wrong way for services like Postfix to be doing LDAP queries.
>>
>
> The ACIs changed because we tightened them for the read permissions.
> I hope you would be able to change them so that your service account works again.
> Here is the root page of the changes that we implemented.
> http://www.freeipa.org/page/V4/Permissions_V2
>
> System account is probably the right one for Postfix.
>
> It is not in the UI and CLI because other features take precedence. We acknowledge that it needs to be added, we just do not have enough time and resources to do it.
> When we looked at 4.2 we assessed it too and it was on the border line with a good chance of not happening, sorry.

Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully appreciate what was going to happen until doing the upgrade. Once it was done, I was kind of surprised that the ACL changes replicated to the 3.x server. As luck would have it, I didn't snapshot both servers at the same time before upgrading either, and eventually, the ACLs managed to work their way back to both the 3.x snapshots (one of them was obviously snapshotted after the other one had been installed with 4.1). I couldn't find upgrade notes with "gotcha"s; this might be a good addition if there are some somewhere. It was kind of humorous in all.

As for the service feature itself, please don't apologize. I think you guys did a spectacular job with this feature set. What I was concerned about is making sure I am doing things as closely as possible to future patterns to reduce upgrade costs. I don't know if it's possible to document the pattern without committing to the feature, but it might be helpful.

The one thing I would like to discover at this point is whether roles and privileges built in the UI can be used by system accounts. If so, I could stop editing ACLs directly in LDIF, which is error prone and not the kind of thing I remember too well.

Kind regards, Brian

>
> Thanks
> Dmitri
>
>> Thanks, Brian
>>
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From brian.topping at gmail.com Fri Apr 3 13:46:50 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Fri, 3 Apr 2015 07:46:50 -0600
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <551E8C2E.3020307@martos.bme.hu>
References: <551E8C2E.3020307@martos.bme.hu>
Message-ID: <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com>

> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>
> hi All,
>
> I have CentOS 6.6 server and want to upgrade to 7.1.
>
> What is the upgrade path, can I do it directly or first I need to make it to 3.3?
> Also is there any known issue I should expect with workarounds?

I just did this yesterday, so here's my experience. If you have a simple single-server installation with no custom LDAP DIT modifications, you should find "yum upgrade" does the right thing.

If you do have DIT mods, you should ask yourself why they are there and whether the data will still be accessible after the ACLs are changed. In my case, I had Postfix using a LDAP hash and mail delivery stopped working (although the domain data was still there just fine).

Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are replicated. To be safe, back up all replicas (snapshot or whatnot) before the first upgrade and if you decide to restore any of them, be sure everything is shut down and restore all of them to avoid 4.x schema contaminating 3.0 as they come up.
Brian

>
> Thanks,
> tamas
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From dpal at redhat.com Fri Apr 3 14:41:45 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Apr 2015 10:41:45 -0400
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com>
References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com>
Message-ID: <551EA6A9.6090104@redhat.com>

On 04/03/2015 09:46 AM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>>
>> hi All,
>>
>> I have CentOS 6.6 server and want to upgrade to 7.1.
>>
>> What is the upgrade path, can I do it directly or first I need to make it to 3.3?
>> Also is there any known issue I should expect with workarounds?
> I just did this yesterday, so here's my experience. If you have a simple single-server installation with no custom LDAP DIT modifications, you should find "yum upgrade" does the right thing.
>
> If you do have DIT mods, you should ask yourself why they are there and whether the data will still be accessible after the ACLs are changed. In my case, I had Postfix using a LDAP hash and mail delivery stopped working (although the domain data was still there just fine).
>
> Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are replicated. To be safe, back up all replicas (snapshot or whatnot) before the first upgrade and if you decide to restore any of them, be sure everything is shut down and restore all of them to avoid 4.x schema contaminating 3.0 as they come up.
The general recommendation for 3.3 -> 4.1 migration is to start introducing 4.1 replicas into your 3.3 environment and then turn your 3.3 replicas off. Do not forget to install the CA component with one of your 4.1 replicas before removing all the 3.3 instances with CAs. With this procedure you would also need to move the CRL generation and cert tracking. See details in the migration section:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc

>
> Brian
>
>> Thanks,
>> tamas
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tompos at martos.bme.hu Fri Apr 3 14:45:41 2015
From: tompos at martos.bme.hu (Tamas Papp)
Date: Fri, 03 Apr 2015 16:45:41 +0200
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com>
References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com>
Message-ID: <551EA795.60701@martos.bme.hu>

On 04/03/2015 03:46 PM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>>
>> hi All,
>>
>> I have CentOS 6.6 server and want to upgrade to 7.1.
>>
>> What is the upgrade path, can I do it directly or first I need to make it to 3.3?
>> Also is there any known issue I should expect with workarounds?
> I just did this yesterday, so here's my experience. If you have a simple single-server installation with no custom LDAP DIT modifications, you should find "yum upgrade" does the right thing.
>
> If you do have DIT mods, you should ask yourself why they are there and whether the data will still be accessible after the ACLs are changed.
> In my case, I had Postfix using a LDAP hash and mail delivery stopped working (although the domain data was still there just fine).
>
> Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are replicated. To be safe, back up all replicas (snapshot or whatnot) before the first upgrade and if you decide to restore any of them, be sure everything is shut down and restore all of them to avoid 4.x schema contaminating 3.0 as they come up.

Ouch, that must have hurt :)

As far as I recall, we have just very small custom changes.

Thanks,
t

From dpal at redhat.com Fri Apr 3 14:48:15 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Apr 2015 10:48:15 -0400
Subject: [Freeipa-users] Proper configuration of service accounts
In-Reply-To:
References: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com> <551E84CF.4040709@redhat.com>
Message-ID: <551EA82F.905@redhat.com>

On 04/03/2015 09:36 AM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote:
>>
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x
>>> -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on
>>> my replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the
>>> service accounts I set up under "cn=etc, cn=sysaccounts" are still
>>> able to log in, but the permission changes have left them unable to
>>> read anything. Previously, I hacked the ACLs on the domain root. I
>>> would like to believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported
>>> in 4.x UI, so I wonder if service accounts
>>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html)
>>> are the wrong way for services like Postfix to be doing LDAP queries.
>>>
>>
>> The ACIs changed because we tightened them for the read permissions.
>> I hope you would be able to change them so that your service account
>> works again.
>> Here is the root page of the changes that we implemented.
>> http://www.freeipa.org/page/V4/Permissions_V2
>>
>> System account is probably the right one for Postfix.
>>
>> It is not in the UI and CLI because other features take precedence.
>> We acknowledge that it needs to be added, we just do not have enough
>> time and resources to do it.
>> When we looked at 4.2 we assessed it too and it was on the border
>> line with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't
> fully appreciate what was going to happen until doing the upgrade.
> Once it was done, I was kind of surprised that the ACL changes
> replicated to the 3.x server. As luck would have it, I didn't snapshot
> both servers at the same time before upgrading either, and eventually,
> the ACLs managed to work their way back to both the 3.x snapshots (one
> of them was obviously snapshotted after the other one had been
> installed with 4.1). I couldn't find upgrade notes with "gotcha"s;
> this might be a good addition if there are some somewhere. It was kind of
> humorous in all.
>
> As for the service feature itself, please don't apologize. I think you
> guys did a spectacular job with this feature set. What I was concerned
> about is making sure I am doing things as closely as possible to
> future patterns to reduce upgrade costs. I don't know if it's possible
> to document the pattern without committing to the feature, but it
> might be helpful.
>
> The one thing I would like to discover at this point is whether roles
> and privileges built in the UI can be used by system accounts.

I am eager to know that too, please do not hesitate to share your
findings. :-)

> If so, I could stop editing ACLs directly in LDIF, which is error
> prone and not the kind of thing I remember too well.
>
> Kind regards, Brian
>
>>
>> Thanks
>> Dmitri
>>
>>> Thanks, Brian
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From guertin at middlebury.edu Fri Apr 3 17:13:56 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Fri, 3 Apr 2015 17:13:56 +0000
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <20150403133557.GA4899@redhat.com>
References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu> <20150403133557.GA4899@redhat.com>
Message-ID: <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu>

>I don't see any request going to sssd.
>
>Can you try with juser at middlebury.edu? Old SSSD is unable to see
>MIDD\juser being the same as juser at middlebury.edu.

When I try:

ssh -l 'juser at middlebury.edu' yakko.ipa.middlebury.edu

There is no response for two minutes, followed by "Connection closed".

I've attached the resulting sssd_default.log and sssd_nss.log.

David Guertin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_default.log
Type: application/octet-stream
Size: 109743 bytes
Desc: sssd_default.log
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_nss.log
Type: application/octet-stream
Size: 26613 bytes
Desc: sssd_nss.log
URL:

From andrew.holway at gmail.com Fri Apr 3 17:19:22 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Fri, 3 Apr 2015 19:19:22 +0200
Subject: [Freeipa-users] Your session has expired. Please re-login.
Message-ID:

Hello,

Trying to log into the Gui I just get "Your session has expired. Please re-login." Everything else appears to be working.

I cannot find any useful logs.

Cheers,

Andrew

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bentech4you at gmail.com Fri Apr 3 17:53:43 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 3 Apr 2015 13:53:43 -0400
Subject: [Freeipa-users] Your session has expired. Please re-login.
In-Reply-To:
References:
Message-ID:

HI

i was facing the same issue last week and it got fixed now.

always use WUI from firefox. install Kerberos plugin and certificate from ipa help page

check time (ntp)

Destroy and recreate ticket (kdestroy & kinit admin)

restart krb5kdc, sssd & httpd services

restart ipactl (ipactl restart)

check ipactl status also.

Regards,
Ben

On Fri, Apr 3, 2015 at 1:19 PM, Andrew Holway wrote:

> Hello,
>
> Trying to log into the Gui I just get "Your session has expired. Please
> re-login." Everything else appears to be working.
>
> I cannot find any useful logs.
>
> Cheers,
>
> Andrew
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From prasun.gera at gmail.com Fri Apr 3 17:56:56 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Fri, 3 Apr 2015 13:56:56 -0400
Subject: [Freeipa-users] Understanding the migration mode
In-Reply-To: <1428066378.19641.37.camel@willson.usersys.redhat.com>
References: <55148136.8040003@redhat.com> <5514C804.4040207@redhat.com> <55156455.7090401@redhat.com> <5515C3DF.5020701@redhat.com> <551AA80F.5070807@redhat.com> <1428066378.19641.37.camel@willson.usersys.redhat.com>
Message-ID:

Thanks for the response. It looks like there is already a ticket for this which has been open for a while (https://fedorahosted.org/389/ticket/131). I understand that distributing hashes is a bad idea. I was considering it mainly to do a seamless migration of clients. What was slightly unsettling was that enabling (crypt + nis-plugin) is actually worse than plain old nis because of limited crypt support. From a migration standpoint, it makes it pretty much an all or nothing solution, i.e. migrate all the NIS clients in some way at once, either to LDAP or completely to native IPA clients, or live with DES crypt if one wants to do a staged migration from NIS.

On Fri, Apr 3, 2015 at 9:06 AM, Simo Sorce wrote:

> On Thu, 2015-04-02 at 17:33 -0400, Prasun Gera wrote:
> > I had a look at ldap/servers/plugins/pwdstorage/crypt_pwd.c, and it looks
> > like it is hardcoded in crypt_pw_enc, which uses the default DES crypt
> > method. This only affects the encoding. The verification of passwords
> works
> > with any of MD5 or SHA-* schemes since the underlying crypt function in
> > recent glibcs supports them. Would it make sense to add the other options
> > to the encoding function ?
>
> You should probably pose that question to the 389ds team.
> From the IPA pov, these hashes are legacy and not needed because we
> *strongly* discourage users from distributing hashes around and
> recommend hashes are not made available.
> Rather users should use
> kerberos, or as a less desirable alternative LDAP simple binds to
> authenticate. Brute forcing weak passwords even w/o random tables is
> easy these days with the available on-demand computing power provided by
> cloud operators, so distributing hashes is riskier than ever, especially
> old hashes based on DES or MD5, but SHA-1 is not far down the list.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From lslebodn at redhat.com Fri Apr 3 18:00:46 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 3 Apr 2015 20:00:46 +0200
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu>
References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu> <20150403133557.GA4899@redhat.com> <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu>
Message-ID: <20150403180045.GA2150@mail.corp.redhat.com>

On (03/04/15 17:13), Guertin, David S. wrote:
>>I don't see any request going to sssd.
>>
>>Can you try with juser at middlebury.edu? Old SSSD is unable to see
>>MIDD\juser being the same as juser at middlebury.edu.
>
>When I try:
>
>ssh -l 'juser at middlebury.edu' yakko.ipa.middlebury.edu
>
>There is no response for two minutes, followed by "Connection closed".
>
>I've attached the resulting sssd_default.log and sssd_nss.log.
>

There seems to be a problem with initgroups:

[sdap_get_initgr_user] (9): Process user's groups
[sdap_get_generic_step] (6): calling ldap_search_ext with [(&(memberuid=juser at middlebury.edu)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=compat,dc=ipa,dc=middlebury,dc=edu].
[sdap_get_generic_step] (7): Requesting attrs: [objectClass]
[sdap_get_generic_step] (7): Requesting attrs: [cn]
[sdap_get_generic_step] (7): Requesting attrs: [userPassword]
[sdap_get_generic_step] (7): Requesting attrs: [gidNumber]
[sdap_get_generic_step] (7): Requesting attrs: [memberuid]
[sdap_get_generic_step] (7): Requesting attrs: [modifyTimestamp]
[sdap_get_generic_step] (7): Requesting attrs: [entryUSN]
[sdap_get_generic_step] (8): ldap_search_ext called, msgid = 4
[sdap_process_result] (8): Trace: sh[0x1a204860], connected[1], ops[0x1a21c510], ldap[0x1a204310]
[sdap_process_result] (8): Trace: ldap_result found nothing!
[sbus_dispatch] (9): dbus conn: 1A1E97A0
[sbus_dispatch] (9): Dispatching.
[sbus_message_handler] (9): Received SBUS method [ping]
[sdap_get_initgr_done] (9): Initgroups done
[sdap_get_initgr_done] (9): Error in initgroups: [110][Connection timed out]
[sdap_id_op_done] (5): communication error on cached connection, moving to next server
[sdap_id_op_done] (9): too many communication failures, giving up...
[sdap_id_op_done] (9): releasing operation connection

LS

From jreg2k at gmail.com Fri Apr 3 18:03:25 2015
From: jreg2k at gmail.com (James James)
Date: Fri, 3 Apr 2015 20:03:25 +0200
Subject: [Freeipa-users] ipa and external ca
Message-ID:

Hi everybody, sorry to repost my original question but this time my problem is better described.

I want to install an ipa server on centos 6 with an external ca. My problem is to add emailAddress in the subject field when I type the command:

[root at ipa-dev ~]# ipa-server-install --external_ca --subject="O=orga,C=FR,OU=MyOU"

Does somebody know how to do it?

Best.

James

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andrew.holway at gmail.com Fri Apr 3 18:23:28 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Fri, 3 Apr 2015 20:23:28 +0200
Subject: [Freeipa-users] Your session has expired. Please re-login.
In-Reply-To:
References:
Message-ID:

On Friday, 3 April 2015, Ben .T.George wrote:

> HI
>
> i was facing the same issue last week and it got fixed now.
>
> always use WUI from firefox. install Kerberos plugin and certificate from
> ipa help page
>

Hi George,

Thanks for the advice. Did you discover the root of the problem?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dpal at redhat.com Fri Apr 3 18:25:48 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 03 Apr 2015 14:25:48 -0400
Subject: [Freeipa-users] ipa and external ca
In-Reply-To:
References:
Message-ID: <551EDB2C.10603@redhat.com>

On 04/03/2015 02:03 PM, James James wrote:
> Hi everybody, sorry to repost my original question but this time my
> problem is better described.
>
> I want to install an ipa server on centos 6 with an external ca. My
> problem is to add emailAddress in the subject field when I type the
> command:
>
>
> [root at ipa-dev ~]# ipa-server-install --external_ca
> --subject="O=orga,C=FR,OU=MyOU"
>
> Does somebody know how to do it?

Please wait till Tuesday next week. People who might be able to help are not available due to holidays in Europe.

>
> Best.
>
> James
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bentech4you at gmail.com Fri Apr 3 18:25:43 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Fri, 3 Apr 2015 14:25:43 -0400
Subject: [Freeipa-users] Your session has expired. Please re-login.
In-Reply-To:
References:
Message-ID:

no, it's because of a wrong ticket i guess.

try the steps and let us know the output

On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway wrote:

>
>
> On Friday, 3 April 2015, Ben .T.George wrote:
>
>> HI
>>
>> i was facing the same issue last week and it got fixed now.
>>
>> always use WUI from firefox.
>> install Kerberos plugin and certificate from
>> ipa help page
>>
>
> Hi George,
>
> Thanks for the advice. Did you discover the root of the problem?
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Fri Apr 3 20:12:35 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Apr 2015 23:12:35 +0300
Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu>
References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu> <20150403133557.GA4899@redhat.com> <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu>
Message-ID: <20150403201235.GB4899@redhat.com>

On Fri, 03 Apr 2015, Guertin, David S. wrote:
>>I don't see any request going to sssd.
>>
>>Can you try with juser at middlebury.edu? Old SSSD is unable to see
>>MIDD\juser being the same as juser at middlebury.edu.
>
>When I try:
>
>ssh -l 'juser at middlebury.edu' yakko.ipa.middlebury.edu
>
>There is no response for two minutes, followed by "Connection closed".
>
>I've attached the resulting sssd_default.log and sssd_nss.log.

What slapi-nis and ipa packages are on the IPA master side?
This all looks like IPA masters don't have RHEL 7.1 update 1 packages from
https://rhn.redhat.com/errata/RHSA-2015-0728.html where exactly this
problem with initgroups was fixed.
--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Apr 3 20:32:59 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Apr 2015 23:32:59 +0300
Subject: [Freeipa-users] Proper configuration of service accounts
In-Reply-To: <551EA82F.905@redhat.com>
References: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com> <551E84CF.4040709@redhat.com> <551EA82F.905@redhat.com>
Message-ID: <20150403203259.GC4899@redhat.com>

On Fri, 03 Apr 2015, Dmitri Pal wrote:
>On 04/03/2015 09:36 AM, Brian Topping wrote:
>>>On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote:
>>>
>>>On 04/03/2015 01:51 AM, Brian Topping wrote:
>>>>Great work on 4.1.0! As a CentOS user, I am able to convey the
>>>>3.x -> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1
>>>>upgrade on my replicated pair of IPA instances.
>>>>
>>>>Question about proper setup of service accounts: I see that the
>>>>service accounts I set up under "cn=etc, cn=sysaccounts" are
>>>>still able to log in, but the permission changes have left them
>>>>unable to read anything. Previously, I hacked the ACLs on the
>>>>domain root. I would like to believe that's not how it should be
>>>>done.
>>>>
>>>>That said, I was surprised that service accounts are not
>>>>supported in 4.x UI, so I wonder if service accounts (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html)
>>>>are the wrong way for services like Postfix to be doing LDAP
>>>>queries.
>>>>
>>>
>>>The ACIs changed because we tightened them for the read permissions.
>>>I hope you would be able to change them so that your service
>>>account works again.
>>>Here is the root page of the changes that we implemented.
>>>http://www.freeipa.org/page/V4/Permissions_V2
>>>
>>>System account is probably the right one for Postfix.
>>>
>>>It is not in the UI and CLI because other features take
>>>precedence. We acknowledge that it needs to be added, we just do not
>>>have enough time and resources to do it.
>>>When we looked at 4.2 we assessed it too and it was on the border >>>line with a good chance of not happening, sorry. >> >>Thanks Dmitri. I had known in advance about the ACLs, but couldn't >>fully appreciate what was going to happen until doing the upgrade. >>Once it was done, I was kind of surprised that the ACL changes >>replicated to the 3.x server. As luck would have it, I didn't >>snapshot both servers at the same time before upgrading either, and >>eventually, the ACLs managed to work their way back to both the 3.x >>snapshots (one of them was obviously snapshotted after the other one >>had been installed with 4.1). I couldn't find upgrade notes with >>"gotcha"s, this might be a good addition if there are somewhere. It >>was kind of humorous in all. >> >>As for the service feature itself, please don't apologize. I think >>you guys did a spectacular job with this feature set. What I was >>concerned about is making sure I am doing things as closely as >>possible to future patterns to reduce upgrade costs. I don't know if >>it's possible to document the pattern without committing to the >>feature, but it might be helpful. >> >>The one thing I would like to discover at this point is whether >>roles and privileges built in the UI can be used by system accounts. > >I am eager to know that too, please do not hesitate to share your >findings. :-) I don't think you can achieve that with existing 'ipa permission-add' command because it limits memberof filter to existing IPA groups. We have an update plugin that updates managed permissions and it could be used as a basis to add more permissions declarative-style but right now it can't be used as it is. Definitely worth filing a ticket and fixing this ASAP. -- / Alexander Bokovoy From guertin at middlebury.edu Fri Apr 3 20:58:56 2015 From: guertin at middlebury.edu (Guertin, David S.) Date: Fri, 3 Apr 2015 20:58:56 +0000 Subject: [Freeipa-users] RHEL 5 client?
In-Reply-To: <20150403201235.GB4899@redhat.com> References: <551C2C1B.2050006@redhat.com> <551CB0CE.3040306@redhat.com> <20150402145421.GJ3668@hendrix.redhat.com> <501a45b07d1c47d0a9177e218457523c@greyhound.middlebury.edu> <20150402205353.GL3878@redhat.com> <121bcc309a79454083839f61b38e0a5d@greyhound.middlebury.edu> <20150403133557.GA4899@redhat.com> <1d35ddcd39704af8a3611aba88c917b4@greyhound.middlebury.edu> <20150403201235.GB4899@redhat.com> Message-ID: <8e21d1c72f474024a7851dc4f7ee99f1@greyhound.middlebury.edu> >What slapi-nis and ipa packages are on the IPA master side? >This all looks like IPA masters don't have RHEL 7.1 update 1 packages from >https://rhn.redhat.com/errata/RHSA-2015-0728.html where exactly this >problem with initgroups was fixed. Yes, that was it! I had not applied those updates. I just ran "yum update" on the servers, and now I can log in to the RHEL 5 client. Thank you! David Guertin From andrew.holway at gmail.com Sat Apr 4 00:45:44 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Sat, 4 Apr 2015 02:45:44 +0200 Subject: [Freeipa-users] Your session has expired. Please re-login. In-Reply-To: References: Message-ID: I tried it in Firefox and I could log in fine. Firefox does not use the OSX Keychain so, on a whim I deleted the Cert from keychain and, et voila, It was working on chrome again. Weirdly, chrome is still trusting the certificate even though I deleted the cert from keychain so either there is some cache somewhere or the system is a bit borked. :) On 3 April 2015 at 20:25, Ben .T.George wrote: > no, it's because of wrong ticket i guess. > > try the steps and let us know the output > > > > On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway > wrote: > >> >> >> On Friday, 3 April 2015, Ben .T.George wrote: >> >>> HI >>> >>> i was facing the same issue last week and it got fixed now. >>> >>> always use WUI from firefox.
install Kerberos plugin and certificate >>> from ipa help page >>> >> >> Hi George, >> >> Thanks for the advice. Did you discover the root of the problem? >> > > From coy.hile at coyhile.com Sat Apr 4 05:07:15 2015 From: coy.hile at coyhile.com (Coy Hile) Date: Sat, 4 Apr 2015 01:07:15 -0400 Subject: [Freeipa-users] Question on freeipa-server-trust-ad Message-ID: Hi all, What purpose does this package serve? The way I've done Kerberos between Active Directory and AD, the trust was always one way (outgoing): the MIT realm is authoritative and AD "shadow accounts" were mapped to "real" principals via the alternateSecurityID attribute. Looking at what freeipa-server-trust-ad installs, it appears the dependencies installed are around letting someone set up a bidirectional trust (or at least let the AD users be authoritative). If one wants to setup his trust in the way I described, all he really needs to do in MIT land is create krbtgt/AD.REALM at MIT.REALM in the MIT Realm. Is there a "supported" way to do something similar with FreeIPA? Time to break out kadmin.local -x ipa-setup-override-restrictions? Or would that not drop the principal in the right place in the LDAP tree? -- Coy Hile coy.hile at coyhile.com From simo at redhat.com Sat Apr 4 13:39:16 2015 From: simo at redhat.com (Simo Sorce) Date: Sat, 04 Apr 2015 09:39:16 -0400 Subject: [Freeipa-users] Question on freeipa-server-trust-ad In-Reply-To: References: Message-ID: <1428154756.19641.44.camel@willson.usersys.redhat.com> On Sat, 2015-04-04 at 01:07 -0400, Coy Hile wrote: > Hi all, > > What purpose does this package serve? The way I've done Kerberos > between Active Directory and AD, the trust was always one way > (outgoing): the MIT realm is authoritative and AD "shadow accounts" > were mapped to "real" principals via the alternateSecurityID > attribute.
Looking at what freeipa-server-trust-ad installs, it > appears the dependencies installed are around letting someone set up a > bidirectional trust (or at least let the AD users be authoritative). > If one wants to setup his trust in the way I described, all he really > needs to do in MIT land is create > > krbtgt/AD.REALM at MIT.REALM > > in the MIT Realm. > > Is there a "supported" way to do something similar with FreeIPA? Not yet. https://fedorahosted.org/freeipa/ticket/4917 > Time to break out kadmin.local -x ipa-setup-override-restrictions? You can do that, if you know what you are doing :) > Or would that not drop the principal in the right place in the LDAP > tree? Yeah kadmin will create that entry under the cn=kerberos subtree, but that is ok, the krbtgt principals are not users nor really services, so keeping it in cn=kerberos for now is fine. However do not use kadmin.local to create actual user principals please. Simo. -- Simo Sorce * Red Hat, Inc * New York From janellenicole80 at gmail.com Sat Apr 4 14:55:13 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sat, 04 Apr 2015 07:55:13 -0700 Subject: [Freeipa-users] load balancers? Message-ID: <551FFB51.2090508@gmail.com> Hello everyone, Probably a quiet weekend for any responses, but I will toss this out. I was wondering if anyone has had any issues with load balancers and IPA? Not with Kerberos, since I know the protocol is designed without load balancer support, but in the case of using the LDAP portion? I am curious because the load balancing within sssd is not really load balancing, but more fail-over. I am wondering what kind of experience and maybe suggestions for a good LB setup anyone might have. Thank You ~J From brian.topping at gmail.com Sat Apr 4 15:16:28 2015 From: brian.topping at gmail.com (Brian Topping) Date: Sat, 4 Apr 2015 22:16:28 +0700 Subject: [Freeipa-users] load balancers?
In-Reply-To: <551FFB51.2090508@gmail.com> References: <551FFB51.2090508@gmail.com> Message-ID: I believe LDAP can be load balanced without any problem. It is a TCP based protocol without persistent state between transactions so it should be just fine. Sent from my iPhone > On Apr 4, 2015, at 21:55, Janelle wrote: > > Hello everyone, > > Probably a quiet weekend for any responses, but I will toss this out. I was wondering if anyone has had any issues with load balancers and IPA? Not with Kerberos, since I know the protocol is designed without load balancer support, but in the case of using the LDAP portion? I am curious because the load balancing within sssd is not really load balancing, but more fail-over. I am wondering what kind of experience and maybe suggestions for a good LB setup anyone might have. > > Thank You > ~J > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From simo at redhat.com Sat Apr 4 15:47:06 2015 From: simo at redhat.com (Simo Sorce) Date: Sat, 04 Apr 2015 11:47:06 -0400 Subject: [Freeipa-users] load balancers? In-Reply-To: References: <551FFB51.2090508@gmail.com> Message-ID: <1428162426.19641.50.camel@willson.usersys.redhat.com> We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server. If you want to load balance by using a common DNS name in front of all servers, you will need to deal with issues with krb5 authentication. At the very least you should add keys to all servers for a principal named after the common name. However we do not test this scenario and I am not 100% sure it works correctly when you factor in that we use GSSAPI also for replication. Simo. On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote: > I believe LDAP can be load balanced without any problem. It is a TCP > based protocol without persistent state between transactions so it > should be just fine. 
> > Sent from my iPhone > > > On Apr 4, 2015, at 21:55, Janelle wrote: > > > > Hello everyone, > > > > Probably a quiet weekend for any responses, but I will toss this > out. I was wondering if anyone has had any issues with load balancers > and IPA? Not with Kerberos, since I know the protocol is designed > without load balancer support, but in the case of using the LDAP > portion? I am curious because the load balancing within sssd is not > really load balancing, but more fail-over. I am wondering what kind of > experience and maybe suggestions for a good LB setup anyone might > have. > > > > Thank You > > ~J > > > > -- Simo Sorce * Red Hat, Inc * New York From nadav.mavor at gmail.com Sat Apr 4 16:30:02 2015 From: nadav.mavor at gmail.com (Nadav Mavor) Date: Sat, 4 Apr 2015 12:30:02 -0400 Subject: [Freeipa-users] load balancers? In-Reply-To: <1428162426.19641.50.camel@willson.usersys.redhat.com> References: <551FFB51.2090508@gmail.com> <1428162426.19641.50.camel@willson.usersys.redhat.com> Message-ID: I use F5 and 3 IPA servers, no big issues, but some notes: 1) as noted you can't use it for kerberos 2) for the DNS we use group and not L/B due to the zone serial (the zone serial num is not getting synced, so if you round robin you will get a different zone num every time and it will mess up zone sync to external dns servers) 3) for the GUI (443) make sure to use stickiness so the user won't get bounced after the login On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce wrote: > We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server. > If you want to load balance by using a common DNS name in front of all > servers, you will need to deal with issues with krb5 authentication. > > At the very least you should add keys to all servers for a principal > named after the common name.
However we do not test this scenario and I > am not 100% sure it works correctly when you factor in that we use > GSSAPI also for replication. > > Simo. > > On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote: > > I believe LDAP can be load balanced without any problem. It is a TCP > > based protocol without persistent state between transactions so it > > should be just fine. > > > > Sent from my iPhone > > > > > On Apr 4, 2015, at 21:55, Janelle wrote: > > > > > > Hello everyone, > > > > > > Probably a quiet weekend for any responses, but I will toss this > > out. I was wondering if anyone has had any issues with load balancers > > and IPA? Not with Kerberos, since I know the protocol is designed > > without load balancer support, but in the case of using the LDAP > > portion? I am curious because the load balancing within sssd is not > > really load balancing, but more fail-over. I am wondering what kind of > > experience and maybe suggestions for a good LB setup anyone might > > have. > > > > > > Thank You > > > ~J > > > > > > > > -- > Simo Sorce * Red Hat, Inc * New York > From dpal at redhat.com Sat Apr 4 18:44:51 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 04 Apr 2015 14:44:51 -0400 Subject: [Freeipa-users] load balancers?
In-Reply-To: References: <551FFB51.2090508@gmail.com> <1428162426.19641.50.camel@willson.usersys.redhat.com> Message-ID: <55203123.1030703@redhat.com> On 04/04/2015 12:30 PM, Nadav Mavor wrote: > I use F5 and 3 IPA servers, no big issues, but some notes: > 1) as noted you can't use it for kerberos > 2) for the DNS we use group and not L/B due to the zone serial (the > zone serial num is not getting synced, so if you round robin you will get > a different zone num every time and it will mess up zone sync to external > dns servers) > 3) for the GUI (443) make sure to use stickiness so the user won't > get bounced after the login I did not quite get 2) above... Can you please describe it in more detail? If you know how to make LB work with IPA's DNS and kerberos a nice HOWTO wiki page would be really welcome! > > On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce > wrote: > > We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server. > If you want to load balance by using a common DNS name in front of all > servers, you will need to deal with issues with krb5 authentication. > > At the very least you should add keys to all servers for a principal > named after the common name. However we do not test this scenario > and I > am not 100% sure it works correctly when you factor in that we use > GSSAPI also for replication. > > Simo. > > On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote: > > I believe LDAP can be load balanced without any problem. It is a TCP > > based protocol without persistent state between transactions so it > > should be just fine. > > > > Sent from my iPhone > > > > > On Apr 4, 2015, at 21:55, Janelle > wrote: > > > > > > Hello everyone, > > > > > > Probably a quiet weekend for any responses, but I will toss this > > out. I was wondering if anyone has had any issues with load > balancers > > and IPA? Not with Kerberos, since I know the protocol is designed > > without load balancer support, but in the case of using the LDAP > > portion?
I am curious because the load balancing within sssd is not > > really load balancing, but more fail-over. I am wondering what > kind of > > experience and maybe suggestions for a good LB setup anyone might > > have. > > > > > > Thank You > > > ~J > > > > > > > > -- > Simo Sorce * Red Hat, Inc * New York > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From janellenicole80 at gmail.com Sat Apr 4 19:04:10 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sat, 04 Apr 2015 12:04:10 -0700 Subject: [Freeipa-users] load balancers? In-Reply-To: <55203123.1030703@redhat.com> References: <551FFB51.2090508@gmail.com> <1428162426.19641.50.camel@willson.usersys.redhat.com> <55203123.1030703@redhat.com> Message-ID: <552035AA.6020901@gmail.com> On 4/4/15 11:44 AM, Dmitri Pal wrote: > On 04/04/2015 12:30 PM, Nadav Mavor wrote: >> I use F5 and 3 IPA servers, no big issues, but some notes: >> 1) as noted you can't use it for kerberos >> 2) for the DNS we use group and not L/B due to the zone serial (the >> zone serial num is not getting synced, so if you round robin you will get >> a different zone num every time and it will mess up zone sync to >> external dns servers) >> 3) for the GUI (443) make sure to use stickiness so the user won't >> get bounced after the login > > I did not quite get 2) above... > Can you please describe it in more detail? > If you know how to make LB work with IPA's DNS and kerberos a nice > HOWTO wiki page would be really welcome!
> > >> >> On Sat, Apr 4, 2015 at 11:47 AM, Simo Sorce > > wrote: >> >> We use SASL/GSSAPI/krb5 to authenticate clients to the LDAP server. >> If you want to load balance by using a common DNS name in front >> of all >> servers, you will need to deal with issues with krb5 authentication. >> >> At the very least you should add keys to all servers for a principal >> named after the common name. However we do not test this scenario >> and I >> am not 100% sure it works correctly when you factor in that we use >> GSSAPI also for replication. >> >> Simo. >> >> On Sat, 2015-04-04 at 22:16 +0700, Brian Topping wrote: >> > I believe LDAP can be load balanced without any problem. It is >> a TCP >> > based protocol without persistent state between transactions so it >> > should be just fine. >> > >> > >> The reason I brought this up - been doing some testing with different LBs and well, some of them seem to cause a lot of stuck/CLOSE_WAIT ports, while others don't. My guess is I am just incorrectly configuring the ones that are causing problems. But I guess too, I was wondering if there were any known bugs in some LBs for others, that would cause issues? ~J From danofsatx at gmail.com Sun Apr 5 04:10:35 2015 From: danofsatx at gmail.com (Dan Mossor) Date: Sat, 04 Apr 2015 23:10:35 -0500 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) Message-ID: <5520B5BB.4000307@fedoraproject.org> I've recently deployed a new domain based on 4.1.2 in F21. We've noticed an issue and can't quite seem to nail it down. The problem is that logins are taking an inordinate amount of time to complete - the fastest logon we can get using LDAP credentials is 8 seconds. During our testing, even logons to the IPA server itself took over 30 seconds to complete. I've narrowed this down to sssd, but that is as far as I can get.
When cranking up debugging for sshd and PAM, I see a minimum 2 second delay between ssh handing off the authentication request to sssd and the reply back. The only troubleshooting I've done is with ssh, but the area that causes the most grief is Apache logins. We configured Apache to use PAM for auth through IPA, vice directly calling IPA itself. Logging in to our Redmine site takes users a minimum of 34 seconds to complete. Following this, a simple webpage containing two hyperlinks and two small thumbnail images takes over a minute to load on a gigabit network. The *only* thing changed in this environment was the IPA server. We moved the Redmine from our old network that was using IPA 3.x (F20 branch) to the new one. My initial reaction was that it was the VM that was hosting Redmine, but we've run these tests against bare metal machines in the same network and have the same issue. It appears that sssd is taking a very, very long time to talk to FreeIPA - even on the IPA server itself. However, Kerberos logins into the IPA web GUI are near instantaneous, while Username/Password logins take more than a few seconds. I need to get this solved. My developers don't appreciate the glory days of XP taking 5 minutes to log into an IIS 2.1 web server on the local network. I don't have the budget to keep them at the coffee pot waiting on the network. So, what further information do you need from me to track this one down? 
Dan -- Dan Mossor Systems Engineer at Large Fedora KDE WG | Fedora QA Team | Fedora Server SIG Fedora Infrastructure Apprentice FAS: dmossor IRC: danofsatx San Antonio, Texas, USA From john.obaterspok at gmail.com Sun Apr 5 06:14:45 2015 From: john.obaterspok at gmail.com (John Obaterspok) Date: Sun, 5 Apr 2015 08:14:45 +0200 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) In-Reply-To: <5520B5BB.4000307@fedoraproject.org> References: <5520B5BB.4000307@fedoraproject.org> Message-ID: Hi Dan, I had a problem that login time increased by ~ 15 seconds from F20 -> F21. That was worked around by adding "selinux_provider = none" to the domain section in /etc/sssd/sssd.conf Have you checked that dns lookups + reverse lookups work on the ipa server? Is "id -G the_user_name" and "is the user_name_name" slow or fast? Did you check https://fedorahosted.org/sssd/wiki/Troubleshooting + -- john 2015-04-05 6:10 GMT+02:00 Dan Mossor : > I've recently deployed a new domain based on 4.1.2 in F21. We've noticed > an issue and can't quite seem to nail it down. The problem is that logins > are taking an inordinate amount of time to complete - the fastest logon we > can get using LDAP credentials is 8 seconds. During our testing, even > logons to the IPA server itself took over 30 seconds to complete. > > I've narrowed this down to sssd, but that is as far as I can get. When > cranking up debugging for sshd and PAM, I see a minimum 2 second delay > between ssh handing off the authentication request to sssd and the reply > back. The only troubleshooting I've done is with ssh, but the area that > causes the most grief is Apache logins. We configured Apache to use PAM for > auth through IPA, vice directly calling IPA itself. Logging in to our > Redmine site takes users a minimum of 34 seconds to complete. Following > this, a simple webpage containing two hyperlinks and two small thumbnail > images takes over a minute to load on a gigabit network. 
> > The *only* thing changed in this environment was the IPA server. We moved > the Redmine from our old network that was using IPA 3.x (F20 branch) to the > new one. My initial reaction was that it was the VM that was hosting > Redmine, but we've run these tests against bare metal machines in the same > network and have the same issue. It appears that sssd is taking a very, > very long time to talk to FreeIPA - even on the IPA server itself. > > However, Kerberos logins into the IPA web GUI are near instantaneous, > while Username/Password logins take more than a few seconds. > > I need to get this solved. My developers don't appreciate the glory days > of XP taking 5 minutes to log into an IIS 2.1 web server on the local > network. I don't have the budget to keep them at the coffee pot waiting on > the network. So, what further information do you need from me to track this > one down? > > Dan > > -- > Dan Mossor > Systems Engineer at Large > Fedora KDE WG | Fedora QA Team | Fedora Server SIG > Fedora Infrastructure Apprentice > FAS: dmossor IRC: danofsatx > San Antonio, Texas, USA > > From lists at fahrendorf.de Sun Apr 5 09:51:47 2015 From: lists at fahrendorf.de (Martin (Lists)) Date: Sun, 05 Apr 2015 11:51:47 +0200 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) In-Reply-To: <5520B5BB.4000307@fedoraproject.org> References: <5520B5BB.4000307@fedoraproject.org> Message-ID: <552105B3.7010609@fahrendorf.de> On 05.04.2015 at 06:10, Dan Mossor wrote: > I've recently deployed a new domain based on 4.1.2 in F21. We've noticed > an issue and can't quite seem to nail it down.
The problem is that > logins are taking an inordinate amount of time to complete - the fastest > logon we can get using LDAP credentials is 8 seconds. During our > testing, even logons to the IPA server itself took over 30 seconds to > complete. > > I've narrowed this down to sssd, but that is as far as I can get. When > cranking up debugging for sshd and PAM, I see a minimum 2 second delay > between ssh handing off the authentication request to sssd and the reply > back. The only troubleshooting I've done is with ssh, but the area that > causes the most grief is Apache logins. We configured Apache to use PAM > for auth through IPA, vice directly calling IPA itself. Logging in to > our Redmine site takes users a minimum of 34 seconds to complete. > Following this, a simple webpage containing two hyperlinks and two small > thumbnail images takes over a minute to load on a gigabit network. > > The *only* thing changed in this environment was the IPA server. We > moved the Redmine from our old network that was using IPA 3.x (F20 > branch) to the new one. My initial reaction was that it was the VM that > was hosting Redmine, but we've run these tests against bare metal > machines in the same network and have the same issue. It appears that > sssd is taking a very, very long time to talk to FreeIPA - even on the > IPA server itself. > > However, Kerberos logins into the IPA web GUI are near instantaneous, > while Username/Password logins take more than a few seconds. > > I need to get this solved. My developers don't appreciate the glory days > of XP taking 5 minutes to log into an IIS 2.1 web server on the local > network. I don't have the budget to keep them at the coffee pot waiting > on the network. So, what further information do you need from me to > track this one down? > > Dan > Hello, I have a similar issue. On login (graphical systems and ssh) and on the screen saver I have a delay of about 2 seconds to 10 seconds.
According to my logfile I have the following timeline at login:
0 pam_unix (auth)
3 pam_sss (auth)
3 pam_kwallet (sddm:auth)
4 pam_kwallet (sddm:setcred)
5 pam_unix (session)
The first column is the number of seconds after the first action. On my old server I had a pure kerberos (handmade) system, which reacted almost instantly. Regards Martin From simo at redhat.com Sun Apr 5 15:55:21 2015 From: simo at redhat.com (Simo Sorce) Date: Sun, 05 Apr 2015 11:55:21 -0400 Subject: [Freeipa-users] On Load Balancers and Kerberos Message-ID: <1428249321.19641.89.camel@willson.usersys.redhat.com> I wrote a blog post to clarify a little bit how load balancers and Kerberos interact: https://ssimo.org/blog/id_019.html HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York From janellenicole80 at gmail.com Sun Apr 5 16:51:06 2015 From: janellenicole80 at gmail.com (Janelle) Date: Sun, 05 Apr 2015 09:51:06 -0700 Subject: [Freeipa-users] multihome - single interface? Message-ID: <552167FA.4040400@gmail.com> Hello, Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way? Thank you ~J From dpal at redhat.com Sun Apr 5 17:51:38 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 05 Apr 2015 13:51:38 -0400 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) In-Reply-To: <5520B5BB.4000307@fedoraproject.org> References: <5520B5BB.4000307@fedoraproject.org> Message-ID: <5521762A.7040600@redhat.com> On 04/05/2015 12:10 AM, Dan Mossor wrote: > I've recently deployed a new domain based on 4.1.2 in F21. We've > noticed an issue and can't quite seem to nail it down. The problem is > that logins are taking an inordinate amount of time to complete - the > fastest logon we can get using LDAP credentials is 8 seconds. During > our testing, even logons to the IPA server itself took over 30 seconds > to complete.
> > I've narrowed this down to sssd, but that is as far as I can get. When > cranking up debugging for sshd and PAM, I see a minimum 2 second delay > between ssh handing off the authentication request to sssd and the > reply back. The only troubleshooting I've done is with ssh, but the > area that causes the most grief is Apache logins. We configured Apache > to use PAM for auth through IPA, vice directly calling IPA itself. > Logging in to our Redmine site takes users a minimum of 34 seconds to > complete. Following this, a simple webpage containing two hyperlinks > and two small thumbnail images takes over a minute to load on a > gigabit network. > > The *only* thing changed in this environment was the IPA server. We > moved the Redmine from our old network that was using IPA 3.x (F20 > branch) to the new one. My initial reaction was that it was the VM > that was hosting Redmine, but we've run these tests against bare metal > machines in the same network and have the same issue. It appears that > sssd is taking a very, very long time to talk to FreeIPA - even on the > IPA server itself. > > However, Kerberos logins into the IPA web GUI are near instantaneous, > while Username/Password logins take more than a few seconds. > > I need to get this solved. My developers don't appreciate the glory > days of XP taking 5 minutes to log into an IIS 2.1 web server on the > local network. I don't have the budget to keep them at the coffee pot > waiting on the network. So, what further information do you need from > me to track this one down? > > Dan > Several tips. Please check your DNS configuration. Such delay is usually caused by the DNS lookups timing out. That means that the servers are probably trying to resolve names against an old DNS server that is not around. Look at resolv.conf and make sure only valid DNS servers are there and they are in the proper order.
If this does not help please turn on SSSD debug_level to 10, sanitize and send the SSSD domain logs and sssd.conf to the list. More hints can be found here: https://fedorahosted.org/sssd/wiki/Troubleshooting -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From dpal at redhat.com Sun Apr 5 18:02:23 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 05 Apr 2015 14:02:23 -0400 Subject: [Freeipa-users] On Load Balancers and Kerberos In-Reply-To: <1428249321.19641.89.camel@willson.usersys.redhat.com> References: <1428249321.19641.89.camel@willson.usersys.redhat.com> Message-ID: <552178AF.9010500@redhat.com> On 04/05/2015 11:55 AM, Simo Sorce wrote: > I wrote a blog post to clarify a little bit how load balancers and > Kerberos interact: https://ssimo.org/blog/id_019.html > > HTH, > Simo. > Nice article! Thanks for clarifying it. However the proxy case has also another option that is not mentioned. Proxy can terminate the connection but can use s4u2proxy to connect to real servers. Of course this would mean that LB can impersonate anyone (which is definitely not good) but most of the solutions in the list except for aliasing have significant security implications so it might make sense to mention this one too. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From dpal at redhat.com Sun Apr 5 18:03:37 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sun, 05 Apr 2015 14:03:37 -0400 Subject: [Freeipa-users] multihome - single interface? In-Reply-To: <552167FA.4040400@gmail.com> References: <552167FA.4040400@gmail.com> Message-ID: <552178F9.7000403@redhat.com> On 04/05/2015 12:51 PM, Janelle wrote: > Hello, > > Trying to find a way on a multi-homed server to force IPA and its > related apps to listen on a specific interface. I can find all kinds > of info saying "the services listen on all interfaces by default" so > there must be a way? > > Thank you > ~J > Sounds familiar. I think there is a ticket open for that.
-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From prashant at apigee.com Mon Apr 6 14:38:46 2015 From: prashant at apigee.com (Prashant Bapat) Date: Mon, 6 Apr 2015 20:08:46 +0530 Subject: [Freeipa-users] Replication issues Message-ID: Hi, Seems like there is an issue with replication that I have encountered. I'm using a custom attribute and a slapi-plugin. Below is the attribute added. dn: cn=schema changetype: modify add: attributeTypes attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'APIGEE FREEIPA EXTENSION' ) - add: objectclasses objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'APIGEE FREEIPA EXTENSION' MAY ipaSshSigTimestamp ) This is the only change. Problem: I'm using a python script calling the user_add and user_mod to add user and then add ssh key to the user. After this the custom attr (ipaSshSigTimestamp) is getting replicated to the other master but the standard ipaSshPubKey is not. This had happened once before in the exact same setup. I removed the second master and re-installed it and it was working. But same problem again. Any pointers appreciated. Regards. --Prashant -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Mon Apr 6 14:50:36 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 06 Apr 2015 09:50:36 -0500 Subject: [Freeipa-users] ipa-server setup with external CA fails In-Reply-To: <5500F227.3060601@redhat.com> References: <5500F227.3060601@redhat.com> Message-ID: <55229D3C.2050906@redhat.com> On 3/11/2015 8:55 PM, Endi Sukma Dewata wrote: > On 3/11/2015 10:13 PM, Gould, Joshua wrote: >> The selftests.log contradicts itself and I?m not really sure where to >> look >> next. Any ideas? 
> > There's an existing ticket about the confusing selftest messages: > https://fedorahosted.org/pki/ticket/1249 > > Could you post the full CA debug log (i.e. > /var/log/pki/pki-tomcat/ca/debug)? The error might have happened much > earlier. Thanks. > Hi, if this is still a problem please let us know. -- Endi S. Dewata From tbordaz at redhat.com Mon Apr 6 17:55:42 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 06 Apr 2015 19:55:42 +0200 Subject: [Freeipa-users] Replication issues In-Reply-To: References: Message-ID: <5522C89E.40903@redhat.com> Hello Prashant, If you are able to reproduce the problem (ipasshpubkey not replicated), would you enable replication and plugin logging (http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting) and provide the access/errors logs ? thanks thierry On 04/06/2015 04:38 PM, Prashant Bapat wrote: > Hi, > > Seems like there is an issue with replication that I have encountered. > > I'm using a custom attribute and a slapi-plugin. Below is the > attribute added. > > > dn: cn=schema > changetype: modify > add: attributeTypes > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME > 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' > EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 > X-ORIGIN 'APIGEE FREEIPA EXTENSION' ) > - > add: objectclasses > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' > SUP top AUXILIARY DESC 'APIGEE FREEIPA EXTENSION' MAY ipaSshSigTimestamp ) > > This is the only change. > > Problem: I'm using a python script calling the user_add and user_mod > to add user and then add ssh key to the user. After this the custom > attr (ipaSshSigTimestamp) is getting replicated to the other master > but the standard ipaSshPubKey is not. > > This had happened once before in the exact same setup. I removed the > second master and re-installed it and it was working. But same problem > again. > > Any pointers appreciated. > > Regards. 
> --Prashant > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mexigabacho at gmail.com Mon Apr 6 19:09:58 2015 From: mexigabacho at gmail.com (Christopher Young) Date: Mon, 6 Apr 2015 15:09:58 -0400 Subject: [Freeipa-users] Slave DNS on FreeIPA replica Message-ID: I have - what I believe to be - a couple of basic questions (I apologize in advance if these are answered elsewhere, though I've tried to do some searching ahead of time.): I recently added an IPA replica to an existing IPA server and noticed that everything appeared to succeed in the setup. One observation is that DNS (bind) was not set up on this new host. I was wondering if this is normal behavior, and if so, is there a set of instructions needed to add/create additional DNS servers for use with FreeIPA? Ideally, I would like to have DNS running on all IPA hosts. Additionally, I plan on adding a pair of caching/slave DNS servers running standing BIND on remote networks and was wondering what the procedure would be to slave those zones onto those. Would that be the same as allowing the transfer from those IPs and treating them just like any other BIND slave for the appropriate zones? I appreciate the clarifications and all the effort that goes into this! Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Apr 6 19:15:48 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 06 Apr 2015 15:15:48 -0400 Subject: [Freeipa-users] Slave DNS on FreeIPA replica In-Reply-To: References: Message-ID: <5522DB64.3050404@redhat.com> Christopher Young wrote: > I have - what I believe to be - a couple of basic questions (I apologize > in advance if these are answered elsewhere, though I've tried to do some > searching ahead of time.): > > I recently added an IPA replica to an existing IPA server and noticed > that everything appeared to succeed in the setup. 
One observation is > that DNS (bind) was not set up on this new host. I was wondering if > this is normal behavior, and if so, is there a set of instructions > needed to add/create additional DNS servers for use with FreeIPA? > > Ideally, I would like to have DNS running on all IPA hosts. > Additionally, I plan on adding a pair of caching/slave DNS servers > running standing BIND on remote networks and was wondering what the > procedure would be to slave those zones onto those. Would that be the > same as allowing the transfer from those IPs and treating them just like > any other BIND slave for the appropriate zones? > > I appreciate the clarifications and all the effort that goes into this!
DNS and a CA are optional components in a replica. You can add them using ipa-dns-install and ipa-ca-install respectively.
To install bind during the replica install process add the option --setup-dns.
rob

From luiz.vianna at tivit.com.br Mon Apr 6 19:16:39 2015
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Mon, 6 Apr 2015 19:16:39 +0000
Subject: [Freeipa-users] RES: RES: FreeIPA integration with AIX and sudo
References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246> <551C24A6.9010605@degauquier.net> <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246> <551D42A1.3080303@redhat.com>
Message-ID: <1B1DB5490C5E3A408CA3086D02CD34FA040E2C6B@rctr246>

Hello Dmitri.
I finally managed to write the wiki article on configuring sudo on AIX!
Here is the URL: http://www.freeipa.org/page/SUDO_Integration_for_AIX
I also added a reference to it on the http://www.freeipa.org/page/HowTos#General page as well as a topic on the http://www.freeipa.org/page/ConfiguringUnixClients page pointing to the article.
I hope its format is up to code with FreeIPA's formatting standards and that the language used is clear.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva
ITM-I - Operação Cielo
+55 (11) 3626-7126
luiz.vianna at tivit.com.br
T I V I T
Av. Maria Coelho Aguiar, 215 - Bloco D - 5º Andar
São Paulo - SP - CEP 05804-900
www.tivit.com.br
This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received it by mistake, please return it to the addressee and delete it from your files. Any unauthorized use, replication or dissemination of this message or part of it is expressly prohibited. TIVIT is not responsible for the content or the accuracy of this information.

From: Luiz Fernando Vianna da Silva
Sent: Thursday, 2 April 2015 14:41
To: 'dpal at redhat.com'; freeipa-users at redhat.com
Subject: RES: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

Hi Dmitri.
Working on it right now. :)
Best Regards, Luiz Fernando Vianna da Silva

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 2 April 2015 10:23
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] RES: FreeIPA integration with AIX and sudo

On 04/01/2015 01:58 PM, Luiz Fernando Vianna da Silva wrote:
Hi Yves.
First a little background information regarding sudo on AIX: Most sudo packages compiled for AIX are _NOT_ compiled with LDAP support. Although sudo's documentation states that sudo supports different LDAP implementations, other than OpenLDAP, I suppose it doesn't work well with AIX's LDAP fileset. That's my guess why most sudo packages for AIX aren't compiled with LDAP support. [BTW, you can check this by running, as root, sudo -V | grep -i ldap].
The good news is that Michel Perzl has successfully compiled a sudo package with LDAP support, although it's compiled against OpenLDAP and not AIX's LDAP fileset.
So, here is how I did it:
(1) Go to http://www.perzl.org/aix/ and download the following RPM packages on their latest versions:
    sudo >= 1.8.11
    gettext >= 0.10.40
    openldap >= 2.4.23
    openssl >= 1.0.1j-1
    zlib
Make sure you don't have the sudo fileset installed or another sudo rpm package. Don't worry about openssl from this RPM package conflicting with the OpenSSL fileset from AIX, they won't. Don't worry about openldap from this RPM package conflicting with the ldap fileset from AIX, they won't.
(2) Upload the rpm packages to your AIX LPAR and put them all in a directory, I used /tmp/sudopack. [From here on I assume you are root on your LPAR].
(3) From the directory where you put your packages run a "rpm -ivh *.rpm --test" and if all goes well proceed without the "--test", otherwise sort out the dependencies and conflicts like the grown man you are :).
(4) Once the rpms are installed, add the following line to the bottom of your /etc/netsvc.conf file:
    sudoers = files, ldap
I know this is not expected syntax according to IBM's netsvc.conf documentation, but sudo requires it to work with ldap. According to sudo's documentation it uses that line on netsvc.conf to emulate what sudo would expect to find on /etc/nsswitch.conf on a Linux machine [hack much?].
(5) Create a file called /etc/ldap.conf. This has nothing to do with the /etc/security/ldap/ldap.cfg file you use to configure AIX's LDAP, this is OpenLDAP's config only used by sudo. Don't worry, this won't conflict with AIX's LDAP functionality. Add this to your /etc/ldap.conf:
    tls_cacert /etc/ipa/ca.crt
    uri ldap://youripaserver.domain.com
    binddn uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=com
    bindpw yourclientpassword
    sudoers_base ou=sudoers,dc=domain,dc=com
(6) Create a directory called /etc/ipa and download your ca certificate file and place it there. Make sure to permission the directory 755 and the ca.crt file 644.
(7) And that's pretty much it, no need to edit a single line on /etc/sudoers. The /etc/sudoers file I have on my LPARs is the one that comes with the rpm, unchanged.
Log into your LPAR with a domain user and try running "sudo -l", it should output the sudo rules you set on the IPA server.
I hope this helps you and other AIX client users out there.

Would you mind creating a howto page on the IPA wiki?

Best Regards, Luiz Fernando Vianna da Silva

From: Yves Degauquier [mailto:yves at degauquier.net]
Sent: Wednesday, 1 April 2015 14:03
To: Luiz Fernando Vianna da Silva
Subject: Re: [Freeipa-users] FreeIPA integration with AIX and sudo

Hi Luiz,
I was not able to make it running, I was a bit lost with the LDAP, PAM, LAM configuration, and didn't find any idea with Google...
If you can share the solution or point me to some important point to do, I will be happy.
Thanks in advance,
Best regards,
Yves

On 01/04/15 18:57, Luiz Fernando Vianna da Silva wrote:
Hello Yves.
I was browsing the mailing list archives and found your email from December 2013 (https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
I have successfully found a way to have sudo on AIX work with the sudo rules on IPA, just like Linux clients.
Give me a reply if you haven't figured out a way to make this work and I'll send you the solution I came up with.
Best Regards, Luiz Fernando Vianna da Silva

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
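Added here as an example, not code from Luiz's post or the wiki page: a read-only POSIX sh checker for steps (4) to (6) of the procedure above, so the result can be verified on the LPAR before testing "sudo -l". Paths default to the ones in the post; the extra check that /etc/ldap.conf is not world-readable, because it stores the bindpw of the sudo system account, is my addition and not something the post asks for.

```shell
#!/bin/sh
# Added example, not part of the list post or the wiki page: read-only checks
# for the sudo-with-LDAP setup on AIX described above. Paths default to the
# ones used in the post and can be overridden by passing a different path.

# Step (4): sudo reads "sudoers = files, ldap" from /etc/netsvc.conf on AIX.
check_netsvc() {
    grep -q '^[[:space:]]*sudoers[[:space:]]*=[[:space:]]*files,[[:space:]]*ldap[[:space:]]*$' \
        "${1:-/etc/netsvc.conf}"
}

# Step (5): every key from the post's /etc/ldap.conf must be present.
check_ldap_conf() {
    f="${1:-/etc/ldap.conf}"
    rc=0
    for key in tls_cacert uri binddn bindpw sudoers_base; do
        if ! grep -qi "^[[:space:]]*$key[[:space:]]" "$f"; then
            echo "$f: missing key $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Permission bits of a path as the nine characters after the type field,
# e.g. rwxr-xr-x. Parsed from ls -ld because GNU "stat -c" is not on AIX.
perm_of() {
    ls -ld "$1" | cut -c2-10
}

# Step (6): /etc/ipa must be 755 and /etc/ipa/ca.crt 644.
check_ca_perms() {
    dir="${1:-/etc/ipa}"
    [ "$(perm_of "$dir")" = "rwxr-xr-x" ] || { echo "$dir is not 755" >&2; return 1; }
    [ "$(perm_of "$dir/ca.crt")" = "rw-r--r--" ] || { echo "$dir/ca.crt is not 644" >&2; return 1; }
}

# Not in the post (my addition): ldap.conf carries the bindpw of the sudo
# system account, so it should not be readable by "other".
check_bindpw_private() {
    f="${1:-/etc/ldap.conf}"
    grep -qi '^[[:space:]]*bindpw[[:space:]]' "$f" || return 0   # no password stored
    case "$(perm_of "$f")" in
        ??????r??) echo "$f holds bindpw but is world-readable" >&2; return 1 ;;
    esac
    return 0
}

# Background check from the post: "sudo -V | grep -i ldap" shows whether the
# installed sudo was built with LDAP support at all.
sudo_has_ldap() {
    sudo -V 2>/dev/null | grep -qi ldap
}

# Run every check against the live system; exit status 0 only if all pass.
run_all() {
    status=0
    sudo_has_ldap        || { echo "sudo is not built with LDAP support" >&2; status=1; }
    check_netsvc         || status=1
    check_ldap_conf      || status=1
    check_bindpw_private || status=1
    check_ca_perms       || status=1
    return $status
}

# Invoke as: sh sudo_ldap_check.sh --check   (on the LPAR, as root)
case "${1:-}" in
    --check) run_all ;;
esac
```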
From dpal at redhat.com Mon Apr 6 21:51:35 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 06 Apr 2015 17:51:35 -0400
Subject: [Freeipa-users] RES: RES: FreeIPA integration with AIX and sudo
In-Reply-To: <1B1DB5490C5E3A408CA3086D02CD34FA040E2C6B@rctr246>
References: <1B1DB5490C5E3A408CA3086D02CD34FA040CD658@rctr246> <551C24A6.9010605@degauquier.net> <1B1DB5490C5E3A408CA3086D02CD34FA040CDB9E@rctr246> <551D42A1.3080303@redhat.com> <1B1DB5490C5E3A408CA3086D02CD34FA040E2C6B@rctr246>
Message-ID: <5522FFE7.6000604@redhat.com>

On 04/06/2015 03:16 PM, Luiz Fernando Vianna da Silva wrote:
>
> Hello Dmitri.
>
> I finally managed to write the wiki article on configuring sudo on AIX!
>
> Here is the URL: http://www.freeipa.org/page/SUDO_Integration_for_AIX
>
> I also added a reference to it on the
> http://www.freeipa.org/page/HowTos#General page as well as a topic on
> the http://www.freeipa.org/page/ConfiguringUnixClients page pointing
> to the article.
>
> I hope its format is up to code with FreeIPA's formatting standards
> and that the language used is clear.
>
Very nice! Thanks a lot! Looks great!

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From mexigabacho at gmail.com Mon Apr 6 23:02:07 2015
From: mexigabacho at gmail.com (Christopher Young)
Date: Mon, 6 Apr 2015 19:02:07 -0400
Subject: [Freeipa-users] Slave DNS on FreeIPA replica
In-Reply-To: <5522DB64.3050404@redhat.com>
References: <5522DB64.3050404@redhat.com>
Message-ID:

I clearly missed that. Thanks for the clarification.
As far as adding additional DNS servers merely to slave the zones, is that more or less the same as configuring any other bind slave?

On Mon, Apr 6, 2015 at 3:15 PM, Rob Crittenden wrote:
> DNS and a CA are optional components in a replica. You can add them
> using ipa-dns-install and ipa-ca-install respectively.
>
> To install bind during the replica install process add the option
> --setup-dns.
>
> rob

From jbaird at follett.com Mon Apr 6 23:26:31 2015
From: jbaird at follett.com (Baird, Josh)
Date: Mon, 6 Apr 2015 23:26:31 +0000
Subject: [Freeipa-users] Slave DNS on FreeIPA replica
In-Reply-To:
References: <5522DB64.3050404@redhat.com>
Message-ID:

Yes, but you need to allow zone transfers to your non-IPA servers:
$ ipa dnszone-mod --allow-transfer="1.2.3.4" domain.com
(where 1.2.3.4 is the IP of your new slave and domain.com is the zone name you want to transfer)
Josh

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christopher Young
Sent: Monday, April 06, 2015 7:02 PM
To: Rob Crittenden
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Slave DNS on FreeIPA replica

I clearly missed that. Thanks for the clarification.
As far as adding additional DNS servers merely to slave the zones, is that more or less the same as configuring any other bind slave?

From danofsatx at gmail.com Tue Apr 7 01:01:46 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Mon, 06 Apr 2015 20:01:46 -0500
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <5521762A.7040600@redhat.com>
References: <5520B5BB.4000307@fedoraproject.org> <5521762A.7040600@redhat.com>
Message-ID: <55232C7A.8050805@fedoraproject.org>

On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> On 04/05/2015 12:10 AM, Dan Mossor wrote:
>> I've recently deployed a new domain based on 4.1.2 in F21. We've
>> noticed an issue and can't quite seem to nail it down. The problem is
>> that logins are taking an inordinate amount of time to complete - the
>> fastest logon we can get using LDAP credentials is 8 seconds. During
>> our testing, even logons to the IPA server itself took over 30 seconds
>> to complete.
>>
> Several tips.
> Please check your DNS configuration.
> Such delay is usually caused by the DNS lookups timing out. That means
> that the servers are probably trying to resolve names against an old DNS
> server that is not around. Look at resolv.conf and make sure only valid
> DNS servers are there and they are in the proper order.
>
> If this does not help please turn on SSSD debug_level to 10, sanitize
> and send the SSSD domain logs and sssd.conf to the list.
> More hints can be found here:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
>
DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and reverse lookups on the IPA server, the target server, and the client. The only DNS server configured is the IPA server.

I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I didn't have time to compare if any different information was caught. If you still need me to specify log level 10 or some other setting, let me know.

The login that these logs are for took 15.371 seconds (checked via 'time ssh danofsatx at yoda.example.lcl exit').
selinux_child.log: http://fpaste.org/207805/
sssd_sudo.log: http://fpaste.org/207806/
sssd_pac.log: http://fpaste.org/207807/
sssd_pam.log: http://fpaste.org/207808/67775142/
sssd_nss.log: http://fpaste.org/207809/
sssd.log: http://fpaste.org/207810/
sssd_example.lcl.log: http://fpaste.org/207811/36832514/

-- Dan Mossor Systems Engineer at Large Fedora KDE WG | Fedora QA Team | Fedora Server SIG Fedora Infrastructure Apprentice FAS: dmossor IRC: danofsatx San Antonio, Texas, USA

From coy.hile at coyhile.com Tue Apr 7 01:16:03 2015
From: coy.hile at coyhile.com (Coy Hile)
Date: Mon, 6 Apr 2015 21:16:03 -0400
Subject: [Freeipa-users] Creating arbitrary users?
Message-ID: <9B54F3DB-49DE-40D7-9BE7-237363DCA971@coyhile.com>

In MIT land, one can potentially have multiple instances tied (by convention) to a given user (that is, that administratively one knows are the same set of eyeballs). For example, I might have my normal user (hile), and I might have another distinct MIT principal hile/admin used when I'm doing administrative work in the kerb database, or potentially yet another hile/vpn for remote access. Only the first of these is a "real" user that needs to have a uid, gid, home directory, and shell; the others are just Kerberos principals that might have differing password policies applied to them.
In FreeIPA, it appears all kerberos principals are tied to a user (or to a host in the case of host/ or another service definition). Is it possible to define a non-posix user? There is no good reason for hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never log in directly using that principal.

-- Coy Hile coy.hile at coyhile.com

From pspacek at redhat.com Tue Apr 7 07:44:23 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 07 Apr 2015 09:44:23 +0200
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <552178F9.7000403@redhat.com>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com>
Message-ID: <55238AD7.4040304@redhat.com>

On 5.4.2015 20:03, Dmitri Pal wrote:
> On 04/05/2015 12:51 PM, Janelle wrote:
>> Hello,
>>
>> Trying to find a way on a multi-homed server to force IPA and its related
>> apps to listen on a specific interface. I can find all kinds of info saying
>> "the services listen on all interfaces by default" so there must be a way?

It is not automated but you can reconfigure every single service on FreeIPA server manually. Please follow documentation for particular services (Apache, BIND, etc.).

--
Petr^2 Spacek

From jhrozek at redhat.com Tue Apr 7 08:05:23 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 10:05:23 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <55232C7A.8050805@fedoraproject.org>
References: <5520B5BB.4000307@fedoraproject.org> <5521762A.7040600@redhat.com> <55232C7A.8050805@fedoraproject.org>
Message-ID: <20150407080523.GC26979@hendrix.arn.redhat.com>

On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >On 04/05/2015 12:10 AM, Dan Mossor wrote:
> >>I've recently deployed a new domain based on 4.1.2 in F21. We've
> >>noticed an issue and can't quite seem to nail it down. The problem is
> >>that logins are taking an inordinate amount of time to complete - the
> >>fastest logon we can get using LDAP credentials is 8 seconds. During
> >>our testing, even logons to the IPA server itself took over 30 seconds
> >>to complete.
> >>
> >>I've narrowed this down to sssd, but that is as far as I can get. When
> >>cranking up debugging for sshd and PAM, I see a minimum 2 second delay
> >>between ssh handing off the authentication request to sssd and the
> >>reply back. The only troubleshooting I've done is with ssh, but the
> >>area that causes the most grief is Apache logins.
We configured Apache
> >>to use PAM for auth through IPA, vice directly calling IPA itself.
> >>Logging in to our Redmine site takes users a minimum of 34 seconds to
> >>complete. Following this, a simple webpage containing two hyperlinks
> >>and two small thumbnail images takes over a minute to load on a
> >>gigabit network.
> >>
> >>The *only* thing changed in this environment was the IPA server. We
> >>moved the Redmine from our old network that was using IPA 3.x (F20
> >>branch) to the new one. My initial reaction was that it was the VM
> >>that was hosting Redmine, but we've run these tests against bare metal
> >>machines in the same network and have the same issue. It appears that
> >>sssd is taking a very, very long time to talk to FreeIPA - even on the
> >>IPA server itself.
> >>
> >>However, Kerberos logins into the IPA web GUI are near instantaneous,
> >>while Username/Password logins take more than a few seconds.
> >>
> >>I need to get this solved. My developers don't appreciate the glory
> >>days of XP taking 5 minutes to log into an IIS 2.1 web server on the
> >>local network. I don't have the budget to keep them at the coffee pot
> >>waiting on the network. So, what further information do you need from
> >>me to track this one down?
> >>
> >>Dan
> >>
> >Several tips.
> >Please check your DNS configuration.
> >Such delay is usually caused by the DNS lookups timing out. That means
> >that the servers are probably trying to resolve names against an old DNS
> >server that is not around. Look at resolv.conf and make sure only valid
> >DNS servers are there and they are in the proper order.
> >
> >If this does not help please turn on SSSD debug_level to 10, sanitize
> >and send the SSSD domain logs and sssd.conf to the list.
> >More hints can be found here:
> >https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
> reverse lookups on the IPA server, the target server, and the client.
The
> only DNS server configured is the IPA server.
>
> I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
> didn't have time to compare if any different information was caught. If you
> still need me to specify log level 10 or some other setting, let me know.
> The login that these logs are for took 15.371 seconds (checked via 'time ssh
> danofsatx at yoda.example.lcl exit')
>
> selinux_child.log: http://fpaste.org/207805/
> sssd_sudo.log: http://fpaste.org/207806/
> sssd_pac.log: http://fpaste.org/207807/
> sssd_pam.log: http://fpaste.org/207808/67775142/
> sssd_nss.log: http://fpaste.org/207809/
> sssd.log: http://fpaste.org/207810/
> sssd_example.lcl.log: http://fpaste.org/207811/36832514/

We've recently found a performance problem in the SELinux code. Can you check if setting:

selinux_provider = none

improves the performance anyhow?

From wdh at dds.nl Tue Apr 7 08:05:54 2015
From: wdh at dds.nl (Winfried de Heiden)
Date: Tue, 07 Apr 2015 10:05:54 +0200
Subject: [Freeipa-users] freeipa-server on Raspberry Pi 2
In-Reply-To: <551D2A2D.1020901@redhat.com>
References: <551D1F8E.2080707@dds.nl> <551D2A2D.1020901@redhat.com>
Message-ID: <55238FE2.9030902@dds.nl>

An HTML attachment was scrubbed...

From abokovoy at redhat.com Tue Apr 7 08:44:39 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Apr 2015 11:44:39 +0300
Subject: [Freeipa-users] Question on freeipa-server-trust-ad
In-Reply-To:
References:
Message-ID: <20150407084439.GD4899@redhat.com>

On Sat, 04 Apr 2015, Coy Hile wrote:
>Hi all,
>
>What purpose does this package serve? The way I've done Kerberos
>between Active Directory and AD, the trust was always one way
>(outgoing): the MIT realm is authoritative and AD "shadow accounts"
>were mapped to "real" principals via the alternateSecurityID attribute.
>Looking at what freeipa-server-trust-ad installs, it appears the
>dependencies installed are around letting someone a bidirectional trust
>(or at least let the AD users be authoritative). If one wants to setup
>his trust in the way I described, all he really needs to do in MIT land
>is create
>
>krbtgt/AD.REALM at MIT.REALM
>
>in the MIT Realm.
>
>Is there a "supported" way to do something similar with FreeIPA? Time
>to break out kadmin.local -x ipa-setup-override-restrictions? Or would
>that not drop the principal in the right place in the LDAP tree?

Let me answer this mail as Simo didn't answer a key part of it and I feel with a growing number of subscribers and people looking at the archives it might bring a lot of misunderstanding.

FreeIPA implements cross-forest trust to AD in terms of AD protocols. Part of it is Kerberos cross-realm trust, right, but not only that. In particular, the FreeIPA side uses Samba to implement the NetLogon, LSA, and SAMR interfaces required by AD to validate the trust. This causes AD DCs to think that the FreeIPA realm is a proper AD forest, not just an 'external Kerberos realm'. As a result, a proper set of trusted domain objects is created in AD and can be used by FreeIPA to perform lookups of AD users and groups, and proper information about the internal FreeIPA realm structure is conveyed to AD DCs, including details of DNS ownership which are crucial to decide what KDCs are responsible for handling specific hosts and subdomains.

We are deliberately not supporting external Kerberos trust with Active Directory because we believe this has very little value in an enterprise environment without additional means to deliver such topology details and SID to name and name to SID translation for Kerberos principals on each Windows client.
Instead of focusing on manual maintenance of such mappings on the Windows side, which would have required us to spend time on implementing software for Windows with obvious limitations due to the need to rewrite half of the LSA stack on Windows to support all features we want (look at the pGINA story and how they failed with it), we chose to concentrate on improving Linux interoperability based on the protocols Microsoft has to support itself to make sure their own Windows clients would work.

Right now FreeIPA only supports looking up AD users and groups and is not able to provide a fully-compliant service so that AD DCs could look up FreeIPA users and groups. This results in Windows machines not being able to resolve SIDs of FreeIPA users and groups to human-friendly names and therefore an inability to assign permissions in Windows user interfaces in Security tabs to allow or deny certain access rights to resources on Windows machines. We are working on implementing the remaining components so that it will be possible to use FreeIPA users on the Windows side too. Even with those components we are not going to implement all features required to present ourselves as Active Directory, so no direct join of Windows machines to FreeIPA is planned. Instead, we are continuing to pursue an approach where FreeIPA is seen by AD as another AD forest and the trust relationship is used to provide access to resources in both forests.

Samba usage in FreeIPA, thus, is limited to being an 'NT4 member server', using the LDAP store of FreeIPA to keep users, groups, and trusted domains' accounts. Samba's Active Directory Domain Controller mode is not used, but we are working on making sure FreeIPA and Samba AD DC are capable of trusting each other as a cross-forest trust and, thus, Samba AD DC would be used to enroll Windows machines while Linux machines would be enrolled to FreeIPA.
We are at a stage where there is a hope to demonstrate a working solution during the SambaXP conference next month and have all the bits and pieces merged upstream in Samba.

A somewhat detailed overview of how FreeIPA trust to AD works is available in the design section of http://www.freeipa.org/page/V4/One-way_trust -- what is described as 'FreeIPA v3.0 and v3.3' is applicable to v4.1 too, we plan to complete the changes by v4.2.

--
/ Alexander Bokovoy

From mbasti at redhat.com Tue Apr 7 08:49:59 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 10:49:59 +0200
Subject: [Freeipa-users] Antwort: Re: Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)
In-Reply-To:
References: <551D5F56.4050007@redhat.com>
Message-ID: <55239A37.6040103@redhat.com>

Hello, comments inline
Martin

On 02/04/15 18:54, Christoph Kaminski wrote:
> see this in ipupgrade.log
>
> 2015-04-02T11:27:02Z ERROR Pre schema upgrade failed with [Errno 111]
> Connection refused
> 2015-04-02T11:27:02Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 128, in __pre_schema_upgrade
> ld = ldapupdate.LDAPUpdate(dm_password='', ldapi=True,
> live_run=self.live_run, plugins=True)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 220, in __init__
> self.create_connection()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 783, in create_connection
> dm_password=self.dm_password, pw_name=self.pw_name)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
> 1173, in wait_for_open_socket
> raise e
> error: [Errno 111] Connection refused

This is the issue. Do you have any errors in DS error log?
/var/log/dirsrv/slapd-INSTANCE/errors

>
> 2015-04-02T11:27:02Z DEBUG duration: 12 seconds
> 2015-04-02T11:27:02Z DEBUG [6/10]: updating schema
> 2015-04-02T11:27:12Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 382, in start_creation
> run_step(full_msg, method)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 372, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py",
> line 145, in __update_schema
> dm_password='', ldapi=True, live_run=self.live_run) or self.modified
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py",
> line 112, in update_schema
> fqdn=installutils.get_fqdn())
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 65, in connect
> conn.do_external_bind(pw_name)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1761, in do_external_bind
> self.conn.sasl_interactive_bind_s, timeout, None, auth_tokens)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1747, in __bind_with_wait
> self.__wait_for_connection(timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1733, in __wait_for_connection
> wait_for_open_socket(lurl.hostport, timeout)
> File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line
> 1173, in wait_for_open_socket
> raise e
> error: [Errno 111] Connection refused
>
> 2015-04-02T11:27:12Z DEBUG [error] error: [Errno 111] Connection refused
> 2015-04-02T11:27:12Z DEBUG [cleanup]: stopping directory server
>
> ...

Is this another upgrade? Or why is there this time gap?

>
> 2015-04-02T12:46:11Z DEBUG stderr=
> 2015-04-02T12:46:12Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171,
> in execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
> line 213, in run
> modified = ld.update(self.files, ordered=True) or modified
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py",
> line 874, in update
> updates = api.Backend.updateclient.update(POST_UPDATE,
> self.dm_password, self.ldapi, self.live_run)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 123, in update
> (restart, apply_now, res) = self.run(update.name, **kw)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py",
> line 146, in run
> return self.Updater[method](**kw)
> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line
> 1399, in __call__
> return self.execute(**options)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/upload_cacrt.py",
> line 76, in execute
> ldap.add_entry(entry)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1592, in add_entry
> self.conn.add_s(entry.dn, attrs.items())
> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> self.gen.throw(type, value, traceback)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line
> 1191, in error_handler
> raise errors.ObjectclassViolation(info=info)
>
> 2015-04-02T12:46:12Z DEBUG The ipa-ldap-updater command failed,
> exception: ObjectclassViolation: unknown object class "ipaKeyPolicy"
> 2015-04-02T12:46:12Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> ObjectclassViolation: unknown object class "ipaKeyPolicy"
>
> and:
> grep -i nsSchemaPolicy /etc/dirsrv/slapd-HSO/schema/01core389.ldif
>
> objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC
>
> 'Netscape defined objectclass' SUP top MAY ( cn $
> schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $
> schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN
> 'Netscape Directory Server' )
>
> grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif
> objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC
> 'Netscape defined objectclass' SUP top MAY ( cn $
> schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $
> schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN
> 'Netscape Directory Server' )

You have the objectclass there, so it should not be bz1180325. But send the errors from the DS log if there are any.

>
> Greetz
> Christoph Kaminski
>
>
>
>
> From: Martin Basti
> To: Christoph Kaminski ,
> freeipa-users at redhat.com
> Date: 02.04.2015 17:25
> Subject: Re: [Freeipa-users] Upgrade fail 3.3.3 (rhel7) to 4.1 (rhel7.1)
> ------------------------------------------------------------------------
>
>
>
> On 02/04/15 16:57, Christoph Kaminski wrote:
> Hi all!
>
> We have 6 IPA Servers here connected to each other. We want to upgrade
> all from RHEL 7 with IPA 3.3.3 to RHEL 7.1 with IPA 4.1.
>
> I have done it on one of the 6 servers and got a problem.
>
> After upgrade if I want to login to Web UI I get: "*IPA-Error 903:
> InternalError*" after typing the credentials...
> I have activated debug output of IPA and see this in
> /var/log/httpd/error_log:
>
> [Thu Apr 02 14:39:38.848474 2015] [:error] [pid 18020] ipa: ERROR:
> non-public: KeyError: 'idnsforwardzone'
> [Thu Apr 02 14:39:38.848536 2015] [:error] [pid 18020] Traceback (most
> recent call last):
> [Thu Apr 02 14:39:38.848600 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 348,
> in wsgi_execute
> [Thu Apr 02 14:39:38.848607 2015] [:error] [pid 18020] result =
> self.Command[name](*args, **options)
> [Thu Apr 02 14:39:38.848612 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in
> __call__
> [Thu Apr 02 14:39:38.848671 2015] [:error] [pid 18020] ret =
> self.run(*args, **options)
> [Thu Apr 02 14:39:38.848701 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
> [Thu Apr 02 14:39:38.848707 2015] [:error] [pid 18020] return
> self.execute(*args, **options)
> [Thu Apr 02 14:39:38.848776 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line
> 123, in execute
> [Thu Apr 02 14:39:38.848783 2015] [:error] [pid 18020] (o.name,
> json_serialize(o)) for o in self.api.Object()
> [Thu Apr 02 14:39:38.848789 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line
> 123, in
> [Thu Apr 02 14:39:38.848794 2015] [:error] [pid 18020] (o.name,
> json_serialize(o)) for o in self.api.Object()
> [Thu Apr 02 14:39:38.848799 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/util.py", line 60, in
> json_serialize
> [Thu Apr 02 14:39:38.848804 2015] [:error] [pid 18020] return
> json_serialize(obj.__json__())
> [Thu Apr 02 14:39:38.848809 2015] [:error] [pid 18020] File
> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line
> 710, in __json__
> [Thu Apr 02 14:39:38.848814 2015] [:error] [pid 18020] attrs =
>
self.api.Backend.ldap2.schema.attribute_types(objectclasses)
> [Thu Apr 02 14:39:38.848820 2015] [:error] [pid 18020] File
> "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line
> 377, in attribute_types
> [Thu Apr 02 14:39:38.848825 2015] [:error] [pid 18020] object_class =
> self.sed[ObjectClass][object_class_oid]
> [Thu Apr 02 14:39:38.848830 2015] [:error] [pid 18020] KeyError:
> 'idnsforwardzone'
>
> I have found this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=1180325
> It should be fixed in the last version?!
>
> I have read there I should start: setup-ds.pl -d --update
>
> But I'm afraid that it kills the data on the IPA Servers with version
> 3.3.3... does it?
>
> What can I do? How can I fix it?
>
> Greetz
> Christoph Kaminski
>
>
>
> Hello, was the ipa upgrade successful? Do you have any errors in
> /var/log/ipaupgrade.log?
>
> If you think it is the 1180325 issue you can check if nsSchemaPolicy is in
> 01core389.ldif:
> grep -i nsSchemaPolicy /etc/dirsrv/slapd-INSTANCE/schema/01core389.ldif
> grep -i nsSchemaPolicy /etc/dirsrv/schema/01core389.ldif
>
> Martin
>
> --
> Martin Basti
>
>

--
Martin Basti

From prashant at apigee.com Tue Apr 7 08:51:33 2015
From: prashant at apigee.com (Prashant Bapat)
Date: Tue, 7 Apr 2015 14:21:33 +0530
Subject: [Freeipa-users] Replication issues
In-Reply-To: <5522C89E.40903@redhat.com>
References: <5522C89E.40903@redhat.com>
Message-ID:

Hi Thierry,

Thanks for the reply.

Turned out that the slapi-plugin was not ignoring the replicated operations. Problem solved.

Regards.
--Prashant

On 6 April 2015 at 23:25, thierry bordaz wrote:
> Hello Prashant,
>
> If you are able to reproduce the problem (ipasshpubkey not replicated),
> would you enable replication and plugin logging (
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting)
> and provide the access/errors logs ?
>
> thanks
> thierry
>
> On 04/06/2015 04:38 PM, Prashant Bapat wrote:
>
> Hi,
>
> Seems like there is an issue with replication that I have encountered.
>
> I'm using a custom attribute and a slapi-plugin. Below is the attribute
> added.
>
>
> dn: cn=schema
> changetype: modify
> add: attributeTypes
> attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
> DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'APIGEE FREEIPA EXTENSION' )
> -
> add: objectclasses
> objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
> top AUXILIARY DESC 'APIGEE FREEIPA EXTENSION' MAY ipaSshSigTimestamp )
>
> This is the only change.
>
> Problem: I'm using a python script calling the user_add and user_mod to
> add user and then add ssh key to the user. After this the custom attr
> (ipaSshSigTimestamp) is getting replicated to the other master but the
> standard ipaSshPubKey is not.
>
> This had happened once before in the exact same setup. I removed the
> second master and re-installed it and it was working. But same problem
> again.
>
> Any pointers appreciated.
>
> Regards.
> --Prashant
>
>
>

From tbordaz at redhat.com Tue Apr 7 08:55:58 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 07 Apr 2015 10:55:58 +0200
Subject: [Freeipa-users] Replication issues
In-Reply-To:
References: <5522C89E.40903@redhat.com>
Message-ID: <55239B9E.9000300@redhat.com>

On 04/07/2015 10:51 AM, Prashant Bapat wrote:
> Hi Thierry,
>
> Thanks for the reply.
>
> Turned out that the slapi-plugin was not ignoring the replicated
> operations. Problem solved.

Great news!

regards
thierry

>
> Regards.
> --Prashant
>
> On 6 April 2015 at 23:25, thierry bordaz
> wrote:
>
> Hello Prashant,
>
> If you are able to reproduce the problem (ipasshpubkey not
> replicated), would you enable replication and plugin logging
> (http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting)
> and provide the access/errors logs ?
>
> thanks
> thierry
>
> On 04/06/2015 04:38 PM, Prashant Bapat wrote:
>> Hi,
>>
>> Seems like there is an issue with replication that I have
>> encountered.
>>
>> I'm using a custom attribute and a slapi-plugin. Below is the
>> attribute added.
>>
>>
>> dn: cn=schema
>> changetype: modify
>> add: attributeTypes
>> attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME
>> 'ipaSshSigTimestamp' DESC 'SSH public key signature and
>> timestamp' EQUALITY octetStringMatch SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'APIGEE FREEIPA EXTENSION' )
>> -
>> add: objectclasses
>> objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME
>> 'ApigeeUserAttr' SUP top AUXILIARY DESC 'APIGEE FREEIPA
>> EXTENSION' MAY ipaSshSigTimestamp )
>>
>> This is the only change.
>>
>> Problem: I'm using a python script calling the user_add and
>> user_mod to add user and then add ssh key to the user. After this
>> the custom attr (ipaSshSigTimestamp) is getting replicated to the
>> other master but the standard ipaSshPubKey is not.
>>
>> This had happened once before in the exact same setup. I removed
>> the second master and re-installed it and it was working. But
>> same problem again.
>>
>> Any pointers appreciated.
>>
>> Regards.
>> --Prashant
>>
>>
>
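The replication thread above was resolved inside the plugin, but the symptom (the custom attribute replicated while ipaSshPubKey did not) is worth being able to detect directly. The check below is an added example, not Prashant's script and not FreeIPA or 389-DS code: it compares per-master snapshots of the two attributes discussed in the thread and reports where they diverge. The snapshots, user names and key values are constructed here; in practice each snapshot would be built from an LDAP search against one master.

```python
"""Replication drift check for specific user attributes across IPA masters.

Added example, not code from the thread or from FreeIPA. It compares
per-master snapshots of user entries and reports attributes that are
present on one master but not the other, or whose value sets differ.
The snapshots below are constructed; in practice each would be built
from an LDAP search against one master.
"""
from typing import Dict, List, Sequence, Tuple

# uid -> {attribute name (any case) -> list of values}, one per master
Snapshot = Dict[str, Dict[str, List[str]]]
Finding = Tuple[str, str, str]  # (uid, attribute, description)

# The two attributes the thread is about: the custom one that replicated
# and the standard SSH key attribute that did not.
WATCHED_ATTRS: Sequence[str] = ("ipaSshPubKey", "ipaSshSigTimestamp")

# Constructed snapshot of master A, where the keys were added.
MASTER_A: Snapshot = {
    "alice": {
        "ipaSshPubKey": ["ssh-ed25519 AAAAC3_constructed_key_alice"],
        "ipaSshSigTimestamp": ["2015-04-06T11:08:00Z:sig-alice"],
    },
    "bob": {
        "ipaSshPubKey": ["ssh-rsa AAAAB3_constructed_key_bob_1",
                         "ssh-rsa AAAAB3_constructed_key_bob_2"],
        "ipaSshSigTimestamp": ["2015-04-06T11:09:00Z:sig-bob"],
    },
}

# Constructed snapshot of master B: it received alice's custom attribute
# but not her key. bob's entry differs only in attribute-name case and
# value order, which is not drift.
MASTER_B: Snapshot = {
    "alice": {
        "ipaSshSigTimestamp": ["2015-04-06T11:08:00Z:sig-alice"],
    },
    "bob": {
        "ipasshpubkey": ["ssh-rsa AAAAB3_constructed_key_bob_2",
                         "ssh-rsa AAAAB3_constructed_key_bob_1"],
        "ipasshsigtimestamp": ["2015-04-06T11:09:00Z:sig-bob"],
    },
}


def normalize(entry: Dict[str, List[str]]) -> Dict[str, frozenset]:
    """Lower-case attribute names and turn value lists into sets.

    LDAP attribute names are case-insensitive and a multi-valued attribute
    has no defined order, so two masters may return the same data in a
    different shape; comparing normalized forms avoids false positives.
    """
    return {name.lower(): frozenset(values) for name, values in entry.items()}


def diff_entry(uid: str, a: Dict[str, List[str]], b: Dict[str, List[str]],
               attrs: Sequence[str] = WATCHED_ATTRS) -> List[Finding]:
    """Report watched attributes that differ between two copies of one entry."""
    na, nb = normalize(a), normalize(b)
    findings: List[Finding] = []
    for attr in attrs:
        va = na.get(attr.lower(), frozenset())
        vb = nb.get(attr.lower(), frozenset())
        if va == vb:
            continue
        if not va or not vb:
            side = "B" if not vb else "A"
            findings.append((uid, attr, "missing on master " + side))
        else:
            findings.append((uid, attr, "value sets differ"))
    return findings


def diff_snapshots(snap_a: Snapshot, snap_b: Snapshot,
                   attrs: Sequence[str] = WATCHED_ATTRS) -> List[Finding]:
    """Compare every user seen on either master: entry presence first, then attributes."""
    findings: List[Finding] = []
    for uid in sorted(set(snap_a) | set(snap_b)):
        if uid not in snap_a or uid not in snap_b:
            side = "B" if uid not in snap_b else "A"
            findings.append((uid, "*", "entry missing on master " + side))
            continue
        findings.extend(diff_entry(uid, snap_a[uid], snap_b[uid], attrs))
    return findings


if __name__ == "__main__":
    # Reports: alice: ipaSshPubKey: missing on master B
    for uid, attr, what in diff_snapshots(MASTER_A, MASTER_B):
        print(f"{uid}: {attr}: {what}")
```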
From mbasti at redhat.com Tue Apr 7 09:00:17 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 11:00:17 +0200
Subject: [Freeipa-users] freeipa-server on Raspberry Pi 2
In-Reply-To: <55238FE2.9030902@dds.nl>
References: <551D1F8E.2080707@dds.nl> <551D2A2D.1020901@redhat.com> <55238FE2.9030902@dds.nl>
Message-ID: <55239CA1.5070709@redhat.com>

I realize the default.conf is replaced during install, so pausing IPA will not help.
The easiest way is to modify the source file.

ipalib/constants.py:
('startup_timeout', 300),

The file should be in /usr/lib/python2.7/site-packages/ipalib/constants.py

Modify the file and run ipa-server-install, it should work.

HTH
Martin

On 07/04/15 10:05, Winfried de Heiden wrote:
> Hi,
>
> I gave it a try, but neither ~/.ipa/default.conf or
> /etc/ipa/default.conf did work. I also tried "to fool" the
> ipa-server-install script by pausing it and wait for the CA to start.
> After "un-pausing" the script the same error occurs: "CA did not start
> in 300.0s"
>
> I might try to hack the services.py script but anyone got another
> suggestion?
>
> Kind regards,
>
> Winfried
>
> On 02-04-15 at 13:38 Martin Basti wrote:
>> On 02/04/15 12:53, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> "Because I can try" I gave a shot on installing freeipa-server on a
>>> Raspberry Pi 2. I used Fedora 21 for this.
Installing looks
>>> promising, but fails somewhere halfway:
>>>
>>> [8/27]: starting certificate server instance
>>> [error] RuntimeError: CA did not start in 300.0s
>>> CA did not start in 300.0s
>>>
>>>
>>> and the install log will tell:
>>>
>>> [root at ipa log]# tail /var/log/ipaserver-install.log
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 279, in start
>>> self.service.start(instance_name,
>>> capture_output=capture_output, wait=wait)
>>>
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
>>> line 229, in start
>>> self.wait_until_running()
>>>
>>> File
>>> "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py",
>>> line 223, in wait_until_running
>>> raise RuntimeError('CA did not start in %ss' % timeout)
>>>
>>> 2015-04-02T09:58:36Z DEBUG The ipa-server-install command
>>> failed, exception: RuntimeError: CA did not start in 300.0s
>>>
>>>
>>> I'm wondering if this is a timing issue... Of course the Pi2 tends
>>> to be slow and no wonder starting things will take "some time"...
>>> (Yep, I'm trying to move tons of stones using only a 2CV car...)
>>> The catalina log (that's the CA (Tomcat) log right?)
>>> tells it needs some more time to start:
>>>
>>> [root at ipa pki-tomcat]# tail
>>> /var/log/pki/pki-tomcat/catalina.2015-04-02.log
>>> Apr 02, 2015 11:59:20 AM org.apache.catalina.startup.HostConfig
>>> deployDescriptor
>>> INFO: Deployment of configuration descriptor
>>> /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in
>>> 84,815 ms
>>> Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start
>>> INFO: Starting ProtocolHandler ["http-bio-8080"]
>>> Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start
>>> INFO: Starting ProtocolHandler ["http-bio-8443"]
>>> Apr 02, 2015 11:59:20 AM org.apache.coyote.AbstractProtocol start
>>> INFO: Starting ProtocolHandler ["ajp-bio-127.0.0.1-8009"]
>>> Apr 02, 2015 11:59:20 AM org.apache.catalina.startup.Catalina start
>>> INFO: Server startup in 355603 ms
>>>
>>> Anyone got an idea how to set the time out for the CA to start to 10
>>> or 15 minutes? Any other suggestion what is causing this problem?
>>> (no, I am not upgrading from an older version, this is a fresh install)
>>>
>>> Kind regards,
>>>
>>> Winfried
>>>
>>>
>>>
>>>
>> Hello,
>> you can try:
>>
>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00076.html
>>
>>
>>
>> --
>> Martin Basti
>

--
Martin Basti

From lists at fahrendorf.de Tue Apr 7 09:12:40 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Tue, 07 Apr 2015 11:12:40 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <552105B3.7010609@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de>
Message-ID: <55239F88.5030206@fahrendorf.de>

On 05.04.2015 at 11:51 Martin (Lists) wrote:
>
> Hello
>
> I have a similar issue. On login (graphic systems and ssh) and on the
> screen saver I have a delay from about 2 seconds to 10 seconds.
>
> According to my logfile I have the following timeline at login:
>
> 0 pam_unix (auth)
> 3 pam_sss (auth)
> 3 pam_kwallet (sddm:auth)
> 4 pam_kwallet (sddm:setcred)
> 5 pam_unix (session)
>
> First column is the number of seconds after the first action. On my old
> server I had a pure kerberos (handmade) system, which reacted almost
> instantly.
>
> Regards
> Martin
>

Hello

I enabled debugging (set to level 6). selinux provider is set to none.
During a login I got data according to my attachment.

Regards
Martin

A non-text attachment was scrubbed...
Name: login.log
Type: text/x-log
Size: 8028 bytes
Desc: not available

From jhrozek at redhat.com Tue Apr 7 09:21:45 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 11:21:45 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <55239F88.5030206@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de>
Message-ID: <20150407092145.GF26979@hendrix.arn.redhat.com>

On Tue, Apr 07, 2015 at 11:12:40AM +0200, Martin (Lists) wrote:
> On 05.04.2015 at 11:51 Martin (Lists) wrote:
> >
> > Hello
> >
> > I have a similar issue. On login (graphic systems and ssh) and on the
> > screen saver I have a delay from about 2 seconds to 10 seconds.
> >
> > According to my logfile I have the following timeline at login:
> >
> > 0 pam_unix (auth)
> > 3 pam_sss (auth)
> > 3 pam_kwallet (sddm:auth)
> > 4 pam_kwallet (sddm:setcred)
> > 5 pam_unix (session)
> >
> > First column is the number of seconds after the first action. On my old
> > server I had a pure kerberos (handmade) system, which reacted almost
> > instantly.
> >
> > Regards
> > Martin
> >
> Hello
>
> I enabled debugging (set to level 6). selinux provider is set to none.
> During a login I got data according to my attachment.
>
> Regards
> Martin

If that's all the data, then the login seems quite fast (3 seconds).
The slowdown seems to happen when the krb5 provider is initializing the krb5 ccache for the user. krb5_child.log with a high debug level would show what's happening in particular.

> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_req_set_domain] (0x0400): Changing request domain from [mittelerde.de] to [mittelerde.de]
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): domain: mittelerde.de
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): service: sddm
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): tty:
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): ruser:
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): rhost:
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): authtok type: 1
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): priv: 1
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): cli_pid: 6409
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): logon name: not set
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_resolve_server_process] (0x0200): Found address for server gandalf.mittelerde.de: [10.2.33.5] TTL 1200
> (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [ipa_resolve_callback] (0x0400): Constructed uri
'ldap://gandalf.mittelerde.de' > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [write_pipe_handler] (0x0400): All data has been sent! Here we sent data to krb5_child > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [child_sig_handler] (0x0100): child [6410] finished successfully. Here the krb5_child process finished > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [read_pipe_handler] (0x0400): EOF received, client finished > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'gandalf.mittelerde.de' as 'working' > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [set_server_common_status] (0x0100): Marking server 'gandalf.mittelerde.de' as 'working' > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'gandalf.mittelerde.de' as 'working' > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Sending result [0][mittelerde.de] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Sent result [0][mittelerde.de] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_req_set_domain] (0x0400): Changing request domain from [mittelerde.de] to [mittelerde.de] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): domain: mittelerde.de > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): service: sddm > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] 
(0x0100): tty: > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): ruser: > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): rhost: > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): authtok type: 0 > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): priv: 1 > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): cli_pid: 6409 > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): logon name: not set > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_access_send] (0x0400): Performing access check for user [frodo] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [frodo] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=kate.mittelerde.de))][cn=accounts,dc=mittelerde,dc=de]. > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de] using OpenLDAP deref > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de]. 
> (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: work-pc > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mittelerde,dc=de][2][(objectClass=ipaHBACService)] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=mittelerde,dc=de]. > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mittelerde,dc=de][2][(objectClass=ipaHBACServiceGroup)] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=mittelerde,dc=de]. 
> (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=mittelerde,dc=de][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=hostgroups,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=ng,cn=alt,dc=mittelerde,dc=de)))] > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=hostgroups,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=ng,cn=alt,dc=mittelerde,dc=de)))][cn=hbac,dc=mittelerde,dc=de]. > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From chamambom at afri-com.net Tue Apr 7 09:58:35 2015 From: chamambom at afri-com.net (Chamambo Martin) Date: Tue, 7 Apr 2015 11:58:35 +0200 Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0 Message-ID: <003701d07119$69d2fb20$3d78f160$@afri-com.net> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine except when I try to configure SUDO. All my clients are all centos 6 and RedHat 6 clients and have the below config . 
I have followed every how-to and I just can't seem to get it. I have configured
the sudo commands and rules mostly for reading files, /usr/bin/vim and
/usr/bin/less for reading log files.

/etc/nsswitch.conf

sudoers: files sss

cat /etc/sssd/sssd.conf

[root at nemo ~]# cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = XX.XX.XX
krb5_server = XX.XX.XX.XX:88
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts

[domain/ai.co.zw]
debug_level = 0x07F0
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = XX.XX.XX.XX
chpass_provider = ipa
ipa_server = _srv_, XX.XX.XX.XX
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains = default, XX.XX.XX

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

From jhrozek at redhat.com Tue Apr 7 10:28:14 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 12:28:14 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <003701d07119$69d2fb20$3d78f160$@afri-com.net>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net>
Message-ID: <20150407102814.GA11481@hendrix.arn.redhat.com>

On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are CentOS 6 and RedHat 6
> clients and have the below config. I have followed every how-to and I just
> can't seem to get it. I have configured the sudo commands and rules mostly
> for reading files, /usr/bin/vim and /usr/bin/less for reading log files.
>
> /etc/nsswitch.conf
>
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
>
> [root at nemo ~]# cat /etc/sssd/sssd.conf
> [domain/default]

It is really strange that you have a domain called default (that's the name
authconfig normally uses) set to the ldap provider. Where does this come from,
did you add it manually? This really sounds wrong and I would suggest removing
this domain, but I'd also like to know why you added it in the first place.

> autofs_provider = ldap
> cache_credentials = True
> krb5_realm = XX.XX.XX
> krb5_server = XX.XX.XX.XX:88
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> [domain/ai.co.zw]
> debug_level = 0x07F0
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = XX.XX.XX.XX
> chpass_provider = ipa
> ipa_server = _srv_, XX.XX.XX.XX
> ldap_tls_cacert = /etc/ipa/ca.crt

What RHEL/CentOS version are you running in particular? Starting with 6.6, it
should be enough to do:

sudo_provider = ipa

> [sssd]
> services = nss, sudo, pam, autofs, ssh
> config_file_version = 2
> domains = default, XX.XX.XX
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]

From chamambom at afri-com.net Tue Apr 7 10:48:37 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Tue, 7 Apr 2015 12:48:37 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <20150407102814.GA11481@hendrix.arn.redhat.com>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com>
Message-ID: <005701d07120$66f52b60$34df8220$@afri-com.net>

Sorry for the confusion about that one, that client I used to authenticate to
a pure 389 directory server and I have since changed it to FreeIPA and below
is the correct configuration.

I managed to add the line sudo_provider = ipa and I'm getting the below error
on my client:

[admin at ironhide postfix]$ sudo vim access
[sudo] password for admin:
Sorry, user admin is not allowed to execute '/usr/bin/vim access' as root on ironhide.ai.co.zw.
[admin at ironhide postfix]$

[root at ironhide ~]# cat /etc/sssd/sssd.conf
[domain/ai.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
[root at ironhide ~]#

From pvoborni at redhat.com Tue Apr 7 10:49:17 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 07 Apr 2015 12:49:17 +0200
Subject: [Freeipa-users] IPA Web UI - blank screen
In-Reply-To: <551C3C13.2020901@gmail.com>
References: <551C1E47.7050501@redhat.com> <551C3C13.2020901@gmail.com>
Message-ID: <5523B62D.90702@redhat.com>

On 04/01/2015 08:42 PM, Janelle wrote:
> the example of a blank screen -- anyone seen this before? Seems to be very
> random, but across all browsers.
>
> ~J
>

Hello Janelle,

Do you see any errors in the browser console (part of the browser developer
tools, usually opened by the F12 key) when this happens?

https://pvoborni.fedorapeople.org/doc/#!/guide/Debugging

--
Petr Vobornik

From mkosek at redhat.com Tue Apr 7 10:51:35 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 12:51:35 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To:
References:
Message-ID: <5523B6B7.7080402@redhat.com>

On 04/03/2015 11:39 AM, James James wrote:
> Hello,
>
> I want to initialize a new replica with an external CA. My Certificate
> Authority wants a CSR with the field emailAddress in the subject like:
>
> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com

I am now a bit confused. Do you plan to have FreeIPA *without* a CA or with
its own CA signed by an external CA?
FreeIPA supports these kinds of setups right now:
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

> How can I do this with the ipa-server-install command? I have been trying for
> a few days but I still can't.
>
> Thanks for your help.

CCing Honza who should know the definitive answer. However, FreeIPA was not
very flexible in configuring special subjects for its CA certificate (i.e.
cn=Certificate Authority, ou=...) or hosts in case of a CA-less setup.

From mkosek at redhat.com Tue Apr 7 10:54:02 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 12:54:02 +0200
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <551EA795.60701@martos.bme.hu>
References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com> <551EA795.60701@martos.bme.hu>
Message-ID: <5523B74A.6000900@redhat.com>

On 04/03/2015 04:45 PM, Tamas Papp wrote:
>
> On 04/03/2015 03:46 PM, Brian Topping wrote:
>>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>>>
>>> hi All,
>>>
>>> I have a CentOS 6.6 server and want to upgrade to 7.1.
>>>
>>> What is the upgrade path, can I do it directly or do I first need to make
>>> it to 3.3?
>>> Also is there any known issue I should expect with workarounds?
>>
>> I just did this yesterday, so here's my experience. If you have a simple
>> single-server installation with no custom LDAP DIT modifications, you should
>> find "yum upgrade" does the right thing.
>>
>> If you do have DIT mods, you should ask yourself why they are there and
>> whether the data will still be accessible after the ACLs are changed. In my
>> case, I had Postfix using an LDAP hash and mail delivery stopped working
>> (although the domain data was still there just fine).
>>
>> Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are
>> replicated.
>> To be safe, back up all replicas (snapshot or whatnot) before the
>> first upgrade and if you decide to restore any of them, be sure everything is
>> shut down and restore all of them to avoid 4.x schema contaminating 3.0 as
>> they come up.
>
> Ouch, that must have hurt :)
> As far as I recall, we have just very small custom changes.

Then you should be able to follow the standard migration path without too much
issue. To check the biggest changes in FreeIPA 4.1, compared to the old FreeIPA
3.x versions, see

http://www.freeipa.org/page/Releases/4.0.0
http://www.freeipa.org/page/Releases/4.1.0

Martin

From mkosek at redhat.com Tue Apr 7 10:54:48 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 12:54:48 +0200
Subject: [Freeipa-users] ipa and external ca
In-Reply-To: <551EDB2C.10603@redhat.com>
References: <551EDB2C.10603@redhat.com>
Message-ID: <5523B778.5040206@redhat.com>

On 04/03/2015 08:25 PM, Dmitri Pal wrote:
> On 04/03/2015 02:03 PM, James James wrote:
>> Hi everybody, sorry to repost my original question but this time my problem
>> is better described.
>>
>> I want to install an ipa server on centos 6 with an external ca. My problem
>> is to add emailAddress in the subject field when I type the command:
>>
>> [root at ipa-dev ~]# ipa-server-install --external_ca --subject="O=orga,C=FR,OU=MyOU"
>>
>> Does somebody know how to do this?
>
> Please wait till Tuesday next week.
> People who might be able to help are not available due to holidays in Europe.

I just replied to the original thread, let us discuss the topic there.
From jhrozek at redhat.com Tue Apr 7 10:57:55 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 12:57:55 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <005701d07120$66f52b60$34df8220$@afri-com.net>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com> <005701d07120$66f52b60$34df8220$@afri-com.net>
Message-ID: <20150407105755.GB11481@hendrix.arn.redhat.com>

On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one, that client I used to authenticate
> to a pure 389 directory server and I have since changed it to FreeIPA and
> below is the correct configuration.
>
> I managed to add the line sudo_provider = ipa and I'm getting the below error
> on my client

I don't see it added to the config. If it's added, the next steps would be to
add debug_level to the sudo and domain sections.
https://fedorahosted.org/sssd/wiki/Troubleshooting has some notes on gathering
the debug logs.

From sanju.a at tcs.com Tue Apr 7 11:13:44 2015
From: sanju.a at tcs.com (Sanju A)
Date: Tue, 7 Apr 2015 16:43:44 +0530
Subject: [Freeipa-users] Replication failed
Message-ID:

Dear All,

Replication was working fine for the last month and recently the replica
server (ipa2) had a hardware issue and was down for a week. Replication is
not working now that the machine is up. Please help.

[root at ipa etc]# service dirsrv status
dirsrv PKI-IPA (pid 29954) is running...
dirsrv DOMAIN-COM (pid 30023) is running...

[root at ipa2 ~]# service dirsrv status
dirsrv DOMAIN-COM (pid 1892) is running...
[root at ipa2 ~]#

[root at ipa etc]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors
[07/Apr/2015:16:25:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:16:25:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:16:28:10 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify.
[07/Apr/2015:16:30:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:16:30:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:16:35:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:16:35:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:16:35:57 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify.
[07/Apr/2015:16:40:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:16:40:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
^C

[root at ipa2 ~]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors
[07/Apr/2015:21:58:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:21:58:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:21:59:01 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:21:59:01 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:21:59:25 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:21:59:25 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:22:00:13 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:22:00:13 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
[07/Apr/2015:22:01:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
[07/Apr/2015:22:01:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Regards
Sanju Abraham
Linux Admin

From mkosek at redhat.com Tue Apr 7 11:18:10 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 13:18:10 +0200
Subject: [Freeipa-users] Proper configuration of service accounts
In-Reply-To:
References: <654DC42D-4FB4-44AE-97D5-05C8414B97D9@gmail.com> <551E84CF.4040709@redhat.com>
Message-ID: <5523BCF2.3080601@redhat.com>

On 04/03/2015 03:36 PM, Brian Topping wrote:
>> On Apr 3, 2015, at 6:17 AM, Dmitri Pal wrote:
>>
>> On 04/03/2015 01:51 AM, Brian Topping wrote:
>>> Great work on 4.1.0! As a CentOS user, I am able to convey the 3.x ->
>>> 4.1.0 upgrade went smoothly via the CentOS 7.0 -> 7.1 upgrade on my
>>> replicated pair of IPA instances.
>>>
>>> Question about proper setup of service accounts: I see that the service
>>> accounts I set up under "cn=etc, cn=sysaccounts" are still able to log
>>> in, but the permission changes have left them unable to read anything.
>>> Previously, I hacked the ACLs on the domain root. I would like to
>>> believe that's not how it should be done.
>>>
>>> That said, I was surprised that service accounts are not supported in
>>> the 4.x UI, so I wonder if service accounts
>>> (https://www.redhat.com/archives/freeipa-users/2012-June/msg00011.html)
>>> are the wrong way for services like Postfix to be doing LDAP queries.
>>>
>>
>> The ACIs changed because we tightened them for the read permissions. I
>> hope you would be able to change them so that your service account works
>> again. Here is the root page of the changes that we implemented.
>> http://www.freeipa.org/page/V4/Permissions_V2
>>
>> System account is probably the right one for Postfix.
>>
>> It is not in the UI and CLI because other features take precedence. We
>> acknowledge that it needs to be added, we just do not have enough time and
>> resources to do it. When we looked at 4.2 we assessed it too and it was on
>> the border line with a good chance of not happening, sorry.
>
> Thanks Dmitri. I had known in advance about the ACLs, but couldn't fully
> appreciate what was going to happen until doing the upgrade. Once it was
> done, I was kind of surprised that the ACL changes replicated to the 3.x
> server. As luck would have it, I didn't snapshot both servers at the same
> time before upgrading either, and eventually, the ACLs managed to work their
> way back to both the 3.x snapshots (one of them was obviously snapshotted
> after the other one had been installed with 4.1). I couldn't find upgrade
> notes with "gotcha"s, this might be a good addition if there are any
> somewhere. It was kind of humorous in all.

Interesting, I sort of thought this is automatically implied, given that
FreeIPA has a fully replicated environment. Based on your recommendation, I
added a note to

https://www.freeipa.org/page/Upgrade#Words_of_caution

> As for the service feature itself, please don't apologize. I think you guys
> did a spectacular job with this feature set. What I was concerned about is
> making sure I am doing things as closely as possible to future patterns to
> reduce upgrade costs. I don't know if it's possible to document the pattern
> without committing to the feature, but it might be helpful.
>
> The one thing I would like to discover at this point is whether roles and
> privileges built in the UI can be used by system accounts. If so, I could
> stop editing ACLs directly in LDIF, which is error prone and not the kind of
> thing I remember too well.

The FreeIPA 4.x permission system can now assign privileges and new permission
ACIs to users, groups, hosts, host groups and services. System accounts are not
covered, they should be covered when we have an API for them. I added this
requirement to the respective RFE:

https://fedorahosted.org/freeipa/ticket/2801

Brian, what exactly would you like to achieve? There were changes to the
default permissions, some objects are only readable by authenticated users -
which should apply also to system users.

If you want to add special ACIs using the new/updated permission API (ipa
permission-add), I would suggest the following procedure:

1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71
2) Add the new permissions you want to add, make them a member of a (new)
   privilege.
3) Create a new role, make the new/updated privileges members of that role
4) Use ldapmodify to make the system account DN a member of that role (you
   just add a new member attribute value)
5) Profit - you should now be able to control permissions for your system
   account with the FreeIPA CLI/UI

From mbasti at redhat.com Tue Apr 7 11:23:28 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 13:23:28 +0200
Subject: [Freeipa-users] Replication failed
In-Reply-To:
References:
Message-ID: <5523BE30.6020808@redhat.com>

On 07/04/15 13:13, Sanju A wrote:
> Dear All,
>
> Replication was working fine for the last month and recently the
> replica server (ipa2) had a hardware issue and was down
> for a week.
> Replication is not working now that the machine is up. Please help.
>
>
> [root at ipa etc]# service dirsrv status
> dirsrv PKI-IPA (pid 29954) is running...
> dirsrv DOMAIN-COM (pid 30023) is running...
>
>
> [root at ipa2 ~]# service dirsrv status
> dirsrv DOMAIN-COM (pid 1892) is running...
> [root at ipa2 ~]#
>
>
> [root at ipa etc]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors
>
> [07/Apr/2015:16:25:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:16:25:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:16:28:10 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify.
> [07/Apr/2015:16:30:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:16:30:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:16:35:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:16:35:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:16:35:57 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify.
> [07/Apr/2015:16:40:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:16:40:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> ^C
>
>
> [root at ipa2 ~]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors
>
> [07/Apr/2015:21:58:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:21:58:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:21:59:01 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:21:59:01 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:21:59:25 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:21:59:25 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:22:00:13 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:22:00:13 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
> [07/Apr/2015:22:01:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success)
> [07/Apr/2015:22:01:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)
>
>
> Regards
> Sanju Abraham
> Linux Admin
>

Hello,

do you have synchronized time on both servers?

Martin

--
Martin Basti

From mkosek at redhat.com Tue Apr 7 11:29:16 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 13:29:16 +0200
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <552178F9.7000403@redhat.com>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com>
Message-ID: <5523BF8C.7090403@redhat.com>

On 04/05/2015 08:03 PM, Dmitri Pal wrote:
> On 04/05/2015 12:51 PM, Janelle wrote:
>> Hello,
>>
>> Trying to find a way on a multi-homed server to force IPA and its related
>> apps to listen on a specific interface. I can find all kinds of info saying
>> "the services listen on all interfaces by default" so there must be a way?
>>
>> Thank you
>> ~J
>>
> Sounds familiar.
> I think there is a ticket open for that.

This is the RFE:

https://fedorahosted.org/freeipa/ticket/3338

Just in case anybody would like to help us extend the FreeIPA installers :-)

From david.dejaeghere at gmail.com Tue Apr 7 11:34:33 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Tue, 7 Apr 2015 13:34:33 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
Message-ID:

Hello,

I am trying to set up a replica for my master which has been set up with an
external CA to use our GoDaddy wildcard certificate. The ipa-replica-prepare
is failing with the following debug information. I am using --http-cert and
--dirsrv-cert with my pk12 server certificate.
What can I verify to get an idea of what is going wrong?

ipa: DEBUG: stderr=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
    self.ask_for_options()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
    options.http_cert_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
    host_name=self.replica_fqdn)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
    nss_cert = x509.load_certificate(cert, x509.DER)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
    return nss.Certificate(buffer(data))
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.

Regards,
D

From bobby.prins at proxy.nl Tue Apr 7 11:41:32 2015
From: bobby.prins at proxy.nl (Bobby Prins)
Date: Tue, 7 Apr 2015 13:41:32 +0200
Subject: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
In-Reply-To: <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl>
References: <1233558204.521669.1426778523088.JavaMail.zimbra@proxy.nl> <286451019.593771.1427211953268.JavaMail.zimbra@proxy.nl> <55118CA8.3080507@redhat.com> <69137159-8386-47E2-ABB4-A3E415D77582@proxy.nl> <1998127278.39814.1428056911430.JavaMail.zimbra@proxy.nl> <20150403104507.GM3878@redhat.com> <1281199799.42149.1428063302868.JavaMail.zimbra@proxy.nl> <20150403122617.GN3878@redhat.com> <1912938263.42737.1428064838642.JavaMail.zimbra@proxy.nl>
Message-ID:

> On Apr 3, 2015, at 14:40, Bobby Prins wrote:
>
>> ----- Original message -----
>> From: "Alexander Bokovoy"
>> To: "Bobby Prins"
>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>> Sent: Friday 3 April 2015 14:26:17
>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>
>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>> ----- Original message -----
>>>> From: "Alexander Bokovoy"
>>>> To: "Bobby Prins"
>>>> Cc: dpal at redhat.com, freeipa-users at redhat.com
>>>> Sent: Friday 3 April 2015 12:45:07
>>>> Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
>>>>
>>>> On Fri, 03 Apr 2015, Bobby Prins wrote:
>>>>> access:
>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
>>>>> [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins at example.corp))" attrs=ALL
>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
>>>>> [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>> Above there are two lookups:
>>>>
>>>> - successful lookup for user bprings at example.com
>>>> - unsuccessful lookup for user bprins
>>>>
>>>> What is causing it to perform a lookup without @example.com? Compat tree
>>>> presents AD users fully qualified, it is the only way it knows to
>>>> trigger lookup via SSSD on IPA master for these users (because non-fully
>>>> qualified users are in IPA LDAP tree already and copied to compat tree
>>>> automatically).
>>> This seems to be (standard?) behaviour of the AIX LDAP client. Did some
>>> more tests with different accounts and always see the two lookups. I
>>> doubt if I can influence that..
>> No, this is not standard -- I haven't seen such behavior when testing
>> FreeIPA with AIX last autumn.
>> --
>> / Alexander Bokovoy
> OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.

Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..

From jreg2k at gmail.com Tue Apr 7 11:44:23 2015
From: jreg2k at gmail.com (James James)
Date: Tue, 7 Apr 2015 13:44:23 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To: <5523B6B7.7080402@redhat.com>
References: <5523B6B7.7080402@redhat.com>
Message-ID:

ok.
Is there a way to migrate from an external CA to a CA-less or a self-signed CA ?

2015-04-07 12:51 GMT+02:00 Martin Kosek :

> On 04/03/2015 11:39 AM, James James wrote:
> > Hello,
> >
> > I want to initialize a new replica with an external CA. My Certificate
> > Authority wants a CSR with the field emailAddress in the subject like :
> >
> > /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>
> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or with own
> CA signed by external CA?
>
> FreeIPA supports these kinds of setups right now:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>
> > How can I do with the ipa-server-install command ? I have been trying for
> > few days but I still can't.
> >
> > Thanks for your help.
>
> CCing Honza who should know the definitive answer. However, FreeIPA was not
> very flexible in configuring special subjects for its CA certificate (i.e.
> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>

From mkosek at redhat.com Tue Apr 7 11:48:00 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 07 Apr 2015 13:48:00 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To:
References: <5523B6B7.7080402@redhat.com>
Message-ID: <5523C3F0.5090807@redhat.com>

On 04/07/2015 01:44 PM, James James wrote:
> ok.
>
> Is there a way to migrate from an external CA to a CA-less or a self-signed
> CA ?

Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
https://www.freeipa.org/page/V4/CA_certificate_renewal

(Although I am still not sure about your use case and if this would help you)

>
> 2015-04-07 12:51 GMT+02:00 Martin Kosek :
>
>> On 04/03/2015 11:39 AM, James James wrote:
>>> Hello,
>>>
>>> I want to initialize a new replica with an external CA. My Certificate
>>> Authority wants a CSR with the field emailAddress in the subject like :
>>>
>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>>
>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or with own
>> CA signed by external CA?
>>
>> FreeIPA supports these kinds of setups right now:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>
>>> How can I do with the ipa-server-install command ? I have been trying for
>>> few days but I still can't.
>>>
>>> Thanks for your help.
>>
>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>> very flexible in configuring special subjects for its CA certificate (i.e.
>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>
>

From chamambom at afri-com.net Tue Apr 7 11:55:43 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Tue, 7 Apr 2015 13:55:43 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <20150407105755.GB11481@hendrix.arn.redhat.com>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com> <005701d07120$66f52b60$34df8220$@afri-com.net> <20150407105755.GB11481@hendrix.arn.redhat.com>
Message-ID: <008101d07129$c6f27280$54d75780$@afri-com.net>

Thanks Jakub for pointing me in the right direction. This is what I have now and I have increased the debug level during troubleshooting

[domain/ai.co.zw]
debug_level=3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
sudo_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

Error messages from /var/log/sssd/sssd_ai.co.zw when debug
level is set at 4 [root at ironhide ~]# tail -f /var/log/sssd/sssd_ai.co.zw.log (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working' (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them. (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them. (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found! (Tue Apr 7 13:53:42 2015) [sssd[be[ai.co.zw]]] [ipa_subdomains_handler_master_done] (0x0020): Master domain record not found! (Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix] (Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:43 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=postfix] (Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:58 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_get_account_info] (0x0100): Got request for [3][1][name=admin] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1 (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost: (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 1 (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0 (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377 (Tue Apr 7 13:53:59 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working' (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working' (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw] (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw] (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [2379] finished successfully. 
(Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1 (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost: (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0 (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0 (Tue Apr 7 13:54:00 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 2377 (Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] (Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw] (Tue Apr 7 13:54:01 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw] ^C -----Original Message----- From: Jakub Hrozek [mailto:jhrozek at redhat.com] Sent: Tuesday, April 07, 2015 12:58 PM To: Chamambo Martin Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0 On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote: > 
> Sorry for the confusion about that one, that client I used to
> authenticate to a pure 389 directory server and I have since changed
> it to free ipa and below is the correct configuration.
>
> I managed to add the line sudo_provider = ipa and I'm getting the below
> error on my client

I don't see it added to the config.

If it's added, the next steps would be to add debug_level to the sudo and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting has some notes on gathering the debug logs.

From sanju.a at tcs.com Tue Apr 7 11:56:18 2015
From: sanju.a at tcs.com (Sanju A)
Date: Tue, 7 Apr 2015 17:26:18 +0530
Subject: [Freeipa-users] Replication failed
In-Reply-To: <5523BE30.6020808@redhat.com>
References: <5523BE30.6020808@redhat.com>
Message-ID:

Dear Martin,

Thanks for your help; the replication issue got resolved after syncing the time. But I am not able to log in to the replica server web UI. I keep on getting "Your session has expired. Please re-login.". Please find the logs.

[07/Apr/2015:17:24:49 +051800] csngen_new_csn - Warning: too much time skew (-20287 secs). Current seqnum=1
[07/Apr/2015:17:24:49 +051800] csngen_new_csn - Warning: too much time skew (-20288 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20288 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20289 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20290 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20291 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20292 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20293 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20294 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20295 secs). Current seqnum=1
[07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20296 secs). Current seqnum=1
[07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20296 secs). Current seqnum=1
[07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20297 secs). Current seqnum=1
[07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20298 secs). Current seqnum=1
[07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20299 secs). Current seqnum=1
[07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20299 secs). Current seqnum=1
[07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20300 secs). Current seqnum=1
[07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20301 secs). Current seqnum=1
[07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20302 secs). Current seqnum=1
[07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20301 secs). Current seqnum=1
[07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20302 secs). Current seqnum=1
[07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20303 secs). Current seqnum=1

Regards
Sanju Abraham
Linux Admin

From: Martin Basti
To: Sanju A , freeipa-users at redhat.com
Date: 07-04-2015 16:53
Subject: Re: [Freeipa-users] Replication failed

On 07/04/15 13:13, Sanju A wrote:
Dear All,

Replication was working fine for the last 1 month and recently the replica server (ipa2) is having some hardware issue and it was down for a week. Replication is not working once the machine is up. Please help.

[root at ipa etc]# service dirsrv status
dirsrv PKI-IPA (pid 29954) is running...
dirsrv DOMAIN-COM (pid 30023) is running...
[root at ipa2 ~]# service dirsrv status dirsrv DOMAIN-COM (pid 1892) is running... [root at ipa2 ~]# [root at ipa etc]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors [07/Apr/2015:16:25:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:16:25:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:16:28:10 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify. [07/Apr/2015:16:30:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:16:30:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:16:35:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:16:35:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:16:35:57 +051800] ipa_range_check_pre_op - [file ipa_range_check.c, line 235]: Missing entry to modify. 
[07/Apr/2015:16:40:50 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:16:40:50 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) ^C [root at ipa2 ~]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors [07/Apr/2015:21:58:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:21:58:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:21:59:01 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:21:59:01 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:21:59:25 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:21:59:25 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:22:00:13 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:22:00:13 
+051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) [07/Apr/2015:22:01:49 +051800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) [07/Apr/2015:22:01:49 +051800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials) Regards Sanju Abraham Linux Admin =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you Hello, do you have synchronized time on both servers? Martin -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... 
From jhrozek at redhat.com Tue Apr 7 12:04:47 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 14:04:47 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <008101d07129$c6f27280$54d75780$@afri-com.net>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com> <005701d07120$66f52b60$34df8220$@afri-com.net> <20150407105755.GB11481@hendrix.arn.redhat.com> <008101d07129$c6f27280$54d75780$@afri-com.net>
Message-ID: <20150407120447.GF11481@hendrix.arn.redhat.com>

On Tue, Apr 07, 2015 at 01:55:43PM +0200, Chamambo Martin wrote:
> Thanks Jakub for pointing me in the right direction. This is what I have now
> and I have increased the debug level during troubleshooting
>
> [domain/ai.co.zw]
>
> debug_level=3
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> sudo_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
>
> domains = ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> Error messages from /var/log/sssd/sssd_ai.co.zw when debug level is set at 4

This snippet just shows successful authentication, which I guess is when sudo asked for the password.

Anything interesting in the sudo log? /var/log/sssd/sssd_sudo.log

You might need a higher debug_level, though (6?)
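Jakub's advice in this thread (put debug_level into the [sudo] and domain sections, and raise it when the sudo log stays quiet) and the sssd.conf Chamambo posted lend themselves to a quick sanity check. The script below is an added example, not code from the thread or from SSSD: it parses an sssd.conf (the embedded sample is a constructed copy modelled on the one posted), reports whether the sudo responder is listed in services, resolves the effective sudo_provider (SSSD falls back to id_provider when sudo_provider is not set explicitly) and lists the sections that still lack a debug_level.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample modelled on the sssd.conf posted in this thread;
# not taken from a live host.
SAMPLE_SSSD_CONF = """
[domain/ai.co.zw]
debug_level=3
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
sudo_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ai.co.zw

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; interpolation is disabled so '%' is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def split_list(value: Optional[str]) -> List[str]:
    """Split an sssd comma-separated list such as 'nss, sudo, pam'."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def effective_sudo_provider(cfg: configparser.ConfigParser,
                            domain_section: str) -> Optional[str]:
    """sudo_provider defaults to the domain's id_provider when it is unset."""
    section = cfg[domain_section]
    return section.get("sudo_provider") or section.get("id_provider")


def configured_domains(cfg: configparser.ConfigParser) -> List[str]:
    """Section names of the domains enabled in [sssd] domains."""
    return ["domain/" + d for d in split_list(cfg["sssd"].get("domains"))]


def check_sudo_setup(cfg: configparser.ConfigParser) -> Dict:
    """Collect the facts a sudo-via-SSSD troubleshooter asks for first."""
    services = split_list(cfg["sssd"].get("services"))
    domains = configured_domains(cfg)
    providers = {d: effective_sudo_provider(cfg, d)
                 for d in domains if cfg.has_section(d)}
    # Sections whose debug output matters for sudo: the responder plus
    # each enabled domain (the backend that talks to the IPA server).
    sections = ["sudo"] + domains
    missing_debug = [s for s in sections
                     if not (cfg.has_section(s) and cfg[s].get("debug_level"))]
    return {
        "sudo_service_enabled": "sudo" in services,
        "sudo_provider_by_domain": providers,
        "missing_debug_level": missing_debug,
    }


if __name__ == "__main__":
    report = check_sudo_setup(parse_sssd_conf(SAMPLE_SSSD_CONF))
    for key, value in report.items():
        print(f"{key}: {value}")
```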
From jreg2k at gmail.com Tue Apr 7 12:08:49 2015
From: jreg2k at gmail.com (James James)
Date: Tue, 7 Apr 2015 14:08:49 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To: <5523C3F0.5090807@redhat.com>
References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com>
Message-ID:

I will try to give a better explanation:

I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master was installed with an external CA about 3 years ago and I will have to renew the certificate soon. I have created a test server (ipa-dev) with the same configuration (centos 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server to be installed with an external CA. At the same time my external CA has changed and wants the emailAddress field in the certificate request's subject.

If it is not possible to add emailAddress in the subject, is it possible to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA ?

Thanks.

2015-04-07 13:48 GMT+02:00 Martin Kosek :

> On 04/07/2015 01:44 PM, James James wrote:
> > ok.
> >
> > Is there a way to migrate from an external CA to a CA-less or a self-signed
> > CA ?
>
> Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> https://www.freeipa.org/page/V4/CA_certificate_renewal
>
> (Although I am still not sure about your use case and if this would help you)
>
> >
> > 2015-04-07 12:51 GMT+02:00 Martin Kosek :
> >
> >> On 04/03/2015 11:39 AM, James James wrote:
> >>> Hello,
> >>>
> >>> I want to initialize a new replica with an external CA. My Certificate
> >>> Authority wants a CSR with the field emailAddress in the subject like :
> >>>
> >>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
> >>
> >> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
> >> with own CA signed by external CA?
> >>
> >> FreeIPA supports these kinds of setups right now:
> >> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
> >>
> >>> How can I do with the ipa-server-install command ? I have been trying for
> >>> few days but I still can't.
> >>>
> >>> Thanks for your help.
> >>
> >> CCing Honza who should know the definitive answer. However, FreeIPA was not
> >> very flexible in configuring special subjects for its CA certificate (i.e.
> >> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
> >>
> >
>

From lslebodn at redhat.com Tue Apr 7 12:16:06 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 7 Apr 2015 14:16:06 +0200
Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0
In-Reply-To: <20150407105755.GB11481@hendrix.arn.redhat.com>
References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com> <005701d07120$66f52b60$34df8220$@afri-com.net> <20150407105755.GB11481@hendrix.arn.redhat.com>
Message-ID: <20150407121605.GA29423@mail.corp.redhat.com>

On (07/04/15 12:57), Jakub Hrozek wrote:
>On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
>> Sorry for the confusion about that one, that client I used to authenticate
>> to a pure 389 directory server and I have since changed it to free ipa and
>> below is the correct configuration.
>>
>> I managed to add the line sudo_provider = ipa and I'm getting the below error
>> on my client
>
>I don't see it added to the config.
>
It's not necessary to add "sudo_provider = ipa" into the domain section, because if sudo_provider is not specified then it is automatically inherited from "id_provider". It is described in documentation [1] (point 4) and also in the manual page sssd-sudo.

IIRC ipa-client-install should configure all necessary things on rhel 7.1

>If it's added, the next steps would be to add debug_level to the sudo
>and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting
>has some notes on gathering the debug logs.
>
+1

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Services.html#configuring-sssd-sudo

From mbasti at redhat.com Tue Apr 7 12:21:12 2015
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 07 Apr 2015 14:21:12 +0200
Subject: [Freeipa-users] Replication failed
In-Reply-To:
References: <5523BE30.6020808@redhat.com>
Message-ID: <5523CBB8.90507@redhat.com>

Great! Additional comments inline.
Martin

On 07/04/15 13:56, Sanju A wrote:
> Dear Martin,
>
> Thanks for your help; the replication issue got resolved after
> syncing the time. But I am not able to log in to the replica server web
> UI. I keep on getting "Your session has expired. Please re-login.".
> Please find the logs.
>
Does the CLI command work on the server?
What do you use to log in to the web UI, form-based authentication or Kerberos?
Did you try to clean the browser cache (or kdestroy)?

You can find something useful in this thread:
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

>
> [07/Apr/2015:17:24:49 +051800] csngen_new_csn - Warning: too much time skew (-20287 secs). Current seqnum=1
> [07/Apr/2015:17:24:49 +051800] csngen_new_csn - Warning: too much time skew (-20288 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20288 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20289 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20290 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20291 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20292 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20293 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20294 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20295 secs). Current seqnum=1
> [07/Apr/2015:17:24:50 +051800] csngen_new_csn - Warning: too much time skew (-20296 secs). Current seqnum=1
> [07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20296 secs). Current seqnum=1
> [07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20297 secs). Current seqnum=1
> [07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20298 secs). Current seqnum=1
> [07/Apr/2015:17:24:51 +051800] csngen_new_csn - Warning: too much time skew (-20299 secs). Current seqnum=1
> [07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20299 secs). Current seqnum=1
> [07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20300 secs). Current seqnum=1
> [07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20301 secs). Current seqnum=1
> [07/Apr/2015:17:24:52 +051800] csngen_new_csn - Warning: too much time skew (-20302 secs). Current seqnum=1
> [07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20301 secs). Current seqnum=1
> [07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20302 secs). Current seqnum=1
> [07/Apr/2015:17:24:54 +051800] csngen_new_csn - Warning: too much time skew (-20303 secs). Current seqnum=1

From which log is this?
> > > Regards > Sanju Abraham > Linux Admin > > > > > From: Martin Basti > To: Sanju A , freeipa-users at redhat.com > Date: 07-04-2015 16:53 > Subject: Re: [Freeipa-users] Replication failed > ------------------------------------------------------------------------ > > > > On 07/04/15 13:13, Sanju A wrote: > Dear All, > > Replication was working fine for the last 1 month and recently the > replica server (ipa2) is having some hardware issue and it was down > for a week. > Replication is not working once the machine is up. Please help. > > > [root at ipa etc]# service dirsrv status > dirsrv PKI-IPA (pid 29954) is running... > dirsrv DOMAIN-COM (pid 30023) is running... > > > [root at ipa2 ~]# service dirsrv status > dirsrv DOMAIN-COM (pid 1892) is running... > [root at ipa2 ~]# > > > > [root at ipa etc]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors > > [07/Apr/2015:16:25:50 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:16:25:50 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:16:28:10 +051800] ipa_range_check_pre_op - [file > ipa_range_check.c, line 235]: Missing entry to modify. 
> [07/Apr/2015:16:30:50 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:16:30:50 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:16:35:50 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:16:35:50 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:16:35:57 +051800] ipa_range_check_pre_op - [file > ipa_range_check.c, line 235]: Missing entry to modify. > [07/Apr/2015:16:40:50 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:16:40:50 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > ^C > > > [root at ipa2 ~]# tail -f /var/log/dirsrv/slapd-TCS-MOBILITY-COM/errors > > [07/Apr/2015:21:58:49 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:21:58:49 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:21:59:01 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform 
interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:21:59:01 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:21:59:25 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:21:59:25 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:22:00:13 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:22:00:13 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > [07/Apr/2015:22:01:49 +051800] slapd_ldap_sasl_interactive_bind - > Error: could not perform interactive bind for id [] mech [GSSAPI]: > LDAP error 49 (Invalid credentials) (SASL(-13): authentication > failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) > [07/Apr/2015:22:01:49 +051800] slapi_ldap_bind - Error: could not > perform interactive bind for id [] mech [GSSAPI]: error 49 (Invalid > credentials) > > > > > Regards > Sanju Abraham > Linux Admin > > =====-----=====-----===== > Notice: The information contained in this e-mail > message and/or attachments to it may contain > confidential or privileged information. 
If you are > not the intended recipient, any dissemination, use, > review, distribution, printing or copying of the > information contained in this e-mail message > and/or attachments to it are strictly prohibited. If > you have received this communication in error, > please notify us by reply e-mail or telephone and > immediately and permanently delete the message > and any attachments. Thank you > > > > Hello, > > do you have synchronized time on both servers? > > > Martin > > -- > Martin Basti > -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From chamambom at afri-com.net Tue Apr 7 12:47:02 2015 From: chamambom at afri-com.net (Chamambo Martin) Date: Tue, 7 Apr 2015 14:47:02 +0200 Subject: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0 In-Reply-To: <20150407121605.GA29423@mail.corp.redhat.com> References: <003701d07119$69d2fb20$3d78f160$@afri-com.net> <20150407102814.GA11481@hendrix.arn.redhat.com> <005701d07120$66f52b60$34df8220$@afri-com.net> <20150407105755.GB11481@hendrix.arn.redhat.com> <20150407121605.GA29423@mail.corp.redhat.com> Message-ID: <009201d07130$f1eeeac0$d5ccc040$@afri-com.net> Thanx for the feedback ,let me read a bit and will share how I managed to resolve it -----Original Message----- From: Lukas Slebodnik [mailto:lslebodn at redhat.com] Sent: Tuesday, April 07, 2015 2:16 PM To: Jakub Hrozek Cc: Chamambo Martin; freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA sudo configuration on FreeIPA, version: 4.1.0 On (07/04/15 12:57), Jakub Hrozek wrote: >On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote: >> Sorry for the confusion about that one ,that client I used to >> aunthenticate to a pure 389 directory server and I have since changed >> it to free ipa and below is the correct configuration. >> >> I managed to add the line sudo_provider = ipa and im getting the >> below error on my client > >I don't see it added to the config. 
>
It's not necessary to add "sudo_provider = ipa" into domain section, because if sudo_provider is not specified then it is automatically inherited from "id_provider". It is described in documentation [1] (point 4) and also in the manual page sssd-sudo.
IIRC ipa-client-install should configure all necessary things on rhel 7.1

>If it's added, the next steps would be to add debug_level to the sudo
>and domain sections. https://fedorahosted.org/sssd/wiki/Troubleshooting
>has some notes on gathering the debug logs.
>
+1

LS

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Services.html#configuring-sssd-sudo

From simo at redhat.com Tue Apr 7 12:52:14 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Apr 2015 08:52:14 -0400
Subject: [Freeipa-users] Creating arbitrary users?
In-Reply-To: <9B54F3DB-49DE-40D7-9BE7-237363DCA971@coyhile.com>
References: <9B54F3DB-49DE-40D7-9BE7-237363DCA971@coyhile.com>
Message-ID: <1428411134.19641.145.camel@willson.usersys.redhat.com>

On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> In MIT land, one can potentially have multiple instances tied (by
> convention) to a given user (that is, that administratively one knows
> are the same set of eyeballs). For example, I might have my normal
> user (hile), and I might have another distinct MIT principal
> hile/admin used when I'm doing administrative work in the kerb
> database, or potentially yet another hile/vpn for remote access. Only
> the first of these is a "real" user that needs to have a uid, gid,
> home directory, and shell; the others are just Kerberos principals
> that might have differing password policies applied to them. In
> FreeIPA, it appears all kerberos principals are tied to a user (or to
> a host in the case of host/ or another service definition). Is it
> possible to define a non-posix user?
There is no good reason for > hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never > login directly using that principal. Early on when we created FreeIPA we decided against providing alternative principals for the same user as it made things a lot more complex for little gain. To this day we still do not support them. Keep in mind that adding a principal is not the whole story, once you do that then you probably still want to associate it to some user, and assign privileges and allow alternative principal names to ssh into some machines, which means distributing k5login files or providing explicit support in the new aname2lname plugin. To do all this means adding new objects and configuration facilities to handle these special non-users, we haven't yet found enough benefit in adding support for these to warrant the work involved. Simo. -- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Tue Apr 7 13:31:27 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 07 Apr 2015 15:31:27 +0200 Subject: [Freeipa-users] Replica with external ca + custom subject in certificate In-Reply-To: References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com> Message-ID: <5523DC2F.2080104@redhat.com> On 04/07/2015 02:08 PM, James James wrote: > I will try to give a better explanation : > > > I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been > installed with an external CA about 3 years ago and I will have to renew > the certificate soon. > > I have created a test server (ipa-dev) with the same configuration (centos > 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev sever > to be installed with an external CA. > > In the same time my external CA has changed and wants the emailAddress > field in the certificate request 's subject. CSR during installation with external CA is produced by Dogtag, so you are constrained with the options and capabilities provided by ipa-server-install. 
Maybe it would be possible to modify the CSR and update the Subject manually, but I expect it would crash the installer later (JanC may know more (CCed)) > If it is not possible to add emailAddress in the subject, is it possible to > migrate my ipa-master CA system from an external CA to a CA-less or > self-signed CA ? It is, with ipa-cacert-manage - see links below. > Thanks. > > 2015-04-07 13:48 GMT+02:00 Martin Kosek : > >> On 04/07/2015 01:44 PM, James James wrote: >>> ok. >>> >>> Is there a way to migrate from an external CA to a CA-less or a >> self-signed >>> CA ? >> >> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0: >> >> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal >> https://www.freeipa.org/page/V4/CA_certificate_renewal >> >> (Although I am still not sure about your use case and if this would help >> you) >> >>> >>> 2015-04-07 12:51 GMT+02:00 Martin Kosek : >>> >>>> On 04/03/2015 11:39 AM, James James wrote: >>>>> Hello, >>>>> >>>>> I want to initialize a new replica with an external CA. My Certificate >>>>> Authority wants a CSR with the field emailAddress in the subject like : >>>>> >>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com >>>> >>>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or >>>> with own >>>> CA signed by external CA? >>>> >>>> FreeIPA supports these kinds of setups right now: >>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure >>>> >>>>> How can I do with the ipa-server-install command ? I have been trying >>>> for >>>>> few days but I still can't. >>>>> >>>>> Thanks for your help. >>>> >>>> CCing Honza who should know the definitive answer. However, FreeIPA was >> not >>>> very flexible in configuring special subjects for it's CA certificate >> (i.e. >>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup. 
>>>> >>> >> >> > From awilisch at gmail.com Tue Apr 7 14:04:28 2015 From: awilisch at gmail.com (Aric Wilisch) Date: Tue, 7 Apr 2015 10:04:28 -0400 Subject: [Freeipa-users] FreeIPA 4 AD Integration issue Message-ID: Hey all, I?m having a problem with integrating a FreeIPA4 infrastructure to an AD environment. AD Domain is fioptics.int FreeIPA infrastructure is preprod.fioptics.int The AD Controller in this environment is at 10.32.145.134 The FreeIPA 4 server is at 10.32.146.40 I?m attaching the procedure that I?m using below for review. Everything works perfectly, even the DNS testing, up until I run the command to initiate the trust. Then it ALWAYS c comes back with unable to find server. The DNS tests I?ve done from AD and from IPA are also listed below. This procedure works flawlessly in the virtual test environment every time. There are NO firewalls between the IPA box and the AD box. Software firewalls on both boxes are down. Selinux is disabled. The only differences are 1. They are on different subnets but I don?t see how that should matter, and 2. There is a load balancer between them, but again DNS resolves and a nmap shows all the necessary ports are available. If anyone has any advice it would be greatly appreciated. I have to get this working asap for the deployment of the project. Thanks in advance. ????????? DNS Results ????????? Active Directory ? 
Server: ppad01.fioptics.int Address: 10.32.145.134 _ldap._tcp.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = mtad01.fioptics.int _ldap._tcp.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = ppad01.fioptics.int _ldap._tcp.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = p1ad01.fioptics.int _ldap._tcp.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = mtad02.fioptics.int _ldap._tcp.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = stad01.fioptics.int mtad01.fioptics.int internet address = 10.32.162.182 ppad01.fioptics.int internet address = 10.32.145.134 p1ad01.fioptics.int internet address = 10.32.129.134 mtad02.fioptics.int internet address = 10.32.130.182 stad01.fioptics.int internet address = 10.32.161.134 > _ldap._tcp.preprod.fioptics.int Server: ppad01.fioptics.int Address: 10.32.145.134 Non-authoritative answer: _ldap._tcp.preprod.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = ppip01.preprod.fioptics.int _ldap._tcp.preprod.fioptics.int SRV service location: priority = 0 weight = 100 port = 389 svr hostname = ppip02.preprod.fioptics.int ppip01.preprod.fioptics.int internet address = 10.32.146.40 ppip01.preprod.fioptics.int internet address = 10.32.146.40 > ???? FreeIPA ???? [root at ppip01 ~]# dig srv _ldap._tcp.fioptics.int ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.fioptics.int ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26858 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 13, ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.fioptics.int. IN SRV ;; ANSWER SECTION: _ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 p1ad01.fioptics.int. _ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 stad01.fioptics.int. 
_ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 ppad01.fioptics.int. _ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad02.fioptics.int. _ldap._tcp.fioptics.int. 600 IN SRV 0 100 389 mtad01.fioptics.int. ;; AUTHORITY SECTION: . 11558 IN NS g.root-servers.net. . 11558 IN NS e.root-servers.net. . 11558 IN NS i.root-servers.net. . 11558 IN NS f.root-servers.net. . 11558 IN NS a.root-servers.net. . 11558 IN NS c.root-servers.net. . 11558 IN NS j.root-servers.net. . 11558 IN NS k.root-servers.net. . 11558 IN NS h.root-servers.net. . 11558 IN NS l.root-servers.net. . 11558 IN NS d.root-servers.net. . 11558 IN NS b.root-servers.net. . 11558 IN NS m.root-servers.net. ;; ADDITIONAL SECTION: ppad01.fioptics.int. 3057 IN A 10.32.145.134 p1ad01.fioptics.int. 3600 IN A 10.32.129.134 mtad02.fioptics.int. 3600 IN A 10.32.130.182 stad01.fioptics.int. 3600 IN A 10.32.161.134 mtad01.fioptics.int. 3600 IN A 10.32.162.182 ;; Query time: 1 msec ;; SERVER: 10.32.146.40#53(10.32.146.40) ;; WHEN: Tue Apr 07 09:56:29 EDT 2015 ;; MSG SIZE rcvd: 538 [root at ppip01 ~]# dig srv _ldap._tcp.preprod.fioptics.int ; <<>> DiG 9.9.4-RedHat-9.9.4-20.el7.centos.pkcs11 <<>> srv _ldap._tcp.preprod.fioptics.int ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28466 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_ldap._tcp.preprod.fioptics.int. IN SRV ;; ANSWER SECTION: _ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip02.preprod.fioptics.int. _ldap._tcp.preprod.fioptics.int. 86400 IN SRV 0 100 389 ppip01.preprod.fioptics.int. ;; AUTHORITY SECTION: preprod.fioptics.int. 86400 IN NS ppip02.preprod.fioptics.int. preprod.fioptics.int. 86400 IN NS ppip01.preprod.fioptics.int. ;; ADDITIONAL SECTION: ppip01.preprod.fioptics.int. 1200 IN A 10.32.146.40 ppip02.preprod.fioptics.int. 
1200 IN A 10.32.146.41 ;; Query time: 0 msec ;; SERVER: 10.32.146.40#53(10.32.146.40) ;; WHEN: Tue Apr 07 09:56:44 EDT 2015 ;; MSG SIZE rcvd: 214 [root at ppip01 ~]# ???????????????????? Error Message ???????????????????? [root at ppip01 ~]# ipa trust-add --type=ad fioptics.int --server=ppad01.fioptics.int --admin serviceipa --password Active Directory domain administrator's password: ipa: ERROR: Cannot find specified domain or server name [root at ppip01 ~]# * Note - I have tried this with the Administrator account and that didn?t work either. Regards, ------------------------------------------ Aric Wilisch awilisch at gmail.com From coy.hile at coyhile.com Tue Apr 7 14:16:45 2015 From: coy.hile at coyhile.com (coy.hile at coyhile.com) Date: Tue, 07 Apr 2015 14:16:45 +0000 Subject: [Freeipa-users] Creating arbitrary users? Message-ID: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> Quoting Simo Sorce > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: >> In MIT land, one can potentially have multiple instances tied (by >> convention) to a given user (that is, that administratively one knows >> are the same set of eyeballs). For example, I might have my normal >> user (hile), and I might have another distinct MIT principal >> hile/admin used when I?m doing administrative work in the kerb >> database, or potentially yet another hile/vpn for remote access. Only >> the first of these is a ?real? user that needs to have a uid, gid, >> home directory, and shell; the others are just Kerberos principals >> that might have differing password policies applied to them. In >> FreeIPA, it appears all kerberos principals are tied to a user (or to >> a host in the case of host/ or another service definition). Is it >> possible to define a non-posix user? There is no good reason for >> hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never >> login directly using that principal. 
>
> Early on when we created FreeIPA we decided against providing
> alternative principals for the same user as it made things a lot more
> complex for little gain. To this day we still do not support them.
>
> Keep in mind that adding a principal is not the whole story, once you do
> that then you probably still want to associate it to some user, and
> assign privileges and allow alternative principal names to ssh into some
> machines, which means distributing k5login files or providing explicit
> support in the new aname2lname plugin.
>
> To do all this means adding new objects and configuration facilities to
> handle these special non-users, we haven't yet found enough benefit in
> adding support for these to warrant the work involved.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

I guess that makes sense. Is it possible to add a user that simply doesn't have the posix attributes defined? In the particular case of */admin, I would expect that user to login to the ipa ui or to be kinit'd to prior to running ipa administrative commands, but I should hope that it should never login directly. Does that question make more sense?

Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone

-------- Original message --------
From: Simo Sorce
Date: 04/07/2015 08:52 (GMT-05:00)
To: coy.hile at coyhile.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Creating arbitrary users?

From simo at redhat.com Tue Apr 7 14:22:13 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Apr 2015 10:22:13 -0400
Subject: [Freeipa-users] Creating arbitrary users?
In-Reply-To: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com>
References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com>
Message-ID: <1428416533.19641.148.camel@willson.usersys.redhat.com>

On Tue, 2015-04-07 at 14:16 +0000, coy.hile at coyhile.com wrote:
> Quoting Simo Sorce
>
> > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> >> In MIT land, one can potentially have multiple instances tied (by
> >> convention) to a given user (that is, that administratively one knows
> >> are the same set of eyeballs). For example, I might have my normal
> >> user (hile), and I might have another distinct MIT principal
> >> hile/admin used when I'm doing administrative work in the kerb
> >> database, or potentially yet another hile/vpn for remote access. Only
> >> the first of these is a "real" user that needs to have a uid, gid,
> >> home directory, and shell; the others are just Kerberos principals
> >> that might have differing password policies applied to them. In
> >> FreeIPA, it appears all kerberos principals are tied to a user (or to
> >> a host in the case of host/ or another service definition). Is it
> >> possible to define a non-posix user? There is no good reason for
> >> hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never
> >> login directly using that principal.
> >
> > Early on when we created FreeIPA we decided against providing
> > alternative principals for the same user as it made things a lot more
> > complex for little gain. To this day we still do not support them.
> >
> > Keep in mind that adding a principal is not the whole story, once you do
> > that then you probably still want to associate it to some user, and
> > assign privileges and allow alternative principal names to ssh into some
> > machines, which means distributing k5login files or providing explicit
> > support in the new aname2lname plugin.
> >
> > To do all this means adding new objects and configuration facilities to
> > handle these special non-users, we haven't yet found enough benefit in
> > adding support for these to warrant the work involved.
> >
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
>
> I guess that makes sense. Is it possible to add a user that simply
> doesn't have the posix attributes defined? In the particular case of
> */admin, I would expect that user to login to the ipa ui or to be
> kinit'd to prior to running ipa administrative commands, but I should
> hope that it should never login directly.
>
> Does that question make more sense?

It does, but we do not have such a feature, sorry.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From lists at fahrendorf.de Tue Apr 7 15:57:49 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Tue, 07 Apr 2015 17:57:49 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <20150407092145.GF26979@hendrix.arn.redhat.com>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com>
Message-ID: <5523FE7D.50902@fahrendorf.de>

Hello

attached you can find the data from krb_child.log. As far as I can see it, the three seconds are due to the communication with the kerberos server. (1.2.3.4 is my server).

regards
Martin

On 07.04.2015 at 11:21, Jakub Hrozek wrote:
> On Tue, Apr 07, 2015 at 11:12:40AM +0200, Martin (Lists) wrote:
> > On 05.04.2015 at 11:51, Martin (Lists) wrote:
> >>
> >> Hello
> >>
> >> I have a similar issue. On login (graphic systems and ssh) and on the
> >> screen saver I have a delay from about 2 seconds to 10 seconds.
> >>
> >> According to my logfile I have the following timeline at login:
> >>
> >> 0 pam_unix (auth)
> >> 3 pam_sss (auth)
> >> 3 pam_kwallet (sddm:auth)
> >> 4 pam_kwallet (sddm:setcred)
> >> 5 pam_unix (session)
> >>
> >> First column is the number of seconds after the first action. On my old
> >> server I had a pure kerberos (handmade) system, which reacted almost
> >> instantly.
> >>
> >> Regards
> >> Martin
> >>
> > Hello
> >
> > I enabled debugging (set to level 6). selinux provider is set to none.
> > During a login I got data according to my attachment.
> >
> > Regards
> > Martin
>
> If that's all the data, then the login seems quite fast (3 seconds).
> The slowdown seems to happen when the krb5 provider is initializing the
> krb5 ccache for the user. krb5_child.log with a high debug level would
> show what's happening in particular.
>
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_req_set_domain] (0x0400): Changing request domain from [mittelerde.de] to [mittelerde.de]
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): domain: mittelerde.de
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): service: sddm
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): tty:
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): ruser:
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): rhost:
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): authtok type: 1
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): priv: 1
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): cli_pid: 6409
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): logon name: not set
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_resolve_server_process] (0x0200): Found address for server gandalf.mittelerde.de: [10.2.33.5] TTL 1200
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://gandalf.mittelerde.de'
> > (Tue Apr 7 10:52:38 2015) [sssd[be[mittelerde.de]]] [write_pipe_handler] (0x0400): All data has been sent!
>
> Here we sent data to krb5_child
>
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [child_sig_handler] (0x0100): child [6410] finished successfully.
>
> Here the krb5_child process finished
>
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [read_pipe_handler] (0x0400): EOF received, client finished
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'gandalf.mittelerde.de' as 'working'
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [set_server_common_status] (0x0100): Marking server 'gandalf.mittelerde.de' as 'working'
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'gandalf.mittelerde.de' as 'working'
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Sending result [0][mittelerde.de]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Sent result [0][mittelerde.de]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_req_set_domain] (0x0400): Changing request domain from [mittelerde.de] to [mittelerde.de]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): domain: mittelerde.de
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): service: sddm
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): tty:
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): ruser:
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): rhost:
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): authtok type: 0
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): newauthtok type: 0
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): priv: 1
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): cli_pid: 6409
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): logon name: not set
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_access_send] (0x0400): Performing access check for user [frodo]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [frodo]
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=kate.mittelerde.de))][cn=accounts,dc=mittelerde,dc=de].
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de] using OpenLDAP deref
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de].
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_x_deref_parse_entry] (0x0400): Got deref control > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > control parsed > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: work-pc > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [ipa_hbac_service_info_next] (0x0400): Sending request for next search > base: [cn=hbac,dc=mittelerde,dc=de][2][(objectClass=ipaHBACService)] > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(objectClass=ipaHBACService)][cn=hbac,dc=mittelerde,dc=de]. > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next > search base: > [cn=hbac,dc=mittelerde,dc=de][2][(objectClass=ipaHBACServiceGroup)] > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=mittelerde,dc=de]. 
> > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [ipa_hbac_rule_info_next] (0x0400): Sending request for next search > base: > [cn=hbac,dc=mittelerde,dc=de][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=hostgroups,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=ng,cn=alt,dc=mittelerde,dc=de)))] > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=kate.mittelerde.de,cn=computers,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=hostgroups,cn=accounts,dc=mittelerde,dc=de)(memberHost=cn=work-pc,cn=ng,cn=alt,dc=mittelerde,dc=de)))][cn=hbac,dc=mittelerde,dc=de]. > > (Tue Apr 7 10:52:41 2015) [sssd[be[mittelerde.de]]] > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > errmsg set > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > -------------- next part -------------- A non-text attachment was scrubbed... 
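The timing Jakub reads off the sssd domain log quoted above (request handed to krb5_child, child finished three seconds later) can be pulled out mechanically. The script below is an added example, not code from the thread or from the sssd project; it assumes the default domain-log line format shown above and runs on a constructed, trimmed copy of that log.

```python
"""Time the phases of an sssd PAM request from the sssd domain log.

Added example (not from the thread or from sssd).  Parses lines like
    (Tue Apr  7 10:52:38 2015) [sssd[be[mittelerde.de]]] [func] (0x0100): msg
and reports, per PAM command, how long the backend took and how much of that
was the wait on krb5_child: write_pipe_handler ("All data has been sent!")
until child_sig_handler ("... finished successfully.").
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample: a trimmed copy of the log quoted in the thread, with the
# same timestamps, so the durations come out the way Jakub read them.
SAMPLE_LOG = """\
(Tue Apr  7 10:52:38 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr  7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Apr  7 10:52:38 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo
(Tue Apr  7 10:52:38 2015) [sssd[be[mittelerde.de]]] [write_pipe_handler] (0x0400): All data has been sent!
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [child_sig_handler] (0x0100): child [6410] finished successfully.
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler_callback] (0x0100): Sent result [0][mittelerde.de]
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [pam_print_data] (0x0100): user: frodo
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_access_send] (0x0400): Performing access check for user [frodo]
(Tue Apr  7 10:52:41 2015) [sssd[be[mittelerde.de]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
"""


def parse_line(line: str) -> Optional[dict]:
    """Return {"ts", "func", "msg"} for a log line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # wrapped continuation or inline commentary, not a log line
    # ctime()-style stamps pad the day ("Apr  7"); collapse the spaces first.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "func": m["func"], "msg": m["msg"]}


def _secs(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    return None if start is None or end is None else (end - start).total_seconds()


def time_pam_requests(log_text: str) -> List[Dict]:
    """Split the log into PAM requests ("command: ..." up to "Sent result ...")
    and time each; a request still open at end of log gets complete=False."""
    requests: List[Dict] = []
    cur: Optional[Dict] = None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        func, msg, ts = rec["func"], rec["msg"], rec["ts"]
        if func == "pam_print_data" and msg.startswith("command: "):
            cur = {"command": msg[len("command: "):], "user": None, "start": ts,
                   "end": None, "child_start": None, "child_end": None, "result": None}
            requests.append(cur)
        elif cur is None:
            continue  # noise before the first request
        elif func == "pam_print_data" and msg.startswith("user: "):
            cur["user"] = msg[len("user: "):]
        elif func == "write_pipe_handler" and "All data has been sent" in msg:
            cur["child_start"] = ts  # request handed to krb5_child
        elif func == "child_sig_handler" and "finished" in msg:
            cur["child_end"] = ts  # krb5_child exited
        elif func == "be_pam_handler_callback" and msg.startswith("Backend returned"):
            cur["result"] = msg
        elif func == "be_pam_handler_callback" and msg.startswith("Sent result"):
            cur["end"] = ts
            cur = None
    return [{"command": r["command"], "user": r["user"],
             "total_s": _secs(r["start"], r["end"]),
             "krb5_child_s": _secs(r["child_start"], r["child_end"]),
             "result": r["result"], "complete": r["end"] is not None}
            for r in requests]


def slow_requests(summaries: List[Dict], threshold_s: float = 1.0) -> List[str]:
    """One finding per completed request slower than threshold, saying where the time went."""
    findings = []
    for s in summaries:
        if s["total_s"] is None or s["total_s"] < threshold_s:
            continue
        child = s["krb5_child_s"]
        where = (f"{child:.0f}s of it inside krb5_child (kinit/ticket validation)"
                 if child is not None else "outside krb5_child")
        findings.append(f"{s['command']} for {s['user']}: {s['total_s']:.0f}s, {where}")
    return findings


if __name__ == "__main__":
    for finding in slow_requests(time_pam_requests(SAMPLE_LOG)):
        print(finding)
```

Run it against a real sssd_<domain>.log captured at debug_level 6 or higher; a large krb5_child share points at the KDC round trips, anything else at LDAP or provider work.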
Name: krb5_child.log
Type: text/x-log
Size: 19601 bytes
Desc: not available
URL:

From jhrozek at redhat.com Tue Apr 7 16:19:11 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 18:19:11 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <5523FE7D.50902@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de>
Message-ID: <20150407161911.GQ11481@hendrix.arn.redhat.com>

On Tue, Apr 07, 2015 at 05:57:49PM +0200, Martin (Lists) wrote:
> Hello
>
> attached you can find the data from krb_child.log. As far as I can see
> it, the three seconds are due to the communication with the kerberos
> server. (1.2.3.4 is my server).
>
> regards
> Martin

Yes. It looks like kinit takes two seconds and validation one second.

You might be interested in:
https://fedorahosted.org/sssd/ticket/1807

From simo at redhat.com Tue Apr 7 16:27:37 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Apr 2015 12:27:37 -0400
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <5523FE7D.50902@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de>
Message-ID: <1428424057.19641.149.camel@willson.usersys.redhat.com>

On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> Hello
>
> attached you can find the data from krb_child.log. As far as I can see
> it, the three seconds are due to the communication with the kerberos
> server. (1.2.3.4 is my server).

Do you experience the same latency if you kinit manually ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From APtashnik at cccis.com Tue Apr 7 17:56:22 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Tue, 7 Apr 2015 17:56:22 +0000
Subject: [Freeipa-users] Two way trust vs one way trust and IPA features
Message-ID: <7E2F4B60-647B-454E-A612-55E153A8A644@cccis.com>

Hello,

I'm wondering if establishing two way trust or one way trust in upcoming 4.2 release somehow is going to affect FreeIPA feature set, like ability to add windows groups to external groups or anything else I may not think of right now?

Our Windows security team is expressing concerns about two way trust and we are planning to switch to one way when it becomes available. I'm trying to find out what could be affected.

Regards,
Andrey

From danofsatx at gmail.com Tue Apr 7 18:15:46 2015
From: danofsatx at gmail.com (Dan Mossor)
Date: Tue, 07 Apr 2015 13:15:46 -0500
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <20150407080523.GC26979@hendrix.arn.redhat.com>
References: <5520B5BB.4000307@fedoraproject.org> <5521762A.7040600@redhat.com> <55232C7A.8050805@fedoraproject.org> <20150407080523.GC26979@hendrix.arn.redhat.com>
Message-ID: <55241ED2.5030901@fedoraproject.org>

On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
>> On 04/05/2015 12:51 PM, Dmitri Pal wrote:
>>> Several tips.
>>> Please check your DNS configuration.
>>> Such delay is usually caused by the DNS lookups timing out. That means
>>> that the servers are probably trying to resolve names against an old DNS
>>> server that is not around. Look at resolve.conf and make sure only valid
>>> DNS servers are there and they are in the proper order.
>>>
>>> If this does not help please turn on SSSD debug_level to 10, sanitize
>>> and send the SSSD domain logs and sssd.conf to the list.
>>> More hints can be found here:
>>> https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>
>> DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
>> reverse lookups on the IPA server, the target server, and the client. The
>> only DNS server configured is the IPA server.
>>
>> I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
>> didn't have time to compare if any different information was caught. If you
>> still need me to specify log level 10 or some other setting, let me know.
>> The login that these logs are for took 15.371 seconds (checked via 'time ssh
>> danofsatx@yoda.example.lcl exit').
>>
>> selinux_child.log: http://fpaste.org/207805/
>> sssd_sudo.log: http://fpaste.org/207806/
>> sssd_pac.log: http://fpaste.org/207807/
>> sssd_pam.log: http://fpaste.org/207808/67775142/
>> sssd_nss.log: http://fpaste.org/207809/
>> sssd.log: http://fpaste.org/207810/
>> sssd_example.lcl.log: http://fpaste.org/207811/36832514/
>
> We've recently found a performance problem in the SELinux code. Can you
> check if setting:
> selinux_provider = none
> improves the performance anyhow?
>

Adding "selinux_provider = none" to the domain section of /etc/sssd/sssd.conf seems to have drastically improved ssh logins. The Apache authentications are faster, but we're still hitting a performance issue somewhere in that chain. It may be with Apache itself, so stand by...but otherwise, I'm calling this fixed.

Thanks!
--
Dan Mossor
Systems Engineer at Large
Fedora KDE WG | Fedora QA Team | Fedora Server SIG
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA

From abokovoy at redhat.com Tue Apr 7 18:25:11 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Apr 2015 21:25:11 +0300
Subject: [Freeipa-users] Two way trust vs one way trust and IPA features
In-Reply-To: <7E2F4B60-647B-454E-A612-55E153A8A644@cccis.com>
References: <7E2F4B60-647B-454E-A612-55E153A8A644@cccis.com>
Message-ID: <20150407182511.GG4899@redhat.com>

On Tue, 07 Apr 2015, Andrey Ptashnik wrote:
>Hello,
>
>I'm wondering if establishing two way trust or one way trust in
>upcoming 4.2 release somehow is going to affect FreeIPA feature set,
>like ability to add windows groups to external groups or anything else
>I may not think of right now?
No, it should not affect existing feature set. There will be some
tightening of access controls for how administrative tasks would be done
to some degree but they already required admin privileges anyway so it
is not a change in functionality.

>Our Windows security team is expressing concerns about two way trust
>and we are planning to switch to one way when it becomes available. I'm
>trying to find out what could be affected.
Nothing really changes between current use of two-way trust and a future
one-way trust in a sense of what is already available to IPA side to
look up on AD side.

--
/ Alexander Bokovoy

From coy.hile at coyhile.com Tue Apr 7 18:54:14 2015
From: coy.hile at coyhile.com (Coy Hile)
Date: Tue, 07 Apr 2015 18:54:14 +0000
Subject: [Freeipa-users] Creating arbitrary users?
In-Reply-To: <1428416533.19641.148.camel@willson.usersys.redhat.com>
References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> <1428416533.19641.148.camel@willson.usersys.redhat.com>
Message-ID: <20150407185414.Horde.P29_LKvOz6ucEuodOPZucA3@webmail01.coyhile.com>

Quoting Simo Sorce :

>>
>>
>> I guess that makes sense.
>> Is it possible to add a user that simply
>> doesn't have the posix attributes defined? In the particular case of
>> */admin, I would expect that user to login to the ipa ui or to be
>> kinit'd to prior to running ipa administrative commands, but I should
>> hope that it should never login directly.
>>
>> Does that question make more sense?
>
> It does, but we do not have such a feature, sorry.
>
> Simo.
>

Could one hypothetically remove the posix attributes (via some scripted process that validates that what it's doing is in line with organizational norms/goals) without breaking freeIPA, or are the posix attributes MUST in the IPA object classes? I'm sorry for so many endless questions, but having finally got my personal setup/lab using something other than Active Directory, I'm looking to migrate to something that is easier to manage, so I'm trying to draw comparisons between what I had been used to in previous vanilla krb/ldap shops.

Thanks,
-c

--
Coy Hile
coy.hile at coyhile.com

From simo at redhat.com Tue Apr 7 18:58:20 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 07 Apr 2015 14:58:20 -0400
Subject: [Freeipa-users] Creating arbitrary users?
In-Reply-To: <20150407185414.Horde.P29_LKvOz6ucEuodOPZucA3@webmail01.coyhile.com>
References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> <1428416533.19641.148.camel@willson.usersys.redhat.com> <20150407185414.Horde.P29_LKvOz6ucEuodOPZucA3@webmail01.coyhile.com>
Message-ID: <1428433100.19641.156.camel@willson.usersys.redhat.com>

On Tue, 2015-04-07 at 18:54 +0000, Coy Hile wrote:
> Quoting Simo Sorce :
>
> >>
> >>
> >> I guess that makes sense. Is it possible to add a user that simply
> >> doesn't have the posix attributes defined? In the particular case of
> >> */admin, I would expect that user to login to the ipa ui or to be
> >> kinit'd to prior to running ipa administrative commands, but I should
> >> hope that it should never login directly.
> >>
> >> Does that question make more sense?
> >
> > It does, but we do not have such a feature, sorry.
> >
> > Simo.
> >
>
> Could one hypothetically remove the posix attributes (via some scripted
> process that validates that what it's doing is in line with organizational
> norms/goals) without breaking freeIPA, or are the posix attributes MUST in
> the IPA object classes? I'm sorry for so many endless questions, but having
> finally got my personal setup/lab using something other than Active Directory,
> I'm looking to migrate to something that is easier to manage, so I'm trying to
> draw comparisons between what I had been used to in previous vanilla krb/ldap
> shops.

Removing attributes will probably not work well, but let me ask:
Do you require different passwords for these principals ?
Or do you merely want to have the alternative names but would be ok if the credentials were identical ?

Because you could (manually for now) add aliases so that hile@ hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical name but you can use aliases too (just make sure not to request canonicalization at kinit time).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jhrozek at redhat.com Tue Apr 7 19:01:03 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 7 Apr 2015 21:01:03 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <55241ED2.5030901@fedoraproject.org>
References: <5520B5BB.4000307@fedoraproject.org> <5521762A.7040600@redhat.com> <55232C7A.8050805@fedoraproject.org> <20150407080523.GC26979@hendrix.arn.redhat.com> <55241ED2.5030901@fedoraproject.org>
Message-ID: <20150407190103.GC6511@Jakubs-MacBook-Pro.local>

On Tue, Apr 07, 2015 at 01:15:46PM -0500, Dan Mossor wrote:
> On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> >On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> >>On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >>>Several tips.
> >>>Please check your DNS configuration.
> >>>Such delay is usually caused by the DNS lookups timing out. That means
> >>>that the servers are probably trying to resolve names against an old DNS
> >>>server that is not around. Look at resolve.conf and make sure only valid
> >>>DNS servers are there and they are in the proper order.
> >>>
> >>>If this does not help please turn on SSSD debug_level to 10, sanitize
> >>>and send the SSSD domain logs and sssd.conf to the list.
> >>>More hints can be found here:
> >>>https://fedorahosted.org/sssd/wiki/Troubleshooting
> >>>
> >>DNS lookups are good - 'dig' and 'dig -x' return instantaneous forward and
> >>reverse lookups on the IPA server, the target server, and the client. The
> >>only DNS server configured is the IPA server.
> >>
> >>I did catch some sssd logs. I set logging to 0x0450 instead of 10, and I
> >>didn't have time to compare if any different information was caught. If you
> >>still need me to specify log level 10 or some other setting, let me know.
> >>The login that these logs are for took 15.371 seconds (checked via 'time ssh
> >>danofsatx@yoda.example.lcl exit').
> >>
> >>selinux_child.log: http://fpaste.org/207805/
> >>sssd_sudo.log: http://fpaste.org/207806/
> >>sssd_pac.log: http://fpaste.org/207807/
> >>sssd_pam.log: http://fpaste.org/207808/67775142/
> >>sssd_nss.log: http://fpaste.org/207809/
> >>sssd.log: http://fpaste.org/207810/
> >>sssd_example.lcl.log: http://fpaste.org/207811/36832514/
> >
> >We've recently found a performance problem in the SELinux code. Can you
> >check if setting:
> > selinux_provider = none
> >improves the performance anyhow?
> >
>
> Adding "selinux_provider = none" to the domain section of
> /etc/sssd/sssd.conf seems to have drastically improved ssh logins. The
> Apache authentications are faster, but we're still hitting a performance
> issue somewhere in that chain. It may be with Apache itself, so stand
> by...but otherwise, I'm calling this fixed.

Not fixed, merely worked around.

>
> Thanks!
Thank you for confirming the problem and the workaround. I do have a WIP
patch, I "just" need to finish testing it.

From natxo.asenjo at gmail.com Tue Apr 7 19:04:39 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Tue, 7 Apr 2015 21:04:39 +0200
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <551EA6A9.6090104@redhat.com>
References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com> <551EA6A9.6090104@redhat.com>
Message-ID:

hi,

On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal wrote:

> On 04/03/2015 09:46 AM, Brian Topping wrote:
>
> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>
> hi All,
>
> I have CentOS 6.6 server and want to upgrade to 7.1.
>
> What is the upgrade path, can I do it directly or first I need to make it to 3.3?
> Also is there any known issue I should expect with workarounds?
>
> I just did this yesterday, so here's my experience. If you have a simple single-server installation with no custom LDAP DIT modifications, you should find "yum upgrade" does the right thing.
>
> If you do have DIT mods, you should ask yourself why they are there and whether the data will still be accessible after the ACLs are changed. In my case, I had Postfix using a LDAP hash and mail delivery stopped working (although the domain data was still there just fine).
>
> Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are replicated. To be safe, back up all replicas (snapshot or whatnot) before the first upgrade and if you decide to restore any of them, be sure everything is shut down and restore all of them to avoid 4.x schema contaminating 3.0 as they come up.
>
>
> The general recommendation for 3.3 -> 4.1 migration is to start
> introducing 4.1 replicas into your 3.3 environment and then turn your 3.3
> replicas off. Do not forget to install the CA component with one of your
> 4.1 replicas before removing all the 3.3 instances with CAs.
> With this
> procedure you would also need to move the CRL generation and cert tracking.
>
> See details in migration section
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>

Will this excellent documentation work too on the migration from 3.0x (rhel 6) to 4.1.x (rhel 7.1)? I will be migrating the coming months to 7.1 or 7.2 (whichever is the current stable then), so just wondering.

Thanks!

--
Regards,
natxo

From Joshua.Gould at osumc.edu Tue Apr 7 20:17:30 2015
From: Joshua.Gould at osumc.edu (Gould, Joshua)
Date: Tue, 7 Apr 2015 16:17:30 -0400
Subject: [Freeipa-users] Troubleshooting SSO
In-Reply-To:
References: <20150330150829.GR4696@redhat.com> <5519723D.5060704@redhat.com> <551A3725.10602@redhat.com> <20150331073047.GG8895@p.redhat.com> <20150331144049.GM8895@p.redhat.com> <20150404135709.GF29385@p.redhat.com>
Message-ID:

On 4/6/15, 2:26 PM, "Gould, Joshua" wrote:

On 4/4/15, 9:57 AM, "Sumit Bose" wrote:

Really strange but SSO is working from the test Windows box to both the IPA server and client. No changes were made other than I added the linux client to the IPA domain. (It was with ipa-client-install, it auto-discovered the values, which I used and I enrolled it with the admin ad-user).

Note: ssh connection from Windows test machine to IPA client and IPA server used the exact same saved putty config other than changing the hostname.

SSO from Windows to our two IPA clients seems to work intermittently today. (no config changes on either end)

In both cases, the first attempt to connect via Putty/SSO failed but sign-in with a password worked. We then disconnected the ssh session and immediately tried SSO via SSH to the same client and SSO worked. We were able to replicate this for both clients.
SSH output from the failed SSO logins: (Sorry but the kvno and other command were not captured)

To Test Client01:

-sh-4.2$ export KRB5_TRACE=/dev/stdout
-sh-4.2$ kinit ad-user@TEST.OSUWMC
[23557] 1428416095.525107: Getting initial credentials for ad-user@TEST.OSUWMC
[23557] 1428416095.527977: Sending request (170 bytes) to TEST.OSUWMC
[23557] 1428416095.529496: Resolving hostname test-dc-vt01.test.osuwmc.
[23557] 1428416095.530694: Sending initial UDP request to dgram 10.0.0.239:88
[23557] 1428416095.531745: Received answer (187 bytes) from dgram 10.0.0.239:88
[23557] 1428416095.531978: Response was not from master KDC
[23557] 1428416095.532006: Received error from KDC: -1765328359/Additional pre-authentication required
[23557] 1428416095.532039: Processing preauth types: 16, 15, 19, 2
[23557] 1428416095.532053: Selected etype info: etype aes256-cts, salt "TEST.OSUWMCad-user", params ""
[23557] 1428416095.532094: PKINIT client has no configured identity; giving up
[23557] 1428416095.532111: PKINIT client has no configured identity; giving up
[23557] 1428416095.532122: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[23557] 1428416095.532132: PKINIT client has no configured identity; giving up
[23557] 1428416095.532139: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for ad-user@TEST.OSUWMC:
[23557] 1428416098.700510: AS key obtained for encrypted timestamp: aes256-cts/BA80
[23557] 1428416098.700574: Encrypted timestamp (for 1428416098.622522): plain 301AA011180F32303135303430373134313435385AA1050203097FBA, encrypted DDE7C80B8F1F1B5877E7E05764895E024E65D83CA6BFB633E4281384E03D60F27AB6A6EDF68C161720933FD481FF881BE203238F816D4393
[23557] 1428416098.700600: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[23557] 1428416098.700605: Produced preauth for next request: 2
[23557] 1428416098.700626: Sending request (248 bytes) to TEST.OSUWMC
[23557] 1428416098.701350: Resolving hostname test-dc-vt01.test.osuwmc.
[23557] 1428416098.701661: Sending initial UDP request to dgram 10.0.0.239:88
[23557] 1428416098.703161: Received answer (94 bytes) from dgram 10.0.0.239:88
[23557] 1428416098.703374: Response was not from master KDC
[23557] 1428416098.703397: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[23557] 1428416098.703403: Request or response is too big for UDP; retrying with TCP
[23557] 1428416098.703408: Sending request (248 bytes) to TEST.OSUWMC (tcp only)
[23557] 1428416098.703735: Resolving hostname test-dc-vt01.test.osuwmc.
[23557] 1428416098.704667: Initiating TCP connection to stream 10.0.0.239:88
[23557] 1428416098.705090: Sending TCP request to stream 10.0.0.239:88
[23557] 1428416098.706260: Received answer (1649 bytes) from stream 10.0.0.239:88
[23557] 1428416098.706268: Terminating TCP connection to stream 10.0.0.239:88
[23557] 1428416098.706486: Response was not from master KDC
[23557] 1428416098.706522: Processing preauth types: 19
[23557] 1428416098.706530: Selected etype info: etype aes256-cts, salt "TEST.OSUWMCad-user", params ""
[23557] 1428416098.706538: Produced preauth for next request: (empty)
[23557] 1428416098.706546: AS key determined by preauth: aes256-cts/BA80
[23557] 1428416098.706600: Decrypted AS reply; session key is: aes256-cts/21BF
[23557] 1428416098.706605: FAST negotiation: unavailable
[23557] 1428416098.706629: Initializing KEYRING:persistent:2398410:krb_ccache_v8K2ML2 with default princ ad-user@TEST.OSUWMC
[23557] 1428416098.706675: Removing ad-user@TEST.OSUWMC -> krbtgt/TEST.OSUWMC@TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23557] 1428416098.706683: Storing ad-user@TEST.OSUWMC -> krbtgt/TEST.OSUWMC@TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23557] 1428416098.706754: Storing config in KEYRING:persistent:2398410:krb_ccache_v8K2ML2 for krbtgt/TEST.OSUWMC@TEST.OSUWMC: pa_type: 2
[23557] 1428416098.706771: Removing ad-user@TEST.OSUWMC -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.OSUWMC\@TEST.OSUWMC@X-CACHECONF: from KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23557] 1428416098.706778: Storing ad-user@TEST.OSUWMC -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.OSUWMC\@TEST.OSUWMC@X-CACHECONF: in KEYRING:persistent:2398410:krb_ccache_v8K2ML2
-sh-4.2$ kvno host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC
[23558] 1428416110.253431: Getting credentials ad-user@TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC using ccache KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23558] 1428416110.253762: Retrieving ad-user@TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2 with result: -1765328243/Matching credential not found
[23558] 1428416110.253818: Retrieving ad-user@TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC@UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2 with result: -1765328243/Matching credential not found
[23558] 1428416110.253884: Retrieving ad-user@TEST.OSUWMC -> krbtgt/TEST.OSUWMC@TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2 with result: 0/Success
[23558] 1428416110.253893: Starting with TGT for client realm: ad-user@TEST.OSUWMC -> krbtgt/TEST.OSUWMC@TEST.OSUWMC
[23558] 1428416110.253938: Retrieving ad-user@TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC@UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2 with result: -1765328243/Matching credential not found
[23558] 1428416110.253950: Requesting TGT krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC using TGT krbtgt/TEST.OSUWMC@TEST.OSUWMC
[23558] 1428416110.253993: Generated subkey for TGS request: aes256-cts/254A
[23558] 1428416110.254042: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[23558] 1428416110.254198: Encoding request body and padata into FAST request
[23558] 1428416110.254278: Sending request (1847 bytes) to TEST.OSUWMC
[23558] 1428416110.255292: Resolving hostname test-dc-vt01.test.osuwmc.
[23558] 1428416110.255979: Sending initial UDP request to dgram 10.0.0.239:88
[23558] 1428416110.257177: Received answer (99 bytes) from dgram 10.0.0.239:88
[23558] 1428416110.257431: Response was not from master KDC
[23558] 1428416110.257454: Request or response is too big for UDP; retrying with TCP
[23558] 1428416110.257460: Sending request (1847 bytes) to TEST.OSUWMC (tcp only)
[23558] 1428416110.257728: Resolving hostname test-dc-vt02.test.osuwmc.
[23558] 1428416110.258043: Initiating TCP connection to stream 10.0.0.240:88
[23558] 1428416110.258388: Sending TCP request to stream 10.0.0.240:88
[23558] 1428416110.259470: Received answer (1581 bytes) from stream 10.0.0.240:88
[23558] 1428416110.259479: Terminating TCP connection to stream 10.0.0.240:88
[23558] 1428416110.259733: Response was not from master KDC
[23558] 1428416110.259763: Decoding FAST response
[23558] 1428416110.259866: TGS reply is for ad-user@TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC with session key aes256-cts/B18C
[23558] 1428416110.259892: TGS request result: 0/Success
[23558] 1428416110.259902: Removing ad-user@TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23558] 1428416110.259909: Storing ad-user@TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23558] 1428416110.259993: Received TGT for service realm: krbtgt/UNIX.TEST.OSUWMC@TEST.OSUWMC
[23558] 1428416110.260000: Requesting tickets for host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC, referrals on
[23558] 1428416110.260017: Generated subkey for TGS request: aes256-cts/7B9B
[23558] 1428416110.260048: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[23558] 1428416110.260112: Encoding request body and padata into FAST request
[23558] 1428416110.260175: Sending request (1883 bytes) to UNIX.TEST.OSUWMC (tcp only)
[23558] 1428416110.260222: Initiating TCP connection to stream 10.127.26.73:88
[23558] 1428416110.260275: Sending TCP request to stream 10.127.26.73:88
[23558] 1428416110.270716: Received answer (1837 bytes) from stream 10.127.26.73:88
[23558] 1428416110.270731: Terminating TCP connection to stream 10.127.26.73:88
[23558] 1428416110.270787: Response was from master KDC
[23558] 1428416110.270802: Decoding FAST response
[23558] 1428416110.270883: FAST reply key: aes256-cts/84BD
[23558] 1428416110.270917: TGS reply is for ad-user@TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC with session key aes256-cts/52FE
[23558] 1428416110.270938: TGS request result: 0/Success
[23558] 1428416110.270943: Received creds for desired service host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC
[23558] 1428416110.270951: Removing ad-user@TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_v8K2ML2
[23558] 1428416110.270958: Storing ad-user@TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_v8K2ML2
host/ipa-vp01.unix.test.osuwmc@UNIX.TEST.OSUWMC: kvno = 2
-sh-4.2$ ssh -v -l ad-user@test.osuwmc ipa-vp01.unix.test.osuwmc
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ipa-vp01.unix.test.osuwmc
debug1: SELinux support enabled
debug1: permanently_drop_suid: 2398410
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_rsa type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_rsa-cert type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_dsa type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_dsa-cert type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ecdsa type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ed25519 type -1
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA a2:57:a3:0f:09:87:d3:de:d5:9f:34:30:55:7b:2b:2f
The authenticity of host 'ipa-vp01.unix.test.osuwmc ()' can't be established.
ECDSA key fingerprint is a2:57:a3:0f:09:87:d3:de:d5:9f:34:30:55:7b:2b:2f.
Are you sure you want to continue connecting (yes/no)? Host key verification failed.
-sh-4.2$

To Test Client 02:

-sh-4.2$ export KRB5_TRACE=/dev/stdout
-sh-4.2$ kinit ad-user@TEST.OSUWMC
[18737] 1428416089.475861: Getting initial credentials for ad-user@TEST.OSUWMC
[18737] 1428416089.476283: Sending request (170 bytes) to TEST.OSUWMC
[18737] 1428416089.478142: Resolving hostname test-dc-vt01.test.osuwmc.
[18737] 1428416089.479506: Sending initial UDP request to dgram 10.0.0.239:88
[18737] 1428416089.481046: Received answer (187 bytes) from dgram 10.0.0.239:88
[18737] 1428416089.481416: Response was not from master KDC
[18737] 1428416089.481449: Received error from KDC: -1765328359/Additional pre-authentication required
[18737] 1428416089.481502: Processing preauth types: 16, 15, 19, 2
[18737] 1428416089.481520: Selected etype info: etype aes256-cts, salt "TEST.OSUWMCad-user", params ""
Password for ad-user@TEST.OSUWMC:
[18737] 1428416093.323345: AS key obtained for encrypted timestamp: aes256-cts/BA80
[18737] 1428416093.323414: Encrypted timestamp (for 1428416093.258716): plain 301AA011180F32303135303430373134313435335AA105020303F29C, encrypted 87E3A643A6E79049617EB83F143B6EA7A4D81E938FD9F1554BF168FB217D46A4D622D47E6CD5A18F82835113BA3109900EACBBDEAEAE023E
[18737] 1428416093.323443: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[18737] 1428416093.323448: Produced preauth for next request: 2
[18737] 1428416093.323569: Sending request (248 bytes) to TEST.OSUWMC
[18737] 1428416093.324696: Resolving hostname test-dc-vt02.test.osuwmc.
[18737] 1428416093.325245: Sending initial UDP request to dgram 10.0.0.240:88
[18737] 1428416093.328637: Received answer (94 bytes) from dgram 10.0.0.240:88
[18737] 1428416093.328999: Response was not from master KDC
[18737] 1428416093.329024: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[18737] 1428416093.329030: Request or response is too big for UDP; retrying with TCP
[18737] 1428416093.329035: Sending request (248 bytes) to TEST.OSUWMC (tcp only)
[18737] 1428416093.329431: Resolving hostname test-dc-vt02.test.osuwmc.
[18737] 1428416093.330588: Initiating TCP connection to stream 10.0.0.240:88 [18737] 1428416093.331004: Sending TCP request to stream 10.0.0.240:88 [18737] 1428416093.332070: Received answer (1649 bytes) from stream 10.0.0.240:88 [18737] 1428416093.332079: Terminating TCP connection to stream 10.0.0.240:88 [18737] 1428416093.332468: Response was not from master KDC [18737] 1428416093.332523: Processing preauth types: 19 [18737] 1428416093.332532: Selected etype info: etype aes256-cts, salt "TEST.OSUWMCad-user", params "" [18737] 1428416093.332539: Produced preauth for next request: (empty) [18737] 1428416093.332548: AS key determined by preauth: aes256-cts/BA80 [18737] 1428416093.332601: Decrypted AS reply; session key is: aes256-cts/82EC [18737] 1428416093.332605: FAST negotiation: unavailable [18737] 1428416093.332630: Initializing KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with default princ ad-user at TEST.OSUWMC [18737] 1428416093.332683: Removing ad-user at TEST.OSUWMC -> krbtgt/TEST.OSUWMC at TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18737] 1428416093.332692: Storing ad-user at TEST.OSUWMC -> krbtgt/TEST.OSUWMC at TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18737] 1428416093.332764: Storing config in KEYRING:persistent:2398410:krb_ccache_6FRGCV2 for krbtgt/TEST.OSUWMC at TEST.OSUWMC: pa_type: 2 [18737] 1428416093.332782: Removing ad-user at TEST.OSUWMC -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.OSUWMC\@TEST.OSUWMC at X-CACHECONF: from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18737] 1428416093.332790: Storing ad-user at TEST.OSUWMC -> krb5_ccache_conf_data/pa_type/krbtgt\/TEST.OSUWMC\@TEST.OSUWMC at X-CACHECONF: in KEYRING:persistent:2398410:krb_ccache_6FRGCV2 -sh-4.2$ kvno host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18738] 1428416107.49615: Getting credentials ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC using ccache KEYRING:persistent:2398410:krb_ccache_6FRGCV2 
[18738] 1428416107.49815: Retrieving ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: -1765328243/Matching credential not found [18738] 1428416107.49865: Retrieving ad-user at TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC at UNIX.TEST.OSUWMCfrom KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: -1765328243/Matching credential not found [18738] 1428416107.49928: Retrieving ad-user at TEST.OSUWMC -> krbtgt/TEST.OSUWMC at TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: 0/Success [18738] 1428416107.49937: Starting with TGT for client realm: ad-user at TEST.OSUWMC -> krbtgt/TEST.OSUWMC at TEST.OSUWMC [18738] 1428416107.49977: Retrieving ad-user at TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC at UNIX.TEST.OSUWMCfrom KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: -1765328243/Matching credential not found [18738] 1428416107.49985: Requesting TGT krbtgt/UNIX.TEST.OSUWMC at TEST.OSUWMC using TGT krbtgt/TEST.OSUWMC at TEST.OSUWMC [18738] 1428416107.50025: Generated subkey for TGS request: aes256-cts/F437 [18738] 1428416107.50074: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [18738] 1428416107.50201: Encoding request body and padata into FAST request [18738] 1428416107.50272: Sending request (1847 bytes) to TEST.OSUWMC [18738] 1428416107.51530: Resolving hostname test-dc-vt01.test.osuwmc. [18738] 1428416107.52259: Sending initial UDP request to dgram 10.0.0.239:88 [18738] 1428416107.53561: Received answer (99 bytes) from dgram 10.0.0.239:88 [18738] 1428416107.53964: Response was not from master KDC [18738] 1428416107.53985: Request or response is too big for UDP; retrying with TCP [18738] 1428416107.53990: Sending request (1847 bytes) to TEST.OSUWMC (tcp only) [18738] 1428416107.54364: Resolving hostname test-dc-vt01.test.osuwmc. 
[18738] 1428416107.54756: Initiating TCP connection to stream 10.0.0.239:88 [18738] 1428416107.55031: Sending TCP request to stream 10.0.0.239:88 [18738] 1428416107.56052: Received answer (1581 bytes) from stream 10.0.0.239:88 [18738] 1428416107.56063: Terminating TCP connection to stream 10.0.0.239:88 [18738] 1428416107.56436: Response was not from master KDC [18738] 1428416107.56495: Decoding FAST response [18738] 1428416107.56567: TGS reply is for ad-user at TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC at TEST.OSUWMCwith session key aes256-cts/7E5C [18738] 1428416107.56589: TGS request result: 0/Success [18738] 1428416107.56598: Removing ad-user at TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC at TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18738] 1428416107.56605: Storing ad-user at TEST.OSUWMC -> krbtgt/UNIX.TEST.OSUWMC at TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18738] 1428416107.56680: Received TGT for service realm: krbtgt/UNIX.TEST.OSUWMC at TEST.OSUWMC [18738] 1428416107.56687: Requesting tickets for host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC, referrals on [18738] 1428416107.56702: Generated subkey for TGS request: aes256-cts/5751 [18738] 1428416107.56734: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [18738] 1428416107.56787: Encoding request body and padata into FAST request [18738] 1428416107.56845: Sending request (1883 bytes) to UNIX.TEST.OSUWMC (tcp only) [18738] 1428416107.56892: Initiating TCP connection to stream 10.127.26.73:88 [18738] 1428416107.57108: Sending TCP request to stream 10.127.26.73:88 [18738] 1428416107.72793: Received answer (1837 bytes) from stream 10.127.26.73:88 [18738] 1428416107.72806: Terminating TCP connection to stream 10.127.26.73:88 [18738] 1428416107.72874: Response was from master KDC [18738] 1428416107.72892: Decoding FAST response [18738] 1428416107.73008: FAST reply key: aes256-cts/24D0 [18738] 1428416107.73047: 
TGS reply is for ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC with session key aes256-cts/7A6C [18738] 1428416107.73071: TGS request result: 0/Success [18738] 1428416107.73075: Received creds for desired service host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18738] 1428416107.73083: Removing ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18738] 1428416107.73090: Storing ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC in KEYRING:persistent:2398410:krb_ccache_6FRGCV2 host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC: kvno = 2 -sh-4.2$ ssh -v -l ad-user at test.osuwmc ipa-vp01.unix.test.osuwmc OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 56: Applying options for * debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ipa-vp01.unix.test.osuwmc debug1: SELinux support enabled Could not create directory '/home/test.osuwmc/ad-user/.ssh'. 
debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_rsa type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_rsa-cert type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_dsa type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_dsa-cert type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ecdsa type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ed25519 type -1 debug1: identity file /home/test.osuwmc/ad-user/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: permanently_drop_suid: 2398410 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA a2:57:a3:0f:09:87:d3:de:d5:9f:34:30:55:7b:2b:2f debug1: Host 'ipa-vp01.unix.test.osuwmc' is known and matches the ECDSA host key. 
debug1: Found key in /var/lib/sss/pubconf/known_hosts:1 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic [18739] 1428416121.60316: Convert service host (service with host as instance) on host ipa-vp01.unix.test.osuwmc to principal [18739] 1428416121.63528: Remote host after forward canonicalization: ipa-vp01.unix.test.osuwmc [18739] 1428416121.63576: Remote host after reverse DNS processing: ipa-vp01.unix.test.osuwmc [18739] 1428416121.63615: Got service principal host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18739] 1428416121.64537: ccselect can't find appropriate cache for server principal host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18739] 1428416121.64660: Getting credentials ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC using ccache KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18739] 1428416121.64760: Retrieving ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: 0/Success [18739] 1428416121.64860: Creating authenticator for ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC, seqnum 357380851, subkey aes256-cts/C722, session key aes256-cts/7A6C [18739] 1428416121.68510: Convert service host (service with host as instance) on host ipa-vp01.unix.test.osuwmc to principal [18739] 1428416121.69117: Remote host after forward canonicalization: ipa-vp01.unix.test.osuwmc [18739] 1428416121.69131: Remote host after reverse DNS processing: ipa-vp01.unix.test.osuwmc [18739] 
1428416121.69144: Got service principal host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18739] 1428416121.69854: ccselect can't find appropriate cache for server principal host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18739] 1428416121.69921: Getting credentials ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC using ccache KEYRING:persistent:2398410:krb_ccache_6FRGCV2 [18739] 1428416121.69983: Retrieving ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC from KEYRING:persistent:2398410:krb_ccache_6FRGCV2 with result: 0/Success [18739] 1428416121.70043: Creating authenticator for ad-user at TEST.OSUWMC -> host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC, seqnum 103136204, subkey aes256-cts/1442, session key aes256-cts/7A6C [18739] 1428416123.217669: Convert service host (service with host as instance) on host ipa-vp01.unix.test.osuwmc to principal [18739] 1428416123.218358: Remote host after forward canonicalization: ipa-vp01.unix.test.osuwmc [18739] 1428416123.218373: Remote host after reverse DNS processing: ipa-vp01.unix.test.osuwmc [18739] 1428416123.218392: Got service principal host/ipa-vp01.unix.test.osuwmc at UNIX.TEST.OSUWMC [18739] 1428416123.218509: Read AP-REP, time 1428416121.70050, subkey aes256-cts/519A, seqnum 855383497 debug1: Authentication succeeded (gssapi-with-mic). Authenticated to ipa-vp01.unix.test.osuwmc (via proxy). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: Sending environment. 
debug1: Sending env LANG = en_US.UTF-8 Last login: Tue Apr 7 10:14:30 2015 from 10.0.5 -sh-4.2$
From dpal at redhat.com Tue Apr 7 21:29:28 2015 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 07 Apr 2015 17:29:28 -0400 Subject: [Freeipa-users] upgrade 3.0 -> 4.1 In-Reply-To: References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com> <551EA6A9.6090104@redhat.com> Message-ID: <55244C38.3090601@redhat.com> On 04/07/2015 03:04 PM, Natxo Asenjo wrote: > hi, > > On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal > wrote: > > On 04/03/2015 09:46 AM, Brian Topping wrote: >>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote: >>> >>> hi All, >>> >>> I have a CentOS 6.6 server and want to upgrade to 7.1. >>> >>> What is the upgrade path, can I do it directly or do I first need to make it to 3.3? >>> Also is there any known issue I should expect with workarounds? >> I just did this yesterday, so here's my experience. If you have a simple single-server installation with no custom LDAP DIT modifications, you should find "yum upgrade" does the right thing. >> >> If you do have DIT mods, you should ask yourself why they are there and whether the data will still be accessible after the ACLs are changed. In my case, I had Postfix using a LDAP hash and mail delivery stopped working (although the domain data was still there just fine). >> >> Note that the ACLs will propagate from the 4.1 server to your 3.0 if they are replicated. To be safe, back up all replicas (snapshot or whatnot) before the first upgrade and if you decide to restore any of them, be sure everything is shut down and restore all of them to avoid 4.x schema contaminating 3.0 as they come up. > > > The general recommendation for 3.3 -> 4.1 migration is to start > introducing 4.1 replicas into your 3.3 environment and then turn > your 3.3 replicas off. Do not forget to install the CA component > with one of your 4.1 replicas before removing all the 3.3 > instances with CAs.
With this procedure you would also need to > move the CRL generation and cert tracking. > > See details in migration section > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc > > > Will this excellent documentation work too on the migration from 3.0x > (rhel 6) to 4.1.x (rhel 7.1)? > > I will be migrating the coming months to 7.1 or 7.2 (whichever is the > current stable then), so just wondering. Yes, though it is recommended to get to the latest 6.x first before you start introducing 7.x replicas. > > Thanks! > > -- > Regards, > natxo > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
From dpal at redhat.com Tue Apr 7 21:40:04 2015 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 07 Apr 2015 17:40:04 -0400 Subject: [Freeipa-users] Creating arbitrary users? In-Reply-To: <1428416533.19641.148.camel@willson.usersys.redhat.com> References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> <1428416533.19641.148.camel@willson.usersys.redhat.com> Message-ID: <55244EB4.8080300@redhat.com> On 04/07/2015 10:22 AM, Simo Sorce wrote: > On Tue, 2015-04-07 at 14:16 +0000, coy.hile at coyhile.com wrote: >> Quoting Simo Sorce >> >>> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote: >>>> In MIT land, one can potentially have multiple instances tied (by >>>> convention) to a given user (that is, that administratively one knows >>>> are the same set of eyeballs). For example, I might have my normal >>>> user (hile), and I might have another distinct MIT principal >>>> hile/admin used when I'm doing administrative work in the kerb >>>> database, or potentially yet another hile/vpn for remote access. Only >>>> the first of these is a "real"
user that needs to have a uid, gid, >>>> home directory, and shell; the others are just Kerberos principals >>>> that might have differing password policies applied to them. In >>>> FreeIPA, it appears all kerberos principals are tied to a user (or to >>>> a host in the case of host/ or another service definition). Is it >>>> possible to define a non-posix user? There is no good reason for >>>> hile/admin at MY.REALM to have a uidNumber or gidNumber; one should never >>>> login directly using that principal. >>> Early on when we created FreeIPA we decided against providing >>> alternative principals for the same user as it made things a lot more >>> complex for little gain. To this day we still do not support them. >>> >>> Keep in mind that adding a principal is not the whole story, once you do >>> that then you probably still want to associate it to some user, and >>> assign privileges and allow alternative principal names to ssh into some >>> machines, which means distributing k5login files or providing explicit >>> support in the new aname2lname plugin. >>> >>> To do all this means adding new objects and configuration facilities to >>> handle these special non-users, we haven't yet found enough benefit in >>> adding support for these to warrant the work involved. >>> >>> Simo. >>> >>> >>> -- >>> Simo Sorce * Red Hat, Inc * New York >>> >>> >> I guess that makes sense. Is it possible to add a user that simply >> doesn't have the posix attributes defined? In the particular case of >> */admin, I would expect that user to login to the ipa ui or to be >> kinit'd to prior to running ipa administrative commands, but I should >> hope that it should never login directly. >> >> Does that question make more sense? > It does, but we do not have such a feature, sorry. > > Simo. > > Would setting shell to NULL help? What do you want to prevent? SSH logins? You can have host based access control rules for that. 
Maybe a better explanation of why you need this user to not have posix would be beneficial. You can have posix users and still prevent them from logging in where they should not be able to log in. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
From coy.hile at coyhile.com Wed Apr 8 02:01:35 2015 From: coy.hile at coyhile.com (Coy Hile) Date: Tue, 7 Apr 2015 22:01:35 -0400 Subject: [Freeipa-users] Creating arbitrary users? In-Reply-To: <1428433100.19641.156.camel@willson.usersys.redhat.com> References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> <1428416533.19641.148.camel@willson.usersys.redhat.com> <20150407185414.Horde.P29_LKvOz6ucEuodOPZucA3@webmail01.coyhile.com> <1428433100.19641.156.camel@willson.usersys.redhat.com> Message-ID: <0DD76898-D9CD-4D24-9A66-B56F66C43129@coyhile.com> > On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote: > > On Tue, 2015-04-07 at 18:54 +0000, Coy Hile wrote: >> Quoting Simo Sorce : >> >>>>> >>>>> >>>> I guess that makes sense. Is it possible to add a user that simply >>>> doesn't have the posix attributes defined? In the particular case of >>>> */admin, I would expect that user to login to the ipa ui or to be >>>> kinit'd to prior to running ipa administrative commands, but I should >>>> hope that it should never login directly. >>>> >>>> Does that question make more sense? >>> >>> It does, but we do not have such a feature, sorry. >>> >>> Simo. >>> >> >> Could one hypothetically remove the posix attributes (via some scripted >> process that validates that what it's doing is in line with organizational >> norms/goals) without breaking freeIPA, or are the posix attributes MUST in >> the IPA object classes?
I'm sorry for so many endless questions, but having >> finally got my personal setup/lab using something other than Active Directory, >> I'm looking to migrate to something that is easier to manage, so I'm trying to >> draw comparisons between what I had been used to in previous vanilla krb/ldap >> shops. > > Removing attributes will probably not work well, but let me ask: > Do you require different passwords for these principals ? > Or do you merely want to have the alternative names but would be ok if > the credentials were identical ? > > Because you could (manually for now) add aliases so that hile@ > hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical > name but you can use aliases too (just make sure not to request > canonicalization at kinit time. > My intent was that they have different passwords (and perhaps differing password policies.) For example, a /admin principal might enforce password expiry with a shorter lifespan than a normal principal, or might have a shorter maximum ticket lifetime before kinit -R is necessary. It's merely convenient that these other instances not necessarily be posix accounts to enforce there's no possible way that, for example, someone logs in and is running a full GNOME session as an admin. But I can live with them being posix accounts since it's baked in. We've all heard the horror stories of the Microsoft shops where some genius decided to login to his workstation with his juser_domainadmin account, or worse Administrator... -- Coy Hile coy.hile at coyhile.com
From simo at redhat.com Wed Apr 8 04:49:15 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 08 Apr 2015 00:49:15 -0400 Subject: [Freeipa-users] Creating arbitrary users?
In-Reply-To: <0DD76898-D9CD-4D24-9A66-B56F66C43129@coyhile.com> References: <20150407141645.Horde.GJgvxdUX0IesWneiFVsXtA1@webmail01.coyhile.com> <1428416533.19641.148.camel@willson.usersys.redhat.com> <20150407185414.Horde.P29_LKvOz6ucEuodOPZucA3@webmail01.coyhile.com> <1428433100.19641.156.camel@willson.usersys.redhat.com> <0DD76898-D9CD-4D24-9A66-B56F66C43129@coyhile.com> Message-ID: <1428468555.19641.158.camel@willson.usersys.redhat.com> On Tue, 2015-04-07 at 22:01 -0400, Coy Hile wrote: > > On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote: > > > > On Tue, 2015-04-07 at 18:54 +0000, Coy Hile wrote: > >> Quoting Simo Sorce : > >> > >>>>> > >>>>> > >>>> I guess that makes sense. Is it possible to add a user that simply > >>>> doesn't have the posix attributes defined? In the particular case of > >>>> */admin, I would expect that user to login to the ipa ui or to be > >>>> kinit'd to prior to running ipa administrative commands, but I should > >>>> hope that it should never login directly. > >>>> > >>>> Does that question make more sense? > >>> > >>> It does, but we do not have such a feature, sorry. > >>> > >>> Simo. > >>> > >> > >> Could one hypothetically remove the posix attributes (via some scripted > >> process that validates that what it's doing is in line with organizational > >> norms/goals) without breaking freeIPA, or are the posix attributes MUST in > >> the IPA object classes? I'm sorry for so many endless questions, but having > >> finally got my personal setup/lab using something other than Active Directory, > >> I'm looking to migrate to something that is easier to manage, so I'm trying to > >> draw comparisons between what I had been used to in previous vanilla krb/ldap > >> shops. > > > > Removing attributes will probably not work well, but let me ask: > > Do you require different passwords for these principals ? > > Or do you merely want to have the alternative names but would be ok if > > the credentials were identical ?
> > > > Because you could (manually for now) add aliases so that hile@ > > hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical > > name but you can use aliases too (just make sure not to request > > canonicalization at kinit time. > > > > My intent was that they have different passwords (and perhaps > differing password policies.) For example, a /admin principal might > enforce password expiry with a shorter lifespan than a normal > principal, or might have a shorter maximum ticket lifetime before > kinit -R is necessary. It's merely convenient that these other > instances not necessarily be posix accounts to enforce there's no > possible way that, for example, someone logs in and is running a full > GNOME session as an admin. But I can live with them being posix > accounts since it's baked in. > > We've all heard the horror stories of the Microsoft shops where some > genius decided to login to his workstation with his juser_domainadmin > account, or worse Administrator... > You can use HBAC to prevent these users from logging in via gdm/ssh/login etc... Simo. -- Simo Sorce * Red Hat, Inc * New York
From jcholast at redhat.com Wed Apr 8 05:27:49 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 08 Apr 2015 07:27:49 +0200 Subject: [Freeipa-users] Replica with external ca + custom subject in certificate In-Reply-To: <5523DC2F.2080104@redhat.com> References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com> <5523DC2F.2080104@redhat.com> Message-ID: <5524BC55.10301@redhat.com> On 7 Apr 2015 at 15:31, Martin Kosek wrote: > On 04/07/2015 02:08 PM, James James wrote: >> I will try to give a better explanation : >> >> >> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been >> installed with an external CA about 3 years ago and I will have to renew >> the certificate soon. >> >> I have created a test server (ipa-dev) with the same configuration (centos >> 6.6 and ipa 3.0) to test the renewal process.
I want the new ipa-dev server >> to be installed with an external CA. >> >> At the same time my external CA has changed and wants the emailAddress >> field in the certificate request's subject. > > CSR during installation with external CA is produced by Dogtag, so you are > constrained with the options and capabilities provided by ipa-server-install. > Maybe it would be possible to modify the CSR and update the Subject manually, > but I expect it would crash the installer later (JanC may know more (CCed)) The subject name identifies the CA in server (and other) certificates. If you change it, you break the trust chain from the CA certificate to the server certificates and that will break all SSL in IPA. > >> If it is not possible to add emailAddress in the subject, is it possible to >> migrate my ipa-master CA system from an external CA to a CA-less or >> self-signed CA ? > > It is, with ipa-cacert-manage - see links below. You can change your external CA to self-signed CA in IPA 4.1 or newer by running: # ipa-cacert-manage renew --self-signed You can't change external CA to CA-less. > >> Thanks. >> >> 2015-04-07 13:48 GMT+02:00 Martin Kosek : >> >>> On 04/07/2015 01:44 PM, James James wrote: >>>> ok. >>>> >>>> Is there a way to migrate from an external CA to a CA-less or a >>> self-signed >>>> CA ? >>> >>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0: >>> >>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal >>> https://www.freeipa.org/page/V4/CA_certificate_renewal >>> >>> (Although I am still not sure about your use case and if this would help >>> you) >>> >>>> >>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek : >>>> >>>>> On 04/03/2015 11:39 AM, James James wrote: >>>>>> Hello, >>>>>> >>>>>> I want to initialize a new replica with an external CA.
My Certificate >>>>>> Authority wants a CSR with the field emailAddress in the subject like : >>>>>> >>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com >>>>> >>>>> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or >>>>> with own >>>>> CA signed by external CA? >>>>> >>>>> FreeIPA supports these kinds of setups right now: >>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure >>>>> >>>>>> How can I do with the ipa-server-install command ? I have been trying >>>>> for >>>>>> few days but I still can't. >>>>>> >>>>>> Thanks for your help. >>>>> >>>>> CCing Honza who should know the definitive answer. However, FreeIPA was >>> not >>>>> very flexible in configuring special subjects for its CA certificate >>> (i.e. >>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup. >>>>> >>>> >>> >>> >> > -- Jan Cholasta
From markus at die5roths.de Wed Apr 8 05:57:18 2015 From: markus at die5roths.de (Markus Roth) Date: Wed, 8 Apr 2015 07:57:18 +0200 (CEST) Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <551C69A3.3050202@redhat.com> References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> Message-ID: <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de> > Endi Sukma Dewata wrote on 1 April 2015 at 23:56: > > > On 4/1/2015 4:29 PM, Markus Roth wrote: > > On Wednesday, 1 April 2015, 16:04:54 you wrote: > >> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: > >>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: > >>>>>> Hi all, > >>>>>> > >>>>>> I want to set up freeipa 4.1.3 on a freshly installed fedora 21. > >>> > >>>>>> The ipa-server-install shows the following output: > >>> ... > >>> > >>>>>> Done configuring directory server (dirsrv).
> >>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 > >>>>>> minutes 30 > >>>>>> seconds > >>>>>> > >>>>>> [1/27]: creating certificate server user > >>>>>> [2/27]: configuring certificate server instance > >>>>>> [3/27]: stopping certificate server instance to update CS.cfg > >>>>>> [4/27]: backing up CS.cfg > >>>>>> [5/27]: disabling nonces > >>>>>> [6/27]: set up CRL publishing > >>>>>> [7/27]: enable PKIX certificate path discovery and validation > >>>>>> [8/27]: starting certificate server instance > >>>>>> [error] RuntimeError: CA did not start in 300.0s > >>>>>> > >>>>>> CA did not start in 300.0s > >>>>>> > >>>>>> The ipa server install log shows this: > >>>>>> > >>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > >>> > >>> ... > >>> > >>>>>> I uninstalled the ipa server completely several times and installed > >>>>>> it again. > >>>>>> But it always stops at the same step with the setup. > >>>>>> > >>>>>> Can anybody help? > >>> > >>> Based on the IPA install log alone it looks like the DS is already > >>> started, and the Dogtag is already started too in step [3/27]. It's the > >>> restart on step [8/27] that is failing. > >>> > >>> We will need to see the Dogtag debug log in order to know if Dogtag is > >>> indeed failing to restart or the installer for some reason cannot > >>> connect to Dogtag. > >> > >> Hi Markus, > >> > >> Based on the logs that you sent me, the Dogtag took a really long time > >> to start: > >> > >> INFORMATION: Server startup in 739700 ms > >> > >> More than half of that time was spent starting the CA subsystem alone: > >> > >> INFORMATION: Deployment of configuration descriptor /etc/pki > >> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms > >> > >> The whole (failed) IPA installation took about 38 minutes. Is this correct? > >> > >> It's possible the system was running out of entropy. 
You might want to > >> install haveged or rngd. See: > >> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ > >> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent > >> ropy-for-cloud-servers-using-haveged > >> > >> However, the system seems to be running very slowly in general. How > >> powerful is this machine? > > > > Hi Endi > > > > the system is a banana pi system. Seems that this ARM CPU based system isn't > > suitable for FreeIPA.... > > The installation might still succeed if IPA doesn't have the 300s time > limit. If you want to try, you probably can specify a larger > startup_timeout in ~/.ipa/default.conf, or change the code in > ipaplatform/redhat/services.py to wait indefinitely, and see what > happens. I don't know if it will be usable though. > > -- > Endi S. Dewata > Yersterday I did the installation of freeipa on my banana Pi with modifying the source file ipalib/constants.py: ('startup_timeout', 300). I changed it to 900 s. And the setup process was successful! The start of the CA had a duration of 630s! But after the installation freeipa is usable on the banana Pi. Thanks to Endi for help. Markus Roth -------------- next part -------------- An HTML attachment was scrubbed... 
From mkosek at redhat.com Wed Apr 8 06:41:22 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 08 Apr 2015 08:41:22 +0200
Subject: [Freeipa-users] upgrade 3.0 -> 4.1
In-Reply-To: <55244C38.3090601@redhat.com>
References: <551E8C2E.3020307@martos.bme.hu> <484EB904-9CD2-4616-8A3C-0CB7835AD8BC@gmail.com> <551EA6A9.6090104@redhat.com> <55244C38.3090601@redhat.com>
Message-ID: <5524CD92.6050106@redhat.com>

On 04/07/2015 11:29 PM, Dmitri Pal wrote:
> On 04/07/2015 03:04 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal wrote:
>>
>>     On 04/03/2015 09:46 AM, Brian Topping wrote:
>>>> On Apr 3, 2015, at 6:48 AM, Tamas Papp wrote:
>>>>
>>>> hi All,
>>>>
>>>> I have CentOS 6.6 server and want to upgrade to 7.1.
>>>>
>>>> What is the upgrade path, can I do it directly or first I need to make
>>>> it to 3.3?
>>>> Also is there any known issue I should expect with workarounds?
>>> I just did this yesterday, so here's my experience. If you have a simple
>>> single-server installation with no custom LDAP DIT modifications, you should
>>> find "yum upgrade" does the right thing.
>>>
>>> If you do have DIT mods, you should ask yourself why they are there and
>>> whether the data will still be accessible after the ACLs are changed. In my
>>> case, I had Postfix using a LDAP hash and mail delivery stopped working
>>> (although the domain data was still there just fine).
>>>
>>> Note that the ACLs will propagate from the 4.1 server to your 3.0 if
>>> they are replicated. To be safe, back up all replicas (snapshot or whatnot)
>>> before the first upgrade and if you decide to restore any of them, be sure
>>> everything is shut down and restore all of them to avoid 4.x schema
>>> contaminating 3.0 as they come up.
>>
>>
>>     The general recommendation for 3.3 -> 4.1 migration is to start
>>     introducing 4.1 replicas into your 3.3 environment and then turn
>>     your 3.3 replicas off.
>>     Do not forget to install the CA component
>>     with one of your 4.1 replicas before removing all the 3.3
>>     instances with CAs. With this procedure you would also need to
>>     move the CRL generation and cert tracking.
>>
>>     See details in migration section
>>
>>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>
>>
>> Will this excellent documentation work too on the migration from 3.0x (rhel
>> 6) to 4.1.x (rhel 7.1)?
>>
>> I will be migrating the coming months to 7.1 or 7.2 (whichever is the current
>> stable then), so just wondering.
>
> Yes, though it is recommended to get to the latest 6.x first before you start
> introducing 7.x replicas.

Strongly recommended I would say. Before adding RHEL-7.1 replica, please update to RHEL-6.6 + all its z-streams to avoid compatibility issues in Directory Server or bind-dyndb-ldap if you are using DNS forward zones.

HTH,
Martin

From chamambom at afri-com.net Wed Apr 8 07:25:33 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Wed, 8 Apr 2015 09:25:33 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
Message-ID: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net>

Good day

I am running FreeIPA, version: 4.1.0 and everything is working well except SUDO configuration.
I have 3 questions

 1: I have configured the bare minimum sudo configuration without hostgroups and netgroups, just sudo commands and sudo command groups that have been added as sudo rules .....this should work right
 2: I have centos 6.6 and redhat 6.6 clients using the sssd service, is that enough for sudo to work if the configs are as below

cat /etc/nsswitch.conf

sudoers: files sss

cat /etc/sssd/sssd.conf

[domain/ai.co.zw]

debug_level=6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ironhide.ai.co.zw
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = ai.co.zw
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

From jhrozek at redhat.com Wed Apr 8 07:40:24 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 09:40:24 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net>
Message-ID: <20150408074024.GV11481@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
> Good day
>
> I am running FreeIPA, version: 4.1.0 and everything is working well except
> SUDO configuration.
>
> I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
> hostgroups and netgroups, just sudo commands and sudo command groups that
> have been added as sudo rules .....this should work right
> 2: I have centos 6.6 and redhat 6.6 clients using the sssd
> service, is that enough for sudo to work if the configs are as below

Didn't you start exactly the same thread yesterday? :-)

Can you provide the sudo responder logs as we asked yesterday?
>
>
> cat /etc/nsswitch.conf
>
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
>
> [domain/ai.co.zw]
>
> debug_level=6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
>
> domains = ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From lslebodn at redhat.com Wed Apr 8 07:43:06 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 8 Apr 2015 09:43:06 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net>
Message-ID: <20150408074305.GA27962@mail.corp.redhat.com>

On (08/04/15 09:25), Chamambo Martin wrote:
>Good day
>
>I am running FreeIPA, version: 4.1.0 and everything is working well except
>SUDO configuration.
>

ipa-client-install on CentOS 7.1 should configure sudo by default.

>I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
>hostgroups and netgroups , just sudo commands and sudo command groups that
>have been added as sudo rules .....this should work right

yes. and sudo rules with netgroups should work on CentOS 7.1 as well because nisdomainname should be configured.

> 2: I have centos 6.6 and redhat 6.6 clients using the sssd
>service ,is that enough for sudo to work if the configs are as below
>
>
>cat /etc/nsswitch.conf
>
>sudoers: files sss
>
>cat /etc/sssd/sssd.conf
>
>[domain/ai.co.zw]
>
>debug_level=6
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = ai.co.zw
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = ironhide.ai.co.zw
>chpass_provider = ipa
>ipa_server = _srv_, cyclops.ai.co.zw
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>
>domains = ai.co.zw
>[nss]
>homedir_substring = /home

The default value of this option is "/home". You can remove it. Where did you find it?

>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>

If you do not use netgroups (or hostgroups) in sudo rules then this configuration should work on rhel 6.6 (sssd >= 1.10). The same steps are described in manual page sssd-sudo.

LS

From chamambom at afri-com.net Wed Apr 8 08:00:50 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Wed, 8 Apr 2015 10:00:50 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <20150408074024.GV11481@hendrix.arn.redhat.com>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com>
Message-ID: <003d01d071d2$212ccf40$63866dc0$@afri-com.net>

I have these logs and can't seem to make sense of them

I have created the hostgroup mailservers and have added the sudo rule that allows the users to execute sudo vim anyfile

(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_process] (0x0200): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://cyclops.ai.co.zw'
(Wed Apr 8 09:58:45 2015)
[sssd[be[ai.co.zw]]] [write_pipe_handler] (0x0400): All data has been sent! (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler] (0x0400): EOF received, client finished (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'cyclops.ai.co.zw' as 'working' (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (0x0100): Marking server 'cyclops.ai.co.zw' as 'working' (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'cyclops.ai.co.zw' as 'working' (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200): Switch user to [1468200000][1468200000]. (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [switch_creds] (0x0200): Switch user to [0][0]. (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, none will be deleted. (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw] (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw] (Wed Apr 8 09:58:47 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (0x0100): child [1794] finished successfully. 
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_req_set_domain] (0x0400): Changing request domain from [ai.co.zw] to [ai.co.zw] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): domain: ai.co.zw (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): user: admin (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): service: sudo (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): tty: /dev/pts/1 (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): ruser: admin (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): rhost: (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): priv: 0 (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (0x0100): cli_pid: 1793 (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (0x0400): Performing access check for user [admin] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [admin] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=ironhide.ai.co.zw))][cn=accounts,dc=ai,dc=co,d c=zw]. 
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw] using OpenLDAP deref (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw]. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: mailservers (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACService)] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=ai,dc=co,dc=zw]. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(objectClass=ipaHBACServiceGroup)] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=ai,dc=co,dc=zw]. 
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=ai,dc=co,dc=zw][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TR UE)(|(hostCategory=all)(memberHost=fqdn=ironhide.ai.co.zw,cn=computers,cn=ac counts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=account s,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-52540014 3fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng ,cn=alt,dc=ai,dc=co,dc=zw)))] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(member Host=fqdn=ironhide.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memb erHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHos t=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=a i,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)))][ cn=hbac,dc=ai,dc=co,dc=zw]. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (0x0200): Category is set to 'all'. 
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=ai,dc=co,dc=zw]. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=a i,dc=co,dc=zw] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=ai,d c=co,dc=zw]. (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found! 
(Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sending result [0][ai.co.zw] (Wed Apr 8 09:58:48 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (0x0100): Sent result [0][ai.co.zw] -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek Sent: Wednesday, April 08, 2015 9:40 AM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote: > Good day > > I am running FreeIPA, version: 4.1.0 and everything is working well > except SUDO configuration. > > I have 3 questions > > 1: I have configured the bare minimum sudo configuration without > hostgroups and netgroups , just sudo commands and sudo command groups > that have been added as sudo rules .....this should work right > 2: I have centos 6.6 and redhat 6.6 clients using the > sssd service ,is that enough for sudo to work if the configs are as > below Didn't you start exactly the same thread yesterday? :-) Can you provide the sudo responder logs as we asked yesterday? 
>
>
> cat /etc/nsswitch.conf
>
> sudoers: files sss
>
> cat /etc/sssd/sssd.conf
>
> [domain/ai.co.zw]
>
> debug_level=6
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ironhide.ai.co.zw
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
>
> domains = ai.co.zw
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>

From jhrozek at redhat.com Wed Apr 8 08:06:40 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 10:06:40 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <003d01d071d2$212ccf40$63866dc0$@afri-com.net>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net>
Message-ID: <20150408080640.GW11481@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
> I have these logs and can't seem to make sense of them

These are not the logs we asked for. What we need is debug_level=6 in the sudo section, then run sudo, then attach /var/log/sssd/sssd_sudo.log.

It would also be nice if you could install ldb-tools and run:

ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb

To see if the sudo rules were cached at all by the sudo full refresh (see man sssd-sudo for description of the different refreshes sssd does).
From lists at fahrendorf.de Wed Apr 8 08:11:01 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Wed, 08 Apr 2015 10:11:01 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <1428424057.19641.149.camel@willson.usersys.redhat.com>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com>
Message-ID: <5524E295.8090003@fahrendorf.de>

On 07.04.2015 at 18:27, Simo Sorce wrote:
> On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
>> Hello
>>
>> attached you can find the data from krb_child.log. As far as I can see
>> it, the three seconds are due to the communication with the kerberos
>> server. (1.2.3.4 is my server).
>
> Do you experience the same latency if you kinit manually ?
>
> Simo.
>

No, kinit completes almost instantly after entering the password.

Martin

From chamambom at afri-com.net Wed Apr 8 08:17:59 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Wed, 8 Apr 2015 10:17:59 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <20150408080640.GW11481@hendrix.arn.redhat.com>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com>
Message-ID: <004001d071d4$86317ce0$929476a0$@afri-com.net>

I have this log after doing a debug_level=6 in the sudo section and have attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb

[root at ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for ai.co.zw: /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr 8 10:10:03 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40c900:domains at ai.co.zw] (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ai.co.zw][forced][] (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40c900:domains at ai.co.zw] (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Wed Apr 8 10:10:03 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Wed Apr 8 10:10:04 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40c900:domains at ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected! (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1]. 
(Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [admin] from [] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [admin at ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [admin at ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [admin] from [ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sud oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892))) ] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain 
[(null)] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [admin] from [] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [admin at ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [admin at ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [admin] from [ai.co.zw] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sud oUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892))) ] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#14682000 00)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))] (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [admin at ai.co.zw] (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! -----Original Message----- From: Jakub Hrozek [mailto:jhrozek at redhat.com] Sent: Wednesday, April 08, 2015 10:07 AM To: Chamambo Martin Cc: freeipa-users at redhat.com; 'Lukas Slebodnik' Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote: > I have these logs and cant seem to make sense of them These are not the logs we asked for. What we need is debug_level=6 in the sudo section, then run sudo, then attach /var/log/sssd/sssd_sudo.log. 
It would also be nice if you could install ldb-tools and run:

ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb

To see if the sudo rules were cached at all by the sudo full refresh (see man sssd-sudo for description of the different refreshes sssd does).

-------------- next part --------------
Name: sudosearchlogfile.txt

From jhrozek at redhat.com Wed Apr 8 08:27:26 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 10:27:26 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <5524E295.8090003@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com> <5524E295.8090003@fahrendorf.de>
Message-ID: <20150408082726.GX11481@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 10:11:01AM +0200, Martin (Lists) wrote:
> On 07.04.2015 at 18:27, Simo Sorce wrote:
> > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> >> Hello
> >>
> >> attached you can find the data from krb_child.log. As far as I can see
> >> it, the three seconds are due to the communication with the kerberos
> >> server. (1.2.3.4 is my server).
> >
> > Do you experience the same latency if you kinit manually ?
> >
> > Simo.
> >
>
> No, kinit completes almost instantly after entering the password.
>
> Martin

Can you run:
KRB5_TRACE=/dev/stderr kinit yourprinc at YOUR.REALM

So that we can compare with the krb5_child.log you sent earlier? I wonder if SSSD talks to a KDC that is slower or far away from your client..

From jhrozek at redhat.com Wed Apr 8 08:35:18 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 10:35:18 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <004001d071d4$86317ce0$929476a0$@afri-com.net>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net>
Message-ID: <20150408083518.GY11481@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran. This is how the sudo rule looks in your cache:

# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> (0x0400): Returning 1 rules for [admin at ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then in sudo, it didn't match for some reason. I expect it's because of the netgroup, can you check if nisdomainname is really set correctly and getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search for the option "Debug". That will show you how exactly sudo matches the rules.

> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
From lists at fahrendorf.de Wed Apr 8 08:43:10 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Wed, 08 Apr 2015 10:43:10 +0200
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <20150408082726.GX11481@hendrix.arn.redhat.com>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com> <5524E295.8090003@fahrendorf.de> <20150408082726.GX11481@hendrix.arn.redhat.com>
Message-ID: <5524EA1E.5030702@fahrendorf.de>

On 08.04.2015 at 10:27, Jakub Hrozek wrote:
> Can you run:
> KRB5_TRACE=/dev/stderr kinit yourprinc at YOUR.REALM
>
> So that we can compare with the krb5_child.log you sent earlier? I
> wonder if SSSD talks to a KDC that is slower or far away from your
> client..
>

This is my trace from kinit:

[2422] 1428482081.62208: AS key obtained for encrypted timestamp: aes256-cts/61D1
[2422] 1428482081.62288: Encrypted timestamp (for 1428482081.868994): plain ***, encrypted ***
[2422] 1428482081.62328: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[2422] 1428482081.62342: Produced preauth for next request: 133, 2
[2422] 1428482081.62379: Sending request (265 bytes) to MITTELERDE.DE
[2422] 1428482081.62484: Sending initial UDP request to dgram 1.2.3.4:88
[2422] 1428482081.201814: Received answer (740 bytes) from dgram 1.2.3.4:88
[2422] 1428482081.201872: Response was from master KDC
[2422] 1428482081.201905: Processing preauth types: 19
[2422] 1428482081.201914: Selected etype info: etype aes256-cts, salt "***", params ""
[2422] 1428482081.201920: Produced preauth for next request: (empty)
[2422] 1428482081.201929: AS key determined by preauth: aes256-cts/61D1
[2422] 1428482081.201973: Decrypted AS reply; session key is: aes256-cts/C464
[2422] 1428482081.201991: FAST negotiation: available
[2422] 1428482081.202014: Initializing KEYRING:persistent:0:0 with default princ frodo at MITTELERDE.DE
[2422] 1428482081.202058: Removing frodo at MITTELERDE.DE -> krbtgt/MITTELERDE.DE at MITTELERDE.DE from KEYRING:persistent:0:0
[2422] 1428482081.202065: Storing frodo at MITTELERDE.DE -> krbtgt/MITTELERDE.DE at MITTELERDE.DE in KEYRING:persistent:0:0
[2422] 1428482081.202110: Storing config in KEYRING:persistent:0:0 for krbtgt/MITTELERDE.DE at MITTELERDE.DE: fast_avail: yes
[2422] 1428482081.202126: Removing frodo at MITTELERDE.DE -> krb5_ccache_conf_data/fast_avail/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: from KEYRING:persistent:0:0
[2422] 1428482081.202133: Storing frodo at MITTELERDE.DE -> krb5_ccache_conf_data/fast_avail/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: in KEYRING:persistent:0:0
[2422] 1428482081.202166: Storing config in KEYRING:persistent:0:0 for krbtgt/MITTELERDE.DE at MITTELERDE.DE: pa_type: 2
[2422] 1428482081.202177: Removing frodo at MITTELERDE.DE -> krb5_ccache_conf_data/pa_type/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: from KEYRING:persistent:0:0
[2422] 1428482081.202184: Storing frodo at MITTELERDE.DE -> krb5_ccache_conf_data/pa_type/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: in KEYRING:persistent:0:0

Most of the hosts can only communicate in the local net, which does not have that many hosts (10). The wired ones are connected via GBit network, wireless is up to 150MBit. The server is a Xeon E3-1225 with 8GB of memory. All systems have Fedora 21 installed.

Martin.
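Jakub's question is essentially "how long did the KDC exchange take, and to which KDC". The following is an added example in Python for reading that out of a KRB5_TRACE capture like the one above; it is not code from the thread, from SSSD or from MIT krb5, and the function names are mine. It assumes only the trace line layout libkrb5 writes ("[pid] seconds.microseconds: message"), where the microsecond field is not zero-padded: in the trace above, "1428482081.62484" is 62484 microseconds, and parsing it as a float would place the "Received answer" line before the "Sending" line. The sample lines are the request/response lines of the quoted trace.

```python
"""Measure KDC round trips in a KRB5_TRACE capture.

Added example; not code from the thread, SSSD or MIT krb5. libkrb5 writes
trace lines as "[pid] seconds.microseconds: message" and does not zero-pad
the microseconds, so "1428482081.62484" is 62484 us (0.062 s), not 0.62 s.
The parser therefore works in integer microseconds rather than floats.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the request/response lines of the kinit trace quoted
# in the thread (1.2.3.4 is the placeholder address used there).
SAMPLE_TRACE = """\
[2422] 1428482081.62342: Produced preauth for next request: 133, 2
[2422] 1428482081.62379: Sending request (265 bytes) to MITTELERDE.DE
[2422] 1428482081.62484: Sending initial UDP request to dgram 1.2.3.4:88
[2422] 1428482081.201814: Received answer (740 bytes) from dgram 1.2.3.4:88
[2422] 1428482081.201872: Response was from master KDC
"""

TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+)\.(\d+): (.*)$")
SEND_RE = re.compile(
    r"Sending (?:initial |retry )?(?:UDP|TCP) request to (?:dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (\S+)")


def parse_trace(text: str) -> List[Tuple[int, str]]:
    """Return (timestamp_in_microseconds, message) for every trace line."""
    events = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m is None:
            continue  # not a trace line (kinit's password prompt, shell noise)
        seconds, micros = int(m.group(2)), int(m.group(3))
        events.append((seconds * 1_000_000 + micros, m.group(4)))
    return events


def timestamps_monotonic(text: str) -> bool:
    """Sanity check: events never go backwards in time. A float-based parse
    of the sample fails this, the microsecond-based one passes."""
    stamps = [ts for ts, _ in parse_trace(text)]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))


def kdc_round_trips_ms(text: str) -> List[Tuple[str, float]]:
    """Pair each request sent to a KDC address with the next answer from it.

    Returns (kdc_address, round_trip_ms) per completed exchange; a request
    that never got an answer (timeout, then retry elsewhere) is skipped."""
    outstanding: Dict[str, int] = {}
    trips = []
    for ts, msg in parse_trace(text):
        sent = SEND_RE.search(msg)
        if sent:
            outstanding[sent.group(1)] = ts  # a retry overwrites the earlier send
            continue
        recv = RECV_RE.search(msg)
        if recv and recv.group(1) in outstanding:
            trips.append((recv.group(1), (ts - outstanding.pop(recv.group(1))) / 1000))
    return trips


def slow_exchanges(text: str, threshold_ms: float = 1000.0) -> List[Tuple[str, float]]:
    """Exchanges slower than threshold_ms; a full second is far above LAN latency."""
    return [t for t in kdc_round_trips_ms(text) if t[1] >= threshold_ms]


if __name__ == "__main__":
    for kdc, ms in kdc_round_trips_ms(SAMPLE_TRACE):
        print(f"{kdc}: {ms:.1f} ms")
```

Run it against the full output of `KRB5_TRACE=/dev/stderr kinit ...` captured on the client; the address in each pair tells you which KDC the library actually reached, which is the comparison with SSSD's krb5_child.log that Jakub asked for.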
From natxo.asenjo at gmail.com Wed Apr 8 08:44:20 2015
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 8 Apr 2015 10:44:20 +0200
Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed
In-Reply-To: <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de>
References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de>
Message-ID:

On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth wrote:
>
> Yesterday I did the installation of freeipa on my banana Pi with
> modifying the source file ipalib/constants.py: ('startup_timeout', 300).
> I changed it to 900 s. And the setup process was successful! The start of
> the CA had a duration of 630s! But after the installation freeipa is usable
> on the banana Pi.
>
> Thanks to Endi for help.
>

This is really cool :-) Thanks for sharing. If only one could get a small SSD on it, starting up would be much faster.

--
Groeten,
natxo

From chamambom at afri-com.net Wed Apr 8 08:48:39 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Wed, 8 Apr 2015 10:48:39 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <20150408083518.GY11481@hendrix.arn.redhat.com>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net> <20150408083518.GY11481@hendrix.arn.redhat.com>
Message-ID: <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net>

I have done the below and it's giving me the correct results, and at the moment let me enable debugging in sudo itself and see if that will get me somewhere.

[root at ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw) (nemo.ai.co.zw,-,ai.co.zw)
[root at ironhide ~]#

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users at redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and
> have attached a txt file for the ldbsearch -H
> /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]

The above are the cache searches sssd ran.

This is how the sudo rule looks in your cache:

# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb

> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [admin at ai.co.zw]

And here we see that the sudo rule was returned from SSSD to sudo. But then in sudo, it didn't match for some reason. I expect it's because of the netgroup; can you check if nisdomainname is really set correctly and getent netgroup mailservers reports the FQDN of your client?

Also, you can enable debugging in sudo itself. See man sudo.conf and search for the option "Debug". That will show you how exactly sudo matches the rules.

> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client
> disconnected!
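Jakub's diagnosis in the quoted message (SSSD handed the rule to sudo, sudo then failed to match it, most likely on the netgroup in sudoHost and the client's nisdomainname) can be replayed offline against exactly the two artifacts in this mail: the cached rule record and the `getent netgroup` output. The following is an added example in Python, not code from the thread, from sudo or from SSSD; the function names are mine, the sample inputs are constructed from the record and netgroup line quoted above, and the netgroup check is modelled on the innetgr(3) rules sudo relies on (host field must match the FQDN or short name; the domain field is only compared when both the triple and the client have one). IP/netmask hosts and "!" negation in sudoHost are not modelled.

```python
"""Replay sudo's host check against a sudo rule cached by SSSD.

Added example; not code from the thread, sudo or SSSD. Parses a sudoRule
record as ldbsearch prints it and a netgroup as `getent netgroup` prints it,
then asks whether a client host satisfies the rule's sudoHost. Netgroup
membership follows innetgr(3): the host field must match, the domain field
is compared only when both the triple and the client carry one, so a wrong
nisdomainname on the client makes an otherwise matching triple fail.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed from the cache record and getent output quoted in the thread.
CACHED_RULE = """\
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoUser: ALL
"""
NETGROUP_LINE = ("mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw) "
                 "(madagascar.ai.co.zw,-,ai.co.zw) (nemo.ai.co.zw,-,ai.co.zw)")

Triple = Tuple[str, str, str]  # (host, user, domain)


def parse_ldif_record(text: str) -> Dict[str, List[str]]:
    """Attribute -> values of one LDIF record. Repeated attributes accumulate;
    a line starting with a space continues the previous value (LDIF folding)."""
    attrs: Dict[str, List[str]] = {}
    last: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            last[-1] += line[1:]
            continue
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        last = attrs.setdefault(name, [])
        last.append(value.strip())
    return attrs


def parse_getent_netgroup(line: str) -> Tuple[str, List[Triple]]:
    """'name (h,u,d) (h,u,d) ...' -> (name, [(h, u, d), ...])."""
    name, _, rest = line.strip().partition(" ")
    triples: List[Triple] = []
    for body in re.findall(r"\(([^)]*)\)", rest):
        parts = tuple(p.strip() for p in body.split(","))
        if len(parts) != 3:
            raise ValueError(f"malformed netgroup triple ({body})")
        triples.append(parts)
    return name, triples


def _field_matches(field: str, value: Optional[str]) -> bool:
    if field == "":
        return True   # empty field is a wildcard
    if field == "-":
        return False  # '-' never matches
    if value is None:
        return True   # client has no NIS domain set: field is not compared
    return field.lower() == value.lower()


def host_in_netgroup(triples: List[Triple], fqdn: str, client_domain: Optional[str]) -> bool:
    short = fqdn.split(".", 1)[0]
    return any((_field_matches(h, fqdn) or _field_matches(h, short))
               and _field_matches(d, client_domain) for h, _u, d in triples)


def host_matches_rule(rule, fqdn, netgroups, client_domain=None) -> bool:
    short = fqdn.split(".", 1)[0]
    for entry in rule.get("sudoHost", []):
        if entry == "ALL":
            return True
        if entry.startswith("+"):
            if host_in_netgroup(netgroups.get(entry[1:], []), fqdn, client_domain):
                return True
        elif fnmatchcase(fqdn.lower(), entry.lower()) or fnmatchcase(short.lower(), entry.lower()):
            return True
    return False


def unresolved_netgroups(rule, netgroups) -> List[str]:
    """Netgroups the rule names that the client cannot resolve at all."""
    return [e[1:] for e in rule.get("sudoHost", []) if e.startswith("+") and e[1:] not in netgroups]


def check_client(fqdn, client_domain=None, rule_text=CACHED_RULE, netgroup_lines=(NETGROUP_LINE,)):
    rule = parse_ldif_record(rule_text)
    netgroups = dict(parse_getent_netgroup(l) for l in netgroup_lines)
    return {"rule": rule["cn"][0],
            "matches": host_matches_rule(rule, fqdn, netgroups, client_domain),
            "missing_netgroups": unresolved_netgroups(rule, netgroups)}


if __name__ == "__main__":
    for fqdn, dom in [("ironhide.ai.co.zw", "ai.co.zw"), ("ironhide.ai.co.zw", "example.org"),
                      ("spare.ai.co.zw", "ai.co.zw")]:
        print(fqdn, dom, check_client(fqdn, dom))
```

Feed `check_client` the client's real `hostname -f` and `nisdomainname` output: a result of `matches: False` with an empty `missing_netgroups` list points at the domain field of the triples or at the hostname, while a non-empty `missing_netgroups` list means the netgroup itself is not being served to the client.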
From jhrozek at redhat.com Wed Apr 8 08:57:59 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 8 Apr 2015 10:57:59 +0200 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) In-Reply-To: <5524EA1E.5030702@fahrendorf.de> References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com> <5524E295.8090003@fahrendorf.de> <20150408082726.GX11481@hendrix.arn.redhat.com> <5524EA1E.5030702@fahrendorf.de> Message-ID: <20150408085759.GA11481@hendrix.arn.redhat.com> On Wed, Apr 08, 2015 at 10:43:10AM +0200, Martin (Lists) wrote: > Am 08.04.2015 um 10:27 schrieb Jakub Hrozek: > > Can you run: > > KRB5_TRACE=/dev/stderr kinit yourprinc at YOUR.REALM > > > > So that we can compare with the krb5_child.log you sent earlier? I > > wonder if SSSD talks to a KDC that is slower or far away from your > > client.. 
> > > This is my trace from kinit: > > [2422] 1428482081.62208: AS key obtained for encrypted timestamp: > aes256-cts/61D1 > [2422] 1428482081.62288: Encrypted timestamp (for 1428482081.868994): > plain ***, encrypted *** > [2422] 1428482081.62328: Preauth module encrypted_timestamp (2) (real) > returned: 0/Success > [2422] 1428482081.62342: Produced preauth for next request: 133, 2 > [2422] 1428482081.62379: Sending request (265 bytes) to MITTELERDE.DE > [2422] 1428482081.62484: Sending initial UDP request to dgram 1.2.3.4:88 > [2422] 1428482081.201814: Received answer (740 bytes) from dgram 1.2.3.4:88 > [2422] 1428482081.201872: Response was from master KDC > [2422] 1428482081.201905: Processing preauth types: 19 > [2422] 1428482081.201914: Selected etype info: etype aes256-cts, salt > "***", params "" > [2422] 1428482081.201920: Produced preauth for next request: (empty) > [2422] 1428482081.201929: AS key determined by preauth: aes256-cts/61D1 > [2422] 1428482081.201973: Decrypted AS reply; session key is: > aes256-cts/C464 > [2422] 1428482081.201991: FAST negotiation: available > [2422] 1428482081.202014: Initializing KEYRING:persistent:0:0 with > default princ frodo at MITTELERDE.DE > [2422] 1428482081.202058: Removing frodo at MITTELERDE.DE -> > krbtgt/MITTELERDE.DE at MITTELERDE.DE from KEYRING:persistent:0:0 > [2422] 1428482081.202065: Storing frodo at MITTELERDE.DE -> > krbtgt/MITTELERDE.DE at MITTELERDE.DE in KEYRING:persistent:0:0 > [2422] 1428482081.202110: Storing config in KEYRING:persistent:0:0 for > krbtgt/MITTELERDE.DE at MITTELERDE.DE: fast_avail: yes > [2422] 1428482081.202126: Removing frodo at MITTELERDE.DE -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: > from KEYRING:persistent:0:0 > [2422] 1428482081.202133: Storing frodo at MITTELERDE.DE -> > krb5_ccache_conf_data/fast_avail/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: > in KEYRING:persistent:0:0 > [2422] 1428482081.202166: Storing config 
in KEYRING:persistent:0:0 for > krbtgt/MITTELERDE.DE at MITTELERDE.DE: pa_type: 2 > [2422] 1428482081.202177: Removing frodo at MITTELERDE.DE -> > krb5_ccache_conf_data/pa_type/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: > from > KEYRING:persistent:0:0 > > [2422] 1428482081.202184: Storing frodo at MITTELERDE.DE -> > krb5_ccache_conf_data/pa_type/krbtgt\/MITTELERDE.DE\@MITTELERDE.DE at X-CACHECONF: > in > KEYRING:persistent:0:0 > > > Most of the host can only communicate in the local net, which has not > that much hosts (10). The wired ones are connected via GBit Network, > wireless it is up to 150MBit. Server is a Xeon E3-1225 with 8GB Mem. All > Systems have Fedora 21 installed Does it communicate with the same KDC as krb5_child? From mkosek at redhat.com Wed Apr 8 08:59:53 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Apr 2015 10:59:53 +0200 Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de> References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de> Message-ID: <5524EE09.8040703@redhat.com> On 04/08/2015 07:57 AM, Markus Roth wrote: > >> Endi Sukma Dewata hat am 1. April 2015 um 23:56 >> geschrieben: >> >> >> On 4/1/2015 4:29 PM, Markus Roth wrote: >>> Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie: >>>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: >>>>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: >>>>>>>> Hi all, >>>>>>>> >>>>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. >>>>> >>>>>>>> The ipa-server-install shows the following output: >>>>> ... >>>>> >>>>>>>> Done configuring directory server (dirsrv). 
>>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 >>>>>>>> minutes 30 >>>>>>>> seconds >>>>>>>> >>>>>>>> [1/27]: creating certificate server user >>>>>>>> [2/27]: configuring certificate server instance >>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg >>>>>>>> [4/27]: backing up CS.cfg >>>>>>>> [5/27]: disabling nonces >>>>>>>> [6/27]: set up CRL publishing >>>>>>>> [7/27]: enable PKIX certificate path discovery and validation >>>>>>>> [8/27]: starting certificate server instance >>>>>>>> [error] RuntimeError: CA did not start in 300.0s >>>>>>>> >>>>>>>> CA did not start in 300.0s >>>>>>>> >>>>>>>> The ipa server install log shows this: >>>>>>>> >>>>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted >>>>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... >>>>> >>>>> ... >>>>> >>>>>>>> I uninstalled the ipa server completely several times and installed >>>>>>>> it again. >>>>>>>> But it always stops at the same step with the setup. >>>>>>>> >>>>>>>> Can anybody help? >>>>> >>>>> Based on the IPA install log alone it looks like the DS is already >>>>> started, and the Dogtag is already started too in step [3/27]. It's the >>>>> restart on step [8/27] that is failing. >>>>> >>>>> We will need to see the Dogtag debug log in order to know if Dogtag is >>>>> indeed failing to restart or the installer for some reason cannot >>>>> connect to Dogtag. >>>> >>>> Hi Markus, >>>> >>>> Based on the logs that you sent me, the Dogtag took a really long time >>>> to start: >>>> >>>> INFORMATION: Server startup in 739700 ms >>>> >>>> More than half of that time was spent starting the CA subsystem alone: >>>> >>>> INFORMATION: Deployment of configuration descriptor /etc/pki >>>> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms >>>> >>>> The whole (failed) IPA installation took about 38 minutes. Is this correct? >>>> >>>> It's possible the system was running out of entropy. 
You might want to >>>> install haveged or rngd. See: >>>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ >>>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent >>>> ropy-for-cloud-servers-using-haveged >>>> >>>> However, the system seems to be running very slowly in general. How >>>> powerful is this machine? >>> >>> Hi Endi >>> >>> the system is a banana pi system. Seems that this ARM CPU based system isn't >>> suitable for FreeIPA.... >> >> The installation might still succeed if IPA doesn't have the 300s time >> limit. If you want to try, you probably can specify a larger >> startup_timeout in ~/.ipa/default.conf, or change the code in >> ipaplatform/redhat/services.py to wait indefinitely, and see what >> happens. I don't know if it will be usable though. >> >> -- >> Endi S. Dewata >> > > Yersterday I did the installation of freeipa on my banana Pi with modifying the > source file ipalib/constants.py: ('startup_timeout', 300). I changed it to > 900 s. And the setup process was successful! The start of the CA had a duration > of 630s! But after the installation freeipa is usable on the banana Pi. > > Thanks to Endi for help. That's cool! Do you think that your experience from making it work could form a nice HOWTO article on http://www.freeipa.org/page/HowTos ? 
Maybe it would help others who would want to follow your example on FreeIPA at *Pi devices :-) From lists at fahrendorf.de Wed Apr 8 09:08:45 2015 From: lists at fahrendorf.de (Martin (Lists)) Date: Wed, 08 Apr 2015 11:08:45 +0200 Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21) In-Reply-To: <20150408085759.GA11481@hendrix.arn.redhat.com> References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com> <5524E295.8090003@fahrendorf.de> <20150408082726.GX11481@hendrix.arn.redhat.com> <5524EA1E.5030702@fahrendorf.de> <20150408085759.GA11481@hendrix.arn.redhat.com> Message-ID: <5524F01D.7010306@fahrendorf.de> Am 08.04.2015 um 10:57 schrieb Jakub Hrozek: > > > > > > > Most of the host can only communicate in the local net, which has not > > that much hosts (10). The wired ones are connected via GBit Network, > > wireless it is up to 150MBit. Server is a Xeon E3-1225 with 8GB Mem. All > > Systems have Fedora 21 installed > > Does it communicate with the same KDC as krb5_child? > Yep, same host, same port number. Currently I have only one IPA server running. Replication is on my todo list though. Martin From markus at die5roths.de Wed Apr 8 09:13:56 2015 From: markus at die5roths.de (Markus Roth) Date: Wed, 8 Apr 2015 11:13:56 +0200 (CEST) Subject: [Freeipa-users] Setup of freeipa 4.1.3 failed In-Reply-To: <5524EE09.8040703@redhat.com> References: <2588793.PXhtNmgmCt@shdehenw2471> <551C2346.3040808@redhat.com> <551C5D76.2080509@redhat.com> <4593147.Vqzm0ENHAm@eeepc.roth.lan> <551C69A3.3050202@redhat.com> <1432502321.571.1428472638716.JavaMail.open-xchange@app02.ox.hosteurope.de> <5524EE09.8040703@redhat.com> Message-ID: <2085598006.5948.1428484436806.JavaMail.open-xchange@app02.ox.hosteurope.de> > Martin Kosek hat am 8. 
April 2015 um 10:59 geschrieben: > > > On 04/08/2015 07:57 AM, Markus Roth wrote: > > > >> Endi Sukma Dewata hat am 1. April 2015 um 23:56 > >> geschrieben: > >> > >> > >> On 4/1/2015 4:29 PM, Markus Roth wrote: > >>> Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie: > >>>> On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote: > >>>>>>> On 03/31/2015 01:54 PM, Markus Roth wrote: > >>>>>>>> Hi all, > >>>>>>>> > >>>>>>>> I want setup freeipa 4.1.3 on a fresh installed fedora 21. > >>>>> > >>>>>>>> The ipa-server-install shows the following output: > >>>>> ... > >>>>> > >>>>>>>> Done configuring directory server (dirsrv). > >>>>>>>> Configuring certificate server (pki-tomcatd): Estimated time 3 > >>>>>>>> minutes 30 > >>>>>>>> seconds > >>>>>>>> > >>>>>>>> [1/27]: creating certificate server user > >>>>>>>> [2/27]: configuring certificate server instance > >>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg > >>>>>>>> [4/27]: backing up CS.cfg > >>>>>>>> [5/27]: disabling nonces > >>>>>>>> [6/27]: set up CRL publishing > >>>>>>>> [7/27]: enable PKIX certificate path discovery and validation > >>>>>>>> [8/27]: starting certificate server instance > >>>>>>>> [error] RuntimeError: CA did not start in 300.0s > >>>>>>>> > >>>>>>>> CA did not start in 300.0s > >>>>>>>> > >>>>>>>> The ipa server install log shows this: > >>>>>>>> > >>>>>>>> 2015-03-31T17:39:35Z DEBUG The CA status is: check interrupted > >>>>>>>> 2015-03-31T17:39:35Z DEBUG Waiting for CA to start... > >>>>> > >>>>> ... > >>>>> > >>>>>>>> I uninstalled the ipa server completely several times and installed > >>>>>>>> it again. > >>>>>>>> But it always stops at the same step with the setup. > >>>>>>>> > >>>>>>>> Can anybody help? > >>>>> > >>>>> Based on the IPA install log alone it looks like the DS is already > >>>>> started, and the Dogtag is already started too in step [3/27]. It's the > >>>>> restart on step [8/27] that is failing. 
> >>>>> > >>>>> We will need to see the Dogtag debug log in order to know if Dogtag is > >>>>> indeed failing to restart or the installer for some reason cannot > >>>>> connect to Dogtag. > >>>> > >>>> Hi Markus, > >>>> > >>>> Based on the logs that you sent me, the Dogtag took a really long time > >>>> to start: > >>>> > >>>> INFORMATION: Server startup in 739700 ms > >>>> > >>>> More than half of that time was spent starting the CA subsystem alone: > >>>> > >>>> INFORMATION: Deployment of configuration descriptor /etc/pki > >>>> /pki-tomcat/Catalina/localhost/ca.xml has finished in 393,390 ms > >>>> > >>>> The whole (failed) IPA installation took about 38 minutes. Is this > >>>> correct? > >>>> > >>>> It's possible the system was running out of entropy. You might want to > >>>> install haveged or rngd. See: > >>>> http://blog-ftweedal.rhcloud.com/2014/05/more-entropy-with-haveged/ > >>>> https://www.digitalocean.com/community/tutorials/how-to-setup-additional-ent > >>>> ropy-for-cloud-servers-using-haveged > >>>> > >>>> However, the system seems to be running very slowly in general. How > >>>> powerful is this machine? > >>> > >>> Hi Endi > >>> > >>> the system is a banana pi system. Seems that this ARM CPU based system > >>> isn't > >>> suitable for FreeIPA.... > >> > >> The installation might still succeed if IPA doesn't have the 300s time > >> limit. If you want to try, you probably can specify a larger > >> startup_timeout in ~/.ipa/default.conf, or change the code in > >> ipaplatform/redhat/services.py to wait indefinitely, and see what > >> happens. I don't know if it will be usable though. > >> > >> -- > >> Endi S. Dewata > >> > > > > Yersterday I did the installation of freeipa on my banana Pi with modifying > > the > > source file ipalib/constants.py: ('startup_timeout', 300). I changed it to > > 900 s. And the setup process was successful! The start of the CA had a > > duration > > of 630s! But after the installation freeipa is usable on the banana Pi. 
> >
> > Thanks to Endi for help.
>
> That's cool! Do you think that your experience from making it work could form
> a nice HOWTO article on
>
> http://www.freeipa.org/page/HowTos
>
> ? Maybe it would help others who would want to follow your example on FreeIPA
> at *Pi devices :-)
>

Of course, I can write this HowTo.

From bentech4you at gmail.com Wed Apr 8 09:39:16 2015
From: bentech4you at gmail.com (Ben .T.George)
Date: Wed, 8 Apr 2015 12:39:16 +0300
Subject: [Freeipa-users] krb5kdc: Server error
Message-ID:

Hi,

I am getting krb5kdc: Server error in the logs:

krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL

and ipactl status is taking a long time. The web interface is not able to authenticate.

If I issue ipactl restart, nothing is happening.

To solve this issue currently I am restarting the full server.

How can I fix this?

Regards,
Ben

From Alexander.Frolushkin at megafon.ru Wed Apr 8 09:52:21 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 8 Apr 2015 09:52:21 +0000
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
Message-ID:

Hello!

We used to have a geo-replicated IPA with RHEL 7.0, and on one site the IPA servers were upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).

Now it is broken globally; in the logs I see these:

[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.

What can I do to fix this catastrophe, or is it fatal?
As it seems from the client servers, HBAC is not working at all, maybe all other things as well :(

With best regards,
Alexander Frolushkin

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50

From mkosek at redhat.com Wed Apr 8 10:04:21 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 08 Apr 2015 12:04:21 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To:
References:
Message-ID: <5524FD25.8010200@redhat.com>

On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
> Hello!
> We used to have a geo-replicated IPA with RHEL 7.0, and on one site the IPA servers were upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
> Now it is broken globally, in logs I see these: > > [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys > [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary. > > What can I do to fix this catastrophe, or it is fatal? > As it seems from the client servers, hbac is not working at all, maybe all other things as well :( > > With best regards, > Alexander Frolushkin AFAIK, this particular error message should not be fatal to the function and new ACI should just be ignored. Maybe the new schema did not replicate properly. Do you see other DS errors? (CCing DS guys) Non-working HBAC is also strange, SSSD developers will want logs to analyze, see https://fedorahosted.org/sssd/wiki/Troubleshooting In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams. From Alexander.Frolushkin at megafon.ru Wed Apr 8 10:12:43 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 8 Apr 2015 10:12:43 +0000 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <5524FD25.8010200@redhat.com> References: <5524FD25.8010200@redhat.com> Message-ID: <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: Wednesday, April 08, 2015 4:04 PM To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 11:52 AM, Alexander Frolushkin wrote: >> Hello! >> We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). 
>> Now it is broken globally, in logs I see these:
>>
>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
>>
>> What can I do to fix this catastrophe, or is it fatal?
>> As it seems from the client servers, hbac is not working at all, maybe
>> all other things as well :(
>>
>> With best regards,
>> Alexander Frolushkin

> AFAIK, this particular error message should not be fatal to the function and
> new ACI should just be ignored. Maybe the new schema did not replicate
> properly. Do you see other DS errors? (CCing DS guys)

> Non-working HBAC is also strange, SSSD developers will want logs to analyze,
> see https://fedorahosted.org/sssd/wiki/Troubleshooting

> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have
> recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.

Please note, we currently have three servers with IPA 4.1.0 and 13 servers with IPA 3.3.3 working simultaneously.

Also about HBAC:

[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 From lkrispen at redhat.com Wed Apr 8 10:18:09 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 08 Apr 2015 12:18:09 +0200 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <5524FD25.8010200@redhat.com> References: <5524FD25.8010200@redhat.com> Message-ID: <55250061.5060806@redhat.com> On 04/08/2015 12:04 PM, Martin Kosek wrote: > On 04/08/2015 11:52 AM, Alexander Frolushkin wrote: >> Hello! >> We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). >> Now it is broken globally, in logs I see these: >> >> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys >> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary. >> >> What can I do to fix this catastrophe, or it is fatal? >> As it seems from the client servers, hbac is not working at all, maybe all other things as well :( >> >> With best regards, >> Alexander Frolushkin > AFAIK, this particular error message should not be fatal to the function and > new ACI should just be ignored. 
yes, but I don't know if any IPA component would rely on access granted by this aci.
> Maybe the new schema did not replicate
is this message logged on all servers ?
> properly. Do you see other DS errors? (CCing DS guys)
>
> Non-working HBAC is also strange, SSSD developers will want logs to analyze,
> see https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a
> recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
From traiano at gmail.com Wed Apr 8 10:27:01 2015 From: traiano at gmail.com (Traiano Welcome) Date: Wed, 8 Apr 2015 13:27:01 +0300 Subject: [Freeipa-users] krb5kdc: Server error In-Reply-To: References: Message-ID:
Hi Ben
On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George wrote:
> HI
>
> i am getting krb5kdc: Server error on logs:
>
> krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
>
> and the ipactl status is taking long time. Web interface is not able to authenticate.
>
> If i issue ipactl restart, nothing is happening
>
> to solve this issue currently i am restarting full server..
>
> How can i fix this?
>
Check the tail-end of this thread: https://www.redhat.com/archives/freeipa-users/2015-April/msg00011.html
You may want to begin by checking /etc/hosts for the right format ( ). DNS is probably the very next thing you want to check... thoroughly.
> Regards, > Ben > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From Alexander.Frolushkin at megafon.ru Wed Apr 8 10:36:32 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 8 Apr 2015 10:36:32 +0000 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <55250061.5060806@redhat.com> References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> Message-ID: -----Original Message----- From: Ludwig Krispenz [mailto:lkrispen at redhat.com] Sent: Wednesday, April 08, 2015 4:18 PM To: Martin Kosek Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 12:04 PM, Martin Kosek wrote: > On 04/08/2015 11:52 AM, Alexander Frolushkin wrote: >> Hello! >> We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). >> Now it is broken globally, in logs I see these: >> >> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): >> (targetattr="ipaProtectedOperation;write_keys >> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary. >> >> What can I do to fix this catastrophe, or it is fatal? >> As it seems from the client servers, hbac is not working at all, >> maybe all other things as well :( >> >> With best regards, >> Alexander Frolushkin > AFAIK, this particular error message should not be fatal to the > function and new ACI should just be ignored. yes, but I don't know if any IPA component would rely on access granted by this aci. > Maybe the new schema did not replicate is this message logged on all servers ? > properly. 
Do you see other DS errors? (CCing DS guys)
>
> Non-working HBAC is also strange, SSSD developers will want logs to analyze, see https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
Error messages differ on 7.0 and 7.1 servers. On one of the accidentally upgraded servers I have the following errors in dirsrv logs:
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
From mkosek at redhat.com Wed Apr 8 10:46:41 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 08 Apr 2015 12:46:41 +0200 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> Message-ID: <55250711.1020103@redhat.com>
On 04/08/2015 12:12 PM, Alexander Frolushkin wrote:
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Wednesday, April 08, 2015 4:04 PM
> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>>> Hello!
>>> We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64). >>> Now it is broken globally, in logs I see these: >>> >>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): >>> (targetattr="ipaProtectedOperation;write_keys >>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary. >>> >>> What can I do to fix this catastrophe, or it is fatal? >>> As it seems from the client servers, hbac is not working at all, maybe >>> all other things as well :( >>> >>> With best regards, >>> Alexander Frolushkin > >> AFAIK, this particular error message should not be fatal to the function and new ACI should just be ignored. Maybe the new schema did not replicate properly. Do you see other DS errors? (CCing DS guys) > >> Non-working HBAC is also strange, SSSD developers will want logs to analyze, see https://fedorahosted.org/sssd/wiki/Troubleshooting > >> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams. > > Please note, we currently have a three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously. > Also about hbac: > > [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com] CCing Jakub, but this looks like https://bugzilla.redhat.com/show_bug.cgi?id=1135433 that is fixed in sssd-1.12.1-1.el7. 
From bentech4you at gmail.com Wed Apr 8 10:54:46 2015 From: bentech4you at gmail.com (Ben .T.George) Date: Wed, 8 Apr 2015 13:54:46 +0300 Subject: [Freeipa-users] krb5kdc: Server error In-Reply-To: References: Message-ID:
HI Traino,
thanks for the info. I have checked the hosts and confirmed that entry was format. And the DNS, everything is working:
[root at kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.SUN.LOCAL. 21965 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 1957 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 86400 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 86400 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 9112 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL. 86400 IN SRV 0 100 123 kwtprsolipa01.sun.local.
[root at kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local ${i}.MHA.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 dxbprdc002.mha.local.
_ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 kwtprdc001.mha.local.
_ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 dxbprdc001.mha.local.
_ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 rusmosprdc002.mha.local.
_ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 kwtprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 kwtprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 dxbprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 dxbprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 dxbprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 kwtprdc001.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 dxbprdc001.mha.local.
[root at kwtprsolipa01 slapd-SUN-LOCAL]# host 172.16.99.99
99.99.16.172.in-addr.arpa domain name pointer kwtprsolipa01.sun.local.
[root at kwtprsolipa01 slapd-SUN-LOCAL]# host kwtprsolipa01.sun.local
kwtprsolipa01.sun.local has address 172.16.99.99
[root at kwtprsolipa01 slapd-SUN-LOCAL]# host mha.local
mha.local has address 172.16.98.171
mha.local has address 172.16.100.180
mha.local has address 10.10.10.11
mha.local has address 10.10.10.10
[root at kwtprsolipa01 slapd-SUN-LOCAL]# dig kwtprsolipa01.sun.local
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> kwtprsolipa01.sun.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;kwtprsolipa01.sun.local. IN A
;; ANSWER SECTION:
kwtprsolipa01.sun.local. 38 IN A 172.16.99.99
;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 08 13:54:02 AST 2015
;; MSG SIZE rcvd: 68
On Wed, Apr 8, 2015 at 1:27 PM, Traiano Welcome wrote:
> Hi Ben
>
> On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George wrote:
> > HI
> >
> > i am getting krb5kdc: Server error on logs:
> >
> > krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
> >
> > and the ipactl status is taking long time. Web interface is not able to authenticate.
> >
> > If i issue ipactl restart, nothing is happening
> >
> > to solve this issue currently i am restarting full server..
> >
> > How can i fix this?
> > > > Check the tail-end of this thread: > > https://www.redhat.com/archives/freeipa-users/2015-April/msg00011.html > > You may want to begin by checking /etc/hosts for the right format ( address> ). > DNS is probably the very next thing you want to check... thoroughly. > > > > > > > > Regards, > > Ben > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > From Alexander.Frolushkin at megafon.ru Wed Apr 8 11:07:25 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 8 Apr 2015 11:07:25 +0000 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <55250711.1020103@redhat.com> References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> <55250711.1020103@redhat.com> Message-ID: <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: Wednesday, April 08, 2015 4:47 PM To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz; Jakub Hrozek Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 >> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams. >> >> Please note, we currently have three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously. >> Also about hbac: >> >> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read >> replication >> agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad, >> dc=com] >CCing Jakub, but this looks like >https://bugzilla.redhat.com/show_bug.cgi?id=1135433 >that is fixed in sssd-1.12.1-1.el7. I have one test server with 7.1 and sssd-1.12.2-58.el7_1.6.x86_64 but it does not work either.
And on 6.6 servers (with the latest sssd-1.11.6-30.el6_6.4.x86_64) the situation is the same.
From jhrozek at redhat.com Wed Apr 8 11:12:19 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 8 Apr 2015 13:12:19 +0200 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> <55250711.1020103@redhat.com> <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> Message-ID: <20150408111219.GE27581@hendrix.arn.redhat.com> On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote: > -----Original Message----- > From: Martin Kosek [mailto:mkosek at redhat.com] > Sent: Wednesday, April 08, 2015 4:47 PM > To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz; Jakub Hrozek > Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 > > >> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams. > >> > >> Please note, we currently have a three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously. > >> Also about hbac: > >> > >> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read > >> replication > >> agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=ad, > >> dc=com] > > >CCing Jakub, but this looks like > > >https://bugzilla.redhat.com/show_bug.cgi?id=1135433 This is actually https://fedorahosted.org/sssd/ticket/2603 According to the RDN: "agreements+nsuniqueid=" there is a replication conflict on the servers. Latest SSSD builds are able to handle those, but you should fix the server anyway.
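Two diagnostic points from this thread are easy to turn into a repeatable check: Martin's note that an ACI whose targetattr is missing from the schema is ignored rather than fatal (and points at schema replication), and Jakub's note that a "+nsuniqueid=" component in an RDN identifies a replication-conflict entry. The following Python script is an added example, not code from the thread, FreeIPA, 389-ds or SSSD. The lines it scans are constructed from the excerpts quoted above; the nsuniqueid value in the constructed HBAC line is a placeholder, and the category names and advice strings are my own.

```python
"""Triage 389-ds errors-log and SSSD log lines for the symptoms in this thread.

Added example; not code from FreeIPA, 389-ds or SSSD.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines modelled on the thread's excerpts.  The
# nsuniqueid in the first HBAC line is a placeholder, not a real value.
SAMPLE_LOG = """\
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements+nsuniqueid=00000000-00000000-00000000-00000000,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]
[hbac_eval_user_element] (0x0080): Parse error on [cn=system: read replication agreements,cn=permissions,cn=pbac,dc=unix,dc=ad,dc=com]
"""

ACI_SCHEMA_RE = re.compile(r'__aclp__init_targetattr: targetattr "([^"]+)" does not exist in schema')
ACI_PARSE_RE = re.compile(r'NSACLPlugin - ACL PARSE ERR\(rv=(-?\d+)\)')
BER_RE = re.compile(r'Incoming BER Element was too long, max allowable is (\d+) bytes')
REFERRAL_RE = re.compile(r'attr_replace \(nsslapd-referral, (ldap://[^)]+)\) failed')
HBAC_PARSE_RE = re.compile(r'\[hbac_eval_user_element\] \(0x[0-9a-fA-F]+\): Parse error on \[(.+)\]$')
# 389-ds renames a conflicting entry by appending "+nsuniqueid=<id>" to its
# RDN, so a multi-valued RDN with that component marks a conflict entry.
CONFLICT_RDN_RE = re.compile(r'\+nsuniqueid=', re.IGNORECASE)

# Follow-up advice per category, as stated in the thread (my wording).
ADVICE = {
    "aci_parse_error": "ACI is skipped, not fatal; look for the schema message that follows it",
    "aci_attr_missing_from_schema": "new schema did not reach this server; check schema replication",
    "ber_too_long": "client sent an element above nsslapd-maxbersize; identify the client on that conn",
    "referral_replace_failed": "referral update for o=ipaca failed; check CA replica agreements",
    "hbac_replication_conflict_entry": "replication conflict entry; resolve it on the servers (search nsds5ReplConflict=*)",
    "hbac_parse_error": "SSSD could not parse this DN; collect sssd_<domain>.log at debug_level 6+",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line: str


def is_replication_conflict_dn(dn: str) -> bool:
    """True when any RDN of the DN carries a +nsuniqueid=... component."""
    return CONFLICT_RDN_RE.search(dn) is not None


def classify_line(line: str):
    """Map one log line to a Finding, or None for lines we do not care about."""
    m = ACI_SCHEMA_RE.search(line)
    if m:
        return Finding("aci_attr_missing_from_schema", m.group(1), line)
    m = ACI_PARSE_RE.search(line)
    if m:
        return Finding("aci_parse_error", m.group(1), line)
    m = BER_RE.search(line)
    if m:
        return Finding("ber_too_long", m.group(1), line)
    m = REFERRAL_RE.search(line)
    if m:
        return Finding("referral_replace_failed", m.group(1), line)
    m = HBAC_PARSE_RE.search(line)
    if m:
        dn = m.group(1)
        kind = "hbac_replication_conflict_entry" if is_replication_conflict_dn(dn) else "hbac_parse_error"
        return Finding(kind, dn, line)
    return None


def scan(text: str) -> dict:
    """Group every recognised line by category."""
    found = defaultdict(list)
    for raw in text.splitlines():
        finding = classify_line(raw.rstrip())
        if finding is not None:
            found[finding.kind].append(finding)
    return dict(found)


def summarize(text: str) -> dict:
    """Category -> sorted unique details (attribute, byte limit, URL or DN)."""
    return {kind: sorted({f.detail for f in fs}) for kind, fs in scan(text).items()}


if __name__ == "__main__":
    for kind, details in summarize(SAMPLE_LOG).items():
        print(f"{kind}: {details}")
        print(f"  -> {ADVICE[kind]}")
```

Run it over `/var/log/dirsrv/slapd-*/errors` and the SSSD domain log from an affected client; a conflict entry flagged in the HBAC line is then the DN to look up with the `nsds5ReplConflict=*` search Alexander ran later in this thread, on every server, since a conflict cleaned on one replica can still exist on another.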
From chamambom at afri-com.net Wed Apr 8 11:39:44 2015 From: chamambom at afri-com.net (Chamambo Martin) Date: Wed, 8 Apr 2015 13:39:44 +0200 Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration In-Reply-To: <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net> References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net> <20150408083518.GY11481@hendrix.arn.redhat.com> <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net> Message-ID: <000001d071f0$b6e9a6c0$24bcf440$@afri-com.net>
Sudo seems to be configured correctly but somehow it's not working
Even if I do a sudo -l under the admin user
[admin at ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User admin may run the following commands on this host:
(admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic, matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim, /usr/bin/less
[admin at ironhide tmp]$ tail -f /var/log/sssd/sssd_sudo.log
[root at ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for ai.co.zw: /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [ai.co.zw][forced][]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Wed Apr 8 13:35:27 2015) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Wed Apr 8 13:35:28 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40c900:domains at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [admin] from []
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [admin] from []
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [admin at ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [admin] from [ai.co.zw]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428492937)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
(Wed Apr 8 13:35:37 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [admin at ai.co.zw]
(Wed Apr 8 13:35:44 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Chamambo Martin
Sent: Wednesday, April 08, 2015 10:49 AM
To: 'Jakub Hrozek'
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
I have done below and its giving me the correct results and at the moment LET ME enable debugging in sudo itself and see if that will get me somewhere
[root at ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw) (alvin.ai.co.zw,-,ai.co.zw) (madagascar.ai.co.zw,-,ai.co.zw) (nemo.ai.co.zw,-,ai.co.zw)
[root at ironhide ~]#
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 10:35 AM
To: Chamambo Martin
Cc: freeipa-users at redhat.com; 'Lukas Slebodnik'
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*))(&(dataExpireTimestamp<=1428480892)))]
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=admin)(sudoUser=#1468200000)(sudoUser=%admins)(sudoUser=%trust admins)(sudoUser=%admins)(sudoUser=+*)))]
The above are the cache searches sssd ran.
This is how the sudo rule looks in your cache:
# record 29
dn: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
cn: file-commands
dataExpireTimestamp: 1428486013
entryUSN: 28714
name: file-commands
objectClass: sudoRule
originalDN: cn=file-commands,ou=sudoers,dc=ai,dc=co,dc=zw
sudoCommand: /usr/bin/vim
sudoCommand: /usr/bin/less
sudoHost: +mailservers
sudoRunAsGroup: ALL
sudoRunAsUser: admin
sudoRunAsUser: chamambom
sudoRunAsUser: kamoyob
sudoRunAsUser: kumalop
sudoRunAsUser: machangeteb
sudoRunAsUser: masaitit
sudoRunAsUser: masvivic
sudoRunAsUser: matangiraa
sudoRunAsUser: nyahumap
sudoRunAsUser: pedzisail
sudoRunAsUser: tayengwaj
sudoUser: ALL
distinguishedName: name=file-commands,cn=sudorules,cn=custom,cn=ai.co.zw,cn=sysdb
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [admin at ai.co.zw]
And here we see that the sudo rule was returned from SSSD to sudo. But then in sudo, it didn't match for some reason. I expect it's because of the netgroup, can you check if nisdomainname is really set correctly and getent netgroup mailservers reports the FQDN of your client?
Also, you can enable debugging in sudo itself. See man sudo.conf and search for the option "Debug". That will show you how exactly sudo matches the rules.
> (Wed Apr 8 10:15:02 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From Alexander.Frolushkin at megafon.ru Wed Apr 8 11:40:08 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Wed, 8 Apr 2015 11:40:08 +0000 Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1 In-Reply-To: <20150408111219.GE27581@hendrix.arn.redhat.com> References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> <55250711.1020103@redhat.com> <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> <20150408111219.GE27581@hendrix.arn.redhat.com> Message-ID: <9937c2d215d84094b8082c11bebb0f76@sib-ums01.Megafon.ru> -----Original Message----- From: Jakub Hrozek [mailto:jhrozek at redhat.com] Sent: Wednesday, April 08, 2015 5:12 PM To: Alexander Frolushkin (SIB) Cc: 'Martin Kosek'; freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote: > -----Original Message----- > From: Martin Kosek [mailto:mkosek at redhat.com] > Sent: Wednesday, April 08, 2015 4:47 PM > To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig > Krispenz; Thierry Bordaz; Jakub Hrozek > Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 > > >> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams. > >> > >> Please note, we currently have a three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously. 
> >> Also about hbac:
> >>
> >> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read
> >> replication
> >> agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=
> >> agreements+ad,
> >> dc=com]
>
> >CCing Jakub, but this looks like
>
> >https://bugzilla.redhat.com/show_bug.cgi?id=1135433
>This is actually https://fedorahosted.org/sssd/ticket/2603
>According to the RDN: "agreements+nsuniqueid=" there is a replication conflict on the servers. Latest SSSD builds are able to handle those, but you should fix the server anyway.
Thank You! Conflict has already been resolved:
# ldapsearch -D "uid=admin,cn=users,cn=accounts,dc=unix,dc=ad,dc=com" -W -b "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: * nsds5ReplConflict
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
After that, clients are able to log in via ssh on servers connected to 7.1 servers, but still no login on client servers connected to 7.0 IPA servers...
If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From jhrozek at redhat.com Wed Apr 8 12:01:22 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 14:01:22 +0200
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <000001d071f0$b6e9a6c0$24bcf440$@afri-com.net>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net> <20150408083518.GY11481@hendrix.arn.redhat.com> <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net> <000001d071f0$b6e9a6c0$24bcf440$@afri-com.net>
Message-ID: <20150408120121.GF27581@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working
>
> Even if I do a sudo -l under the admin user
>
> [admin at ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this host:
> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User admin may run the following commands on this host:
> (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
> matangiraa, nyahumap, pedzisail,
> tayengwaj : ALL) /usr/bin/vim,
                   ~~~~~~~~~~~
> /usr/bin/less
  ~~~~~~~~~~~~~

According to this output, admin can run both vim and less... ??

From mkosek at redhat.com Wed Apr 8 12:01:56 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 08 Apr 2015 14:01:56 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <9937c2d215d84094b8082c11bebb0f76@sib-ums01.Megafon.ru>
References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> <55250711.1020103@redhat.com> <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> <20150408111219.GE27581@hendrix.arn.redhat.com> <9937c2d215d84094b8082c11bebb0f76@sib-ums01.Megafon.ru>
Message-ID: <552518B4.3000006@redhat.com>

On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
>
> -----Original Message-----
> From: Jakub Hrozek [mailto:jhrozek at redhat.com]
> Sent: Wednesday, April 08, 2015 5:12 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Martin Kosek'; freeipa-users at redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On Wed, Apr 08, 2015 at 11:07:25AM +0000, Alexander Frolushkin wrote:
>> -----Original Message-----
>> From: Martin Kosek [mailto:mkosek at redhat.com]
>> Sent: Wednesday, April 08, 2015 4:47 PM
>> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Ludwig
>> Krispenz; Thierry Bordaz; Jakub Hrozek
>> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>>
>>>> In any case, upgrade from 3.3 to 4.1 should just work, you just need to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
>>>>
>>>> Please note, we currently have a three servers with IPA 4.1.0, and 13 servers with IPA 3.3.3 working simultaneously.
>>>> Also about hbac:
>>>>
>>>> [hbac_eval_user_element] (0x0080): Parse error on [cn=system: read
>>>> replication
>>>> agreements+nsuniqueid=..........,cn=permissions,cn=pbac,dc=unix,dc=
>>>> agreements+ad,
>>>> dc=com]
>>
>>> CCing Jakub, but this looks like
>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1135433
>
>> This is actually https://fedorahosted.org/sssd/ticket/2603
>
>> According to the RDN: "agreements+nsuniqueid=" there is a replication conflict on the servers. Latest SSSD builds are able to handle those, but you should fix the server anyway.
>
> Thank You!
> Conflict has already been resolved:
>
> # ldapsearch -D "uid=admin,cn=users,cn=accounts,dc=unix,dc=ad,dc=com" -W -b "nsds5ReplConflict=*" \* nsds5ReplConflict
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: * nsds5ReplConflict
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> After that, clients are able to log in via ssh on servers connected to 7.1 servers, but still no login on client servers connected to 7.0 IPA servers...

Good! Does it only happen for users that have any RBAC role assigned or are non-privileged users able to log in? I suspect you may be hitting

https://bugzilla.redhat.com/show_bug.cgi?id=1140888

fixed in RHEL-7.1 DS and IPA.
From jhrozek at redhat.com Wed Apr 8 12:02:42 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 8 Apr 2015 14:02:42 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <9937c2d215d84094b8082c11bebb0f76@sib-ums01.Megafon.ru>
References: <5524FD25.8010200@redhat.com> <1c5d48b451c24b80af7e6b95bb12b109@sib-ums01.Megafon.ru> <55250711.1020103@redhat.com> <127b8c1c26c04ee98725dbbe94965b26@sib-ums01.Megafon.ru> <20150408111219.GE27581@hendrix.arn.redhat.com> <9937c2d215d84094b8082c11bebb0f76@sib-ums01.Megafon.ru>
Message-ID: <20150408120242.GG27581@hendrix.arn.redhat.com>

On Wed, Apr 08, 2015 at 11:40:08AM +0000, Alexander Frolushkin wrote:
> After that, clients are able to log in via ssh on servers connected to 7.1 servers, but still no login on client servers connected to 7.0 IPA servers...

There might be a problem with ACIs, can you check the logs on the clients?

From tbordaz at redhat.com Wed Apr 8 12:09:23 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 08 Apr 2015 14:09:23 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To:
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com>
Message-ID: <55251A73.305@redhat.com>

On 04/08/2015 12:36 PM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 08, 2015 4:18 PM
> To: Martin Kosek
> Cc: Alexander Frolushkin (SIB); freeipa-users at redhat.com; Thierry Bordaz
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
>
> On 04/08/2015 12:04 PM, Martin Kosek wrote:
>> On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
>>> Hello!
>>> We used to have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers were upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
>>> Now it is broken globally, in logs I see these:
>>>
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
>>> (targetattr="ipaProtectedOperation;write_keys
>>> [08/Apr/2015:13:06:47 +0600] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaProtectedOperation;write_keys" does not exist in schema. Please add attributeTypes "ipaProtectedOperation;write_keys" to schema if necessary.
>>>
>>> What can I do to fix this catastrophe, or is it fatal?
>>> As it seems from the client servers, hbac is not working at all,
>>> maybe all other things as well :(
>>>
>>> With best regards,
>>> Alexander Frolushkin
>> AFAIK, this particular error message should not be fatal to the
>> function and new ACI should just be ignored.
> yes, but I don't know if any IPA component would rely on access granted by this aci.
>> Maybe the new schema did not replicate
> is this message logged on all servers ?
>> properly. Do you see other DS errors? (CCing DS guys)
>>
>> Non-working HBAC is also strange, SSSD developers will want logs to
>> analyze, see https://fedorahosted.org/sssd/wiki/Troubleshooting
>>
>> In any case, upgrade from 3.3 to 4.1 should just work, you just need
>> to have a recent enough RHEL-6 servers - at least RHEL-6.6+z-streams.
> Error messages differ on 7.0 and 7.1 servers.
> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>
> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

This message is logged if the received message was too large. But here max size was 200Mb.
I can not imagine such a large message.
Being logged at the same second, it could be a transient error. Have you seen other messages like these ?

> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.

Here it is likely triggered by a RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv
From chamambom at afri-com.net Wed Apr 8 12:14:26 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Wed, 8 Apr 2015 12:14:26 +0000
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <20150408120121.GF27581@hendrix.arn.redhat.com>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net> <20150408083518.GY11481@hendrix.arn.redhat.com> <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net> <000001d071f0$b6e9a6c0$24bcf440$@afri-com.net>, <20150408120121.GF27581@hendrix.arn.redhat.com>
Message-ID:

________________________________________
From: Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working
>
> Even if I do a sudo -l under the admin user
>
> [admin at ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this host:
> requiretty, !visiblepw,
> always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User admin may run the following commands on this host:
> (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
> matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
                                                    ~~~~~~~~~~~
> /usr/bin/less
  ~~~~~~~~~~~~~

According to this output, admin can run both vim and less... ??

From Alexander.Frolushkin at megafon.ru Wed Apr 8 12:19:57 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 8 Apr 2015 12:19:57 +0000
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <55251A73.305@redhat.com>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com>
Message-ID: <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru>

>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes.
>> Change the nsslapd-maxbersize attribute in cn=config to increase.

>This message is logged if the received message was too large. But here max size was 200Mb.
>I can not imagine such a large message.
>Being logged at the same second, it could be a transient error. Have you seen other messages like these ?

Yes, it is still here.

[08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.

>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>Here it is likely triggered by a RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
>ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv

Do you mean we need to upgrade all 3.3.3 IPA servers to 4.1 first? Or can this be cleaned right now on the remaining servers?

BTW:
# ipa-replica-manage list-ruv
Directory Manager password:

sib-rhidm03.unix.ad.com:389: 5
dv-rhidm01.unix.ad.com:389: 17
sib-rhidm02.unix.ad.com:389: 3
sib-rhidm01.unix.ad.com:389: 4
url-rhidm01.unix.ad.com:389: 6
url-rhidm02.unix.ad.com:389: 7
....
nw-rhidm01.unix.ad.com:389: 19
From tbordaz at redhat.com Wed Apr 8 12:35:30 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 08 Apr 2015 14:35:30 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru>
Message-ID: <55252092.6010506@redhat.com>

On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
>>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>>
>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> This message is logged if the received message was too large. But here max size was 200Mb.
>> I can not imagine such a large message.
>> Being logged at the same second, it could be a transient error. Have you seen other messages like these ?
> Yes, it is still here.
>
> [08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes.
> Change the nsslapd-maxbersize attribute in cn=config to increase.
> [08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.

Those logs mean the connection (e.g. conn=1125) got closed. Would you grep conn=1125 in the access log ?

> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>
>
>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>> Here it is likely triggered by a RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
>> ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv
> Do you mean we need to upgrade all 3.3.3 IPA servers to 4.1 first? Or can this be cleaned right now on the remaining servers?
>
> BTW:
> # ipa-replica-manage list-ruv
> Directory Manager password:
>
> sib-rhidm03.unix.ad.com:389: 5
> dv-rhidm01.unix.ad.com:389: 17
> sib-rhidm02.unix.ad.com:389: 3
> sib-rhidm01.unix.ad.com:389: 4
> url-rhidm01.unix.ad.com:389: 6
> url-rhidm02.unix.ad.com:389: 7
> ....
> nw-rhidm01.unix.ad.com:389: 19
>

This message is harmless. It means that some values of nsds50ruv in the RUV have identical referral. This should not occur, but replication is smart enough to just log this warning and continue working.
I would not recommend cleanup right now. Just clarification of the status.
Would you send all the ruv values returned by 'list-ruv' (here there is no duplicate).

thanks
thierry
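As an added example that is not part of the thread (nothing here is FreeIPA's or 389-ds's own code): a small Python triage script in the spirit of Thierry's suggestions above. It parses constructed 389-ds errors-log lines modelled on the ones quoted in this thread, pulling out the conn ids of the connections closed for an oversized BER element (the key to grep for in the access log) and the referral URLs behind the attr_replace failures, and it checks constructed `ipa-replica-manage list-ruv` output for a server that appears under more than one replica ID. The duplicate sib-rhidm01 entry in the sample is invented to show what a clean-ruv candidate looks like.

```python
import re
from collections import Counter

# Constructed sample of 389-ds errors-log lines, modelled on the thread.
SAMPLE_ERRORS_LOG = """\
[08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:14:55:30 +0300] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr="ipaProtectedOperation;write_keys
"""

# Constructed `ipa-replica-manage list-ruv` output; the second sib-rhidm01
# entry is invented to show what a stale, duplicated RUV entry looks like.
SAMPLE_LIST_RUV = """\
Directory Manager password:

sib-rhidm03.unix.ad.com:389: 5
dv-rhidm01.unix.ad.com:389: 17
sib-rhidm02.unix.ad.com:389: 3
sib-rhidm01.unix.ad.com:389: 4
sib-rhidm01.unix.ad.com:389: 21
nw-rhidm01.unix.ad.com:389: 19
"""

BER_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=(?P<fd>\d+) Incoming BER Element was too long, "
    r"max allowable is (?P<max>\d+) bytes"
)
REFERRAL_RE = re.compile(r"attr_replace \(nsslapd-referral, (?P<url>[^)]+)\) failed")
RUV_RE = re.compile(r"^(?P<server>[A-Za-z0-9.-]+:\d+):\s*(?P<rid>\d+)$")


def summarize_errors_log(text):
    """Return ({conn_id: (fd, max_bytes)}, Counter{referral_url: failures}).

    Each BER overflow line means the server closed that connection; the conn
    id is what to look up in the access log (bind DN, peer address, last
    operation) to identify the client that sent the oversized element.
    """
    closed = {}
    referrals = Counter()
    for line in text.splitlines():
        m = BER_RE.search(line)
        if m:
            closed[int(m["conn"])] = (int(m["fd"]), int(m["max"]))
            continue
        m = REFERRAL_RE.search(line)
        if m:
            referrals[m["url"]] += 1
    return closed, referrals


def parse_list_ruv(text):
    """Return [(server, replica_id), ...] from `ipa-replica-manage list-ruv` output."""
    entries = []
    for line in text.splitlines():
        m = RUV_RE.match(line.strip())
        if m:
            entries.append((m["server"], int(m["rid"])))
    return entries


def find_ruv_duplicates(entries):
    """Flag servers carrying more than one replica ID (a stale entry, for
    example after a replica was installed more than once) and replica IDs
    claimed by more than one server. Empty dicts mean no clean-ruv candidate."""
    by_server, by_rid = {}, {}
    for server, rid in entries:
        by_server.setdefault(server, []).append(rid)
        by_rid.setdefault(rid, []).append(server)
    return {
        "servers": {s: rids for s, rids in by_server.items() if len(rids) > 1},
        "replica_ids": {r: srvs for r, srvs in by_rid.items() if len(srvs) > 1},
    }


if __name__ == "__main__":
    closed, referrals = summarize_errors_log(SAMPLE_ERRORS_LOG)
    for conn, (fd, limit) in sorted(closed.items()):
        print(f"conn={conn} (fd={fd}) closed: BER element exceeded {limit} bytes; "
              f"grep 'conn={conn} ' in the access log to identify the client")
    for url, n in referrals.most_common():
        print(f"{n}x referral update failed for {url}")
    dup = find_ruv_duplicates(parse_list_ruv(SAMPLE_LIST_RUV))
    for server, rids in dup["servers"].items():
        print(f"{server} appears with replica IDs {rids}: candidate for clean-ruv")
```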
From jpazdziora at redhat.com Wed Apr 8 12:42:38 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Wed, 8 Apr 2015 14:42:38 +0200
Subject: [Freeipa-users] FreeIPA server in Docker container improved
Message-ID: <20150408124238.GA5498@redhat.com>

Hello world!

The ability to run FreeIPA server in a container was recently improved by adding support for storing the server configuration and data in a volume, making it easier to backup the server, upgrade it to newer versions, as well as adding the ability to start a container as a replica of existing (containerized or non-containerized) IPA server.

Using IPA in a container can be an easy way to try IPA or test things on different OSes (there are multiple per-OS branches in the GitHub repo and multiple images built), as well as running IPA on a machine where it would otherwise clash with other software. It is still an unsupported release but working in multiple tests on our side, so we encourage our community members to try it out.

We will welcome your comments about your experience with the code at

https://github.com/adelton/docker-freeipa

or automated build images at

https://registry.hub.docker.com/u/adelton/freeipa-server/

README was amended to describe the new usage options.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From sprokhorov at intech-global.com Wed Apr 8 11:12:57 2015
From: sprokhorov at intech-global.com (Прохоров Сергей)
Date: Wed, 08 Apr 2015 14:12:57 +0300
Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server
Message-ID: <55250D39.2080702@intech-global.com>

Hello,

I have a self-signed freeipa replica. The problem is that I lost my freeipa primary server after an hdd error. Now I need to create a new replication server but I can't without the primary server.
I read this documentation and a lot of community correspondence but didn't find my issue:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA

How can I resolve it or migrate my kerberos/ldap schema to the new primary server?

I'm using ipa-server-3.0.0-42.el6.x86_64 from the base oracle linux 6.5 repository.

--
Best regards,
Prokhorov Sergey
Senior System Engineer of INTECH LTD
e-mail: sprokhorov at intech-global.com

From simo at redhat.com Wed Apr 8 13:22:56 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 08 Apr 2015 09:22:56 -0400
Subject: [Freeipa-users] Slow logins on FreeIPA 4.1.2 (F21)
In-Reply-To: <5524E295.8090003@fahrendorf.de>
References: <5520B5BB.4000307@fedoraproject.org> <552105B3.7010609@fahrendorf.de> <55239F88.5030206@fahrendorf.de> <20150407092145.GF26979@hendrix.arn.redhat.com> <5523FE7D.50902@fahrendorf.de> <1428424057.19641.149.camel@willson.usersys.redhat.com> <5524E295.8090003@fahrendorf.de>
Message-ID: <1428499376.19641.168.camel@willson.usersys.redhat.com>

On Wed, 2015-04-08 at 10:11 +0200, Martin (Lists) wrote:
> On 07.04.2015 at 18:27 Simo Sorce wrote:
> > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> >> Hello
> >>
> >> attached you can find the data from krb_child.log. As far as I can see
> >> it, the three seconds are due to the communication with the kerberos
> >> server. (1.2.3.4 is my server).
> >
> > Do you experience the same latency if you kinit manually ?
> >
> > Simo.
> >
>
> No, kinit completes almost instantly after entering the password.

Any chance you can take a network trace when authenticating via sssd and when authenticating via kinit ?
It would be nice to see what differs there and what operation exactly is taking longer.

Looking at the server krb5kdc.log may also shed some light.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From coy.hile at coyhile.com Wed Apr 8 13:42:41 2015
From: coy.hile at coyhile.com (Coy Hile)
Date: Wed, 08 Apr 2015 13:42:41 +0000
Subject: [Freeipa-users] ID Ranges in FreeIPA
Message-ID: <20150408134241.Horde.hGZKvfGoM9Rqw33jM_IcBA1@webmail01.coyhile.com>

Hi all,

When I installed FreeIPA, it created a default ID range (of which user admin is currently the only user existing). Through the UI, I've found that one can create additional ranges (and that the ipa tools will complain if a user has a uid assigned manually that falls outside the defined range.) That makes sense. Is there a way that one can instruct the tools which particular range it should use for a particular operation? Say one wants different classes of users to be allocated from different ranges (For example, faculty/staff vs students, FTE vs contractors, or 'eyeball' users vs role accounts like jdoe vs appteambuildbot)?

Thanks,
-c

--
Coy Hile
coy.hile at coyhile.com

From rcritten at redhat.com Wed Apr 8 13:49:30 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2015 09:49:30 -0400
Subject: [Freeipa-users] ID Ranges in FreeIPA
In-Reply-To: <20150408134241.Horde.hGZKvfGoM9Rqw33jM_IcBA1@webmail01.coyhile.com>
References: <20150408134241.Horde.hGZKvfGoM9Rqw33jM_IcBA1@webmail01.coyhile.com>
Message-ID: <552531EA.1060509@redhat.com>

Coy Hile wrote:
> Hi all,
>
> When I installed FreeIPA, it created a default ID range (of which user
> admin
> is currently the only user existing). Through the UI, I've found that
> one can
> create additional ranges (and that the ipa tools will complain if a user
> has a
> uid assigned manually that falls outside the defined range.) That makes
> sense.
> Is there a way that one can instruct the tools which particular range it
> should
> use for a particular operation?
> Say one wants different classes of
> users to be
> allocated from different ranges (For example, faculty/staff vs students,
> FTE vs
> contractors, or 'eyeball' users vs role accounts like jdoe vs
> appteambuildbot)?
>

No. And right now there is little correlation between the ranges assigned when users and groups are created and the ID range. An ID range is created for the user/group POSIX range, but any changes made to it have no effect on the actual values assigned (IIRC there is a ticket to make this immutable to avoid confusion).

Users and groups ids are generated using the Distributed Numeric Plugin (DNA) in 389-ds which has its own configuration in cn=config.

rob

From APtashnik at cccis.com Wed Apr 8 15:31:53 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Wed, 8 Apr 2015 15:31:53 +0000
Subject: [Freeipa-users] Private key management
Message-ID: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com>

Hello Team,

I know that FreeIPA server supports management of public keys for each user and it is a very convenient feature. Is there any possible way to manage private keys as well, including features like re-issuing the key pair if it gets compromised?

Regards,
Andrey

From jreg2k at gmail.com Wed Apr 8 15:43:40 2015
From: jreg2k at gmail.com (James James)
Date: Wed, 8 Apr 2015 17:43:40 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To: <5524BC55.10301@redhat.com>
References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com> <5523DC2F.2080104@redhat.com> <5524BC55.10301@redhat.com>
Message-ID:

It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want to run :

# ipa-cacert-manage renew --self-signed

I've got this message :

[root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA I've got this message :

[root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Should I have to promote the replica to a standalone master before installing the CA ?

Any hints will be appreciated...

James

2015-04-08 7:27 GMT+02:00 Jan Cholasta :

> On 7.4.2015 at 15:31 Martin Kosek wrote:
>
>> On 04/07/2015 02:08 PM, James James wrote:
>>
>>> I will try to give a better explanation :
>>>
>>>
>>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>>> installed with an external CA about 3 years ago and I will have to renew
>>> the certificate soon.
>>>
>>> I have created a test server (ipa-dev) with the same configuration
>>> (centos
>>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev
>>> server
>>> to be installed with an external CA.
>>>
>>> At the same time my external CA has changed and wants the emailAddress
>>> field in the certificate request's subject.
>>>
>>
>> CSR during installation with external CA is produced by Dogtag, so you are
>> constrained with the options and capabilities provided by
>> ipa-server-install.
>> Maybe it would be possible to modify the CSR and update the Subject
>> manually,
>> but I expect it would crash the installer later (JanC may know more
>> (CCed))
>>
>
> The subject name identifies the CA in server (and other) certificates. If
> you change it, you break the trust chain from the CA certificate to the
> server certificates and that will break all SSL in IPA.
>
>
>> If it is not possible to add emailAddress in the subject, is it possible
>>> to
>>> migrate my ipa-master CA system from an external CA to a CA-less or
>>> self-signed CA ?
>>> >> >> It is, with ipa-cacert-manage - see links below. >> > > You can change your external CA to self-signed CA in IPA 4.1 or newer by > running: > > # ipa-cacert-manage renew --self-signed > > You can't change external CA to CA-less. > > > >> Thanks. >>> >>> 2015-04-07 13:48 GMT+02:00 Martin Kosek : >>> >>> On 04/07/2015 01:44 PM, James James wrote: >>>> >>>>> ok. >>>>> >>>>> Is there a way to migrate from an external CA to a CA-less or a >>>>> >>>> self-signed >>>> >>>>> CA ? >>>>> >>>> >>>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0: >>>> >>>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal >>>> https://www.freeipa.org/page/V4/CA_certificate_renewal >>>> >>>> (Although I am still not sure about your use case and if this would help >>>> you) >>>> >>>> >>>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek : >>>>> >>>>> On 04/03/2015 11:39 AM, James James wrote: >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> I want to initialize a new replica with an external CA. My >>>>>>> Certificate >>>>>>> Authority wants a CSR with the field emailAddress in the subject >>>>>>> like : >>>>>>> >>>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com >>>>>>> >>>>>> >>>>>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or >>>>>> with own >>>>>> CA signed by external CA? >>>>>> >>>>>> FreeIPA supports these kinds of setups right now: >>>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure >>>>>> >>>>>> How can I do with the ipa-server-install command ? I have been >>>>>>> trying >>>>>>> >>>>>> for >>>>>> >>>>>>> few days but I still can't. >>>>>>> >>>>>>> Thanks for your help. >>>>>>> >>>>>> >>>>>> CCing Honza who should know the definitive answer. However, FreeIPA >>>>>> was >>>>>> >>>>> not >>>> >>>>> very flexible in configuring special subjects for it's CA certificate >>>>>> >>>>> (i.e. >>>> >>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup. 
>>>>>> >>>>>> >>>>> >>>> >>>> >>> >> > > -- > Jan Cholasta >

From mheslin at redhat.com Wed Apr 8 15:59:02 2015
From: mheslin at redhat.com (Mark Heslin)
Date: Wed, 08 Apr 2015 11:59:02 -0400
Subject: [Freeipa-users] FreeIPA server in Docker container improved
In-Reply-To: <20150408124238.GA5498@redhat.com>
References: <20150408124238.GA5498@redhat.com>
Message-ID: <55255046.6010508@redhat.com>

On 04/08/2015 08:42 AM, Jan Pazdziora wrote: > Hello world! > > The ability to run FreeIPA server in a container was recently > improved by adding support for storing the server configuration and > data in a volume, making it easier to backup the server, upgrade it to > newer versions, as well as adding the ability to start a container > as a replica of existing (containerized or non-containerized) IPA > server. > > Using IPA in a container can be an easy way to try IPA or test things > on different OSes (there are multiple per-OS branches in the GitHub > repo and multiple images built), as well as running IPA on a machine > where it would otherwise clash with other software. It is still > an unsupported release but working in multiple tests on our side, so > we encourage our community members to try it out. > > We will welcome your comments about your experience with the code at > > https://github.com/adelton/docker-freeipa > > or automated build images at > > https://registry.hub.docker.com/u/adelton/freeipa-server/ > > README was amended to describe the new usage options. >

Hi Jan,

Nice work. Has this been tested on Atomic host yet (just curious)?

-m

From awilisch at gmail.com Wed Apr 8 16:42:04 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Wed, 8 Apr 2015 12:42:04 -0400
Subject: [Freeipa-users] Freeipa 4 and AD
Message-ID:

I'm having issues with getting my RHEL 7 server running Freeipa 4 to join my Windows 2012R2 domain.

DNS checks out fine.
When I try to establish the join I get the below listed errors popping up. I've tried both creating the trust from Freeipa and just this morning I setup the trust on the AD side and tried to use the --trust-secret option. There are no firewalls between them, but they are on different subnets.

Any help would be great. This is holding up a project and I'm not able to figure out what's going on.

Thanks in advance.

finddcs: Skipping DC 10.32.145.134 with server_type=0x0000f17c - required 0x00000119
finddcs: No matching CLDAP server found
[Wed Apr 08 12:39:48.359684 2015] [:error] [pid 8402] ipa: INFO: [jsonserver_session] admin at PREPROD.FIOPTICS.INT : trust_add(u'fioptics.int', trust_type=u'ad', realm_server=u'ppad01', trust_secret=u'********', all=False, raw=False, version=u'2.114'): NotFound

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

From dpal at redhat.com Wed Apr 8 17:54:51 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 13:54:51 -0400
Subject: [Freeipa-users] Private key management
In-Reply-To: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com>
References: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com>
Message-ID: <55256B6B.5040606@redhat.com>

On 04/08/2015 11:31 AM, Andrey Ptashnik wrote: > Hello Team, > > I know that FreeIPA server supports management of public keys for each > user and it is a very convenient feature.

First of all IPA does not support user certs yet. It supports SSH public keys if this is what you are referring to.

> Are there any possible way to manage private keys as well including > features like re-issuing the key pair if it gets compromised?

I am not sure how you envision the management aspect.
If a private key gets compromised you need to generate the new private key and upload your public key to IPA (if we are talking about SSH) or use CA to sign a CSR if we are talking about certs that will be supported for users in 4.2. The only management for private keys that one can envision is being able to escrow them. IPA will provide a vault facility for that matter in 4.2. What other use cases do you have in mind?

> > Regards, > Andrey > > >

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From rcritten at redhat.com Wed Apr 8 17:59:29 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2015 13:59:29 -0400
Subject: [Freeipa-users] Private key management
In-Reply-To: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com>
References: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com>
Message-ID: <55256C81.5030508@redhat.com>

Andrey Ptashnik wrote: > Hello Team, > > I know that FreeIPA server supports management of public keys for each > user and it is a very convenient feature. > Are there any possible way to manage private keys as well including > features like re-issuing the key pair if it gets compromised?

I assume you mean SSH keys. IPA doesn't issue keys, so re-issuing is out and AFAIK no plans to do this.

There are plans for a Key Recovery vault which can store a private key, see https://fedorahosted.org/freeipa/ticket/3872 . This doesn't help in the case of compromise but it does mean that keys aren't lost.

rob

From abokovoy at redhat.com Wed Apr 8 17:59:55 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 8 Apr 2015 20:59:55 +0300
Subject: [Freeipa-users] Freeipa 4 and AD
In-Reply-To:
References:
Message-ID: <20150408175955.GI4899@redhat.com>

On Wed, 08 Apr 2015, Aric Wilisch wrote: >I'm having issues with getting my RHEL 7 server running Freeipa 4 to >join my Windows 2012R2 domain. > >DNS checks out fine.
When I try to establish the join I get the below >listed errors popping up. I've tried both creating the trust from >Freeipa and just this morning I setup the trust on the AD side and >tried to use the --trust-secret option. There are no firewalls between >them, but they are on different subnets. > >Any help would be great. This is holding up a project and I'm not able >to figure out what's going on. > >Thanks in advance. > >finddcs: Skipping DC 10.32.145.134 with server_type=0x0000f17c - required 0x00000119

You need to establish trust using a PDC of the forest root domain. Your DC is not a PDC (lacks bit 1 in the server type), thus it is not possible to establish cross-forest trust. This is Active Directory requirement.

-- / Alexander Bokovoy

From dpal at redhat.com Wed Apr 8 18:00:33 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 14:00:33 -0400
Subject: [Freeipa-users] Freeipa 4 and AD
In-Reply-To:
References:
Message-ID: <55256CC1.8060605@redhat.com>

On 04/08/2015 12:42 PM, Aric Wilisch wrote: > I'm having issues with getting my RHEL 7 server running Freeipa 4 to > join my Windows 2012R2 domain. > > DNS checks out fine. When I try to establish the join I get the below > listed errors popping up. I've tried both creating the trust from > Freeipa and just this morning I setup the trust on the AD side and > tried to use the --trust-secret option. There are no firewalls > between them, but they are on different subnets. > > Any help would be great. This is holding up a project and I'm not able > to figure out what's going on. > > Thanks in advance.
> > finddcs: Skipping DC 10.32.145.134 with server_type=0x0000f17c - > required 0x00000119 > finddcs: No matching CLDAP server found > [Wed Apr 08 12:39:48.359684 2015] [:error] [pid 8402] ipa: INFO: > [jsonserver_session] admin at PREPROD.FIOPTICS.INT > : trust_add(u'fioptics.int', > trust_type=u'ad', > realm_server=u'ppad01', trust_secret=u'********', all=False, > raw=False, version=u'2.114'): NotFound > > Regards, > ------------------------------------------ > Aric Wilisch > awilisch at gmail.com > > > > > >

It seems that IPA could not detect the valid AD DC. What is the version and the type of the DC with mentioned IP? Is it a primary DC? If not where is the primary one?

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From rcritten at redhat.com Wed Apr 8 18:07:50 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2015 14:07:50 -0400
Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server
In-Reply-To: <55250D39.2080702@intech-global.com>
References: <55250D39.2080702@intech-global.com>
Message-ID: <55256E76.8000803@redhat.com>

???????? ?????? wrote: > Hello, I have self-signed freeipa replica. The problem is that I lose my > freeipa primary server after hdd error. > Now I need to create new replication server but I can't without primary > server. I read this documentation and a lot of community correspondence > but don't find my issue: > > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

Ouch. This is really old.

> http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA

I assume you can't do this because the original host is lost, right?

> How can I resolve it or migrate my kerberos/ldap schema to the new > primary server? > I'm using ipa-server-3.0.0-42.el6.x86_64 from base oracle linux 6.5 > repository.
>

Promote is such a terrible word, I really wish I'd never used it. Every IPA master is an equal, some are just more equal than others. The key bit that distinguishes them is whether there is a CA installed. The other bit has to do with CRL generation and renewal which in your version can only be done on one host (neither of which apply to --selfsign anyway).

If you installed originally using --selfsign and that initial host is gone and you have no backups you're in for some trouble. It is a single point of failure and the reason we no longer support it. The docs contain a bit of warning about that.

You mention migrating. What new primary server?

So I'd start digging around to see if you have the original CA private key somewhere. The end of the IPA server install would have recommended backing up cacert.p12.

rob

From dpal at redhat.com Wed Apr 8 18:08:51 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 14:08:51 -0400
Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server
In-Reply-To: <55250D39.2080702@intech-global.com>
References: <55250D39.2080702@intech-global.com>
Message-ID: <55256EB3.7090402@redhat.com>

On 04/08/2015 07:12 AM, ???????? ?????? wrote: > Hello, I have self-signed freeipa replica. The problem is that I lose > my freeipa primary server after hdd error. > Now I need to create new replication server but I can't without > primary server. I read this documentation and a lot of community > correspondence but don't find my issue: > > http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html > > http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA > > How can I resolve it or migrate my kerberos/ldap schema to the new > primary server? > I'm using ipa-server-3.0.0-42.el6.x86_64 from base oracle linux 6.5 > repository. >

By self-signed you mean you had a self signed CA as a part of the first IPA server, right?
Did you install replica with the CA component or not? If you lost your first server that had CA and have replica that does not have CA you are not in a best situation. There are several options that you can explore. But before we dive into that please answer following questions.

1. Is the situation described correctly?
2. Do you take advantage of the cert capabilities of IPA?
3. Did you make any backups of the first server?

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From dpal at redhat.com Wed Apr 8 18:11:24 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 14:11:24 -0400
Subject: [Freeipa-users] krb5kdc: Server error
In-Reply-To:
References:
Message-ID: <55256F4C.8060303@redhat.com>

On 04/08/2015 06:54 AM, Ben .T.George wrote: > HI Traino, > > thanks for the info > > i have checked the hosts and confirmed that entry was > format > > And the DNS everything is working > > [root at kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp > _kerberos._tcp _kerberos._udp _kerberos-master._tcp > _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local > ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa > +noadditional +noauthority; done | egrep -v "^;" | egrep _ > > _ldap._tcp.SUN.LOCAL. 21965 IN SRV 0 100 389 > kwtprsolipa01.sun.local. > _kerberos._tcp.SUN.LOCAL. 1957 IN SRV 0 100 88 > kwtprsolipa01.sun.local. > _kerberos._udp.SUN.LOCAL. 86400 IN SRV 0 100 88 > kwtprsolipa01.sun.local. > _kerberos-master._tcp.SUN.LOCAL. 86400 IN SRV 0 100 88 > kwtprsolipa01.sun.local. > _kerberos-master._udp.SUN.LOCAL. 9112 IN SRV 0 100 88 > kwtprsolipa01.sun.local. > _ntp._udp.SUN.LOCAL. 86400 IN SRV 0 100 123 > kwtprsolipa01.sun.local.
> > [root at kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp > _kerberos._tcp _kerberos._udp _kerberos-master._tcp > _kerberos-master._udp _ntp._udp; do echo ""; dig @mha.local > ${i}.MHA.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa > +noadditional +noauthority; done | egrep -v "^;" | egrep _ > > _ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 > dxbprdc002.mha.local. > _ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 > kwtprdc001.mha.local. > _ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 > dxbprdc001.mha.local. > _ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 > rusmosprdc002.mha.local. > _ldap._tcp.MHA.LOCAL. 600 IN SRV 0 100 389 > kwtprdc002.mha.local. > _kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 > kwtprdc001.mha.local. > _kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 > dxbprdc002.mha.local. > _kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 > dxbprdc001.mha.local. > _kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88 > kwtprdc002.mha.local. > _kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 > kwtprdc002.mha.local. > _kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 > dxbprdc002.mha.local. > _kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 > kwtprdc001.mha.local. > _kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88 > dxbprdc001.mha.local. > > [root at kwtprsolipa01 slapd-SUN-LOCAL]# host 172.16.99.99 > 99.99.16.172.in-addr.arpa domain name pointer kwtprsolipa01.sun.local. 
> [root at kwtprsolipa01 slapd-SUN-LOCAL]# host kwtprsolipa01.sun.local > kwtprsolipa01.sun.local has address 172.16.99.99 > > [root at kwtprsolipa01 slapd-SUN-LOCAL]# host mha.local > mha.local has address 172.16.98.171 > mha.local has address 172.16.100.180 > mha.local has address 10.10.10.11 > mha.local has address 10.10.10.10 > > > [root at kwtprsolipa01 slapd-SUN-LOCAL]# dig kwtprsolipa01.sun.local > > ; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> kwtprsolipa01.sun.local > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 4000 > ;; QUESTION SECTION: > ;kwtprsolipa01.sun.local. IN A > > ;; ANSWER SECTION: > kwtprsolipa01.sun.local. 38 IN A 172.16.99.99 > > ;; Query time: 0 msec > ;; SERVER: 172.16.100.180#53(172.16.100.180) > ;; WHEN: Wed Apr 08 13:54:02 AST 2015 > ;; MSG SIZE rcvd: 68 > > > > On Wed, Apr 8, 2015 at 1:27 PM, Traiano Welcome > wrote: > > Hi Ben > > > > On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George > > wrote: > > HI > > > > i am getting krb5kdc: Server error on logs: > > > > krb5kdc: Server error - while fetching master key K/M for realm > SUN.LOCAL > > > > and the ipactl status is taking long time. Web interface is not > able to > > authenticate. > > > > If i issue ipactl restart, nothing is happening > > > > to solve this issue currently i am restarting full server.. > > > > > > How can i fix this? > > > > Check the tail-end of this thread: > > https://www.redhat.com/archives/freeipa-users/2015-April/msg00011.html > > You may want to begin by checking /etc/hosts for the right format ( address> ). > DNS is probably the very next thing you want to check... thoroughly.
> > > > > > > > Regards, > > Ben > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > >

Anything in the DS logs? The DS might not be starting because there is not enough space or some file corruption.

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From APtashnik at cccis.com Wed Apr 8 18:38:09 2015
From: APtashnik at cccis.com (Andrey Ptashnik)
Date: Wed, 8 Apr 2015 18:38:09 +0000
Subject: [Freeipa-users] Private key management
In-Reply-To: <55256C81.5030508@redhat.com>
References: <806543BB-F29A-4D08-B984-8BCAB87734DE@cccis.com> <55256C81.5030508@redhat.com>
Message-ID:

It looks like Vault is the functionality I was looking for. Thank you Rob and Dmitri for your responses.

Regards,
Andrey

On 4/8/15, 5:59 PM, "Rob Crittenden" wrote: >Andrey Ptashnik wrote: >> Hello Team, >> >> I know that FreeIPA server supports management of public keys for each >> user and it is a very convenient feature. >> Are there any possible way to manage private keys as well including >> features like re-issuing the key pair if it gets compromised? > >I assume you mean SSH keys. IPA doesn't issue keys, so re-issuing is out >and AFAIK no plans to do this. > >There are plans for a Key Recovery vault which can store a private key, >see https://fedorahosted.org/freeipa/ticket/3872 . This doesn't help in >the case of compromise but it does mean that keys aren't lost.
> >rob >

From john.1209 at yahoo.com Wed Apr 8 18:59:19 2015
From: john.1209 at yahoo.com (John Williams)
Date: Wed, 8 Apr 2015 18:59:19 +0000 (UTC)
Subject: [Freeipa-users] Expired Certs on 3.0.0 IPA host
Message-ID: <1264884165.2657644.1428519559614.JavaMail.yahoo@mail.yahoo.com>

I'm looking at the following link for recovering expired certificates on FreeIPA 3.0.0:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do not find one. I see the other three:

auditSigningCert cert-pki-ca => updated
ocspSigningCert cert-pki-ca => updated
Server-Cert cert-pki-ca => no cert here
subsystemCert cert-pki-ca => updated

Has anyone ever run across this? Any suggestions or hints would be appreciated. If I roll the clock back on my system I can login to IPA, but if the time is updated, I cannot login.

Please help.

From rcritten at redhat.com Wed Apr 8 19:48:25 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2015 15:48:25 -0400
Subject: [Freeipa-users] Expired Certs on 3.0.0 IPA host
In-Reply-To: <1264884165.2657644.1428519559614.JavaMail.yahoo@mail.yahoo.com>
References: <1264884165.2657644.1428519559614.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55258609.1000303@redhat.com>

John Williams wrote: > I'm looking at the following link for recovering expired certificates on > FreeIPA 3.0.0: > > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > > Problem is when I look inside my /etc/pki-ca/CS.cfg file for a > subsystemCert I do not find one. I see the other three: > > auditSigningCert cert-pki-ca => updated > ocspSigningCert cert-pki-ca => updated > Server-Cert cert-pki-ca => no cert here > subsystemCert cert-pki-ca => updated > > Has anyone ever run across this? Any suggestions or hints would be > appreciated.
If I roll the clock back on my system I can login to IPA, > but if the time is updated, I cannot login. > > Please help.

Why do you need this value? For the record it is ca.sslserver.cert.

rob

From guertin at middlebury.edu Wed Apr 8 20:04:33 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Wed, 8 Apr 2015 20:04:33 +0000
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
Message-ID: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu>

I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA servers (one master and two duplicates). I'm trying to ensure that if one server goes down, the remaining server(s) will still allow logins. With the RHEL 6 clients this is easy -- the line

ipa_server = _srv_, server1.ipa.middlebury.edu

in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is fine.

But with the RHEL 5 clients, this doesn't work. If server 1 goes down, logins fail. Since RHEL 5 is using LDAP, I figured it was probably in the ldap_uri line in the sssd.conf file. I discovered that I could add multiple servers, which I did:

ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu

But this still failed. However, if I do something similar in /etc/ldap.conf:

uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu

then logins work. In fact, I don't even need the change in sssd.conf. I can put that back the way it was, and logins still work. It's only the line in /etc/ldap.conf that seems to be necessary.

So, I have two questions:

1. Am I understanding this correctly?

2. If so, is there a way to automate this so that when I run ipa-client-install on my RHEL 5 clients, they get the correct LDAP settings from the beginning, and I don't have to go and manually edit the ldap.conf file?

David Guertin
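Dmitri's reply below says that if the ldap.conf line is what makes logins work, the client is not using SSSD at all, and that nsswitch.conf and the PAM stack show which modules are really in use. The following script is an added example (not part of the thread and not FreeIPA's own code) that performs that check: it parses nsswitch.conf, a pam.d stack, sssd.conf and ldap.conf and reports whose server list a login will actually fail over across; the sample files are constructed around the hostnames in the post.

```python
import os
import re
from configparser import ConfigParser

# Constructed sample files modelled on the RHEL 5 client in the post (not copied
# from a real host): nss_ldap/pam_ldap are wired into NSS and PAM, so the 'uri'
# list in /etc/ldap.conf governs failover and sssd.conf's ldap_uri is never read.
NSSWITCH_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""

SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
"""

SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.middlebury.edu

[domain/ipa.middlebury.edu]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://server1.ipa.middlebury.edu, ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu
"""

LDAP_CONF = """\
base dc=ipa,dc=middlebury,dc=edu
uri ldap://server1.ipa.middlebury.edu ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu
ssl start_tls
"""

def nss_sources(nsswitch_text):
    """Map each NSS database to its ordered source names, dropping [ACTION] specs."""
    dbs = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        dbs[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs

def pam_modules(pam_text):
    """Set of PAM module names (pam_unix, pam_ldap, pam_sss, ...) used in a pam.d file."""
    mods = set()
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0]
        for path in re.findall(r"(\S+)\.so\b", line):
            mods.add(os.path.basename(path))
    return mods

def sssd_servers(sssd_text):
    """Servers SSSD would fail over across: ipa_server or ldap_uri of the first domain."""
    cp = ConfigParser()
    cp.read_string(sssd_text)
    domain = cp.get("sssd", "domains").split(",")[0].strip()
    section = "domain/" + domain
    for key in ("ipa_server", "ldap_uri"):
        if cp.has_option(section, key):
            return [s.strip() for s in cp.get(section, key).split(",") if s.strip()]
    return []

def ldap_conf_servers(ldap_text):
    """Servers nss_ldap/pam_ldap fail over across: the space-separated 'uri' line."""
    for raw in ldap_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0].lower() == "uri":
            return parts[1:]
    return []

def diagnose(nsswitch_text, pam_text, sssd_text, ldap_text):
    """Report which backend answers logins and which file's server list governs failover."""
    dbs = nss_sources(nsswitch_text)
    sources = set(dbs.get("passwd", [])) | set(dbs.get("shadow", []))
    mods = pam_modules(pam_text)
    uses_sss = "sss" in sources or "pam_sss" in mods
    uses_ldap = "ldap" in sources or "pam_ldap" in mods
    lists = {"/etc/sssd/sssd.conf": sssd_servers(sssd_text),
             "/etc/ldap.conf": ldap_conf_servers(ldap_text)}
    # only files whose module is actually wired into NSS/PAM are consulted at login
    governing = [f for f, used in (("/etc/sssd/sssd.conf", uses_sss),
                                   ("/etc/ldap.conf", uses_ldap)) if used]
    failover = [uri for f in governing for uri in lists[f]]
    return {"uses_sss": uses_sss, "uses_nss_ldap": uses_ldap,
            "governing_files": governing, "failover_list": failover, "lists": lists}

if __name__ == "__main__":
    r = diagnose(NSSWITCH_CONF, SYSTEM_AUTH, SSSD_CONF, LDAP_CONF)
    print("login failover governed by:", r["governing_files"])
    print("servers tried in order:", r["failover_list"])
```

Run against the constructed files it reports /etc/ldap.conf as the only governing file, which is exactly the behaviour David observed; swapping the ldap entries for sss/pam_sss in the two samples moves the decision to sssd.conf.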
From rcritten at redhat.com Wed Apr 8 20:09:26 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 08 Apr 2015 16:09:26 -0400
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
In-Reply-To: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu>
References: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu>
Message-ID: <55258AF6.2010206@redhat.com>

Guertin, David S. wrote: > I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL > 7 IPA servers (one master and two duplicates). I'm trying to ensure that > if one server goes down, the remaining server(s) will still allow logins. > With the RHEL 6 clients this is easy -- the line > > > > ipa_server = _srv_, server1.ipa.middlebury.edu > > > > in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything is > fine. > > > > But with the RHEL 5 clients, this doesn't work. If server 1 goes down, > logins fail. Since RHEL 5 is using LDAP, I figured it was probably in > the ldap_uri line in the sssd.conf file. I discovered that I could add > multiple servers, which I did: > > > > ldap_uri = ldap://server1.ipa.middlebury.edu, > ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu > > > > But this still failed. However, if I do something similar in /etc/ldap.conf: > > > > uri ldap://server1.ipa.middlebury.edu > ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu > > > > then logins work. In fact, I don't even need the change in sssd.conf. I > can put that back the way it was, and logins still work. It's only the > line in /etc/ldap.conf that seems to be necessary. > > > > So, I have two questions: > > > > 1. Am I understanding this correctly? > > > > 2. If so, is there a way to automate this so that when I run > ipa-client-install on my RHEL 5 clients, they get the correct LDAP > settings from the beginning, and I don't have to go and manually edit > the ldap.conf file?
I think the SSSD guys are going to want to see your full sssd.conf. An ipaclient-install.log for one of these clients might be handy too so we can discern how you are configuring the client.

rob

From dpal at redhat.com Wed Apr 8 20:12:30 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 16:12:30 -0400
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
In-Reply-To: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu>
References: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu>
Message-ID: <55258BAE.4050404@redhat.com>

On 04/08/2015 04:04 PM, Guertin, David S. wrote: > > I have a mixed environment of RHEL 5 and RHEL 6 clients, and three > RHEL 7 IPA servers (one master and two duplicates). I'm trying to > ensure that if one server goes down, the remaining server(s) will still > allow logins. With the RHEL 6 clients this is easy -- the line > > ipa_server = _srv_, server1.ipa.middlebury.edu > > in /etc/sssd/sssd.conf does this with the _srv_ entry, and everything > is fine. > > But with the RHEL 5 clients, this doesn't work. If server 1 goes down, > logins fail. Since RHEL 5 is using LDAP, I figured it was probably in > the ldap_uri line in the sssd.conf file. I discovered that I could add > multiple servers, which I did: > > ldap_uri = ldap://server1.ipa.middlebury.edu, > ldap://server2.ipa.middlebury.edu, ldap://server3.ipa.middlebury.edu > > But this still failed. However, if I do something similar in > /etc/ldap.conf: > > uri ldap://server1.ipa.middlebury.edu > ldap://server2.ipa.middlebury.edu ldap://server3.ipa.middlebury.edu > > then logins work. In fact, I don't even need the change in sssd.conf. > I can put that back the way it was, and logins still work. It's only > the line in /etc/ldap.conf that seems to be necessary. >

If that works it means that you are not using SSSD on RHEL5 clients. Please check your nsswitch and pam.conf to see what modules are actually used.
Which RHEL5 versions do you use? If memory does not fail me if you have SSSD 1.5 (I think it was starting 5.8) you should be able to use ipa-client-install to configure sssd and pass the list of the servers in the --server option.

> So, I have two questions: > > 1. Am I understanding this correctly? > > 2. If so, is there a way to automate this so that when I run > ipa-client-install on my RHEL 5 clients, they get the correct LDAP > settings from the beginning, and I don't have to go and manually edit > the ldap.conf file? > > David Guertin > > >

-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From CWhite at skytouchtechnology.com Wed Apr 8 23:52:50 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Wed, 8 Apr 2015 23:52:50 +0000
Subject: [Freeipa-users] granular sudo commands
Message-ID:

rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64

[test2.user at app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local.

[test2.user at app001 ~]$ sudo -l
[sudo] password for test2.user:
Matching Defaults entries for test2.user on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User test2.user may run the following commands on this host: (ALL) sudo su - tomcat, sudo su - weblogic

How should the actual command be entered? I have tried...
Su - weblogic (ignore autocapitalization)
/bin/su - weblogic
Sudo su - weblogic
Sudo /bin/su - weblogic

But none seem to actually work

Craig White

From chamambom at afri-com.net Thu Apr 9 00:45:04 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Thu, 9 Apr 2015 00:45:04 +0000
Subject: [Freeipa-users] granular sudo commands
In-Reply-To:
References:
Message-ID:

For all my sudo commands i do sudo command_name_here

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Craig White [CWhite at skytouchtechnology.com]
Sent: Thursday, April 09, 2015 1:52 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] granular sudo commands

rpm -q sssd sssd-1.11.6-30.el6_6.4.x86_64 rpm -q ipa-client ipa-client-3.0.0-42.el6.x86_64 [test2.user at app001 ~]$ sudo su - weblogic [sudo] password for test2.user: Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local. [test2.user at app001 ~]$ sudo -l [sudo] password for test2.user: Matching Defaults entries for test2.user on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty User test2.user may run the following commands on this host: (ALL) sudo su - tomcat, sudo su - weblogic How should the actual command be entered? I have tried... Su - weblogic (ignore autocapitalization) /bin/su - weblogic Sudo su - weblogic Sudo /bin/su -
weblogic But none seem to actually work Craig White

From chamambom at afri-com.net Thu Apr 9 00:52:40 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Thu, 9 Apr 2015 00:52:40 +0000
Subject: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
In-Reply-To: <20150408120121.GF27581@hendrix.arn.redhat.com>
References: <003a01d071cd$335d6ee0$9a184ca0$@afri-com.net> <20150408074024.GV11481@hendrix.arn.redhat.com> <003d01d071d2$212ccf40$63866dc0$@afri-com.net> <20150408080640.GW11481@hendrix.arn.redhat.com> <004001d071d4$86317ce0$929476a0$@afri-com.net> <20150408083518.GY11481@hendrix.arn.redhat.com> <004a01d071d8$cf05e8d0$6d11ba70$@afri-com.net> <000001d071f0$b6e9a6c0$24bcf440$@afri-com.net>, <20150408120121.GF27581@hendrix.arn.redhat.com>
Message-ID:

Good day

I managed to configure sudo and it's working for all my centos 6.6 and RHEL 6.6 clients. somehow i managed to change the sudo rules, sudo commands and sudo groups to be less restrictive, that's when i managed to access root owned files using sudo

thanx for your help

My advice when configuring sudo, when configuring your sudo rules, start with a less restrictive access control e.g where they say Access this host ---- say any where they say Run Commands ---say any command and when it's working, that's when you can then fine tune your access policies

________________________________________
From: Jakub Hrozek [jhrozek at redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration

On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote: > Sudo seems to be configured correctly but somehow it's not working > > Even if I do a sudo -l under the admin user > > [admin at ironhide tmp]$ sudo -l > [sudo] password for admin: > Matching Defaults entries for admin on this host: > requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS > DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User admin may run the following commands on this host:
>     (admin, chamambom, kamoyob, kumalop, machangeteb, masaitit, masvivic,
> matangiraa, nyahumap, pedzisail, tayengwaj : ALL) /usr/bin/vim,
                                                    ~~~~~~~~~~~
> /usr/bin/less
  ~~~~~~~~~~~~~

According to this output, admin can run both vim and less... ??

From chamambom at afri-com.net Thu Apr 9 01:04:54 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Thu, 9 Apr 2015 01:04:54 +0000
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
Message-ID:

I managed to install my ipa client on centos 5 using this command below

ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw

and it worked perfectly, I can getent passwd xxxx for users in the freeIPA server which is good.
I am now trying to configure SUDO on centos and there seem to be mixed views on how I can get it working, but I have actually embraced the following:

Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in the name

and here are my configs

cat /etc/nsswitch

sudoers: files sss

cat /etc/sssd/sssd.conf

[root at pinnochio ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam

domains = ai.co.zw
[nss]

[sudo]

[pam]

[domain/ai.co.zw]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt

I wanted to add the sudo and ssh services on the line services = nss, pam and kept getting this error:

(Thu Apr 9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr 9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr 9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr 9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr 9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
(Thu Apr 9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh

I guess there is a different way of configuring SUDO on RHEL 5 or centos 5

From dpal at redhat.com Thu Apr 9 01:46:42 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Apr 2015 21:46:42 -0400
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To:
References:
Message-ID: <5525DA02.7060101@redhat.com>

On 04/08/2015 09:04 PM, Martin Chamambo wrote:
> I managed to install my ipa client on centos 5 using this command below
>
> ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>
>
> and it worked perfectly, I can getent passwd xxxx for users in the freeIPA server which is good.
>
> I am now trying to configure SUDO on centos and there seem to be mixed views on how I can get it working, but I have actually embraced the following:
>
> Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in the name
>
> and here are my configs
>
> cat /etc/nsswitch
>
> sudoers: files sss
>
>
> cat /etc/sssd/sssd.conf
>
> [root at pinnochio ~]# cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
>
>
> domains = ai.co.zw
> [nss]
>
> [sudo]
>
> [pam]
>
>
> [domain/ai.co.zw]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
>
> I wanted to add the sudo and ssh services on the line services = nss, pam and kept getting this error:
>
> (Thu Apr 9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh
>
>
> I guess there is a different way of configuring SUDO on RHEL 5 or centos 5
>
>

The sudo and ssh support was added later than the version of SSSD that runs on CentOS 5. Also the version of sudo on 5 does not have integration with SSSD yet.

The recommended approach is to configure sudo using its own LDAP capabilities as documented in the sudo manuals and man pages for that version.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
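As an added example of the approach Dmitri describes (it is not from this thread or from the FreeIPA project), here is a minimal sudo LDAP client configuration for a sudo 1.7-era client such as CentOS 5, pointed at the IPA server named earlier in the thread. The option names are the ones documented in sudoers.ldap(5); the bind account uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw, its placeholder password and the suffix dc=ai,dc=co,dc=zw are assumptions that have to match what you create on the IPA server. Which file sudo reads is a build-time choice (normally /etc/ldap.conf on that platform; `sudo -V` run as root prints the path it was built with), so confirm it before copying this in.

```conf
# /etc/ldap.conf -- sudo LDAP client settings for a sudo 1.7.x client (CentOS 5)
# Added example, not FreeIPA or sudo project code. Assumes the IPA domain
# ai.co.zw served by cyclops.ai.co.zw, the suffix dc=ai,dc=co,dc=zw and a
# dedicated bind account created in IPA beforehand (all assumptions).

# The SRV-record discovery (_srv_) that SSSD offers is not available here,
# so list the server(s) explicitly; repeat "uri" for failover.
uri ldap://cyclops.ai.co.zw

# Require STARTTLS and verify the server against the IPA CA certificate that
# ipa-client-install already installed at /etc/ipa/ca.crt. Without
# tls_checkpeer a spoofed directory could hand the client bogus rules.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes

# Bind as a least-privilege system account dedicated to sudo lookups, never
# as a person and never with a privileged DN. Because bindpw is a secret,
# this file must be readable by root only (chmod 0600), or the password
# goes in the separate secret file that "sudo -V" reports.
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
bindpw REPLACE-WITH-ACCOUNT-PASSWORD

# Subtree where FreeIPA's compat plugin publishes rules in sudoers LDAP schema.
sudoers_base ou=sudoers,dc=ai,dc=co,dc=zw

# Fail closed quickly if the directory is unreachable instead of hanging
# every sudo invocation; sudo then falls back to /etc/sudoers only.
bind_timelimit 5
timelimit 10

# Turn on during rollout only: it prints every rule evaluated to the user.
#sudoers_debug 1
```

Pair it with `sudoers: files ldap` in /etc/nsswitch.conf (the `sss` source from the thread's nsswitch does nothing with a sudo that has no SSSD support), and set the client's NIS domain name to the IPA domain: FreeIPA expresses the host side of a sudo rule as a netgroup in the compat tree, so a client whose NIS domain name is unset or wrong will silently fail to match host-scoped rules. Test from a user account with `sudo -l`, which lists the rules the server returned for that host.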
From Alexander.Frolushkin at megafon.ru Thu Apr 9 03:59:13 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Thu, 9 Apr 2015 03:59:13 +0000
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <55252092.6010506@redhat.com>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru> <55252092.6010506@redhat.com>
Message-ID: <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru>

-----Original Message-----
From: thierry bordaz [mailto:tbordaz at redhat.com]
Sent: Wednesday, April 08, 2015 6:36 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
>>>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>>>
>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> This message is logged if the received message was too large. But here max size was 200Mb.
>>> I can not imagine such a large message.
>>> Being logged at the same second, it could be a transient error. Have you seen other messages like these ?
>> Yes, it's still here.
>>
>> [08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
> Those logs mean the connection (e.g. conn=1125) got closed.
> Would you grep conn=1125 in access log ?

[08/Apr/2015:14:55:00 +0300] conn=1125 fd=130 slot=130 connection from 10.99.111.42 to 10.163.129.91
[08/Apr/2015:14:55:00 +0300] conn=1125 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry dsservicename namingContexts defaultnamingcontext schemanamingcontext configuratio
nnamingcontext rootdomainnamingcontext supportedControl supportedLDAPVersion supportedldappolicies supportedSASLMechanisms dnshostname ldapservicename servername supportedcapabilities"
[08/Apr/2015:14:55:00 +0300] conn=1125 op=0 RESULT err=0 tag=101 nentries=1 etime=0

>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>
>>
>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>> Here it is likely triggered by the RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
>>> ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv
>> Do you mean we need to upgrade all 3.3.3 IPA servers to 4.1 first? Or can this be cleaned right now on the remaining servers?
>>
>> BTW:
>> # ipa-replica-manage list-ruv
>> Directory Manager password:
>>
>> sib-rhidm03.unix.ad.com:389: 5
>> dv-rhidm01.unix.ad.com:389: 17
>> sib-rhidm02.unix.ad.com:389: 3
>> sib-rhidm01.unix.ad.com:389: 4
>> url-rhidm01.unix.ad.com:389: 6
>> url-rhidm02.unix.ad.com:389: 7
>> ....
>> nw-rhidm01.unix.ad.com:389: 19
>>
> This message is harmless. It means that some values of nsds50ruv in the RUV have identical referral.
> This should not occur, but replication is smart enough to just log this warning and continue working.
> I would not recommend cleanup right now. Just clarification of the status.
> Would you send all the ruv values returned by 'list-ruv' (here there is no duplicate).
Here the full command output from the IPA 4.1 server:

# ipa-replica-manage list-ruv
Directory Manager password:

nw-rhidm01.unix.ad.com:389: 19
dv-rhidm02.unix.ad.com:389: 18
vlg-rhidm03.unix.ad.com:389: 12
sib-rhidm01.unix.ad.com:389: 4
dv-rhidm01.unix.ad.com:389: 17
url-rhidm01.unix.ad.com:389: 6
url-rhidm02.unix.ad.com:389: 7
cnt-rhidm01.unix.ad.com:389: 14
sib-rhidm03.unix.ad.com:389: 5
vlg-rhidm02.unix.ad.com:389: 13
msk-rhidm-03.unix.ad.com:389: 10
msk-rhidm-01.unix.ad.com:389: 9
vlg-rhidm01.unix.ad.com:389: 8
cnt-rhidm02.unix.ad.com:389: 15
sib-rhidm02.unix.ad.com:389: 3
msk-rhidm-02.unix.ad.com:389: 11

I'm planning to upgrade all the remaining IPA 3.3.3 to IPA 4.1.
Am I understanding correctly that the above messages do not mean something is terribly wrong in IPA for now?
From jcholast at redhat.com Thu Apr 9 05:17:40 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 09 Apr 2015 07:17:40 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To:
References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com> <5523DC2F.2080104@redhat.com> <5524BC55.10301@redhat.com>
Message-ID: <55260B74.8010604@redhat.com>

On 8.4.2015 at 17:43, James James wrote:
> It's a little bit more clear. Thanks.
>
> I have created a new ipa 4.1 replica but when I want to run:
>
> # ipa-cacert-manage renew --self-signed
>
> I've got this message:
>
> [root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
> CA is not configured on this system

You can run ipa-cacert-manage only on IPA servers with CA installed.

>
> If I want to install the CA I've got this message:
>
> [root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
> CA is already installed.

This command is used to install CA in a CA-less IPA environment. The error message is a bit misleading and we have a ticket for that: .

>
> Should I have to promote the replica to a standalone master before
> installing the CA ?

You need to run ipa-ca-install with the replica info file used to create the replica to install the CA:

# ipa-ca-install

>
> Any hints will be appreciated...
>
>
> James
>
>
> 2015-04-08 7:27 GMT+02:00 Jan Cholasta >:
>
>> On 7.4.2015 at 15:31, Martin Kosek wrote:
>>
>>> On 04/07/2015 02:08 PM, James James wrote:
>>>
>>>> I will try to give a better explanation :
>>>>
>>>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>>>> installed with an external CA about 3 years ago and I will have to renew
>>>> the certificate soon.
>>>>
>>>> I have created a test server (ipa-dev) with the same configuration (centos
>>>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
>>>> to be installed with an external CA.
>>>>
>>>> At the same time my external CA has changed and wants the emailAddress
>>>> field in the certificate request's subject.
>>>
>>> CSR during installation with external CA is produced by Dogtag, so you are
>>> constrained with the options and capabilities provided by ipa-server-install.
>>> Maybe it would be possible to modify the CSR and update the Subject manually,
>>> but I expect it would crash the installer later (JanC may know more (CCed))
>>
>> The subject name identifies the CA in server (and other) certificates. If
>> you change it, you break the trust chain from the CA certificate to the
>> server certificates and that will break all SSL in IPA.
>>
>>>> If it is not possible to add emailAddress in the subject, is it possible to
>>>> migrate my ipa-master CA system from an external CA to a CA-less or
>>>> self-signed CA ?
>>>
>>> It is, with ipa-cacert-manage - see links below.
>>
>> You can change your external CA to self-signed CA in IPA 4.1 or newer by
>> running:
>>
>> # ipa-cacert-manage renew --self-signed
>>
>> You can't change external CA to CA-less.
>>
>>>> Thanks.
>>>>
>>>> 2015-04-07 13:48 GMT+02:00 Martin Kosek >:
>>>>
>>>>> On 04/07/2015 01:44 PM, James James wrote:
>>>>>> ok.
>>>>>> Is there a way to migrate from an external CA to a CA-less or a
>>>>>> self-signed CA ?
>>>>>
>>>>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>>>>
>>>>> https://www.freeipa.org/page/__Howto/CA_Certificate_Renewal
>>>>> https://www.freeipa.org/page/__V4/CA_certificate_renewal
>>>>>
>>>>> (Although I am still not sure about your use case and if this would help
>>>>> you)
>>>>>
>>>>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek >:
>>>>>>
>>>>>>> On 04/03/2015 11:39 AM, James James wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I want to initialize a new replica with an external CA.
>>>>>>>> My Certificate
>>>>>>>> Authority wants a CSR with the field emailAddress in the subject like :
>>>>>>>>
>>>>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.e__xample.com/emailAddress=none at __none.com
>>>>>>>
>>>>>>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>>>>> with own CA signed by external CA?
>>>>>>>
>>>>>>> FreeIPA supports these kinds of setups right now:
>>>>>>> http://www.freeipa.org/page/__PKI#Blending_in_PKI___infrastructure
>>>>>>>
>>>>>>>> How can I do with the ipa-server-install command ? I have been trying
>>>>>>>> for few days but I still can't.
>>>>>>>>
>>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>> CCing Honza who should know the definitive answer. However, FreeIPA was
>>>>>>> not very flexible in configuring special subjects for its CA certificate
>>>>>>> (i.e. cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>
>
> --
> Jan Cholasta

--
Jan Cholasta

From mkosek at redhat.com Thu Apr 9 05:51:03 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 09 Apr 2015 07:51:03 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru> <55252092.6010506@redhat.com> <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru>
Message-ID: <55261347.2050509@redhat.com>

On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 08, 2015 6:36 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
>>>>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>>>>
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is
209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>> This message is logged if the received message was too large. But here max size was 200Mb.
>>>> I can not imagine such a large message.
>>>> Being logged at the same second, it could be a transient error. Have you seen other messages like these ?
>>> Yes, it's still here.
>>>
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>
>> Those logs mean the connection (e.g. conn=1125) got closed.
>> Would you grep conn=1125 in access log ?
>
> [08/Apr/2015:14:55:00 +0300] conn=1125 fd=130 slot=130 connection from 10.99.111.42 to 10.163.129.91
> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry dsservicename namingContexts defaultnamingcontext schemanamingcontext configuratio
> nnamingcontext rootdomainnamingcontext supportedControl supportedLDAPVersion supportedldappolicies supportedSASLMechanisms dnshostname ldapservicename servername supportedcapabilities"
> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>
>>>
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>>> Here it is likely triggered by the RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
>>>> ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv
>>> Do you mean we need to upgrade all 3.3.3 IPA servers to 4.1 first?
Or can this be cleaned right now on the remaining servers?
>>>
>>> BTW:
>>> # ipa-replica-manage list-ruv
>>> Directory Manager password:
>>>
>>> sib-rhidm03.unix.ad.com:389: 5
>>> dv-rhidm01.unix.ad.com:389: 17
>>> sib-rhidm02.unix.ad.com:389: 3
>>> sib-rhidm01.unix.ad.com:389: 4
>>> url-rhidm01.unix.ad.com:389: 6
>>> url-rhidm02.unix.ad.com:389: 7
>>> ....
>>> nw-rhidm01.unix.ad.com:389: 19
>>>
>
>> This message is harmless. It means that some values of nsds50ruv in the RUV have identical referral.
>> This should not occur, but replication is smart enough to just log this warning and continue working.
>
>> I would not recommend cleanup right now. Just clarification of the status.
>> Would you send all the ruv values returned by 'list-ruv' (here there is no duplicate).
>
> Here the full command output from the IPA 4.1 server:
>
> # ipa-replica-manage list-ruv
> Directory Manager password:
>
> nw-rhidm01.unix.ad.com:389: 19
> dv-rhidm02.unix.ad.com:389: 18
> vlg-rhidm03.unix.ad.com:389: 12
> sib-rhidm01.unix.ad.com:389: 4
> dv-rhidm01.unix.ad.com:389: 17
> url-rhidm01.unix.ad.com:389: 6
> url-rhidm02.unix.ad.com:389: 7
> cnt-rhidm01.unix.ad.com:389: 14
> sib-rhidm03.unix.ad.com:389: 5
> vlg-rhidm02.unix.ad.com:389: 13
> msk-rhidm-03.unix.ad.com:389: 10
> msk-rhidm-01.unix.ad.com:389: 9
> vlg-rhidm01.unix.ad.com:389: 8
> cnt-rhidm02.unix.ad.com:389: 15
> sib-rhidm02.unix.ad.com:389: 3
> msk-rhidm-02.unix.ad.com:389: 11
>
> I'm planning to upgrade all the remaining IPA 3.3.3 to IPA 4.1.

Ok, that should help.

> Am I understanding correctly that the above messages do not mean something is terribly wrong in IPA for now?

If you are asking about the attrlist_replace warnings, they should be benign, caused by the uncleaned RUVs as Thierry indicated. Although the list above looks OK, without duplicate RUVs.

Thierry, does this need to be checked on every IPA server, or are RUVs also replicated?
Martin

From Alexander.Frolushkin at megafon.ru Thu Apr 9 05:59:15 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Thu, 9 Apr 2015 05:59:15 +0000
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <55261347.2050509@redhat.com>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru> <55252092.6010506@redhat.com> <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru> <55261347.2050509@redhat.com>
Message-ID:

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Thursday, April 09, 2015 11:51 AM
To: Alexander Frolushkin (SIB); 'thierry bordaz'
Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 08, 2015 6:36 PM
> To: Alexander Frolushkin (SIB)
> Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
>>>>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>>>>
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>>> This message is logged if the received message was too large. But here max size was 200Mb.
>>>> I can not imagine such a large message.
>>>> Being logged at the same second, it could be a transient error. Have you seen other messages like these ?
>>> Yes, it's still here.
>>>
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
>
>> Those logs mean the connection (e.g. conn=1125) got closed.
>> Would you grep conn=1125 in access log ?
>
> [08/Apr/2015:14:55:00 +0300] conn=1125 fd=130 slot=130 connection from
> 10.99.111.42 to 10.163.129.91
> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="subschemaSubentry dsservicename namingContexts defaultnamingcontext schemanamingcontext configuratio nnamingcontext rootdomainnamingcontext supportedControl supportedLDAPVersion supportedldappolicies supportedSASLMechanisms dnshostname ldapservicename servername supportedcapabilities"
> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 RESULT err=0 tag=101
> nentries=1 etime=0
>
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>
>>>
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed.
>>>> Here it is likely triggered by the RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade.
>>>> ipa-replica-manage list-ruv and ipa-replica-manage clean-ruv
>>> Do you mean we need to upgrade all 3.3.3 IPA servers to 4.1 first? Or can this be cleaned right now on the remaining servers?
>>>
>>> BTW:
>>> # ipa-replica-manage list-ruv
>>> Directory Manager password:
>>>
>>> sib-rhidm03.unix.ad.com:389: 5
>>> dv-rhidm01.unix.ad.com:389: 17
>>> sib-rhidm02.unix.ad.com:389: 3
>>> sib-rhidm01.unix.ad.com:389: 4
>>> url-rhidm01.unix.ad.com:389: 6
>>> url-rhidm02.unix.ad.com:389: 7
>>> ....
>>> nw-rhidm01.unix.ad.com:389: 19
>>>
>
>> This message is harmless. It means that some values of nsds50ruv in the RUV have identical referral.
>> This should not occur, but replication is smart enough to just log this warning and continue working.
>
>> I would not recommend cleanup right now. Just clarification of the status.
>> Would you send all the ruv values returned by 'list-ruv' (here there is no duplicate).
>
> Here the full command output from the IPA 4.1 server:
>
> # ipa-replica-manage list-ruv
> Directory Manager password:
>
> nw-rhidm01.unix.ad.com:389: 19
> dv-rhidm02.unix.ad.com:389: 18
> vlg-rhidm03.unix.ad.com:389: 12
> sib-rhidm01.unix.ad.com:389: 4
> dv-rhidm01.unix.ad.com:389: 17
> url-rhidm01.unix.ad.com:389: 6
> url-rhidm02.unix.ad.com:389: 7
> cnt-rhidm01.unix.ad.com:389: 14
> sib-rhidm03.unix.ad.com:389: 5
> vlg-rhidm02.unix.ad.com:389: 13
> msk-rhidm-03.unix.ad.com:389: 10
> msk-rhidm-01.unix.ad.com:389: 9
> vlg-rhidm01.unix.ad.com:389: 8
> cnt-rhidm02.unix.ad.com:389: 15
> sib-rhidm02.unix.ad.com:389: 3
> msk-rhidm-02.unix.ad.com:389: 11
>
>> I'm planning to upgrade all the remaining IPA 3.3.3 to IPA 4.1.
> Ok, that should help.
>> Am I understanding correctly that the above messages do not mean something is terribly wrong in IPA for now?
> If you are asking about the attrlist_replace warnings, they should be benign, caused by the uncleaned RUVs as Thierry indicated. Although the list above looks OK, without duplicate RUVs.
> Thierry, does this need to be checked on every IPA server, or are RUVs also replicated?

I'm worried about this:
"Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase"
It appears in logs before the accident upgrade, and only on a part of our IPA servers.
From tbordaz at redhat.com Thu Apr 9 07:10:49 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 09 Apr 2015 09:10:49 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To: <55261347.2050509@redhat.com>
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru> <55252092.6010506@redhat.com> <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru> <55261347.2050509@redhat.com>
Message-ID: <552625F9.4080309@redhat.com>

On 04/09/2015 07:51 AM, Martin Kosek wrote:
> On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
>> -----Original Message-----
>> From: thierry bordaz [mailto:tbordaz at redhat.com]
>> Sent: Wednesday, April 08, 2015 6:36 PM
>> To: Alexander Frolushkin (SIB)
>> Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>>
>> On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
>>>>>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>>>>>
>>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes.
Change the nsslapd-maxbersize attribute in cn=config to increase. >>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1096 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>>>>> [08/Apr/2015:13:24:12 +0300] connection - conn=1097 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>>>> This message is logged if the received message was too large. But here max size was 200Mb. >>>>> I can not imagine a such large message. >>>>> Being log at the same second, it could be transient error. Have you seen others messages like these ? >>>> Yes, it still here. >>>> >>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1124 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>>> [08/Apr/2015:14:55:01 +0300] connection - conn=1126 fd=126 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. >>> Those logs mean the connection (e.g. conn=1125) got closed. >>> Would you grep conn=1125 in access log ? 
>> [08/Apr/2015:14:55:00 +0300] conn=1125 fd=130 slot=130 connection from 10.99.111.42 to 10.163.129.91 >> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="subschemaSubentry dsservicename namingContexts defaultnamingcontext schemanamingcontext configuratio >> nnamingcontext rootdomainnamingcontext supportedControl supportedLDAPVersion supportedldappolicies supportedSASLMechanisms dnshostname ldapservicename servername supportedcapabilities" >> [08/Apr/2015:14:55:00 +0300] conn=1125 op=0 RESULT err=0 tag=101 nentries=1 etime=0 No closure log ? Possibly the next op=1, triggered the error and the closure of the connection. Do you know if it exists a kind of keep alive mechanism, that would ping the instance with op=0 and then could send some dummy data ? Looking for periodicity on the 'Incoming BER Element' event could help to know who opened that connection >> >>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>> [08/Apr/2015:14:55:26 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://cnt-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>> >>>> >>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>>>> [08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed. >>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed. 
>>>>>> [08/Apr/2015:13:25:15 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://vlg-rhidm02.unix.ad.com:389/o%3Dipaca) failed. >>>>> Here it is likely trigger by RUV containing duplicated values (multiple replica install ?). You may have to use cleanruv after the upgrade. >>>>> ipa-replica-manage list-ruv and ipa-replica-manager clean-ruv >>>> Do You mean we need to upgrade all 3.3.3 IPA servers to 4.1 first? Or this can be cleaned right now on remaining servers? >>>> >>>> BTW: >>>> # ipa-replica-manage list-ruv >>>> Directory Manager password: >>>> >>>> sib-rhidm03.unix.ad.com:389: 5 >>>> dv-rhidm01.unix.ad.com:389: 17 >>>> sib-rhidm02.unix.ad.com:389: 3 >>>> sib-rhidm01.unix.ad.com:389: 4 >>>> url-rhidm01.unix.ad.com:389: 6 >>>> url-rhidm02.unix.ad.com:389: 7 >>>> .... >>>> nw-rhidm01.unix.ad.com:389: 19 >>>> >>> This message is harmless. It means that some values of nsds50ruv in the RUV have identical referral. >>> This should not occur, but replication is smart enough to just log this warning and continue working. >>> I would not recommend cleanup right now. Just clarification of the status. >>> Would you send all the ruv values returned by 'list-ruv' (here there is no duplicate). >> Here the full command output from the IPA 4.1 server: >> >> # ipa-replica-manage list-ruv >> Directory Manager password: >> >> nw-rhidm01.unix.ad.com:389: 19 >> dv-rhidm02.unix.ad.com:389: 18 >> vlg-rhidm03.unix.ad.com:389: 12 >> sib-rhidm01.unix.ad.com:389: 4 >> dv-rhidm01.unix.ad.com:389: 17 >> url-rhidm01.unix.ad.com:389: 6 >> url-rhidm02.unix.ad.com:389: 7 >> cnt-rhidm01.unix.ad.com:389: 14 >> sib-rhidm03.unix.ad.com:389: 5 >> vlg-rhidm02.unix.ad.com:389: 13 >> msk-rhidm-03.unix.ad.com:389: 10 >> msk-rhidm-01.unix.ad.com:389: 9 >> vlg-rhidm01.unix.ad.com:389: 8 >> cnt-rhidm02.unix.ad.com:389: 15 >> sib-rhidm02.unix.ad.com:389: 3 >> msk-rhidm-02.unix.ad.com:389: 11 >> >> I'm planning to upgrade all the remaining IPA 3.3.3 to IPA 4.1. > Ok, that should help. 
> >> Am I undersanding correctly, that upper messages does not mean something is terribly wrong in IPA for now? > If you are asking about the attrlist_replace warnings, they should be benign, > caused by the uncleaned RUVs as Thierry indicated. Although the list above > looks OK, without duplicate RUVs. I agree, those warnings means something needs to be cleaned but not that things are broken. Replication should work fine. > > Thierry, does this needs to be checked on every IPA server, or are RUVs also > replicated? I am unsure if list-ruv command is hidding something. The following command will dump the RUV of the local instance: ldapsearch -D "cn=directory manager" -W -b "$SUFFIX" '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' The 'attrlist_replace' message means that the local instance received a RUV from a remote instance and that remote RUV contained duplicated referral. If you want to know which server need to be cleaned, you would do list-ruv (or the ldapsearch command) on each instance. I would expect to see duplicates on some instances RUV, like for example: nw-rhidm01.unix.ad.com:389: 19 dv-rhidm02.unix.ad.com:389: 18 vlg-rhidm03.unix.ad.com:389: 12 sib-rhidm01.unix.ad.com:389: 4 dv-rhidm01.unix.ad.com:389: 17 url-rhidm01.unix.ad.com:389: 6 url-rhidm02.unix.ad.com:389: 7 *cnt-rhidm01.unix.ad.com:389: 14** **cnt-rhidm01.unix.ad.com:389: 24* sib-rhidm03.unix.ad.com:389: 5 vlg-rhidm02.unix.ad.com:389: 13 msk-rhidm-03.unix.ad.com:389: 10 msk-rhidm-01.unix.ad.com:389: 9 vlg-rhidm01.unix.ad.com:389: 8 cnt-rhidm02.unix.ad.com:389: 15 sib-rhidm02.unix.ad.com:389: 3 msk-rhidm-02.unix.ad.com:389: 11 > > Martin -------------- next part -------------- An HTML attachment was scrubbed... 
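The check Thierry describes, running list-ruv (or the nsds50ruv ldapsearch) on each instance and looking for a host that appears twice, is easy to do by hand for a handful of servers and easy to miss for sixteen. The Python below is an added example for this archive, not code from the thread, FreeIPA or 389-ds: it parses either the text that 'ipa-replica-manage list-ruv' prints or raw nsds50ruv attribute values and reports hosts listed under more than one replica id, plus the converse case of one replica id claimed by several hosts. The sample inputs are constructed (they do not reflect the poster's real replicas), and the nsds50ruv value layout "{replica <id> <ldap-url>} [<min-csn> <max-csn>]" is my assumption about the attribute format, not something stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ipa-replica-manage list-ruv` output,
# with one host carrying two replica ids (the stale-RUV situation that
# Thierry's annotated list illustrates). Not real output from the thread.
LIST_RUV_OUTPUT = """\
Directory Manager password:

nw-rhidm01.unix.ad.com:389: 19
cnt-rhidm01.unix.ad.com:389: 14
cnt-rhidm01.unix.ad.com:389: 24
sib-rhidm02.unix.ad.com:389: 3
"""

# The same state as nsds50ruv values from the RUV tombstone entry.
# Assumed layout: "{replica <id> <ldap-url>} [<min-csn> <max-csn>]";
# the CSN strings here are made up.
NSDS50RUV_VALUES = [
    "{replicageneration} 5515a3a0000000040000",
    "{replica 19 ldap://nw-rhidm01.unix.ad.com:389} 5515a3b2000000130000 55261f50000000130000",
    "{replica 14 ldap://cnt-rhidm01.unix.ad.com:389} 5515a3b2000000140000 55261f50000000140000",
    "{replica 24 ldap://cnt-rhidm01.unix.ad.com:389}",
    "{replica 3 ldap://sib-rhidm02.unix.ad.com:389} 5515a3b2000000030000 55261f50000000030000",
]

LIST_RUV_RE = re.compile(r"^(?P<host>\S+:\d+): (?P<rid>\d+)$")
NSDS50RUV_RE = re.compile(r"^\{replica (?P<rid>\d+) ldap://(?P<host>[^}/]+)\}")


def parse_list_ruv(text):
    """(host:port, replica id) pairs from list-ruv output; the password
    prompt and blank lines do not match the pattern and are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LIST_RUV_RE.match(line.strip())
        if m:
            pairs.append((m.group("host"), int(m.group("rid"))))
    return pairs


def parse_nsds50ruv(values):
    """(host:port, replica id) pairs from nsds50ruv values; the
    {replicageneration} value names no replica and is skipped."""
    pairs = []
    for value in values:
        m = NSDS50RUV_RE.match(value.strip())
        if m:
            pairs.append((m.group("host"), int(m.group("rid"))))
    return pairs


def duplicate_referrals(pairs):
    """Hosts present under more than one replica id, i.e. the RUV holds
    two elements with the same referral URL, which is the condition behind
    the attrlist_replace warning. Returns {host: sorted replica ids}."""
    ids_by_host = defaultdict(set)
    for host, rid in pairs:
        ids_by_host[host].add(rid)
    return {h: sorted(ids) for h, ids in ids_by_host.items() if len(ids) > 1}


def conflicting_replica_ids(pairs):
    """The converse problem: one replica id claimed by several hosts.
    Returns {replica id: sorted hosts}."""
    hosts_by_id = defaultdict(set)
    for host, rid in pairs:
        hosts_by_id[rid].add(host)
    return {rid: sorted(h) for rid, h in hosts_by_id.items() if len(h) > 1}


if __name__ == "__main__":
    for name, pairs in (("list-ruv", parse_list_ruv(LIST_RUV_OUTPUT)),
                        ("nsds50ruv", parse_nsds50ruv(NSDS50RUV_VALUES))):
        print(name, "duplicate referrals:", duplicate_referrals(pairs),
              "conflicting ids:", conflicting_replica_ids(pairs))
```

Run it against the output collected from every instance, not just one: as Thierry notes, a duplicate shows up in the RUV of the instance that received it, so a clean list on the IPA 4.1 server says nothing about the others.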
From tbordaz at redhat.com Thu Apr 9 07:14:33 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 09 Apr 2015 09:14:33 +0200
Subject: [Freeipa-users] Accident upgrade 3.3 to 4.1
In-Reply-To:
References: <5524FD25.8010200@redhat.com> <55250061.5060806@redhat.com> <55251A73.305@redhat.com> <49aeaae6ca82483eb29551540bb8ca91@sib-ums01.Megafon.ru> <55252092.6010506@redhat.com> <5ffe1b9ed0b04960b42afc497110c5e2@sib-ums01.Megafon.ru> <55261347.2050509@redhat.com>
Message-ID: <552626D9.1050306@redhat.com>

On 04/09/2015 07:59 AM, Alexander Frolushkin wrote:
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Thursday, April 09, 2015 11:51 AM
> To: Alexander Frolushkin (SIB); 'thierry bordaz'
> Cc: 'Ludwig Krispenz'; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>
> On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
>> Thierry, does this needs to be checked on every IPA server, or are RUVs also replicated?
> I'm worried about this:
>
> "Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase"
>
> It appears in logs before the accident upgrade, and only on a part of our IPA servers.

I understand. I wonder if the server received a malformed REQ, but it is not transient as it occurs from time to time.
With the IP address of the failing connection and periodicity, could you determine which application opened those connections and look at their logs.

>
> ________________________________
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
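Thierry's suggestion in this exchange is to take each 'Incoming BER Element was too long' event, find the connection-open line for the same conn id in the access log to learn the client IP, and look at how regularly the events recur, since a fixed interval points at a poller rather than a one-off malformed request. The Python below is an added example for this archive (not code from the thread or from 389-ds) that does exactly that correlation over the two log formats quoted above. The sample ERRORS_LOG and ACCESS_LOG lines are constructed in the shape of the quoted ones and are not the poster's real logs; the only format assumptions are the timestamp and "conn=N fd=N slot=N connection from A to B" layout visible in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ones quoted in this thread, not
# the poster's real logs: two bursts from one client, 1h30m49s apart.
ERRORS_LOG = """\
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:24:12 +0300] connection - conn=1094 fd=124 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
[08/Apr/2015:13:25:11 +0300] attrlist_replace - attr_replace (nsslapd-referral, ldap://sib-rhidm01.unix.ad.com:389/o%3Dipaca) failed.
[08/Apr/2015:14:55:01 +0300] connection - conn=1125 fd=130 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
"""

ACCESS_LOG = """\
[08/Apr/2015:13:24:11 +0300] conn=1094 fd=124 slot=124 connection from 10.99.111.42 to 10.163.129.91
[08/Apr/2015:13:24:11 +0300] conn=1095 fd=131 slot=131 connection from 10.99.111.42 to 10.163.129.91
[08/Apr/2015:13:24:11 +0300] conn=1095 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[08/Apr/2015:14:55:00 +0300] conn=1125 fd=130 slot=130 connection from 10.99.111.42 to 10.163.129.91
[08/Apr/2015:14:55:00 +0300] conn=1125 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="namingContexts"
[08/Apr/2015:14:55:00 +0300] conn=1125 op=0 RESULT err=0 tag=101 nentries=1 etime=0
"""

TS = r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"
BER_RE = re.compile(TS + r" connection - conn=(\d+) fd=\d+ Incoming BER Element was too long")
OPEN_RE = re.compile(TS + r" conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)")


def parse_ts(text):
    """389-ds log timestamp, e.g. 08/Apr/2015:14:55:01 +0300, as an aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def ber_events(errors_log):
    """Yield (time, conn id) for each 'Incoming BER Element was too long' line."""
    for line in errors_log.splitlines():
        m = BER_RE.match(line)
        if m:
            yield parse_ts(m.group(1)), int(m.group(2))


def connection_opens(access_log):
    """Map conn id -> [(open time, client ip), ...]. Connection ids start
    again from 0 when ns-slapd restarts, so over a long log one id can belong
    to several clients; keep every open and choose by time later."""
    opens = defaultdict(list)
    for line in access_log.splitlines():
        m = OPEN_RE.match(line)
        if m:
            opens[int(m.group(2))].append((parse_ts(m.group(1)), m.group(3)))
    return opens


def attribute_ber_events(errors_log, access_log):
    """Return {client ip: [event time, ...]}. Each event is attributed to the
    latest open of its conn id at or before the event; events whose open line
    is missing (access log rotated away) are filed under 'unknown'."""
    opens = connection_opens(access_log)
    by_ip = defaultdict(list)
    for when, conn in ber_events(errors_log):
        candidates = [o for o in opens.get(conn, []) if o[0] <= when]
        ip = max(candidates)[1] if candidates else "unknown"
        by_ip[ip].append(when)
    return dict(by_ip)


def gaps_seconds(times):
    """Inter-arrival gaps in seconds between distinct event timestamps, so a
    fixed-interval client (cron job, monitoring check) stands out."""
    distinct = sorted(set(times))
    return [int((b - a).total_seconds()) for a, b in zip(distinct, distinct[1:])]


if __name__ == "__main__":
    for ip, times in attribute_ber_events(ERRORS_LOG, ACCESS_LOG).items():
        print(ip, len(times), "events, gaps (s):", gaps_seconds(times))
```

On a real server read the two files from /var/log/dirsrv/slapd-INSTANCE/ (errors and access) instead of the embedded strings; the access log is buffered, so the open line for a very recent event may not be written yet, which is what the 'unknown' bucket is for.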
From chamambom at afri-com.net Thu Apr 9 07:33:25 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Thu, 9 Apr 2015 09:33:25 +0200
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To: <5525DA02.7060101@redhat.com>
References: <5525DA02.7060101@redhat.com>
Message-ID: <006d01d07297$7714bba0$653e32e0$@afri-com.net>

Good day

I have managed to follow this guide https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp21135920 and I have configured my sssd.conf file as follows.

PLEASE NOTE THAT THE SAME USER IS WORKING ON RHEL 6 AND CENTOS 6 CLIENTS, so sudo is working on the other clients except this centos 5 machine.

[root at pinnochio db]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = ai.co.zw

[nss]

[sudo]

[pam]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ai.co.zw
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, cyclops.ai.co.zw
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://cyclops.ai.co.zw
ldap_sudo_search_base = ou=sudoers,dc=cyclops,dc=ai,dc=co,dc=zw
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/pinnochio.ai.co.zw
ldap_sasl_realm = AI.CO.ZW
krb5_server = cyclops.ai.co.zw
[root at pinnochio db]#

And I'm still getting:

[admin at pinnochio ~]$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on pinnochio.
[admin at pinnochio ~]$

Error message below when debug level is set at 6:

(Thu Apr 9 09:32:01 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount))][cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_save_user] (6): Storing info for user admin (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=admins,cn=groups,cn=accounts,dc=ai,dc =co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Replication Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Replication Administrators,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. 
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. 
Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read DNA Range,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. 
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=Host Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=Host Enrollment,cn=privileges,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. 
Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw]. 
(Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=trust admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw]. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [sdap_initgr_nested_search] (2): Search for group cn=trust admins,cn=groups,cn=accounts,dc=ai,dc=co,dc=zw, returned 0 results. Skipping (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got request with the following data (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): command: PAM_AUTHENTICATE (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): domain: ai.co.zw (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user: admin (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): service: sudo (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty: /dev/pts/3 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser: (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost: (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok type: 1 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok size: 10 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok type: 0 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok size: 0 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] 
[pam_print_data] (4): priv: 0 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): cli_pid: 3809 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [check_for_valid_tgt] (3): TGT is valid. (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send] (4): Trying to resolve service 'IPA' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [get_server_status] (4): Hostname resolution expired, resetting the server status of 'cyclops.ai.co.zw' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'name not resolved' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_files_send] (4): Trying to resolve A record of 'cyclops.ai.co.zw' in files (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'resolving name' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_files_send] (4): Trying to resolve AAAA record of 'cyclops.ai.co.zw' in files (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_next] (5): No more address families to retry (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [resolv_gethostbyname_dns_query] (4): Trying to resolve A record of 'cyclops.ai.co.zw' in DNS (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'name resolved' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [be_resolve_server_done] (4): Found address for server cyclops.ai.co.zw: [41.57.64.54] TTL 300 (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [ipa_resolve_callback] (6): Constructed uri 'ldap://cyclops.ai.co.zw' (Thu Apr 9 09:32:02 2015) [sssd[be[ai.co.zw]]] [write_pipe_handler] (6): All data has been sent! 
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [read_pipe_handler] (6): EOF received, client finished
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [fo_set_port_status] (4): Marking port 0 of server 'cyclops.ai.co.zw' as 'working'
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [set_server_common_status] (4): Marking server 'cyclops.ai.co.zw' as 'working'
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sending result [0][ai.co.zw]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sent result [0][ai.co.zw]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [child_sig_handler] (4): child [3842] finished successfully.
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [be_pam_handler] (4): Got request with the following data
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): command: PAM_ACCT_MGMT
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): domain: ai.co.zw
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): user: admin
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): service: sudo
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): tty: /dev/pts/3
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): ruser:
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): rhost:
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok type: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): authtok size: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok type: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): newauthtok size: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): priv: 0
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [pam_print_data] (4): cli_pid: 3809
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_access_send] (6): Performing access check for user [admin]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_account_expired_rhds] (6): Performing RHDS access check for user [admin]
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=pinnochio.ai.co.zw))][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:04 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(null)][cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(objectClass=ipaHBACService)][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_step] (6): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=pinnochio.ai.co.zw,cn=computers,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=hostgroups,cn=accounts,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=bacaa788-dac0-11e4-93fe-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)(memberHost=cn=mailservers,cn=ng,cn=alt,dc=ai,dc=co,dc=zw)(memberHost=ipaUniqueID=53caae2a-ddf4-11e4-b324-525400143fc1,cn=sudorules,cn=sudo,dc=ai,dc=co,dc=zw)))][dc=ai,dc=co,dc=zw].
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [hbac_get_category] (5): Category is set to 'all'.
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, ) [Success]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sending result [0][ai.co.zw]
(Thu Apr 9 09:32:05 2015) [sssd[be[ai.co.zw]]] [be_pam_handler_callback] (4): Sent result [0][ai.co.zw]

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, April 09, 2015 3:47 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

On 04/08/2015 09:04 PM, Martin Chamambo wrote:
> I managed to install my ipa client on centos 5 using this command
> below
>
> ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>
>
> and it worked perfectly, I can getent passwd xxxx for users in the freeIPA server which is good.
>
> I am now trying to configure SUDO on centos and there seem to be mixed
> views on how I can get it working but I have actually embraced the
> following
>
> Use SSSD, don't use nslcd or anything that has pam_ldap or ldapd in
> the name
>
> and here are my configs
>
> cat /etc/nsswitch
>
> sudoers: files sss
>
>
> cat /etc/sssd/sssd.conf
>
> [root at pinnochio ~]# cat /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
>
>
> domains = ai.co.zw
> [nss]
>
> [sudo]
>
> [pam]
>
>
> [domain/ai.co.zw]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ai.co.zw
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> chpass_provider = ipa
> ipa_server = _srv_, cyclops.ai.co.zw
> ldap_tls_cacert = /etc/ipa/ca.crt
>
>
> wanted to add sudo services and ssh services on the line services =
> nss, pam and kept getting error
>
> (Thu Apr 9 02:04:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:04:36 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:27 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:08:59 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:09:35 2015) [sssd] [get_monitor_config] (0): Invalid service sudo
> (Thu Apr 9 02:10:05 2015) [sssd] [get_monitor_config] (0): Invalid service ssh
>
>
> I guess there is a different way of configuring SUDO on RHEL 5 or
> centos 5
>

The sudo and ssh support was added later than the version of SSSD that runs on CentOS5. Also the version of the sudo on 5 does not have integration with SSSD yet. The recommended approach is to configure sudo using its own LDAP capabilities as documented in the sudo manuals and man pages for that version.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From jhrozek at redhat.com Thu Apr 9 07:55:57 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 9 Apr 2015 09:55:57 +0200
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To: <006d01d07297$7714bba0$653e32e0$@afri-com.net>
References: <5525DA02.7060101@redhat.com> <006d01d07297$7714bba0$653e32e0$@afri-com.net>
Message-ID: <20150409075557.GC2718@hendrix>

On Thu, Apr 09, 2015 at 09:33:25AM +0200, Chamambo Martin wrote:
> Good day
>
> I have managed to follow this guide
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp21135920
> and I have configured my sssd.conf file as follows
>
>
> PLEASE NOTE THAT THE SAME USER IS WORKING ON RHEL 6 AND CENTOS 6 CLIENTS so
> sudo is working on the other clients except this centos 5 machine

Please note that Dmitri already replied correctly previously. There is no sudo provider on RHEL-5 nor is there SSSD support in sudo in RHEL-5. You need to use "ldap" for "sudoers" in nsswitch.conf and configure sudo individually for sudoers LDAP access.

Sorry, but RHEL-5 is obsolete, don't expect shiny new features there.
From lslebodn at redhat.com Thu Apr 9 08:46:09 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 9 Apr 2015 10:46:09 +0200
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
Message-ID: <20150409084608.GA894@mail.corp.redhat.com>

On (09/04/15 01:04), Martin Chamambo wrote:
>I managed to install my ipa client on centos 5 using this command below
>
> ipa-client-install --server cyclops.ai.co.zw --domain ai.co.zw
>

Please follow the instructions for RHEL 5:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/configuring-rhel5.html#Setting_up_sudo_Rules-Client_Configuration_for_sudo_Rules

LS

From david.dejaeghere at gmail.com Thu Apr 9 12:43:46 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Thu, 9 Apr 2015 14:43:46 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing

Hi,

Does somebody have any pointers for me regarding this issue?

Regards,

D

2015-04-07 13:34 GMT+02:00 David Dejaeghere :

> Hello,
>
> I am trying to setup a replica for my master which has been setup with an
> external CA to use our godaddy wildcard certificate.
> The ipa-replica-prepare is failing with the following debug information.
> I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
> What can I verify to get an idea of what is going wrong?
>
> ipa: DEBUG: stderr=
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>     self.ask_for_options()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
>     options.http_cert_name)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
>     host_name=self.replica_fqdn)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
>     nss_cert = x509.load_certificate(cert, x509.DER)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
>     return nss.Certificate(buffer(data))
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> Regards,
>
> D
>

From rcritten at redhat.com Thu Apr 9 14:01:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Apr 2015 10:01:06 -0400
Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server
In-Reply-To: <552647E4.7010405@intech-global.com>
References: <55250D39.2080702@intech-global.com> <55256E76.8000803@redhat.com> <552647E4.7010405@intech-global.com>
Message-ID: <55268622.1010300@redhat.com>

???????? ?????? wrote:
> Thank you, Rob for your response
>
> On 08.04.2015 21:07, Rob Crittenden wrote:
>> I assume you can't do this because the original host is lost, right?
> Yeah, you're right.
>
>> Every IPA master is an equal, some are just more equal than others. The
>> key bit that distinguishes them is whether there is a CA installed. The
>> other bit has to do with CRL generation and renewal which in your
>> version can only be done on one host (neither of which apply to
>> --selfsign anyway).
>
> I want to clarify, I didn't use the --selfsign key during primary server
> installation. I suppose it's the default key for CA, am I wrong?
> On my current ipa server (replica) I haven't a CA.
>
>> You mention migrating. What new primary server?
> I'm telling about installation of a new freeipa server and copying all data
> there.

That may be your best bet, but right now only users and groups are migrated, so that may not be adequate.

>> So I'd start digging around to see if you have the original CA private
>> key somewhere. The end of the IPA server install would have recommended
>> backing up cacert.p12.
>>
> I have a backup of the cacert.p12 key.

Theoretically it is possible to stand up a new CA instance using cacert.p12 but AFAIK nobody has worked out all the details. It would be a less-than-perfect solution anyway since knowledge of all currently-issued certs is lost.

I'd suggest looking into migration.

rob

From rcritten at redhat.com Thu Apr 9 14:16:37 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Apr 2015 10:16:37 -0400
Subject: [Freeipa-users] ipa-replica-prepare failing
Message-ID: <552689C5.40405@redhat.com>

David Dejaeghere wrote:
> Hi,
>
> Does somebody have any pointers for me regarding this issue?

It would help very much if you'd include the version you're working with. Based on line numbers I'll assume IPA 4.1.

It's hard to say since you don't include the command-line you're using, or what those files consist of.

It looks like it is blowing up trying to verify that the whole certificate chain is available. NSS unfortunately doesn't always provide the best error messages so it's hard to say why this particular cert can't be loaded.
rob

From david.dejaeghere at gmail.com Thu Apr 9 14:21:21 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Thu, 9 Apr 2015 16:21:21 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <552689C5.40405@redhat.com>
References: <552689C5.40405@redhat.com>

Hi,

Sorry for the lack of details!
You are indeed correct about the version, it's 4.1.
The command I am using is this:

ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v

Regards,

D
From guertin at middlebury.edu Thu Apr 9 15:19:32 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 9 Apr 2015 15:19:32 +0000
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
In-Reply-To: <55258BAE.4050404@redhat.com>
References: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu> <55258BAE.4050404@redhat.com>

>If that works it means that you are not using SSSD on RHEL5 clients.
>Please check your nsswitch and pam.conf to see what modules are actually
>used.

Hmm.
/etc/nsswitch.conf contains:

--------------------------
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
--------------------------

And /etc/pam.d/system-auth contains:

--------------------------
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so
--------------------------

i.e. they both contain both sss and ldap, with sss first. The client was installed with the script generated by running "ipa-advise config-redhat-sssd-before-1-9" on the server. This script contains:

# Use the authconfig to configure nsswitch.conf and the PAM stack
authconfig --updateall --enablesssd --enablesssdauth

and it also updates the /etc/sssd/sssd.conf file. So why would the client not be using sssd?

>Which RHEL5 versions do you use?
>If memory does not fail me if you have SSSD 1.5 (I think it was starting 5.8)
>you should be able to use ipa-client-install to configure sssd and pass the list
>of the servers in the --server option.

Most of them are RHEL 5.11 with sssd 1.5.1. I'll try reinstalling and passing the list of servers with the --server option.
David Guertin

From dpal at redhat.com Thu Apr 9 15:55:18 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Apr 2015 11:55:18 -0400
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
References: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu> <55258BAE.4050404@redhat.com>
Message-ID: <5526A0E6.4010309@redhat.com>

On 04/09/2015 11:19 AM, Guertin, David S. wrote:
>> If that works it means that you are not using SSSD on RHEL5 clients.
>> Please check your nsswitch and pam.conf to see what modules are actually
>> used.
> Hmm. /etc/nsswitch.conf contains:
>
> --------------------------
> passwd: files sss ldap
> shadow: files sss ldap
> group: files sss ldap
> --------------------------
>
> And /etc/pam.d/system-auth contains:
>
> --------------------------
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
> session optional pam_ldap.so
> --------------------------
>
> i.e. they both contain both sss and ldap, with sss first.
> The client was installed with the script generated by running "ipa-advise config-redhat-sssd-before-1-9" on the server. This script contains:
>
> # Use the authconfig to configure nsswitch.conf and the PAM stack
> authconfig --updateall --enablesssd --enablesssdauth
>
> and it also updates the /etc/sssd/sssd.conf file: So why would client not be using sssd?

This only means that pam_sss/nss_sss fails and LDAP takes over and works. You need to look at the sssd logs to see why it fails. It probably does not find the right servers and falls through to LDAP.

>
>> Which RHEL5 versions do you use?
>> If memory does not fail me if you have SSSD 1.5 (I think it was starting 5.8)
>> you should be able to use ipa-client-install to configure sssd and pass the list
>> of the servers in the --server option.
> Most of them are RHEL 5.11 with sssd 1.5.1. I'll try reinstalling and passing the list of servers with the --server option.
>
> David Guertin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From guertin at middlebury.edu Thu Apr 9 16:00:38 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 9 Apr 2015 16:00:38 +0000
Subject: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers
References: <067fd5d58d194dff8b2a8b47b5aaa348@greyhound.middlebury.edu> <55258BAE.4050404@redhat.com>
Message-ID: <8a17cdd60dac48e09087aa41fec2de9b@greyhound.middlebury.edu>

>i.e. they both contain both sss and ldap, with sss first. The client was
>installed with the script generated by running "ipa-advise config-redhat-
>sssd-before-1-9" on the server. This script contains:
>
># Use the authconfig to configure nsswitch.conf and the PAM stack
>authconfig --updateall --enablesssd --enablesssdauth
>
>and it also updates the /etc/sssd/sssd.conf file: So why would client not be
>using sssd?

I figured out where the problem was, and it was operator error.
I had written a script to install the client, and the script was running the output of ipa-advise before running ipa-client-install. Oops. I switched the order of those two lines, and now sssd is working correctly, and the client is failing over to alternate servers.

Thanks for the help.

David Guertin

From guertin at middlebury.edu Thu Apr 9 16:34:12 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 9 Apr 2015 16:34:12 +0000
Subject: [Freeipa-users] How to set the home directory for AD users?
Message-ID: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu>

We have a trust relationship set up between our IPA domain and our AD domain. When an AD user logs in to an IPA client, they are given a home directory of /home//. I would like to change this to /home/. (I'm not interested in automatically creating the home directory on login, I just want to change the directory name.) The users are not assigned a home directory in AD, so it's up to IPA to set it.

In the [nss] section of /etc/sssd/sssd.conf, I have

  homedir_substring = /home

but that doesn't do it. Neither does:

  fallback_homedir = /home/%u

Where can this variable be set?

Thanks,
David Guertin

From dpal at redhat.com Thu Apr 9 16:39:07 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 09 Apr 2015 12:39:07 -0400
Subject: [Freeipa-users] How to set the home directory for AD users?
In-Reply-To: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu>
References: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu>
Message-ID: <5526AB2B.3070407@redhat.com>

On 04/09/2015 12:34 PM, Guertin, David S. wrote:
> We have a trust relationship set up between our IPA domain and our AD domain. When an AD user logs in to an IPA client, they are given a home directory of /home//. I would like to change this to /home/. (I'm not interested in automatically creating the home directory on login, I just want to change the directory name.)
> The users are not assigned a home directory in AD, so it's up to IPA to set it.
>
> In the [nss] section of /etc/sssd/sssd.conf, I have
>
> homedir_substring = /home
>
> but that doesn't do it. Neither does:
>
> fallback_homedir = /home/%u
>
> Where can this variable be set?
>
> Thanks,
> David Guertin
>

On which version of the SSSD?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From CWhite at skytouchtechnology.com Thu Apr 9 16:47:29 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Thu, 9 Apr 2015 16:47:29 +0000
Subject: [Freeipa-users] granular sudo commands

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Craig White
Sent: Wednesday, April 08, 2015 4:53 PM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] granular sudo commands

rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64

[test2.user at app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root on app001.stt.local.

[test2.user at app001 ~]$ sudo -l
[sudo] password for test2.user:
Matching Defaults entries for test2.user on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User test2.user may run the following commands on this host:
    (ALL) sudo su - tomcat, sudo su - weblogic

How should the actual command be entered? I have tried...
Su - weblogic (ignore autocapitalization)
/bin/su - weblogic
Sudo su - weblogic
Sudo /bin/su - weblogic

But none seem to actually work.

Answering my own question - really complicated testing because sss_cache has no way of clearing cached sudo rules in the version I am using. I found that keeping a root shell on the test system and...

rm /var/lib/sss/db/cache*.ldb

and restarting sssd allowed me to actually change rules for testing purposes.

/bin/su - weblogic

was the rule that actually worked.

From abokovoy at redhat.com Thu Apr 9 16:52:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Apr 2015 19:52:01 +0300
Subject: [Freeipa-users] How to set the home directory for AD users?
In-Reply-To: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu>
References: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu>
Message-ID: <20150409165056.GB8433@redhat.com>

On Thu, 09 Apr 2015, Guertin, David S. wrote:
>We have a trust relationship set up between our IPA domain and our AD
>domain. When an AD user logs in to an IPA client, they are given a home
>directory of /home//. I would like to change this
>to /home/. (I'm not interested in automatically creating the
>home directory on login, I just want to change the directory name.) The
>users are not assigned a home directory in AD, so it's up to IPA to set
>it.
>
>In the [nss] section of /etc/sssd/sssd.conf, I have
>
> homedir_substring = /home
>
>but that doesn't do it. Neither does:
>
> fallback_homedir = /home/%u
>
>Where can this variable be set?

If your clients are RHEL 7.1, remove all of the hacks and use ID Views instead.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

ID view 'Default Trust View' will be applied automatically -- on RHEL7.1 clients by SSSD picking it up from IPA master, on legacy clients by their lookups to compat trees.
On RHEL6.6 I think SSSD is not capable doing the lookup 'RHEL7.1 way' yet but a rebase is planned to get next update cycle to catch up.

-- 
/ Alexander Bokovoy

From guertin at middlebury.edu Thu Apr 9 17:38:40 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 9 Apr 2015 17:38:40 +0000
Subject: [Freeipa-users] How to set the home directory for AD users?
In-Reply-To: <20150409165056.GB8433@redhat.com>
References: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu> <20150409165056.GB8433@redhat.com>

>If your clients are RHEL 7.1, remove all of the hacks and use ID Views instead.
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
>
>ID view 'Default Trust View' will be applied automatically -- on RHEL7.1
>clients by SSSD picking it up from IPA master, on legacy clients by their
>lookups to compat trees. On RHEL6.6 I think SSSD is not capable doing the
>lookup 'RHEL7.1 way' yet but a rebase is planned to get next update cycle to
>catch up.

Thanks, all of our clients are RHEL 6 and RHEL 5, so I'll just be patient and look forward to that (at least for RHEL 6).

I was just poking around the ID Views section of the Web UI, and it looks like I can set Home Directory for Users, but not User Groups. On the one hand that makes sense, since groups don't have home directories, but on the other hand, AD users are not shown (i.e. they only exist in IPA as a group), and anyway I would like to be able to set the home directory format for all users at once (including AD users) instead of individually. Is that possible?
David Guertin

From chamambom at afri-com.net Thu Apr 9 17:39:14 2015
From: chamambom at afri-com.net (Chamambo Martin)
Date: Thu, 9 Apr 2015 19:39:14 +0200
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To: <20150409084608.GA894@mail.corp.redhat.com>
References: <20150409084608.GA894@mail.corp.redhat.com>
Message-ID: <000001d072ec$1ab12650$501372f0$@afri-com.net>

I managed to follow this up and here is the error I'm getting

[admin at pinnochio ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://cyclops.ai.co.zw
ldap_version     3
sudoers_base     ou=SUDOers,dc=ai,dc=co,dc=zw
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
bindpw           CDMA1xafri
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://cyclops.ai.co.zw)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap sudoHost '+mailservers' ... not
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+mailservers' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x84
[sudo] password for admin:
Sorry, user admin may not run sudo on pinnochio.
[admin at pinnochio ~]$

My /etc/ldap.conf is like this

uri ldap://cyclops.ai.co.zw
sudoers_base ou=SUDOers,dc=ai,dc=co,dc=zw
binddn uid=sudo,cn=sysaccounts,cn=etc,dc=ai,dc=co,dc=zw
bindpw xxxxxxxx
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
bind_timelimit 5
timelimit 15

/etc/nsswitch.conf

Sudoers files ldap

From jhrozek at redhat.com Thu Apr 9 18:00:52 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 9 Apr 2015 20:00:52 +0200
Subject: [Freeipa-users] How to set the home directory for AD users?
References: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu> <20150409165056.GB8433@redhat.com>
Message-ID: <20150409180052.GJ2718@hendrix>

On Thu, Apr 09, 2015 at 05:38:40PM +0000, Guertin, David S. wrote:
> >If your clients are RHEL 7.1, remove all of the hacks and use ID Views instead.
> >https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
> >
> >ID view 'Default Trust View' will be applied automatically -- on RHEL7.1
> >clients by SSSD picking it up from IPA master, on legacy clients by their
> >lookups to compat trees. On RHEL6.6 I think SSSD is not capable doing the
> >lookup 'RHEL7.1 way' yet but a rebase is planned to get next update cycle to
> >catch up.
>
> Thanks, all of our clients are RHEL 6 and RHEL 5, so I'll just be patient and look forward to that (at least for RHEL 6).
>
> I was just poking around the ID Views section of the Web UI, and it looks like I can set Home Directory for Users, but not User Groups. On the one hand that makes sense, since groups don't have home directories, but on the other hand, AD users are not shown (i.e. they only exist in IPA as a group), and anyway I would like to be able to set the home directory format for all users at once (including AD users) instead of individually. Is that possible?

Since the trusted AD domain is a 'subdomain' in SSSD lingo, you need to change the 'subdomain_homedir' parameter in sssd.conf

From jhrozek at redhat.com Thu Apr 9 18:02:05 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 9 Apr 2015 20:02:05 +0200
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To: <000001d072ec$1ab12650$501372f0$@afri-com.net>
References: <20150409084608.GA894@mail.corp.redhat.com> <000001d072ec$1ab12650$501372f0$@afri-com.net>
Message-ID: <20150409180205.GK2718@hendrix>

On Thu, Apr 09, 2015 at 07:39:14PM +0200, Chamambo Martin wrote:
> I managed to follow this up and here is the error im getting

Here is the error:

> sudo: ldap sudoHost '+mailservers' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHost '+mailservers' ... not
> sudo: user_matches=1
> sudo: host_matches=0

So the user part of the rule matched but the host part did not. Check your nisdomainname and whether the host is part of any of the netgroups above.
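Added example (not from the thread): a small parser for the `sudo -l` LDAP debug output quoted above (the output sudo's LDAP backend prints with sudoers_debug set in ldap.conf), which reads the `sudoHost ... not`/`MATCH!` and `user_matches`/`host_matches` lines and reports which half of the rule evaluation failed. The sample log text is constructed to match the format shown in this thread, including the later run where `+mailservers` matched once the NIS domain was set.

```python
"""Triage helper for sudo's LDAP debug output (added example, not from the
thread).  A sudoHost value starting with '+' is a netgroup; sudo resolves it
through NIS-style netgroup lookups, which depend on the client's
nisdomainname, so a user_matches=1/host_matches=0 result with only netgroup
sudoHost entries points at the NIS domain or netgroup membership."""
import re

# Constructed sample in the format shown on the list: the failing run, where
# every sudoHost is a netgroup and none matched the client ...
FAILING_RUN = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap sudoHost '+mailservers' ... not
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+mailservers' ... not
sudo: user_matches=1
sudo: host_matches=0
"""

# ... and the run after the NIS domain was set, where +mailservers matched.
WORKING_RUN = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+mailservers' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
"""

HOST_RE = re.compile(r"^sudo: ldap sudoHost '(?P<value>[^']*)' \.\.\. (?P<result>not|MATCH!)$")
FLAG_RE = re.compile(r"^sudo: (?P<flag>user_matches|host_matches)=(?P<val>[01])$")


def parse_sudo_ldap_debug(text):
    """Collect connection state, evaluated sudoHost values and the final
    user/host match flags from one `sudo -l` debug run."""
    info = {"tls_ok": False, "bind_ok": False, "netgroups": [], "hosts": [],
            "matched": [], "user_matches": None, "host_matches": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sudo: ldap_start_tls_s() ok":
            info["tls_ok"] = True
            continue
        if line == "sudo: ldap_sasl_bind_s() ok":
            info["bind_ok"] = True
            continue
        m = HOST_RE.match(line)
        if m:
            value = m.group("value")
            is_netgroup = value.startswith("+")
            bucket = "netgroups" if is_netgroup else "hosts"
            name = value[1:] if is_netgroup else value
            if name not in info[bucket]:
                info[bucket].append(name)
            if m.group("result") == "MATCH!" and value not in info["matched"]:
                info["matched"].append(value)
            continue
        m = FLAG_RE.match(line)
        if m:
            info[m.group("flag")] = (m.group("val") == "1")
    return info


def diagnose(info):
    """Return (code, explanation) telling an admin where to look next."""
    if not info["bind_ok"]:
        return ("bind-failed", "sudo never bound to the directory; check binddn, "
                "bindpw, ssl start_tls and tls_cacertfile in ldap.conf.")
    if info["user_matches"] is None or info["host_matches"] is None:
        return ("incomplete-output", "no user_matches/host_matches summary found; "
                "capture the full sudoers_debug output.")
    if info["user_matches"] and not info["host_matches"]:
        if info["netgroups"]:
            return ("host-netgroup-mismatch", "user matched but the host did not "
                    "match netgroup(s) %s; check the client's nisdomainname and that "
                    "the host is a member (getent netgroup <name> on the client)."
                    % ", ".join(info["netgroups"]))
        return ("host-mismatch", "user matched but the host is not listed in any "
                "sudoHost value.")
    if not info["user_matches"]:
        return ("user-mismatch", "the host matched but the user (or their group/"
                "netgroup) is not in sudoUser.")
    return ("ok", "user and host both matched: %s" % ", ".join(info["matched"]))
```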
From wdh at dds.nl Thu Apr 9 18:13:36 2015
From: wdh at dds.nl (Winfried de Heiden)
Date: Thu, 09 Apr 2015 20:13:36 +0200
Subject: [Freeipa-users] freeipa-server on Raspberry Pi 2
In-Reply-To: <55239CA1.5070709@redhat.com>
References: <551D1F8E.2080707@dds.nl> <551D2A2D.1020901@redhat.com> <55238FE2.9030902@dds.nl> <55239CA1.5070709@redhat.com>
Message-ID: <5526C150.6070305@dds.nl>

From guertin at middlebury.edu Thu Apr 9 18:39:15 2015
From: guertin at middlebury.edu (Guertin, David S.)
Date: Thu, 9 Apr 2015 18:39:15 +0000
Subject: [Freeipa-users] How to set the home directory for AD users?
In-Reply-To: <20150409180052.GJ2718@hendrix>
References: <0d13fa1aa2ee42cd8d9711be5a4fa701@greyhound.middlebury.edu> <20150409165056.GB8433@redhat.com> <20150409180052.GJ2718@hendrix>
Message-ID: <8b51b0ea314447c3873ec4b0f3131fd1@greyhound.middlebury.edu>

>Since the trusted AD domain is a 'subdomain' in SSSD lingo, you need to
>change the 'subdomain_homedir' parameter in sssd.conf

Perfect! That's exactly what I was looking for. Thanks.

David Guertin

From rcritten at redhat.com Thu Apr 9 19:39:49 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 09 Apr 2015 15:39:49 -0400
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References: <552689C5.40405@redhat.com>
Message-ID: <5526D585.6050606@redhat.com>

David Dejaeghere wrote:
> Hi,
>
> Sorry for the lack of details!
> You are indeed correct about the version its 4.1
> The command I am using is this:
> ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v

I was pretty sure a pin was required with those options as well.
What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12

rob

> > Regards, > > D > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden >: > > David Dejaeghere wrote: > > Hi, > > > > Does somebody have any pointers for me regarding this issue? > > It would help very much if you'd include the version you're working > with. Based on line numbers I'll assume IPA 4.1. > > It's hard to say since you don't include the command-line you're using, > or what those files consist of. > > It looks like it is blowing up trying to verify that the whole > certificate chain is available. NSS unfortunately doesn't always provide > the best error messages so it's hard to say why this particular cert > can't be loaded. > > rob > > > > > Regards, > > > > D > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere > > >>: > > > > Hello, > > > > I am trying to setup a replica for my master which has been setup > > with an external CA to use our godaddy wildcard certificate. > > The ipa-replica-prepare is failing with the following debug > information. > > I am using --http-cert and --dirsrv-cert with my pk12 server > > certificate. > > What can I verify to get an idea of what is going wrong?
> >
> > ipa: DEBUG: stderr=
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> >     self.ask_for_options()
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> >     options.http_cert_name)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> >     host_name=self.replica_fqdn)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> >     nss_cert = x509.load_certificate(cert, x509.DER)
> >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> >     return nss.Certificate(buffer(data))
> >
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >
> > Regards,
> >
> > D
> >

From chamambom at afri-com.net Thu Apr 9 23:35:03 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Thu, 9 Apr 2015 23:35:03 +0000
Subject: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients
In-Reply-To: <20150409180205.GK2718@hendrix>
References: <20150409084608.GA894@mail.corp.redhat.com> <000001d072ec$1ab12650$501372f0$@afri-com.net>, <20150409180205.GK2718@hendrix>
Message-ID:

I was following this article for configuring RHEL5 clients
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Configuring_Identity_Management/configuring-rhel5.html#step.nslcd5

and I guess I wasn't understanding this part:

Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed.
Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.

I used this article to set the nisdomain
http://www.server-world.info/en/note?os=CentOS_6&p=nis&f=2

and voila, it's now working

===================
sudo: ldap_initialize(ld, ldap://cyclops.ai.co.zw)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap sudoHost '+dev_server' ... not
sudo: ldap sudoHost '+mailservers' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1

Thanks Jakub for pointing me in the right direction

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Thursday, April 09, 2015 8:02 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Configuring SUDO on centos and RHEL 5 clients

On Thu, Apr 09, 2015 at 07:39:14PM +0200, Chamambo Martin wrote:
> I managed to follow this up and here is the error im getting

Here is the error:

> sudo: ldap sudoHost '+mailservers' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHost '+mailservers' ... not
> sudo: user_matches=1
> sudo: host_matches=0

So the user part of the rule matched but the host part did not. Check your nisdomainname and whether the host is part of any of the netgroups above.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From prasun.gera at gmail.com Thu Apr 9 23:44:56 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Thu, 9 Apr 2015 19:44:56 -0400
Subject: [Freeipa-users] Synology DSM5 and freeIPA
In-Reply-To:
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com>
Message-ID:

I have a somewhat related question. Without kerberizing NFS, which I'll do eventually since that needs all the clients to be migrated first, how does one create home directories automatically? The IPA server and NFS server are different systems. I was able to verify that automatic home creation works if the NFS share is exported to the IPA server with no_root_squash. What's the proper way of doing this?

The documentation says: "Use a remote user who has limited permissions to create home directories and mount the share on the IdM server as that user. Since the IdM server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IdM server to create home directories on the NFS server."

What would be the list of steps that would achieve this? What are the limited permissions that the NFS user would need? Read + Write, but no Delete to the /home directory? Sounds like something that would need ACLs. And where does sudo on the IPA server fit into this?

On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < roberto.cornacchia at gmail.com> wrote:
> Thanks, Jakub.
> > > On 19 March 2015 at 21:23, Jakub Hrozek wrote: > >> >> > On 19 Mar 2015, at 21:18, Roberto Cornacchia < >> roberto.cornacchia at gmail.com> wrote: >> > >> > It's possible that I'm simply not getting the point, or that I don't >> understand the documentation correctly, but this is what I don't find clear: >> > >> > I had seen the instructions you pointed me at. These are not >> specifically about home directories. >> > >> > However, this section is: >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs >> > >> > It first suggests that automatic creation of home directories over NFS >> shares is possible: just automount /home and then use pam_oddjob_mkhomedir >> or pam_mkhomedir to create homedirs at first login. >> > >> > But then it also suggests that mounting the whole /home tree could be >> an issue, and says: "Use automount to mount only the user's home directory >> and only when the user logs in, rather than loading the entire /home tree." >> > >> > That means that automatic homedir creation is out of the game, doesn't >> it? >> > >> > That's what I find confusing. What's the recommended way? >> > >> >> It really depends on your environment. For your size, it's perfectly fine >> to NFS mount the whole /home tree and be done with it. Don't optimize >> prematurely :-) >> >> > >> > >> > On 19 March 2015 at 20:49, Dmitri Pal wrote: >> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: >> >> Hi Dmitri, >> >> >> >> I do realise my question is borderline and I accept that it is >> considered off-topic. >> >> >> >> I did post it here because I believe it's not *only* about NFS, but >> also about its interaction with freeIPA. The issue of NFS home and in >> particular about their creation is touched in all the links I posted (all >> about freeIPA) and never really answered. 
>> >> >> > >> > This is what documented and recommended: >> > >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs >> > >> > RHEL6 has a similar chapter in its doc set though books have changed >> significantly between 6 and 7. >> > >> > I do not see any chicken and egg problem there. >> > The instructions show how to create home dirs on the first login. >> > >> > It mounts the volume and then creates dirs on it as users log in if >> they are not already there. >> > >> > It is unclear what problem you see with doing it the way it is >> recommended. >> > >> > >> > >> >> Best, >> >> Roberto >> >> >> >> On 19 March 2015 at 19:36, Dmitri Pal wrote: >> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: >> >>> On 6 March 2015 at 11:15, Martin Kosek wrote: >> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: >> >>> Hi there, >> >>> >> >>> I'm planning to deploy freeIPA on our lan. >> >>> It's small-ish and completely based on FC21, so I expect everything >> to work >> >>> like a charm. >> >>> >> >>> Except one detail. We have Synology NAS station, which uses DSM 5.0. >> >>> The ideal plan is to use it as host for shared NFS home dirs once we >> switch our >> >>> desktops to freeIPA. >> >>> >> >>> Great! >> >>> >> >>> >> >>> Hello, >> >>> >> >>> The first thing I'm struggling with is to find the correct approach >> about NFS home dirs. 
>> >>> The ideal setting would be: >> >>> - home dirs on the NAS >> >>> - IPA manages automount maps >> >>> - home dirs are created automatically at first login >> >>> >> >>> The documentation I could find on these topics includes only >> not-so-recent pages (anything I missed?): >> >>> >> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA >> >>> >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html >> >>> >> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories >> >>> >> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ >> >>> >> >>> Now, I admit I don't have much experience with setting up NFS homes, >> with or without freeIPA, so trying to get this done correctly in the >> context of freeIPA and without clear howtos isn't very easy, but I'm >> willing to get my hands dirty. >> >>> >> >>> The first problem I struggle with is on the correct approach. >> >>> From the documentation above, I understand that there is a bit of a >> chicken-egg problem about the creation of home dirs. >> >>> On the one hand, it would be optimal to have automount maps to load >> only single home dirs on demand, rather than the entire /home tree. >> >>> On the other hand, if the /home tree is not available, then creating >> /home/user1 dir automatically isn't really possible. >> >>> >> >>> Just mounting the whole /home tree would make things easier, but I >> don't have a feeling of when it starts to become a performance issue >> (assuming recent hardware and up to date software). 10 users? 50? 100? 500? >> No idea. 
>> >>> The realm I'm dealing with at the moment is in the range of 5-10 users and probably won't be larger than 50 in the next few years (and if it will, it means things are going well, so what the heck ;)
>> >>> Also true that, with such few users, I could just create the homedirs manually when needed (this is not an organisation where many users come and go) and just mount them individually.
>> >>> Any tips about this?
>> >>>
>> >>> Best, Roberto
>> >>>
>> >> Some of these questions are really outside the scope of this list.
>> >> You might consider asking them on the NFS list.
>> >>
>> >> --
>> >> Thank you,
>> >> Dmitri Pal
>> >>
>> >> Sr. Engineering Manager IdM portfolio
>> >> Red Hat, Inc.
>> >>
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IdM portfolio
>> > Red Hat, Inc.
>> >
>>
>

From Alexander.Frolushkin at megafon.ru Fri Apr 10 04:36:21 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Fri, 10 Apr 2015 04:36:21 +0000
Subject: [Freeipa-users] user account without password
Message-ID:

Hello!
Is there any direct or indirect way to create IPA user accounts without a usable password? So, no one can ever authenticate these accounts using the account password (so the only way to use the account will be via "sudo su - username" from another account)?

With best regards,
Alexander Frolushkin

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
From g.fer.ordas at unicyber.co.uk Fri Apr 10 04:43:56 2015
From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk)
Date: Fri, 10 Apr 2015 05:43:56 +0100
Subject: [Freeipa-users] FreeIPA -- AD Group Sync
In-Reply-To:
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com>
Message-ID: <2914d086a6f9719b6e4f6bc31a372dfa@unicyber.co.uk>

Guys, is there a way of synching groups AD ----> FreeIPA without using the cert trust way? Is it possible to sync groups with AD in the way we can sync users? (My setup is uni-direction ---> onWay= fromWindows)

Thanks!

From mkosek at redhat.com Fri Apr 10 07:21:09 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Apr 2015 09:21:09 +0200
Subject: [Freeipa-users] user account without password
In-Reply-To:
References:
Message-ID: <552779E5.9020304@redhat.com>

On 04/10/2015 06:36 AM, Alexander Frolushkin wrote:
> Hello!
> Is there any direct or indirect way to create a IPA user accounts without usable password?
> So, no one can ever authenticate this accounts using the account password (so it will be the only way to use account via "sudo su - username" from another account)?

You can simply create a user without Kerberos password assigned (do not use --password option or "ipa passwd" command) and use "--shell /sbin/nologin" as other system accounts that are usually found on the system.

From jhrozek at redhat.com Fri Apr 10 07:23:06 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 10 Apr 2015 09:23:06 +0200
Subject: [Freeipa-users] user account without password
In-Reply-To:
References:
Message-ID: <20150410072306.GL2718@hendrix>

On Fri, Apr 10, 2015 at 04:36:21AM +0000, Alexander Frolushkin wrote:
> Hello!
> Is there any direct or indirect way to create a IPA user accounts without usable password?
> So, no one can ever authenticate this accounts using the account password (so it will be the only way to use account via "sudo su - username" from another account)?

I can only think about limiting access to this account via HBAC rules so that the only allowed service is sudo.

From jreg2k at gmail.com Fri Apr 10 07:45:01 2015
From: jreg2k at gmail.com (James James)
Date: Fri, 10 Apr 2015 09:45:01 +0200
Subject: [Freeipa-users] Replica with external ca + custom subject in certificate
In-Reply-To: <55260B74.8010604@redhat.com>
References: <5523B6B7.7080402@redhat.com> <5523C3F0.5090807@redhat.com> <5523DC2F.2080104@redhat.com> <5524BC55.10301@redhat.com> <55260B74.8010604@redhat.com>
Message-ID:

Thanks for your help.

James

2015-04-09 7:17 GMT+02:00 Jan Cholasta :
> On 8.4.2015 at 17:43, James James wrote:
>
>> It's a little bit more clear. Thanks.
>>
>> I have created a new ipa 4.1 replica but when I want run :
>>
>> # ipa-cacert-manage renew --self-signed
>>
>> I've got this message :
>>
>> [root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
>> CA is not configured on this system
>>
>
> You can run ipa-cacert-manage only on IPA servers with CA installed.
>
>
>> If I want to install the CA I've got this message :
>>
>> [root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
>> CA is already installed.
>>
>
> This command is used to install CA in CA-less IPA environment. The error
> message is a bit misleading and we have a ticket for that:
> <https://fedorahosted.org/freeipa/ticket/4492>.
>
>
>> Should I have to promote the replica to a standalone master before
>> installing the CA ?
>>
>
> You need to run ipa-ca-install with the replica info file used to create
> the replica to install the CA:
>
> # ipa-ca-install
>
>
>> Any hints will be appreciated...
>> >> >> James >> >> >> 2015-04-08 7:27 GMT+02:00 Jan Cholasta > >: >> >> >> Dne 7.4.2015 v 15:31 Martin Kosek napsal(a): >> >> On 04/07/2015 02:08 PM, James James wrote: >> >> I will try to give a better explanation : >> >> >> I have a CentOS 6.6 with ipa 3.0 named ipa-master. >> ipa-master has been >> installed with an external CA about 3 years ago and I will >> have to renew >> the certificate soon. >> >> I have created a test server (ipa-dev) with the same >> configuration (centos >> 6.6 and ipa 3.0) to test the renewal process. I want the new >> ipa-dev sever >> to be installed with an external CA. >> >> In the same time my external CA has changed and wants the >> emailAddress >> field in the certificate request 's subject. >> >> >> CSR during installation with external CA is produced by Dogtag, >> so you are >> constrained with the options and capabilities provided by >> ipa-server-install. >> Maybe it would be possible to modify the CSR and update the >> Subject manually, >> but I expect it would crash the installer later (JanC may know >> more (CCed)) >> >> >> The subject name identifies the CA in server (and other) >> certificates. If you change it, you break the trust chain from the >> CA certificate to the server certificates and that will break all >> SSL in IPA. >> >> >> If it is not possible to add emailAddress in the subject, is >> it possible to >> migrate my ipa-master CA system from an external CA to a >> CA-less or >> self-signed CA ? >> >> >> It is, with ipa-cacert-manage - see links below. >> >> >> You can change your external CA to self-signed CA in IPA 4.1 or >> newer by running: >> >> # ipa-cacert-manage renew --self-signed >> >> You can't change external CA to CA-less. >> >> >> >> Thanks. >> >> 2015-04-07 13:48 GMT+02:00 Martin Kosek > >: >> >> On 04/07/2015 01:44 PM, James James wrote: >> >> ok. >> >> Is there a way to migrate from an external CA to a >> CA-less or a >> >> self-signed >> >> CA ? 
>> >> >> Yes, you can use ipa-cacert-manage tool introduced in >> FreeIPA 4.1.0: >> >> https://www.freeipa.org/page/_ >> _Howto/CA_Certificate_Renewal >> > Howto/CA_Certificate_Renewal> >> https://www.freeipa.org/page/__V4/CA_certificate_renewal >> >> >> (Although I am still not sure about your use case and if >> this would help >> you) >> >> >> 2015-04-07 12:51 GMT+02:00 Martin Kosek >> >: >> >> On 04/03/2015 11:39 AM, James James wrote: >> >> Hello, >> >> I want to initialize a new replica with an >> external CA. My Certificate >> Authority wants a CSR with the field >> emailAddress in the subject like : >> >> /C=FR/O=TESTO/OU=TESTOU/CN=*.e >> __xample.com/emailAddress=none at __none.com >> > emailAddress=none at none.com> >> >> >> I am not a bit confused. Do you plan to have >> FreeIPA *without* a CA or >> with own >> CA signed by external CA? >> >> FreeIPA supports these kinds of setups right now: >> http://www.freeipa.org/page/__ >> PKI#Blending_in_PKI___infrastructure >> > infrastructure> >> >> How can I do with the ipa-server-install >> command ? I have been trying >> >> for >> >> few days but I still can't. >> >> Thanks for your help. >> >> >> CCing Honza who should know the definitive >> answer. However, FreeIPA was >> >> not >> >> very flexible in configuring special subjects >> for it's CA certificate >> >> (i.e. >> >> cn=Certificate Authority, ou=...) or hosts in >> case of CA-less setup. >> >> >> >> >> >> >> >> >> -- >> Jan Cholasta >> >> >> > > -- > Jan Cholasta >

From janne.blomqvist at aalto.fi Fri Apr 10 08:52:02 2015
From: janne.blomqvist at aalto.fi (Janne Blomqvist)
Date: Fri, 10 Apr 2015 11:52:02 +0300
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <5523BF8C.7090403@redhat.com>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com>
Message-ID: <55278F32.4020302@aalto.fi>

On 2015-04-07 14:29, Martin Kosek wrote:
> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
> > On 04/05/2015 12:51 PM, Janelle wrote:
> >> Hello,
> >>
> >> Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way?
> >>
> >> Thank you
> >> ~J
> >>
> > Sounds familiar.
> > I think there is a ticket open for that.
>
> This is the RFE:
>
> https://fedorahosted.org/freeipa/ticket/3338
>
> Just in case anybody would like to help us extend FreeIPA installers :-)
>

Hi,

I have a related, or opposite really, problem.

So I have configured IPA for a domain (say, ipa.example.org). Then I have a bunch of client machines that can join the domain etc. Fine so far.

However, I also have another bunch of client machines on an internal network (with NAT access to the outside world). So for these I add another network interface on the ipa servers. So my ipa servers have two IP's and dns names, say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now it doesn't work so well anymore for these clients, because the krb principals for the IPA server(s) are bound to the public name, so joining the domain fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by joining via the public interface (manually creating the machine accounts on the ipa server first, since otherwise it doesn't understand clientX.local dns names/IP's), but then obviously all communication goes via the NAT box which is a SPOF.

So is there some reasonable way to make the above work? Can I just add krb principals for ipa1.local on the ipa server manually with kadmin?
Or do I have to setup another pair of IPA servers for the internal network, with some kind of sync/trust with the public IPA servers?

--
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqvist at aalto.fi

From pspacek at redhat.com Fri Apr 10 09:05:25 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 10 Apr 2015 11:05:25 +0200
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <55278F32.4020302@aalto.fi>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com> <55278F32.4020302@aalto.fi>
Message-ID: <55279255.6070908@redhat.com>

On 10.4.2015 10:52, Janne Blomqvist wrote:
> On 2015-04-07 14:29, Martin Kosek wrote:
>> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
>> > On 04/05/2015 12:51 PM, Janelle wrote:
>> >> Hello,
>> >>
>> >> Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way?
>> >>
>> >> Thank you
>> >> ~J
>> >>
>> > Sounds familiar.
>> > I think there is a ticket open for that.
>>
>> This is the RFE:
>>
>> https://fedorahosted.org/freeipa/ticket/3338
>>
>> Just in case anybody would like to help us extend FreeIPA installers :-)
>>
>
> Hi,
>
> I have a related, or opposite really, problem.
>
> So I have configured IPA for a domain (say, ipa.example.org). Then I have a bunch of client machines that can join the domain etc. Fine so far.
>
> However, I also have another bunch of client machines on an internal network (with NAT access to the outside world). So for these I add another network interface on the ipa servers. So my ipa servers have two IP's and dns names, say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP).
> Now it doesn't work so well anymore for these clients, because the krb principals for the IPA server(s) are bound to the public name, so joining the domain fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by joining via the public interface (manually creating the machine accounts on the ipa server first, since otherwise it doesn't understand clientX.local dns names/IP's), but then obviously all communication goes via the NAT box which is a SPOF.
>
> So is there some reasonable way to make the above work?

IMHO the cleanest solution is to properly configure routing in your network to route your public IP range properly to the respective subnet instead of going through a NAT. Details depend on your network so I do not have exact steps for you, sorry.

--
Petr^2 Spacek

> Can I just add krb principals for ipa1.local on the ipa server manually with kadmin? Or do I have to setup another pair of IPA servers for the internal network, with some kind of sync/trust with the public IPA servers?

From david.dejaeghere at gmail.com Fri Apr 10 09:27:21 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Fri, 10 Apr 2015 11:27:21 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <5526D585.6050606@redhat.com>
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com>
Message-ID:

Hi Rob,

Without the --http-pin the command will give a prompt to enter the password. Tried both.
I am sending the output of the pk12util -l to you in another email. It holds the wildcard certificate and the godaddy bundle for as far as I can tell.

Regards,

D

2015-04-09 21:39 GMT+02:00 Rob Crittenden :
> David Dejaeghere wrote:
> > Hi,
> >
> > Sorry for the lack of details!
> > You are indeed correct about the version its 4.1 > > The command I am using is this: > > ipa-replica-prepare ipa-r1.myobscureddomain.com > > --http-cert-file > > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 > > --ip-address 172.31.16.31 -v > > I was pretty sure a pin was required with those options as well. > > What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12 > > rob > > > > > Regards, > > > > D > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden > >: > > > > David Dejaeghere wrote: > > > Hi, > > > > > > Does somebody have any pointers for me regarding this issue? > > > > It would help very much if you'd include the version you're working > > with. Based on line numbers I'll assume IPA 4.1. > > > > It's hard to say since you don't include the command-line you're > using, > > or what those files consist of. > > > > It looks like it is blowing up trying to verify that the whole > > certificate chain is available. NSS unfortunately doesn't always > provide > > the best error messages so it's hard to say why this particular cert > > can't be loaded. > > > > rob > > > > > > > > Regards, > > > > > > D > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere < > david.dejaeghere at gmail.com > > > > >>: > > > > > > Hello, > > > > > > I am trying to setup a replica for my master which has been > setup > > > with an external CA to use our godaddy wildcard certificate. > > > The ipa-replica-prepare is failing with the following debug > > information. > > > I am using --http-cert and --dirsrv-cert with my pk12 server > > > certificate. > > > What can I verify to get an idea of what is going wrong? 
> > > > > > ipa: DEBUG: stderr= > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: > DEBUG: > > > File > > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line > > > 169, in execute > > > self.ask_for_options() > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > line 276, in ask_for_options > > > options.http_cert_name) > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > line 176, in load_pkcs12 > > > host_name=self.replica_fqdn) > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > > line > > > 785, in load_pkcs12 > > > nss_cert = x509.load_certificate(cert, x509.DER) > > > File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line > > 128, > > > in load_certificate > > > return nss.Certificate(buffer(data)) > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: > > DEBUG: The > > > ipa-replica-prepare command failed, exception: NSPRError: > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure. > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: > ERROR: > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure. > > > > > > Regards, > > > > > > D > > > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
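Rob's diagnosis quoted above is that ipa-replica-prepare imports the PKCS#12 file and then walks the certificates it finds to confirm the full trust chain is present. The script below does that check up front, before the NSS error has a chance to appear. It is an added example, not FreeIPA code and not anything posted in this thread; it needs the `cryptography` package. It loads a .p12 with its pin, confirms the private key belongs to the end-entity certificate, and walks issuer by issuer, verifying each signature, until it reaches a self-signed root. The root/intermediate/wildcard chain it builds in memory is constructed sample data (the names, `*.example.test` included, are assumptions) so that it runs offline; for a real check, replace the sample bundle with the bytes of your own file and its pin.

```python
"""Pre-flight check for a PKCS#12 bundle destined for
ipa-replica-prepare --http-cert-file / --dirsrv-cert-file.

Added example, not FreeIPA code. Requires the `cryptography` package.
The sample chain (root -> intermediate -> wildcard leaf) is constructed
in memory so the script runs offline.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

MAX_DEPTH = 10  # guard against looping or absurdly deep bundles


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, issuer_key, pubkey, is_ca):
    """Sign a minimal certificate; BasicConstraints marks CA vs. leaf."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_sample_bundle(pin, include_intermediate=True):
    """Constructed sample: root CA -> intermediate CA -> '*.example.test' leaf.
    With include_intermediate=False the file has the gap that breaks chain
    validation: the leaf's issuer is simply not in the bundle."""
    root_key, int_key, leaf_key = [
        rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(3)]
    root = _cert(_name("Sample Root CA"), _name("Sample Root CA"),
                 root_key, root_key.public_key(), True)
    inter = _cert(_name("Sample Intermediate CA"), _name("Sample Root CA"),
                  root_key, int_key.public_key(), True)
    leaf = _cert(_name("*.example.test"), _name("Sample Intermediate CA"),
                 int_key, leaf_key.public_key(), False)
    extras = [inter, root] if include_intermediate else [root]
    return pkcs12.serialize_key_and_certificates(
        b"server", leaf_key, leaf, extras, serialization.BestAvailableEncryption(pin))


def check_bundle(p12_bytes, pin):
    """Return (ok, chain_length, problems) for a PKCS#12 blob and its pin."""
    try:
        key, leaf, extras = pkcs12.load_key_and_certificates(p12_bytes, pin)
    except ValueError as exc:
        return False, 0, ["cannot open bundle (wrong pin or malformed file): %s" % exc]
    problems = []
    if key is None or leaf is None:
        return False, 0, ["bundle lacks a private key or an end-entity certificate"]
    if key.public_key().public_numbers() != leaf.public_key().public_numbers():
        problems.append("private key does not match the end-entity certificate")
    # Index the extra certificates by subject, then climb from the leaf:
    # each issuer must be present and must have actually signed the child.
    by_subject = {c.subject.rfc4514_string(): c for c in (extras or [])}
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject and len(chain) < MAX_DEPTH:
        issuer = by_subject.get(cur.issuer.rfc4514_string())
        if issuer is None:
            problems.append("missing issuer certificate: %s" % cur.issuer.rfc4514_string())
            break
        try:
            issuer.public_key().verify(cur.signature, cur.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cur.signature_hash_algorithm)
        except Exception:
            problems.append("bad signature on %s" % cur.subject.rfc4514_string())
            break
        chain.append(issuer)
        cur = issuer
    if not problems and cur.issuer != cur.subject:
        problems.append("chain does not end in a self-signed root")
    return not problems, len(chain), problems


if __name__ == "__main__":
    pin = b"changeme"  # constructed pin for the sample bundles
    for label, bundle in (("full chain", build_sample_bundle(pin)),
                          ("no intermediate", build_sample_bundle(pin, False))):
        print(label, check_bundle(bundle, pin))
```

Against a real file, call `check_bundle(open("newcert.pk12", "rb").read(), pin)`. If the intermediate that signed the wildcard certificate is not inside the file, the walk stops at the leaf and names the missing issuer, which is exactly the condition ipa-replica-prepare is trying to establish when it reads the certificates back out of its temporary NSS database; the root may be listed with `pk12util -l` and the chain still be incomplete.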
URL: From Alexander.Frolushkin at megafon.ru Fri Apr 10 09:35:18 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Fri, 10 Apr 2015 09:35:18 +0000 Subject: [Freeipa-users] user account without password In-Reply-To: <20150410072306.GL2718@hendrix> References: <20150410072306.GL2718@hendrix> Message-ID: -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek Sent: Friday, April 10, 2015 1:23 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] user account without password >On Fri, Apr 10, 2015 at 04:36:21AM +0000, Alexander Frolushkin wrote: >> Hello! >> Is there any direct or indirect way to create IPA user accounts without a usable password? >> So, no one can ever authenticate these accounts using the account password (so it will be the only way to use the account via "sudo su - username" from another account)? >I can only think about limiting access to this account via HBAC rules so that the only allowed service is sudo. This will be fine in the common case, but unfortunately I also have identical accounts locally on some servers, and I think HBAC is not applicable to local users... ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it.
It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 From Alexander.Frolushkin at megafon.ru Fri Apr 10 10:44:27 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Fri, 10 Apr 2015 10:44:27 +0000 Subject: [Freeipa-users] user account without password In-Reply-To: <552779E5.9020304@redhat.com> References: <552779E5.9020304@redhat.com> Message-ID: -----Original Message----- From: Martin Kosek [mailto:mkosek at redhat.com] Sent: Friday, April 10, 2015 1:21 PM To: Alexander Frolushkin (SIB); freeipa-users at redhat.com Subject: Re: [Freeipa-users] user account without password >On 04/10/2015 06:36 AM, Alexander Frolushkin wrote: >> Hello! >> Is there any direct or indirect way to create IPA user accounts without a usable password? >> So, no one can ever authenticate these accounts using the account password (so it will be the only way to use the account via "sudo su - username" from another account)? >You can simply create a user without Kerberos password assigned (do not use --password option or "ipa passwd" command) and use "--shell /sbin/nologin" as other system accounts that are usually found on the system. Thank you, I hope this will work as blank root password in default Ubuntu :) Some notes - I think /sbin/nologin will make this account completely non-interactive, even via sudo. Also, if such account will also exist locally (my case), it will not be controlled by HBAC rules - it can be some kind of security trap...
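The two answers in this thread fit together as a policy and a gap: Jakub's HBAC rule that allows only the sudo service, and Alexander's observation that a same-named account in the local passwd file is never subject to HBAC. The Python model below is an added example, not SSSD or FreeIPA code. It reproduces the allow-only evaluation SSSD performs for HBAC (a request is permitted when some enabled rule matches the user, host and PAM service, either directly, through group membership, or through an ALL category; with no match, access is denied) and then shows where the decision actually lands on a client: for a user that NSS resolves from /etc/passwd, pam_sss reports the user as unknown and the stack falls through to pam_unix, so no HBAC rule is ever consulted. All user, host, group and rule names are constructed.

```python
"""Model of FreeIPA HBAC evaluation as SSSD applies it, and of the
local-account gap. Added example; not SSSD or FreeIPA code. All names
below (users, hosts, groups, rules) are constructed.
"""
from dataclasses import dataclass, field

ALL = "ALL"  # stands in for usercategory/hostcategory/servicecategory = all


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)     # user or user-group names, or {ALL}
    hosts: set = field(default_factory=set)     # host or host-group names, or {ALL}
    services: set = field(default_factory=set)  # PAM service or service-group names, or {ALL}
    enabled: bool = True


@dataclass
class Request:
    user: str
    user_groups: set
    host: str
    host_groups: set
    service: str
    service_groups: set = field(default_factory=set)


def _matches(selector, name, groups):
    return ALL in selector or name in selector or bool(selector & groups)


def hbac_eval(rules, req):
    """Return the name of the first enabled rule that allows the request,
    or None. HBAC has allow rules only: no matching rule means denied."""
    for r in rules:
        if (r.enabled
                and _matches(r.users, req.user, req.user_groups)
                and _matches(r.hosts, req.host, req.host_groups)
                and _matches(r.services, req.service, req.service_groups)):
            return r.name
    return None


def pam_account_decision(local_passwd, rules, req):
    """Where the access decision is made on a client. A user present in the
    local passwd file is unknown to pam_sss, so the stack ignores pam_sss
    and pam_unix decides; the HBAC rules are never evaluated for it."""
    if req.user in local_passwd:
        return "allow (local account, HBAC bypassed)"
    rule = hbac_eval(rules, req)
    return "allow by rule %s" % rule if rule else "deny (no HBAC rule matched)"


# Constructed policy: the default allow_all rule is disabled, members of the
# svcaccounts group may use the sudo services only, admins may do anything.
RULES = [
    HbacRule("allow_all", {ALL}, {ALL}, {ALL}, enabled=False),
    HbacRule("svc_sudo_only", users={"svcaccounts"}, hosts={ALL}, services={"sudo", "sudo-i"}),
    HbacRule("admins_all", users={"admins"}, hosts={ALL}, services={ALL}),
]


def demo():
    svc_ssh = Request("svc_app", {"svcaccounts"}, "web1.example.test", set(), "sshd")
    svc_sudo = Request("svc_app", {"svcaccounts"}, "web1.example.test", set(), "sudo")
    return {
        "ipa-only host, sshd": pam_account_decision(set(), RULES, svc_ssh),
        "ipa-only host, sudo": pam_account_decision(set(), RULES, svc_sudo),
        "host with local svc_app, sshd": pam_account_decision({"svc_app"}, RULES, svc_ssh),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-32s %s" % (label, outcome))
```

The third line of the demo is the trap in the thread: the same request that HBAC denies on an IPA-only host is allowed on a host that also carries `svc_app` in /etc/passwd, because the policy is never asked. Note also that HBAC governs the PAM side of `sudo`; what the account may then run is a separate question answered by sudo rules.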
From mmalek at iisg.agh.edu.pl Fri Apr 10 12:13:21 2015 From: mmalek at iisg.agh.edu.pl (Mateusz Malek) Date: Fri, 10 Apr 2015 14:13:21 +0200 Subject: [Freeipa-users] Slow user logon with IPA Message-ID: <5527BE61.8000001@iisg.agh.edu.pl> Hi everyone! I'm about to migrate my OpenLDAP-based environment to FreeIPA, however I've hit some weird performance problems. When I'm using IPA, it takes about 5-7 (or even more) seconds to get shell prompt after entering user password (no matter whether this is local login to FreeIPA server itself or accessing FreeIPA client machine); also, during user logon, ns-slapd processes CPU usage seems to be high. For comparison, in our present environment this transition from login to shell is instant.
Some details: we have about 1000 user accounts and 200 user groups. We're using (mostly) CentOS 7 virtual machines as servers and Fedora 20 as user workstations. There are also some physical Ubuntu 12.04 servers (our OpenLDAP is hosted there). Slow login occurs in all these (server) configurations I've tried: - FreeIPA on CentOS 7 VM, packages from "stock" repositories (version 4.1) - FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR - FreeIPA on Fedora 21 Workstation physical machine, packages from mkosek/freeipa COPR In all cases, machines had 2GB of RAM (exclusively reserved or physical). Virtual machines were tested on two separate VMware vSphere clusters (running different versions of vCenter and ESXi). I have tried using SSSD, pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck. I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some time ago, there were no similar issues. Any ideas what can be wrong or how to troubleshoot this? Best regards, Mateusz Malek From Andy.Thompson at e-tcc.com Fri Apr 10 13:27:27 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Fri, 10 Apr 2015 13:27:27 +0000 Subject: [Freeipa-users] blocking LDAP from DCs Message-ID: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> I am testing out trusts in my sandbox and the ipa-adtrust-install script notes at the end that LDAP should be blocked from the domain controllers. But http://www.freeipa.org/page/Active_Directory_trust_setup notes that it's not needed. Which recommendation is correct? Thanks -andy *** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. 
*** From jbaird at follett.com Fri Apr 10 13:40:05 2015 From: jbaird at follett.com (Baird, Josh) Date: Fri, 10 Apr 2015 13:40:05 +0000 Subject: [Freeipa-users] blocking LDAP from DCs In-Reply-To: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> References: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> Message-ID: I believe that this is no longer needed (you do NOT need to block LDAP from domain controllers). Josh -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Andy Thompson Sent: Friday, April 10, 2015 8:27 AM To: freeipa-users at redhat.com Subject: [Freeipa-users] blocking LDAP from DCs I am testing out trusts in my sandbox and the ipa-adtrust-install script notes at the end that LDAP should be blocked from the domain controllers. But http://www.freeipa.org/page/Active_Directory_trust_setup notes that it's not needed. Which recommendation is correct? Thanks -andy *** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. 
*** -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From abokovoy at redhat.com Fri Apr 10 13:41:47 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Apr 2015 16:41:47 +0300 Subject: [Freeipa-users] blocking LDAP from DCs In-Reply-To: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> References: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> Message-ID: <20150410134147.GL8433@redhat.com> On Fri, 10 Apr 2015, Andy Thompson wrote: >I am testing out trusts in my sandbox and the ipa-adtrust-install >script notes at the end that LDAP should be blocked from the domain >controllers. But >http://www.freeipa.org/page/Active_Directory_trust_setup notes that >it's not needed. > >Which recommendation is correct? Both, considering their timeline :) We may update ipa-adtrust-install text if it is confusing but it is pretty low priority right now. -- / Alexander Bokovoy From Andy.Thompson at e-tcc.com Fri Apr 10 13:52:02 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Fri, 10 Apr 2015 13:52:02 +0000 Subject: [Freeipa-users] blocking LDAP from DCs In-Reply-To: <20150410134147.GL8433@redhat.com> References: <80b886daf90947309026b15b4c5156a8@TCCCORPEXCH02.TCC.local> <20150410134147.GL8433@redhat.com> Message-ID: <119ad548b894499c98789fd0d34ef707@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Alexander Bokovoy [mailto:abokovoy at redhat.com] > Sent: Friday, April 10, 2015 9:42 AM > To: Andy Thompson > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] blocking LDAP from DCs > > On Fri, 10 Apr 2015, Andy Thompson wrote: > >I am testing out trusts in my sandbox and the ipa-adtrust-install > >script notes at the end that LDAP should be blocked from the domain > >controllers. But > >http://www.freeipa.org/page/Active_Directory_trust_setup notes that > >it's not needed. 
> > > >Which recommendation is correct? > Both, considering their timeline :) > > We may update ipa-adtrust-install text if it is confusing but it is pretty low > priority right now. > I don't know the relative timelines of each of them :) Probably lower than pretty low as priorities go, I was just curious. I left the firewall rules for now because I figured it wouldn't hurt. Thanks! -andy From sprokhorov at intech-global.com Thu Apr 9 09:35:32 2015 From: sprokhorov at intech-global.com (Prokhorov Sergey) Date: Thu, 09 Apr 2015 12:35:32 +0300 Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server In-Reply-To: <55256E76.8000803@redhat.com> References: <55250D39.2080702@intech-global.com> <55256E76.8000803@redhat.com> Message-ID: <552647E4.7010405@intech-global.com> Thank you, Rob, for your response On 08.04.2015 21:07, Rob Crittenden wrote: > I assume you can't do this because the original host is lost, right? Yeah, you're right. > Every IPA master is an equal, some are just more equal than others. The > key bit that distinguishes them is whether there is a CA installed. The > other bit has to do with CRL generation and renewal which in your > version can only be done on one host (neither of which apply to > --selfsign anyway). I want to clarify, I didn't use the --selfsign option during primary server installation. I suppose it's the default option for the CA, am I wrong? On my current ipa server (replica) I don't have a CA. > You mention migrating. What new primary server? I'm talking about installing a new freeipa server and copying all data there. > So I'd start digging around to see if you have the original CA private > key somewhere. The end of the IPA server install would have recommended > backing up cacert.p12. > I have a backup of the cacert.p12 key.
-- Best regards, Prokhorov Sergey Senior System Engineer of INTECH LTD e-mail: sprokhorov at intech-global.com From rmeggins at redhat.com Fri Apr 10 14:17:09 2015 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Apr 2015 08:17:09 -0600 Subject: [Freeipa-users] FreeIPA -- AD Group Sync In-Reply-To: <2914d086a6f9719b6e4f6bc31a372dfa@unicyber.co.uk> References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <2914d086a6f9719b6e4f6bc31a372dfa@unicyber.co.uk> Message-ID: <5527DB65.3090009@redhat.com> On 04/09/2015 10:43 PM, g.fer.ordas at unicyber.co.uk wrote: > Guys > > IS there a way of Synching Groups AD ----> FreeIPA without using the > Cert Trust Way? No. > > Is possible to Sync Groups with AD in the way we can Sync Users? No. > > (My setup is Uni-direction ---> onWay= fromWindows) > > Thanks! > From rcritten at redhat.com Fri Apr 10 15:03:59 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 10 Apr 2015 11:03:59 -0400 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> Message-ID: <5527E65F.2090102@redhat.com> David Dejaeghere wrote: > Hi Rob, > > Without the --http-pin the command will give a prompt to enter the password. > Tried both. > > I am sending the output of the pk12util -l to you in another email. > It holds the wildcard certificate and the godaddy bundle for as far as I > can tell. I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a rather generic NSS error which can mean any number of things. It often means that the NSS database it is using is bad in some way but given that this is a temporary database created just for this purpose I doubt that's it. You may want to look for SELinux AVCs though: ausearch -m AVC -ts recent. 
At the point where it is blowing up, the PKCS#12 file has already been imported and IPA is walking through the results trying to ensure that the full cert trust chain is available. It does this by reading the certs out of the database, and at that point it's blowing up. The PKCS#12 output you sent me looks ok. I don't believe this is an issue with trust or missing parts of the chain. I created a simple PKCS#12 file and was able to prepare a replica using it, so AFAICT the code isn't completely broken. Can you provide the full output from ipa-replica-prepare? rob > > Regards, > > D > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden >: > > David Dejaeghere wrote: > > Hi, > > > > Sorry for the lack of details! > > You are indeed correct about the version its 4.1 > > The command I am using is this: > > ipa-replica-prepare ipa-r1.myobscureddomain.com > > --http-cert-file > > /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 > > --ip-address 172.31.16.31 -v > > I was pretty sure a pin was required with those options as well. > > What do the PKCS#12 files look like: pk12util -l > /home/fedora/newcert.pk12 > > rob > > > > > Regards, > > > > D > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden > > >>: > > > > David Dejaeghere wrote: > > > Hi, > > > > > > Does somebody have any pointers for me regarding this issue? > > > > It would help very much if you'd include the version you're working > > with. Based on line numbers I'll assume IPA 4.1. > > > > It's hard to say since you don't include the command-line you're using, > > or what those files consist of. > > > > It looks like it is blowing up trying to verify that the whole > > certificate chain is available. NSS unfortunately doesn't always provide > > the best error messages so it's hard to say why this particular cert > > can't be loaded. 
> > > > rob > > > > > > > > Regards, > > > > > > D > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere > > > > > > > >>>: > > > > > > Hello, > > > > > > I am trying to setup a replica for my master which has > been setup > > > with an external CA to use our godaddy wildcard certificate. > > > The ipa-replica-prepare is failing with the following debug > > information. > > > I am using --http-cert and --dirsrv-cert with my pk12 > server > > > certificate. > > > What can I verify to get an idea of what is going wrong? > > > > > > ipa: DEBUG: stderr= > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: > > > File > > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line > > > 169, in execute > > > self.ask_for_options() > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > line 276, in ask_for_options > > > options.http_cert_name) > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > line 176, in load_pkcs12 > > > host_name=self.replica_fqdn) > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > > line > > > 785, in load_pkcs12 > > > nss_cert = x509.load_certificate(cert, x509.DER) > > > File > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line > > 128, > > > in load_certificate > > > return nss.Certificate(buffer(data)) > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: > > DEBUG: The > > > ipa-replica-prepare command failed, exception: NSPRError: > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure. > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: > > > (SEC_ERROR_LIBRARY_FAILURE) security library failure. 
> > > > > > Regards, > > > > > > D > > > > > > > > > > > > > > > > > > From bnordgren at fs.fed.us Fri Apr 10 15:27:22 2015 From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS) Date: Fri, 10 Apr 2015 15:27:22 +0000 Subject: [Freeipa-users] user account without password In-Reply-To: References: <552779E5.9020304@redhat.com> Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7BA268@001FSN2MPN1-046.001f.mgd2.msft.net> > Also, if such account will also exist locally (my case), it will not be controlled > by HBAC rules - it can be a some kind of security trap... Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local accounts need to be scoped to the local machine (e.g., "apache" on server 1 is different than "apache" on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named accounts on different machines. Alternatively, allowing domain accounts to run certain services also has some merit. (assuming the user has permissions to do so.) Just thinking into email. Bryce From dpal at redhat.com Fri Apr 10 16:39:20 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Apr 2015 12:39:20 -0400 Subject: [Freeipa-users] Slow user logon with IPA In-Reply-To: <5527BE61.8000001@iisg.agh.edu.pl> References: <5527BE61.8000001@iisg.agh.edu.pl> Message-ID: <5527FCB8.3030602@redhat.com> On 04/10/2015 08:13 AM, Mateusz Malek wrote: > Hi everyone! > > I'm about to migrate my OpenLDAP-based environment to FreeIPA, however > I've hit some weird performance problems. 
When I'm using IPA, it takes > about 5-7 (or even more) seconds to get shell prompt after entering > user password (no matter whether this is local login to FreeIPA server > itself or accessing FreeIPA client machine); also, during user logon, > ns-slapd processes CPU usage seems to be high. For comparison, in our > present environment this transition from login to shell is instant. > > Some details: we have about 1000 user accounts and 200 user groups. > We're using (mostly) CentOS 7 virtual machines as servers and Fedora > 20 as user workstations. There are also some physical Ubuntu 12.04 > servers (our OpenLDAP is hosted there). Slow login occurs in all these > (server) configurations I've tried: > - FreeIPA on CentOS 7 VM, packages from "stock" repositories (version > 4.1) > - FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR > - FreeIPA on Fedora 21 Workstation physical machine, packages from > mkosek/freeipa COPR > > In all cases, machines had 2GB of RAM (exclusively reserved or > physical). Virtual machines were tested on two separate VMware vSphere > clusters (running different versions of vCenter and ESXi). I have > tried using SSSD, pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck. > > I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some > time ago, there were no similar issues. > > Any ideas what can be wrong or how to troubleshoot this? Make sure your time is in sync on the server and the client. On the client (SSSD) enable verbose logging debug_level = see here https://jhrozek.fedorapeople.org/sssd/git/man/sss_debuglevel.8.html Do authentication and see where the time is spent by examining the logs. Correlate it to the logs on the server. If stuck send the logs from SSSD, and KDC/DS on the server and sssd configuration to the list for us to inspect. > > Best regards, > Mateusz Malek > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
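Dmitri's advice is to raise debug_level, run one authentication and see where the time goes. The script below does the mechanical part of that. It is an added example, not SSSD or FreeIPA code: it parses the timestamp at the front of each line in the sssd 1.x log format used by the versions in this thread (`(Fri Apr 10 14:13:21 2015)`, or `(Fri Apr 10 14:13:21:123456 2015)` once `debug_microseconds = true` is set in sssd.conf), measures the delay between consecutive lines and reports every gap over a threshold together with the function names on either side. The log excerpt embedded in it is constructed to resemble a group lookup that stalls on the directory server; the function names follow SSSD's naming but the lines are not from the thread.

```python
"""Find where an SSSD authentication spends its time by measuring the
gaps between consecutive debug log lines. Added example, not SSSD code.
Handles the sssd 1.x line prefix "(Fri Apr 10 14:13:21 2015)" and the
microsecond variant produced with debug_microseconds = true.
"""
import re
from datetime import datetime

_PREFIX = re.compile(
    r"^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
    r"(?::(?P<us>\d{6}))? (?P<year>\d{4})\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed excerpt of sssd_<domain>.log during one login: Kerberos
# authentication finishes quickly, then the initgroups LDAP search takes
# more than five seconds to come back from the directory server.
SAMPLE_LOG = """\
(Fri Apr 10 14:13:21:010203 2015) [sssd[be[ipa.example.test]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Apr 10 14:13:21:011000 2015) [sssd[be[ipa.example.test]]] [krb5_auth_send] (0x0100): Running as user 1001
(Fri Apr 10 14:13:21:240551 2015) [sssd[be[ipa.example.test]]] [krb5_auth_done] (0x0100): Kerberos authentication succeeded
(Fri Apr 10 14:13:21:241003 2015) [sssd[be[ipa.example.test]]] [sdap_get_initgr_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=ipa,dc=example,dc=test]
(Fri Apr 10 14:13:21:241400 2015) [sssd[be[ipa.example.test]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(member=uid=mmalek,cn=users,cn=accounts,dc=ipa,dc=example,dc=test)(objectClass=posixGroup))][cn=accounts,dc=ipa,dc=example,dc=test]
(Fri Apr 10 14:13:26:880121 2015) [sssd[be[ipa.example.test]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 10 14:13:26:902344 2015) [sssd[be[ipa.example.test]]] [sysdb_set_user_attr] (0x0200): Updating group membership of [mmalek]
(Fri Apr 10 14:13:26:903010 2015) [sssd[be[ipa.example.test]]] [be_pam_handler_callback] (0x0100): Sending result [0][ipa.example.test]
"""


def parse_line(line):
    """Return (timestamp, function, message), or None for lines without the
    standard prefix (continuation lines, blank lines, backtraces)."""
    m = _PREFIX.match(line)
    if not m:
        return None
    ts = datetime.strptime("%s %s" % (m.group("ts"), m.group("year")),
                           "%a %b %d %H:%M:%S %Y")
    if m.group("us"):
        ts = ts.replace(microsecond=int(m.group("us")))
    return ts, m.group("func"), m.group("msg")


def find_gaps(lines, threshold_s=1.0):
    """Return [(seconds, func_before, func_after, msg_after)] for each pair of
    consecutive parseable lines separated by more than threshold_s."""
    gaps, prev = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if prev is not None:
            delta = (rec[0] - prev[0]).total_seconds()
            if delta > threshold_s:
                gaps.append((delta, prev[1], rec[1], rec[2]))
        prev = rec
    return gaps


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for delta, before, after, msg in find_gaps(source):
        print("%8.3fs  %s -> %s: %s" % (delta, before, after, msg[:70]))
```

Run it as `python gaps.py /var/log/sssd/sssd_ipa.example.test.log` after a single login; on the sample it reports one gap of about 5.6 s between `sdap_get_generic_ext_step` and `sdap_get_generic_op_finished`, that is, time spent waiting for the LDAP search to return, which is the point at which to turn to the 389-ds access log on the server (the `etime` field of the matching SRCH) rather than to the client. Without `debug_microseconds` the timestamps are whole seconds and gaps under one second are invisible.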
From dpal at redhat.com Fri Apr 10 16:42:39 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Apr 2015 12:42:39 -0400 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> Message-ID: <5527FD7F.6070502@redhat.com> On 04/09/2015 07:44 PM, Prasun Gera wrote: > I have a somewhat related question. Without kerberizing NFS, which > I'll do eventually since that needs all the clients to be migrated > first, how does one create home directories automatically ? The IPA > server and NFS server are different systems. I was able to verify that > automatic home creation works if the NFS share is exported to the IPA > server with no_root_squash. What's the proper way of doing this ? > > > The documentation says: Which documentation you are referring to? Can you please post the link? > > Use a remote user who has limited permissions to create home > directories and mount the share on the IdM server as that user. Since > the IdM server runs as an httpd process, it is possible to use sudo or > a similar program to grant limited access to the IdM server to create > home directories on the NFS server. > > > What would be the list of steps that would achieve this ? What are the > limited permissions that the NFS user would need ? Read + Write, but > no Delete to the /home directory ? Sounds like something that would > need ACLs. And where does sudo on the IPA server fit into this ? > > > > On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia > > > wrote: > > Thanks, Jakub. > > > On 19 March 2015 at 21:23, Jakub Hrozek > wrote: > > > > On 19 Mar 2015, at 21:18, Roberto Cornacchia > > wrote: > > > > It's possible that I'm simply not getting the point, or that > I don't understand the documentation correctly, but this is > what I don't find clear: > > > > I had seen the instructions you pointed me at. 
These are not > specifically about home directories. > > > > However, this section is: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs > > > > It first suggests that automatic creation of home > directories over NFS shares is possible: just automount /home > and then use pam_oddjob_mkhomedir or pam_mkhomedir to create > homedirs at first login. > > > > But then it also suggests that mounting the whole /home tree > could be an issue, and says: "Use automount to mount only the > user's home directory and only when the user logs in, rather > than loading the entire /home tree." > > > > That means that automatic homedir creation is out of the > game, doesn't it? > > > > That's what I find confusing. What's the recommended way? > > > > It really depends on your environment. For your size, it's > perfectly fine to NFS mount the whole /home tree and be done > with it. Don't optimize prematurely :-) > > > > > > > On 19 March 2015 at 20:49, Dmitri Pal > wrote: > > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: > >> Hi Dmitri, > >> > >> I do realise my question is borderline and I accept that it > is considered off-topic. > >> > >> I did post it here because I believe it's not *only* about > NFS, but also about its interaction with freeIPA. The issue of > NFS home and in particular about their creation is touched in > all the links I posted (all about freeIPA) and never really > answered. > >> > > > > This is what documented and recommended: > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs > > > > RHEL6 has a similar chapter in its doc set though books have > changed significantly between 6 and 7. > > > > I do not see any chicken and egg problem there. > > The instructions show how to create home dirs on the first > login. 
> > > > It mounts the volume and then creates dirs on it as users > log in if they are not already there. > > > > It is unclear what problem you see with doing it the way it > is recommended. > > > > > > > >> Best, > >> Roberto > >> > >> On 19 March 2015 at 19:36, Dmitri Pal > wrote: > >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: > >>> On 6 March 2015 at 11:15, Martin Kosek > wrote: > >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: > >>> Hi there, > >>> > >>> I'm planning to deploy freeIPA on our lan. > >>> It's small-ish and completely based on FC21, so I expect > everything to work > >>> like a charm. > >>> > >>> Except one detail. We have Synology NAS station, which > uses DSM 5.0. > >>> The ideal plan is to use it as host for shared NFS home > dirs once we switch our > >>> desktops to freeIPA. > >>> > >>> Great! > >>> > >>> > >>> Hello, > >>> > >>> The first thing I'm struggling with is to find the correct > approach about NFS home dirs. > >>> The ideal setting would be: > >>> - home dirs on the NAS > >>> - IPA manages automount maps > >>> - home dirs are created automatically at first login > >>> > >>> The documentation I could find on these topics includes > only not-so-recent pages (anything I missed?): > >>> > >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA > >>> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html > >>> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories > >>> > http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ > >>> > >>> Now, I admit I don't have much experience with setting up > NFS homes, with or without freeIPA, so trying to get this done > correctly in the context of freeIPA and without clear howtos > isn't very easy, but I'm willing to get my hands dirty. > >>> > >>> The first problem I struggle with is on the correct approach. 
> >>> From the documentation above, I understand that there is a > bit of a chicken-egg problem about the creation of home dirs. > >>> On the one hand, it would be optimal to have automount > maps to load only single home dirs on demand, rather than the > entire /home tree. > >>> On the other hand, if the /home tree is not available, > then creating /home/user1 dir automatically isn't really possible. > >>> > >>> Just mounting the whole /home tree would make things > easier, but I don't have a feeling of when it starts to become > a performance issue (assuming recent hardware and up to date > software). 10 users? 50? 100? 500? No idea. > >>> The realm I'm dealing with at the moment is in the range > of 5-10 users and probably won't be larger than 50 in the next > few years (and if it will, it means things are going well, so > what the heck ;) > >>> Also true that, with such few users, I could just create > the homedirs manually when needed (this is not an organisation > where many users come and go) and just mount them individually. > >>> Any tips about this? > >>> > >>> Best, Roberto > >>> > >>> > >>> > >>> > >> Some of these questions are really outside the scope of > this list. > >> You might consider asking them on the NFS list. > >> > >> -- > >> Thank you, > >> Dmitri Pal > >> > >> Sr. Engineering Manager IdM portfolio > >> Red Hat, Inc. > >> > >> > >> > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc.
> > > > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri Apr 10 16:43:12 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Apr 2015 12:43:12 -0400 Subject: [Freeipa-users] FreeIPA -- AD Group Sync In-Reply-To: <5527DB65.3090009@redhat.com> References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <2914d086a6f9719b6e4f6bc31a372dfa@unicyber.co.uk> <5527DB65.3090009@redhat.com> Message-ID: <5527FDA0.3050001@redhat.com> On 04/10/2015 10:17 AM, Rich Megginson wrote: > On 04/09/2015 10:43 PM, g.fer.ordas at unicyber.co.uk wrote: >> Guys >> >> IS there a way of Synching Groups AD ----> FreeIPA without using the >> Cert Trust Way? > > No. > >> >> Is possible to Sync Groups with AD in the way we can Sync Users? > > No. > >> >> (My setup is Uni-direction ---> onWay= fromWindows) >> >> Thanks! >> > By design. Why? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
From prasun.gera at gmail.com Fri Apr 10 17:05:08 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Fri, 10 Apr 2015 13:05:08 -0400 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: <5527FD7F.6070502@redhat.com> References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> Message-ID: Here's the link: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote: > On 04/09/2015 07:44 PM, Prasun Gera wrote: > > I have a somewhat related question. Without kerberizing NFS, which I'll > do eventually since that needs all the clients to be migrated first, how > does one create home directories automatically? The IPA server and NFS > server are different systems. I was able to verify that automatic home > creation works if the NFS share is exported to the IPA server with > no_root_squash. What's the proper way of doing this? > > > The documentation says: > > > Which documentation are you referring to? > Can you please post the link? > > > > Use a remote user who has limited permissions to create home directories > and mount the share on the IdM server as that user. Since the IdM server > runs as an httpd process, it is possible to use sudo or a similar program > to grant limited access to the IdM server to create home directories on the > NFS server. > > > > What would be the list of steps that would achieve this? What are the > limited permissions that the NFS user would need? Read + Write, but no > Delete to the /home directory? Sounds like something that would need ACLs. > And where does sudo on the IPA server fit into this? > > > > On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < > roberto.cornacchia at gmail.com> wrote: > >> Thanks, Jakub. 
>> >> >> On 19 March 2015 at 21:23, Jakub Hrozek wrote: >> >>> >>> > On 19 Mar 2015, at 21:18, Roberto Cornacchia < >>> roberto.cornacchia at gmail.com> wrote: >>> > >>> > It's possible that I'm simply not getting the point, or that I don't >>> understand the documentation correctly, but this is what I don't find clear: >>> > >>> > I had seen the instructions you pointed me at. These are not >>> specifically about home directories. >>> > >>> > However, this section is: >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs >>> > >>> > It first suggests that automatic creation of home directories over NFS >>> shares is possible: just automount /home and then use pam_oddjob_mkhomedir >>> or pam_mkhomedir to create homedirs at first login. >>> > >>> > But then it also suggests that mounting the whole /home tree could be >>> an issue, and says: "Use automount to mount only the user's home directory >>> and only when the user logs in, rather than loading the entire /home tree." >>> > >>> > That means that automatic homedir creation is out of the game, doesn't >>> it? >>> > >>> > That's what I find confusing. What's the recommended way? >>> > >>> >>> It really depends on your environment. For your size, it's perfectly >>> fine to NFS mount the whole /home tree and be done with it. Don't optimize >>> prematurely :-) >>> >>> > >>> > >>> > On 19 March 2015 at 20:49, Dmitri Pal wrote: >>> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: >>> >> Hi Dmitri, >>> >> >>> >> I do realise my question is borderline and I accept that it is >>> considered off-topic. >>> >> >>> >> I did post it here because I believe it's not *only* about NFS, but >>> also about its interaction with freeIPA. The issue of NFS home and in >>> particular about their creation is touched in all the links I posted (all >>> about freeIPA) and never really answered. 
>>> >> > >>> > > This is what is documented and recommended: > >>> > > >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs > >>> > > >>> > RHEL6 has a similar chapter in its doc set though books have changed > >>> significantly between 6 and 7. > >>> > > >>> > I do not see any chicken and egg problem there. > >>> > The instructions show how to create home dirs on the first login. > >>> > > >>> > It mounts the volume and then creates dirs on it as users log in if > >>> they are not already there. > >>> > > >>> > It is unclear what problem you see with doing it the way it is > >>> recommended. > >>> > > >>> > > >>> > > >>> >> Best, > >>> >> Roberto > >>> >> > >>> >> On 19 March 2015 at 19:36, Dmitri Pal wrote: > >>> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: > >>> >>> On 6 March 2015 at 11:15, Martin Kosek wrote: > >>> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: > >>> >>> Hi there, > >>> >>> > >>> >>> I'm planning to deploy freeIPA on our lan. > >>> >>> It's small-ish and completely based on FC21, so I expect everything > >>> to work > >>> >>> like a charm. > >>> >>> > >>> >>> Except one detail. We have Synology NAS station, which uses DSM 5.0. > >>> >>> The ideal plan is to use it as host for shared NFS home dirs once we > >>> switch our > >>> >>> desktops to freeIPA. > >>> >>> > >>> >>> Great! > >>> >>> > >>> >>> > >>> >>> Hello, > >>> >>> > >>> >>> The first thing I'm struggling with is to find the correct approach > >>> about NFS home dirs. 
>>> >>> The ideal setting would be: >>> >>> - home dirs on the NAS >>> >>> - IPA manages automount maps >>> >>> - home dirs are created automatically at first login >>> >>> >>> >>> The documentation I could find on these topics includes only >>> not-so-recent pages (anything I missed?): >>> >>> >>> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA >>> >>> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html >>> >>> >>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories >>> >>> >>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ >>> >>> >>> >>> Now, I admit I don't have much experience with setting up NFS homes, >>> with or without freeIPA, so trying to get this done correctly in the >>> context of freeIPA and without clear howtos isn't very easy, but I'm >>> willing to get my hands dirty. >>> >>> >>> >>> The first problem I struggle with is on the correct approach. >>> >>> From the documentation above, I understand that there is a bit of a >>> chicken-egg problem about the creation of home dirs. >>> >>> On the one hand, it would be optimal to have automount maps to load >>> only single home dirs on demand, rather than the entire /home tree. >>> >>> On the other hand, if the /home tree is not available, then creating >>> /home/user1 dir automatically isn't really possible. >>> >>> >>> >>> Just mounting the whole /home tree would make things easier, but I >>> don't have a feeling of when it starts to become a performance issue >>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500? >>> No idea. 
>>> >>> The realm I'm dealing with at the moment is in the range of 5-10 >>> users and probably won't be larger than 50 in the next few years (and if it >>> will, it means things are going well, so what the heck ;) >>> >>> Also true that, with such few users, I could just create the >>> homedirs manually when needed (this is not an organisation where many users >>> come and go) and just mount them individually. >>> >>> Any tips about this? >>> >>> >>> >>> Best, Roberto >>> >>> >>> >>> >>> >>> >>> >>> >>> >> Some of these questions are really outside the scope of this list. >>> >> You might consider asking them on the NFS list. >>> >> >>> >> -- >>> >> Thank you, >>> >> Dmitri Pal >>> >> >>> >> Sr. Engineering Manager IdM portfolio >>> >> Red Hat, Inc. >>> >> >>> >> >>> >> -- >>> >> Manage your subscription for the Freeipa-users mailing list: >>> >> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> Go to http://freeipa.org for more info on the project >>> >> >>> >> >>> >> >>> > >>> > >>> > -- >>> > Thank you, >>> > Dmitri Pal >>> > >>> > Sr. Engineering Manager IdM portfolio >>> > Red Hat, Inc. >>> > >>> > >>> > -- >>> > Manage your subscription for the Freeipa-users mailing list: >>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>> > Go to http://freeipa.org for more info on the project >>> > >>> > -- >>> > Manage your subscription for the Freeipa-users mailing list: >>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>> > Go to http://freeipa.org for more info on the project >>> >>> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. 
> > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From david.dejaeghere at gmail.com Fri Apr 10 17:59:24 2015 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Fri, 10 Apr 2015 19:59:24 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: <5527E65F.2090102@redhat.com> References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> Message-ID: Hi, I even tried the command using an export from the http service nss db, same issue. regarding SElinux: ausearch -m AVC -ts recent Sending you the log personally. Regards, D 2015-04-10 17:03 GMT+02:00 Rob Crittenden : > David Dejaeghere wrote: > > Hi Rob, > > > > Without the --http-pin the command will give a prompt to enter the > password. > > Tried both. > > > > I am sending the output of the pk12util -l to you in another email. > > It holds the wildcard certificate and the godaddy bundle for as far as I > > can tell. > > I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a > rather generic NSS error which can mean any number of things. It often > means that the NSS database it is using is bad in some way but given > that this is a temporary database created just for this purpose I doubt > that's it. You may want to look for SELinux AVCs though: ausearch -m AVC > -ts recent. > > At the point where it is blowing up, the PKCS#12 file has already been > imported and IPA is walking through the results trying to ensure that > the full cert trust chain is available. It does this by reading the > certs out of the database, and at that point it's blowing up. > > The PKCS#12 output you sent me looks ok. I don't believe this is an > issue with trust or missing parts of the chain. 
> > I created a simple PKCS#12 file and was able to prepare a replica using > it, so AFAICT the code isn't completely broken. > > Can you provide the full output from ipa-replica-prepare? > > rob > > > > Regards, > > > > D > > > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden > >: > > > > David Dejaeghere wrote: > > > Hi, > > > > > > Sorry for the lack of details! > > > You are indeed correct about the version its 4.1 > > > The command I am using is this: > > > ipa-replica-prepare ipa-r1.myobscureddomain.com < > http://ipa-r1.myobscureddomain.com> > > > --http-cert-file > > > /home/fedora/newcert.pk12 --dirsrv-cert-file > /home/fedora/newcert.pk12 > > > --ip-address 172.31.16.31 -v > > > > I was pretty sure a pin was required with those options as well. > > > > What do the PKCS#12 files look like: pk12util -l > > /home/fedora/newcert.pk12 > > > > rob > > > > > > > > Regards, > > > > > > D > > > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden > > > >>: > > > > > > David Dejaeghere wrote: > > > > Hi, > > > > > > > > Does somebody have any pointers for me regarding this issue? > > > > > > It would help very much if you'd include the version you're > working > > > with. Based on line numbers I'll assume IPA 4.1. > > > > > > It's hard to say since you don't include the command-line > you're using, > > > or what those files consist of. > > > > > > It looks like it is blowing up trying to verify that the whole > > > certificate chain is available. NSS unfortunately doesn't > always provide > > > the best error messages so it's hard to say why this > particular cert > > > can't be loaded. 
> > > rob
> > > >
> > > > Regards,
> > > > D
> > > >
> > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere <david.dejaeghere at gmail.com>:
> > > > Hello,
> > > >
> > > > I am trying to setup a replica for my master which has been setup with an external CA to use our godaddy wildcard certificate.
> > > > The ipa-replica-prepare is failing with the following debug information.
> > > > I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
> > > > What can I verify to get an idea of what is going wrong?
> > > >
> > > > ipa: DEBUG: stderr=
> > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > > >     self.ask_for_options()
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > > >     options.http_cert_name)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > > >     host_name=self.replica_fqdn)
> > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > > >     return nss.Certificate(buffer(data))
> > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > Regards, > > > > D > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Fri Apr 10 18:48:15 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 10 Apr 2015 20:48:15 +0200 Subject: [Freeipa-users] Slow user logon with IPA In-Reply-To: <5527FCB8.3030602@redhat.com> References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> Message-ID: <20150410184815.GU2718@hendrix> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote: > On 04/10/2015 08:13 AM, Mateusz Malek wrote: > >Hi everyone! > > > >I'm about to migrate my OpenLDAP-based environment to FreeIPA, however > >I've hit some weird performance problems. When I'm using IPA, it takes > >about 5-7 (or even more) seconds to get shell prompt after entering user > >password (no matter whether this is local login to FreeIPA server itself > >or accessing FreeIPA client machine); also, during user logon, ns-slapd > >processes CPU usage seems to be high. For comparison, in our present > >environment this transition from login to shell is instant. > > > >Some details: we have about 1000 user accounts and 200 user groups. We're > >using (mostly) CentOS 7 virtual machines as servers and Fedora 20 as user > >workstations. There are also some physical Ubuntu 12.04 servers (our > >OpenLDAP is hosted there). Slow login occurs in all these (server) > >configurations I've tried: > >- FreeIPA on CentOS 7 VM, packages from "stock" repositories (version 4.1) > >- FreeIPA on CentOS 7 VM, packages from mkosek/freeipa COPR > >- FreeIPA on Fedora 21 Workstation physical machine, packages from > >mkosek/freeipa COPR > > > >In all cases, machines had 2GB of RAM (exclusively reserved or physical). > >Virtual machines were tested on two separate VMware vSphere clusters > >(running different versions of vCenter and ESXi). 
I have tried using SSSD, > >pam_krb5 + nss_ldap, pam_ldap + nss_ldap - no luck. > > > >I **think** that with FreeIPA 3.3 on CentOS 7, when I tested IPA some time > >ago, there were no similar issues. > > > >Any ideas what can be wrong or how to troubleshoot this? > > Make sure your time is in sync on the server and the client. > On the client (SSSD) enable verbose logging debug_level = see here > https://jhrozek.fedorapeople.org/sssd/git/man/sss_debuglevel.8.html > Do authentication and see where the time is spent by examining the logs. > Correlate it to the logs on the server. > > If stuck send the logs from SSSD, and KDC/DS on the server and sssd > configuration to the list for us to inspect. I spent the better part of today fixing this issue: https://fedorahosted.org/sssd/ticket/2624 You might want to check if you're hit by this bug by setting: selinux_provider=none temporarily. From john.1209 at yahoo.com Fri Apr 10 19:58:10 2015 From: john.1209 at yahoo.com (John Williams) Date: Fri, 10 Apr 2015 19:58:10 +0000 (UTC) Subject: [Freeipa-users] Expired Certs Message-ID: <299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com> I've inherited an IPA infrastructure for a group in my organization. So I've got a RHEL instance with an IPA 3.0.0 server with expired certs.

[root at ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root at ipa ~]#

[root at ipa ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130404232110':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=CA Audit,O=IDEF
        expires: 2017-02-15 19:26:38 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232111':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=OCSP Subsystem,O=IDEF
        expires: 2017-02-15 19:25:38 UTC
        eku: id-kp-OCSPSigning
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232112':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=CA Subsystem,O=IDEF
        expires: 2017-02-15 19:25:38 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232113':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=IPA RA,O=IDEF
        expires: 2017-02-15 19:25:38 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232114':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=ipa.infra.idef,O=IDEF
        expires: 2017-02-15 19:25:38 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232127':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=ipa.infra.idef,O=IDEF
        expires: 2015-04-05 23:21:26 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232155':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=ipa.infra.idef,O=IDEF
        expires: 2015-04-05 23:21:54 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130404232517':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IDEF
        subject: CN=ipa.infra.idef,O=IDEF
        expires: 2015-04-05 23:25:17 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Now, I've tried following the instructions under the following link for fixing expired certs: https://www.freeipa.org/page/Howto/CA_Certificate_Renewal However, I run into many issues, first I don't know what the is referenced very early on the instruction set. I Googled a bit and saw some advice about rolling the clock back, then restarting certmonger to renew the certs. Here is the output of that process.

[root at ipa ~]# date
Thu Apr 10 00:13:51 EDT 2014
[root at ipa ~]# /etc/init.d/certmonger restart
Stopping certmonger:                                       [  OK  ]
Starting certmonger:                                       [  OK  ]
[root at ipa ~]#

That did not work. Here are some errors from syslog:

Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error 7 connecting to http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.

Any ideas would greatly be appreciated. Thanks. -------------- next part -------------- An HTML attachment was scrubbed... 
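As an added example for the post above (not code from the thread, from FreeIPA or from certmonger), here is a small parser for `getcert list` output that separates the certificates that are actually past their expiry from the ones certmonger merely cannot renew right now, groups them by the renewal path certmonger would use (`dogtag-ipa-renew-agent` talks to the CA's own HTTP port, `IPA` goes through the host keytab and the KDC), and computes a date to roll the clock back to. The `SAMPLE` text is constructed (three of the eight requests, abridged), and the two-day margin is an assumption; Rob Crittenden's reply later in the thread suggests going back to April 3 or 4 and running `ipactl restart` before restarting certmonger.

```python
"""Parse `getcert list` output to see which tracked certificates have actually
expired and what date to roll the clock back to before restarting IPA and
certmonger. Added example for this thread, not certmonger's or FreeIPA's
code. SAMPLE is constructed from the shape of the output posted above
(three of the eight requests, abridged); the two-day rollback margin is an
assumption, not something the tools prescribe."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130404232110':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=IDEF
    expires: 2017-02-15 19:26:38 UTC
Request ID '20130404232127':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.infra.idef,O=IDEF
    expires: 2015-04-05 23:21:26 UTC
Request ID '20130404232517':
    status: CA_UNREACHABLE
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.infra.idef,O=IDEF
    expires: 2015-04-05 23:25:17 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z -]+?):\s*(.*)$")  # indented "key: value" lines
NICK_RE = re.compile(r"nickname='([^']*)'")


def utc(*ymd_hms):
    """Build a tz-aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request; 'expires_at' is a tz-aware datetime."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    for r in requests:
        if r.get("expires"):
            stamp = r["expires"].rsplit(" ", 1)[0]  # drop the trailing 'UTC'
            r["expires_at"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return requests


def expired_requests(requests, now):
    """Requests whose certificate is already past its expiry at 'now'."""
    return [r for r in requests if "expires_at" in r and r["expires_at"] <= now]


def renewal_paths(requests):
    """Group certificate nicknames by the certmonger CA helper that renews them."""
    paths = defaultdict(list)
    for r in requests:
        m = NICK_RE.search(r.get("certificate", ""))
        paths[r.get("CA", "?")].append(m.group(1) if m else r["request_id"])
    return dict(paths)


def rollback_date(requests, margin_days=2):
    """Date to set the clock to so every tracked cert is valid again: the
    earliest expiry minus a small margin (the margin is our assumption)."""
    earliest = min(r["expires_at"] for r in requests if "expires_at" in r)
    return (earliest - timedelta(days=margin_days)).date()


if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    for r in expired_requests(reqs, utc(2015, 4, 10)):
        print("expired:", r["request_id"], r["certificate"], r["expires"])
    print("renewal paths:", renewal_paths(reqs))
    print("roll the clock back to:", rollback_date(reqs))
```

On a real server, feed it `getcert list` via `subprocess` or a saved copy; the point of the grouping is that the 2017 CA-subsystem certs are not the problem here, only the three 2015 service certs are, and every renewal path fails until those are valid again.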
URL: From dpal at redhat.com Fri Apr 10 21:40:53 2015 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 10 Apr 2015 17:40:53 -0400 Subject: [Freeipa-users] Expired Certs In-Reply-To: <299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com> References: <299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com> Message-ID: <55284365.3060003@redhat.com> On 04/10/2015 03:58 PM, John Williams wrote: > I've inherited an IPA infrastructure for a group in my organization. > So I've got a RHEL instance with an IPA 3.0.0 server with expired certs. > > [root at ipa ~]# rpm -qa | grep ipa-server > ipa-server-selinux-3.0.0-26.el6_4.2.x86_64 > ipa-server-3.0.0-26.el6_4.2.x86_64 > [root at ipa ~]# > > > [root at ipa ~]# getcert list > Number of certificates and requests being tracked: 8. > Request ID '20130404232110': > status: CA_UNREACHABLE > ca-error: Error 7 connecting to > http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to > server. > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='242557339296' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IDEF > subject: CN=CA Audit,O=IDEF > expires: 2017-02-15 19:26:38 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232111': > status: CA_UNREACHABLE > ca-error: Error 7 connecting to > http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to > server. 
> stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin='242557339296' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IDEF > subject: CN=OCSP Subsystem,O=IDEF > expires: 2017-02-15 19:25:38 UTC > eku: id-kp-OCSPSigning > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232112': > status: CA_UNREACHABLE > ca-error: Error 7 connecting to > http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to > server. > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin='242557339296' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IDEF > subject: CN=CA Subsystem,O=IDEF > expires: 2017-02-15 19:25:38 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232113': > status: CA_UNREACHABLE > ca-error: Error 7 connecting to > http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to > server. 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IDEF > subject: CN=IPA RA,O=IDEF > expires: 2017-02-15 19:25:38 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232114': > status: CA_UNREACHABLE > ca-error: Error 7 connecting to > http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to > server. > stuck: no > key pair storage: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin='242557339296' > certificate: > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=IDEF > subject: CN=ipa.infra.idef,O=IDEF > expires: 2017-02-15 19:25:38 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232127': > status: CA_UNREACHABLE > ca-error: Error setting up ccache for "host" service on client using > default keytab: Cannot contact any KDC for realm 'IDEF'. 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IDEF > subject: CN=ipa.infra.idef,O=IDEF > expires: 2015-04-05 23:21:26 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232155': > status: CA_UNREACHABLE > ca-error: Error setting up ccache for "host" service on client using > default keytab: Cannot contact any KDC for realm 'IDEF'. > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IDEF > subject: CN=ipa.infra.idef,O=IDEF > expires: 2015-04-05 23:21:54 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > Request ID '20130404232517': > status: CA_UNREACHABLE > ca-error: Error setting up ccache for "host" service on client using > default keytab: Cannot contact any KDC for realm 'IDEF'. 
> stuck: no > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=IDEF > subject: CN=ipa.infra.idef,O=IDEF > expires: 2015-04-05 23:25:17 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > Now, I've tried following the instructions under the following link > for fixing expired certs: > > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > However, I run into many issues, first I don't know what the > is referenced very early on the instruction set. > > I Googled a bit and saw some advice about rolling the clock back, then > restarting certmonger to renew the certs. Here is the output of that > process. > > [root at ipa ~]# date > Thu Apr 10 00:13:51 EDT 2014 > [root at ipa ~]# /etc/init.d/certmonger restart > Stopping certmonger: [ OK ] > Starting certmonger: [ OK ] > [root at ipa ~]# > > That did not work. > > > Here are some errors from syslog > > Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" > service on client using default keytab: Cannot contact any KDC for > realm 'MyORG'. > Apr 10 00:13:57 ipa certmonger: Error 7 connecting to > http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't > connect to server. > Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" > service on client using default keytab: Cannot contact any KDC for > realm 'MyORG'. > Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" > service on client using default keytab: Cannot contact any KDC for > realm 'MyORG'. > > Any ideas would greatly be appreciated. > > Thanks. > > > Check if your KDC started OK. 
Check krb5kdc.log

More troubleshooting tips here: http://www.freeipa.org/page/Troubleshooting

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Fri Apr 10 21:46:52 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Apr 2015 17:46:52 -0400
Subject: [Freeipa-users] Expired Certs
In-Reply-To: <299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com>
References: <299477201.646416.1428695890225.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <552844CC.7040305@redhat.com>

John Williams wrote:
> I've inherited an IPA infrastructure for a group in my organization. So I've got a RHEL instance with an IPA 3.0.0 server with expired certs.
>
> [root at ipa ~]# rpm -qa | grep ipa-server
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root at ipa ~]#
>
> [root at ipa ~]# getcert list

[ snip ]

> [root at ipa ~]# date
> Thu Apr 10 00:13:51 EDT 2014
> [root at ipa ~]# /etc/init.d/certmonger restart
> Stopping certmonger: [ OK ]
> Starting certmonger: [ OK ]
> [root at ipa ~]#

You are going way too far back in time AFAICT. The certs expired on April 5 of this year so you don't need to go back to 2014. Just go back to April 3 or 4.

You'll also need to restart IPA before kicking certmonger:

ipactl restart

rob

From rcritten at redhat.com Fri Apr 10 22:23:54 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 10 Apr 2015 18:23:54 -0400
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com>
Message-ID: <55284D7A.2030801@redhat.com>

David Dejaeghere wrote:
> Hi,
>
> I even tried the command using an export from the http service nss db, same issue.
>
> regarding SElinux:
> ausearch -m AVC -ts recent
>
> Sending you the log personally.
Ok, so the way the certs are imported is all the certs in the PKCS#12 file are loaded in, then marked as untrusted.

certutil -O is executed against the server cert which prints out what the trust chain should be and those certs marked as trusted CA's.

That part is working fine.

Finally it makes another pass through the database to verify the chain.

Looking at the output there are two certs with the subject CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I wonder if this is confusing the cert loader. These certs are included in the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one is the "right" one, or if there even is one.

rob

> Regards,
>
> D
>
> 2015-04-10 17:03 GMT+02:00 Rob Crittenden:
>
> > David Dejaeghere wrote:
> > > Hi Rob,
> > >
> > > Without the --http-pin the command will give a prompt to enter the password.
> > > Tried both.
> > >
> > > I am sending the output of the pk12util -l to you in another email.
> > > It holds the wildcard certificate and the godaddy bundle for as far as I can tell.
> >
> > I have to admit, I'm a bit stumped. (SEC_ERROR_LIBRARY_FAILURE) is a rather generic NSS error which can mean any number of things. It often means that the NSS database it is using is bad in some way but given that this is a temporary database created just for this purpose I doubt that's it. You may want to look for SELinux AVCs though: ausearch -m AVC -ts recent.
> >
> > At the point where it is blowing up, the PKCS#12 file has already been imported and IPA is walking through the results trying to ensure that the full cert trust chain is available. It does this by reading the certs out of the database, and at that point it's blowing up.
> >
> > The PKCS#12 output you sent me looks ok. I don't believe this is an issue with trust or missing parts of the chain.
> >
> > I created a simple PKCS#12 file and was able to prepare a replica using it, so AFAICT the code isn't completely broken.
> >
> > Can you provide the full output from ipa-replica-prepare?
> >
> > rob
> >
> > > Regards,
> > >
> > > D
> > >
> > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden:
> > >
> > > > David Dejaeghere wrote:
> > > > > Hi,
> > > > >
> > > > > Sorry for the lack of details!
> > > > > You are indeed correct about the version, it's 4.1
> > > > > The command I am using is this:
> > > > > ipa-replica-prepare ipa-r1.myobscureddomain.com --http-cert-file /home/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 --ip-address 172.31.16.31 -v
> > > >
> > > > I was pretty sure a pin was required with those options as well.
> > > >
> > > > What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12
> > > >
> > > > rob
> > > >
> > > > > Regards,
> > > > >
> > > > > D
> > > > >
> > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden:
> > > > >
> > > > > > David Dejaeghere wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > Does somebody have any pointers for me regarding this issue?
> > > > > >
> > > > > > It would help very much if you'd include the version you're working with. Based on line numbers I'll assume IPA 4.1.
> > > > > >
> > > > > > It's hard to say since you don't include the command-line you're using, or what those files consist of.
> > > > > >
> > > > > > It looks like it is blowing up trying to verify that the whole certificate chain is available. NSS unfortunately doesn't always provide the best error messages so it's hard to say why this particular cert can't be loaded.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > D
> > > > > > >
> > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I am trying to set up a replica for my master which has been set up with an external CA to use our godaddy wildcard certificate.
> > > > > > > > The ipa-replica-prepare is failing with the following debug information.
> > > > > > > > I am using --http-cert and --dirsrv-cert with my pk12 server certificate.
> > > > > > > > What can I verify to get an idea of what is going wrong?
> > > > > > > >
> > > > > > > > ipa: DEBUG: stderr=
> > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > > > > > > >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > > > > > > >     self.ask_for_options()
> > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > > > > > > >     options.http_cert_name)
> > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > > > > > > >     host_name=self.replica_fqdn)
> > > > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > > > > > > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > > > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > > > > > > >     return nss.Certificate(buffer(data))
> > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > D

From david.dejaeghere at gmail.com Fri Apr 10 23:02:06 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Sat, 11 Apr 2015 01:02:06 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <55284D7A.2030801@redhat.com>
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com>
Message-ID:

Hi,

I get the same error when I use a pk12 with only the server certificate (and key) in it.
Not sure what else I can try.

Regards,

D

2015-04-11 0:23 GMT+02:00 Rob Crittenden:

> David Dejaeghere wrote:
> > Hi,
> >
> > I even tried the command using an export from the http service nss db, same issue.
> >
> > regarding SElinux:
> > ausearch -m AVC -ts recent
> >
> > Sending you the log personally.
>
> Ok, so the way the certs are imported is all the certs in the PKCS#12 file are loaded in, then marked as untrusted.
>
> certutil -O is executed against the server cert which prints out what the trust chain should be and those certs marked as trusted CA's.
>
> That part is working fine.
>
> Finally it makes another pass through the database to verify the chain.
>
> Looking at the output there are two certs with the subject CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I wonder if this is confusing the cert loader. These certs are included in the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which one is the "right" one, or if there even is one.
>
> rob
>
> [ snip ]
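The duplicate-subject check Rob describes in this thread (the same CN=Go Daddy Root Certificate Authority - G2 subject present twice with different serials in the PKCS#12 bundle) can be reproduced outside NSS. The script below is an added example, not FreeIPA code and not anything from the thread: it assumes the bundle's certificates have first been dumped to PEM (for instance with `openssl pkcs12 -in newcert.pk12 -nokeys`, an assumption about the extraction step), walks just enough DER to read each certificate's serialNumber and subject, and reports any subject that occurs with more than one serial. The sample certificates it checks are constructed fixtures built by the script itself (structurally valid X.509 v3 with placeholder key and signature bits), not the real Go Daddy or server certificates.

```python
# Added example for the ipa-replica-prepare thread: not FreeIPA code, no NSS.
# Reads subject + serial out of DER certificates and flags subjects that occur
# with more than one serial. The sample certs below are constructed fixtures.
import base64
import re

def der(tag, body):
    """DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(value):
    """DER INTEGER: minimal two's-complement big-endian bytes."""
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def der_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out.extend(chunk)
    return der(0x06, bytes(out))

def build_fixture_cert(subject_rdns, serial):
    """Constructed, self-issued X.509 v3 skeleton: valid structure, placeholder key/signature."""
    null = der(0x05, b"")
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + null)   # sha256WithRSAEncryption
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + null) + der(0x03, b"\x00" * 9))
    name = der(0x30, b"".join(der(0x31, der(0x30, der_oid(o) + der(0x0C, v.encode())))
                              for o, v in subject_rdns))         # one attribute per RDN
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"350101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))       # placeholder signature bits

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos; X.509 only uses single-byte tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """All (tag, body) elements inside a constructed type's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

# Attribute type OIDs keyed by their raw DER contents (2.5.4.x = joint-iso-ccitt ds attributeType)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def name_to_str(name_body):
    """Render a Name the way certutil prints it: CN first, comma-containing values quoted."""
    parts = []
    for _, rdn in children(name_body):              # each RDN is a SET
        for _, atv in children(rdn):                # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, value) = children(atv)
            text = value.decode("utf-8", "replace")
            text = '"%s"' % text if "," in text else text
            parts.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()), text))
    return ",".join(reversed(parts))

def cert_subject_and_serial(der_cert):
    """(subject string, serial int) from a DER Certificate; walks only the TBS prefix."""
    _, cert_body, _ = read_tlv(der_cert, 0)
    fields = children(children(cert_body)[0][1])    # tbsCertificate's fields
    idx = 1 if fields[0][0] == 0xA0 else 0          # optional explicit [0] version comes first
    serial = int.from_bytes(fields[idx][1], "big", signed=True)
    return name_to_str(fields[idx + 4][1]), serial  # serial, sigAlg, issuer, validity, subject

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_blocks(text):
    """DER bytes of every CERTIFICATE block, e.g. from 'openssl pkcs12 -in f.p12 -nokeys'."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def find_duplicate_subjects(der_certs):
    """subject -> sorted serials, for every subject that appears with more than one serial."""
    seen = {}
    for cert in der_certs:
        subject, serial = cert_subject_and_serial(cert)
        seen.setdefault(subject, set()).add(serial)
    return {s: sorted(v) for s, v in seen.items() if len(v) > 1}

def to_pem(der_cert):
    b64 = base64.b64encode(der_cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

# Constructed bundle: the two same-subject root entries from the thread plus one server cert.
GODADDY_G2 = [("2.5.4.6", "US"), ("2.5.4.8", "Arizona"), ("2.5.4.7", "Scottsdale"),
              ("2.5.4.10", "GoDaddy.com, Inc."), ("2.5.4.3", "Go Daddy Root Certificate Authority - G2")]
SERVER = [("2.5.4.6", "BE"), ("2.5.4.3", "*.myobscureddomain.com")]
SAMPLE_PEM = "".join(to_pem(build_fixture_cert(rdns, serial))
                     for rdns, serial in [(GODADDY_G2, 0), (GODADDY_G2, 1828629), (SERVER, 0x1234)])

if __name__ == "__main__":
    for subject, serials in find_duplicate_subjects(pem_to_der_blocks(SAMPLE_PEM)).items():
        print("duplicate subject %s with serials %s" % (subject, serials))
```

Feeding real `openssl pkcs12 -nokeys` output to `pem_to_der_blocks` and then `find_duplicate_subjects` gives the list of ambiguous subjects to resolve before handing the bundle to `ipa-replica-prepare`; the parser deliberately stops at the subject field and does not validate signatures or extensions, so it says nothing about which of two same-subject roots is the right one.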
From chamambom at afri-com.net Sat Apr 11 01:54:14 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Sat, 11 Apr 2015 01:54:14 +0000
Subject: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
Message-ID:

Good day

I have a freeipa primary server working as I wanted, no complex stuff has been set up yet except the basic service and sudo controls, which is fine by me. I have also set up a replica from the primary.

The DNS server is running from a different platform, so basically the 2 servers query a DNS server on another server to resolve their names.

My question is as follows: when the primary server fails, does the replica automatically assume the position of the primary? [And please note that replication is also working as expected.]

From nkinder at redhat.com Sat Apr 11 02:57:13 2015
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 10 Apr 2015 19:57:13 -0700
Subject: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
In-Reply-To:
References:
Message-ID: <55288D89.70305@redhat.com>

On 04/10/2015 06:54 PM, Martin Chamambo wrote:
> Good day
>
> I have a freeipa primary server working as I wanted, no complex stuff has been set up yet except the basic service and sudo controls, which is fine by me. I have also set up a replica from the primary.
>
> The DNS server is running from a different platform, so basically the 2 servers query a DNS server on another server to resolve their names.
>
> My question is as follows: when the primary server fails, does the replica automatically assume the position of the primary? [And please note that replication is also working as expected.]

The replica is no different from the primary master, aside from being responsible for CRL generation.

Failover really depends on how your clients are configured. If you are using SSSD, you should look at the 'FAILOVER' section in the 'sssd-ipa' man page for details on how it works and how it is configured.
From chamambom at afri-com.net Sat Apr 11 04:41:26 2015
From: chamambom at afri-com.net (Martin Chamambo)
Date: Sat, 11 Apr 2015 04:41:26 +0000
Subject: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
In-Reply-To: <55288D89.70305@redhat.com>
References: , <55288D89.70305@redhat.com>
Message-ID:

Thanx for the feedback

So if the replica is similar to the primary, if the primary gets completely fried, without automatic failover, I can reconfigure my clients to point to the new replica server without issues?

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Nathan Kinder [nkinder at redhat.com]
Sent: Saturday, April 11, 2015 4:57 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

[ snip ]
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From rcritten at redhat.com Sat Apr 11 04:51:56 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 11 Apr 2015 00:51:56 -0400
Subject: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS
In-Reply-To:
References: , <55288D89.70305@redhat.com>
Message-ID: <5528A86C.6090408@redhat.com>

Martin Chamambo wrote:
> Thanx for the feedback
>
> So if the replica is similar to the primary, if the primary gets completely fried, without automatic failover, I can reconfigure my clients to point to the new replica server without issues?

If you use DNS SRV records then in the short term all you need to do is drop the fried server from the list of SRV records and move on.

In the short to medium term, on the clients you'd want to check /etc/ipa/default.conf and /etc/sssd/sssd.conf for references to that dearly departed server and replace them with another server.

You'll also want to terminate any replication agreements with it on any other masters, otherwise changes will accumulate.

The only difference between the very first master you install and all the others is that the first one generates the CRL and manages CA renewal. See https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

I should mention that unless a master has actually created a user or group it has no DNA configuration, so it has no range of values to assign to POSIX users/groups. A clone is installed initially without a range and it fetches one the first time it needs it, from the master that created it. Of course, if that master is gone then problems ensue.
rob

From g.fer.ordas at unicyber.co.uk Sat Apr 11 06:05:42 2015
From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk)
Date: Sat, 11 Apr 2015 07:05:42 +0100
Subject: [Freeipa-users] AD --> IPA trust --::-- ipa: ERROR: Insufficient access: CIFS server denied your credentials
In-Reply-To: <5528A86C.6090408@redhat.com>
References: , <55288D89.70305@redhat.com> <5528A86C.6090408@redhat.com>
Message-ID: <4ec86ee947a50f1f97bcef40721591de@unicyber.co.uk>

Guys

Any way of simply skipping the CIFS mount credentials bit?
I do not actually need the AD CIFS at this point.

ipa trust-add --type=ad ad.domain.com --admin Admin --password
Active Directory domain administrator's password:
ipa: ERROR: Insufficient access: CIFS server denied your credentials

---
ot NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7f31e9911d50
s4_tevent: Destroying timer event 0x7f31e9911d50 "dcerpc_timeout_handler"
dcerpc: alter_resp - rpc fault: WERR_ACCESS_DENIED
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f31e99093a0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f31e99093a0
Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for 12345778-1234-abcd-ef00-0123456789ab at AD.ad.domain.com[49155] NT_STATUS_LOGON_FAILURE
s4_tevent: Destroying timer event 0x7f31e80539d0 "dcerpc_connect_timeout_handler"
[Sat Apr 11 06:00:17.408265 2015] [:error] [pid 25074] ipa: INFO: [jsonserver_session] admin at LINUX.DOMAIN.COM: trust_add(u'domain.com', trust_type=u'ad', realm_admin=Admin', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): ACIError
----

This is freeipa-server-4.1.4-1.el7.centos.x86_64

Thanks!!

From abokovoy at redhat.com Sat Apr 11 06:38:13 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 11 Apr 2015 09:38:13 +0300
Subject: [Freeipa-users] AD --> IPA trust --::-- ipa: ERROR: Insufficient access: CIFS server denied your credentials
In-Reply-To: <4ec86ee947a50f1f97bcef40721591de@unicyber.co.uk>
References: <55288D89.70305@redhat.com> <5528A86C.6090408@redhat.com> <4ec86ee947a50f1f97bcef40721591de@unicyber.co.uk>
Message-ID: <20150411063813.GA3945@redhat.com>

On Sat, 11 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Guys
>
>Any way of simply skipping the CIFS mount credentials bit?
>I do not actually need the AD CIFS at this point.
What do you mean by that? Establishing trust uses the SMB protocol family; it is not using a 'CIFS mount', but file system operations are part of the SMB protocol family, along with authentication, authorization, domain and trust management.

Your 'Admin' user on the AD side should be a member of either Enterprise Admins, Domain Admins of the forest root domain, or Schema Admins groups. See https://technet.microsoft.com/en-us/library/cc755700%28v=ws.10%29.aspx for details.

>
>ipa trust-add --type=ad ad.domain.com --admin Admin --password
>Active Directory domain administrator's password:
>ipa: ERROR: Insufficient access: CIFS server denied your credentials
>
>[ snip ]
>
>This is freeipa-server-4.1.4-1.el7.centos.x86_64
>
>Thanks!!
-- 
/ Alexander Bokovoy

From christoph.kaminski at biotronik.com Sat Apr 11 09:34:36 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Sat, 11 Apr 2015 11:34:36 +0200
Subject: [Freeipa-users] Replica status 'last update ended'
Message-ID:

Hi All

with the cmd:

ipa-replica-manage -v list myipaserver

I can see the status of the replication... But I don't understand the field 'last update ended'. What does the field show? The last SUCCESSFUL update? The last TRY to update? Something else?

I want to code some monitoring (nagios/icinga) checks for IPA and I need an authoritative statement/information about the replica status. Is it the right place?

Greetz
Christoph Kaminski

From christoph.kaminski at biotronik.com Sat Apr 11 10:08:56 2015
From: christoph.kaminski at biotronik.com (Christoph Kaminski)
Date: Sat, 11 Apr 2015 12:08:56 +0200
Subject: [Freeipa-users] DNS questions
Message-ID:

Hi all,

I have some questions about DNS in IPA... First some info on our DNS structure: we have 4 internal domains and a lot of subdomains, for example:

domain: ourdom.int
subdomains:
- mgmt.ourdom.int
- io.ourdom.int
- app.ourdom.int
etc.

Questions:

1. How should we build the zones in IPA? Should each subdomain get a zone? I see I can make only one zone for the domain and put the subdomain records there (like myhost.mgmt, then it resolves as myhost.mgmt.ourdom.int). What is the right way for this? Is there a difference between the ways?

(We had problems with IPA 4.1 loading the zones for the domains because our IPA servers are 'inside' the mgmt subdomain. It was necessary to put an A record for the IPA servers into the domain. Example: ipa1.mgmt.
Without this record the resolving for subdomains worked but not for the domains... With IPA 3.3.3 we didn't have this problem.)

2. We have 8 IPA servers here (because all our domains are blackboxes, the hosts can communicate only with 2 IPA servers inside the blackbox; the IPA servers can connect to each other over a special out-of-band network). What should be inside the NS records of each domain? All IPA servers (the hosts inside the blackbox can reach only 2) or only the 2 reachable ones?

TiA for the answers!

Greetz
Christoph Kaminski

From traiano at gmail.com Sat Apr 11 19:51:46 2015
From: traiano at gmail.com (Traiano Welcome)
Date: Sat, 11 Apr 2015 22:51:46 +0300
Subject: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
Message-ID:

Hi

I got this error while installing an IPA replica of my primary master IDM server:

".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"

Replica add command:

ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg

A little more context:

---
.
.
.
Done configuring ipa-otpd.
Applying LDAP updates
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
ipa : ERROR Anonymous ACI not found, cannot update it
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Using reverse zone xxx.16.172.in-addr.arpa.
---

What does this error mean? If it's suggesting that somehow a key LDAP attribute was not created, how can I fix this?
Thanks in advance,
Traiano

From brian.topping at gmail.com Sun Apr 12 03:27:10 2015
From: brian.topping at gmail.com (Brian Topping)
Date: Sun, 12 Apr 2015 10:27:10 +0700
Subject: [Freeipa-users] Checking 389 for ACI contamination
Message-ID: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com>

Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time; is there any possibility that the 3.x ACIs contaminated the 4.x DIT?

If so, how would I check it? Is there an LDIF in the distro that I can manually compare the entries against?

cheers, Brian

From dpal at redhat.com Mon Apr 13 02:14:21 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 12 Apr 2015 22:14:21 -0400
Subject: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
In-Reply-To:
References:
Message-ID: <552B267D.60809@redhat.com>

On 04/11/2015 03:51 PM, Traiano Welcome wrote:
> Hi
>
> I got this error while installing an IPA replica of my primary master IDM server:
>
> ".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>
> Replica add command:
>
> ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg
>
> A little more context:
>
> ---
> .
> .
> .
>
> Done configuring ipa-otpd.
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa : ERROR Anonymous ACI not found, cannot update it
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Using reverse zone xxx.16.172.in-addr.arpa.
>
> ---
>
> What does this error mean? If it's suggesting that somehow a key LDAP attribute was not created, how can I fix this?
>
> Thanks in advance,
> Traiano

You are probably installing a replica on a server that has a different version than the server that created the initial replica file. What are the versions you are working with?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Mon Apr 13 02:16:19 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 12 Apr 2015 22:16:19 -0400
Subject: [Freeipa-users] Checking 389 for ACI contamination
In-Reply-To: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com>
References: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com>
Message-ID: <552B26F3.9000006@redhat.com>

On 04/11/2015 11:27 PM, Brian Topping wrote:
> Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time; is there any possibility that the 3.x ACIs contaminated the 4.x DIT?
>
> If so, how would I check it? Is there an LDIF in the distro that I can manually compare the entries against?
>
> cheers, Brian

Did you do any custom ACIs in 3.3? 4.0 has a new ACI framework so it most likely replicated into 3.3, not the other way around. I would leave it to the experts to provide specific commands on how to check things.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From Alexander.Frolushkin at megafon.ru Mon Apr 13 03:27:10 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Mon, 13 Apr 2015 03:27:10 +0000 Subject: [Freeipa-users] user account without password In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7BA268@001FSN2MPN1-046.001f.mgd2.msft.net> References: <552779E5.9020304@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E7BA268@001FSN2MPN1-046.001f.mgd2.msft.net> Message-ID:

-----Original Message----- From: Nordgren, Bryce L -FS [mailto:bnordgren at fs.fed.us] Sent: Friday, April 10, 2015 9:27 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users at redhat.com Subject: RE: [Freeipa-users] user account without password

>> Also, if such an account will also exist locally (my case), it will not be controlled by HBAC rules - it can be some kind of security trap...

> Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local accounts need to be scoped to the local machine (e.g., "apache" on server 1 is different than "apache" on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named accounts on different machines.
> Alternatively, allowing domain accounts to run certain services also has some merit (assuming the user has permissions to do so).
> Just thinking into email.
> Bryce

I have long and positive experience using both local and IPA users with the same attributes, but without HBAC and without a sudo way to obtain a shell as such users. Default settings in nsswitch.conf and PAM have provided straightforward and clear system behavior for about three years. But I agree there can be cases where such a construction may lead to misbehavior and so on. We will try to avoid them. SSO is not really the aim for us; we just need to make an environment where users must remember only one password to access all resources on Unix/Linux servers. Not trying to argue, just sharing some thoughts :)

Alexander

________________________________
The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
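The local-versus-domain overlap Bryce and Alexander discuss above is easy to audit. The following is an added example for this thread, not FreeIPA code: it parses passwd(5)-format text from two sources and reports every user name defined in both. The two inputs are constructed; on a real host you would feed it the contents of /etc/passwd and the output of `getent -s sss passwd` (sssd's view of the domain). The severity labels (`uid-mismatch`, `hbac-bypass`, `service-account`) are this example's own naming.

```python
"""Find user names defined both in local /etc/passwd and in the IPA domain.

Added example for this thread; it is not FreeIPA code.  The two inputs at
the bottom are constructed.  On a real host use the contents of
/etc/passwd and the output of `getent -s sss passwd`.
"""
from typing import Dict, List, NamedTuple

NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


class Finding(NamedTuple):
    name: str
    kind: str        # "uid-mismatch", "hbac-bypass" or "service-account"
    local_uid: int
    domain_uid: int


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5)-format lines into a name -> entry map."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def find_collisions(local_text: str, domain_text: str) -> List[Finding]:
    """Return one Finding per user name present in both sources.

    With `passwd: files sss` in nsswitch.conf the local entry answers
    lookups for that name, and in the usual authconfig-generated PAM stack
    pam_unix (auth) and pam_localuser (account) are satisfied by the local
    account before pam_sss is reached, so IPA HBAC rules are never
    evaluated for it.
    """
    local = parse_passwd(local_text)
    domain = parse_passwd(domain_text)
    findings: List[Finding] = []
    for name in sorted(set(local) & set(domain)):
        l, d = local[name], domain[name]
        if l.uid != d.uid:
            # Same name, different UID: file ownership and audit records
            # become ambiguous.  Worst case.
            kind = "uid-mismatch"
        elif l.shell not in NOLOGIN_SHELLS:
            # Interactive local account: logs in via pam_unix, bypassing HBAC.
            kind = "hbac-bypass"
        else:
            # Non-interactive local service account mirrored in the domain
            # (the pattern discussed above).  Lowest severity, still listed.
            kind = "service-account"
        findings.append(Finding(name, kind, l.uid, d.uid))
    return findings


# Constructed sample data (not taken from any real host).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
alexander:x:1000:1000:Alexander:/home/alexander:/bin/bash
backup:x:1001:1001:Backup job:/var/backup:/bin/bash
"""

DOMAIN_PASSWD = """\
alexander:*:1000:1000:Alexander:/home/alexander:/bin/bash
apache:*:48:48:Apache service:/usr/share/httpd:/sbin/nologin
backup:*:1234:1234:Backup job:/home/backup:/bin/bash
jdoe:*:5000:5000:Jane Doe:/home/jdoe:/bin/bash
"""

if __name__ == "__main__":
    for f in find_collisions(LOCAL_PASSWD, DOMAIN_PASSWD):
        print(f"{f.kind:16} {f.name:12} local uid={f.local_uid} domain uid={f.domain_uid}")
```

Run over the sample data it flags `backup` (UID 1001 locally, 1234 in the domain), `alexander` (same UID, interactive shell, so the local password bypasses HBAC) and `apache` (service account present in both, the lowest-severity case); `jdoe` exists only in the domain and is not reported.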
From traiano at gmail.com Mon Apr 13 04:41:12 2015 From: traiano at gmail.com (Traiano Welcome) Date: Mon, 13 Apr 2015 07:41:12 +0300 Subject: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute "objectclass" In-Reply-To: <552B267D.60809@redhat.com> References: <552B267D.60809@redhat.com> Message-ID:

Hi Dmitri

Thanks for the response.

On Mon, Apr 13, 2015 at 5:14 AM, Dmitri Pal wrote:
> On 04/11/2015 03:51 PM, Traiano Welcome wrote:
>>
>> Hi
>>
>> I got this error while installing an IPA replica of my primary master IDM server:
>>
>> ".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>>
>> Replica add command:
>>
>> ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg
>>
>> A little more context:
>>
>> ---
>> .
>> .
>> .
>>
>> Done configuring ipa-otpd.
>> Applying LDAP updates
>> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>> ipa : ERROR Anonymous ACI not found, cannot update it
>> Restarting the directory server
>> Restarting the KDC
>> Restarting the certificate server
>> Using reverse zone xxx.16.172.in-addr.arpa.
>>
>> ---
>>
>> What does this error mean? If it's suggesting that somehow a key ldap attribute was not created, how can I fix this?
>>
>> Thanks in advance,
>> Traiano
>>
>
> You are probably installing a replica on a server that has a different version than the server that created the initial replica file.
> What are the versions you are working with?
>

That's possible, but very unlikely: I installed master and replicas from the same .iso, to make sure of no package variations in repos.
CentOS 7.0 with this set of packages off the installation CD:

---
ipa-admintools-3.3.3-28.el7.centos.x86_64.rpm
ipa-client-3.3.3-28.el7.centos.x86_64.rpm
ipa-gothic-fonts-003.03-5.el7.noarch.rpm
ipa-mincho-fonts-003.03-5.el7.noarch.rpm
ipa-pgothic-fonts-003.03-5.el7.noarch.rpm
ipa-pmincho-fonts-003.03-5.el7.noarch.rpm
ipa-python-3.3.3-28.el7.centos.x86_64.rpm
ipa-server-3.3.3-28.el7.centos.x86_64.rpm
ipa-server-trust-ad-3.3.3-28.el7.centos.x86_64.rpm
python-sssdconfig-1.11.2-65.el7.noarch.rpm
sssd-1.11.2-65.el7.x86_64.rpm
sssd-ad-1.11.2-65.el7.x86_64.rpm
sssd-client-1.11.2-65.el7.x86_64.rpm
sssd-common-1.11.2-65.el7.x86_64.rpm
sssd-common-pac-1.11.2-65.el7.x86_64.rpm
sssd-ipa-1.11.2-65.el7.x86_64.rpm
sssd-krb5-1.11.2-65.el7.x86_64.rpm
sssd-krb5-common-1.11.2-65.el7.x86_64.rpm
sssd-ldap-1.11.2-65.el7.x86_64.rpm
sssd-proxy-1.11.2-65.el7.x86_64.rpm
---

In any case, I think I've 'overwritten' the problem by upgrading to FreeIPA 4.1.0 ... This seems to have fixed that particular problem.

> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From traiano at gmail.com Mon Apr 13 04:43:00 2015 From: traiano at gmail.com (Traiano Welcome) Date: Mon, 13 Apr 2015 07:43:00 +0300 Subject: [Freeipa-users] Multi-Master IPA deployment with AD Trusts: Stability and Consistency Expectations? Message-ID:

Hi List

The deployment I'm contemplating is as follows:

1. FreeIPA master at a central site, with AD Trust established to the primary DC.
2. Replicas of the FreeIPA master at 4 other sites (with varying WAN latency between central and site), with replication agreements only with the master at the central site.
(So the AD trust is established only between the master IPA server and the primary AD domain controller.)

There is also an existing domain controller at each site that synchs to the primary domain controller at the main site.

I'd like AD user access to Linux systems at each site to be as stable and consistent as possible, so to rule out the effect of WAN latency and possibly intermittent connectivity (and a host of possibly other unknown factors), I plan to establish an AD trust between the replica at each site and the local AD domain controller. My thinking is that AD user account information will then be available to the replica almost as soon as it's available to the AD DC at that site. So ultimately, the consistency of user information should be as good as can be expected from AD's cross-WAN replication to remote sites, even if the synchronisation between a replica and master is not 100% in synch at all times (e.g. due to WAN latency).

My concern is that multiple trusts established this way may lead to replication inconsistency between the master IPA server and its replicas, especially in the case where the replica is seeing AD information in different stages of replication.

My question: Does IPA cope with this scenario? Is it safe, and will it improve AD authentication performance (at least from the user point of view) to establish trust between each replica and the local domain controller in each given site?

NOTE: I'm aware that AD replication also runs on a schedule and 'slaves' can lag the primary from around 180 minutes to a day depending on WAN conditions.
Traiano

From tlau at tetrioncapital.com Mon Apr 13 05:15:09 2015 From: tlau at tetrioncapital.com (Thomas Lau) Date: Mon, 13 Apr 2015 13:15:09 +0800 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info Message-ID:

Hi all,

We have a cronjob which runs as a FreeIPA LDAP user; when the connection between IPA server and client has heavy packet loss, the following error occurs:

CRON[20637]: Authentication service cannot retrieve authentication info

I have cache credentials and store password if offline enabled on sssd; how is this problem still happening?

sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True

From abokovoy at redhat.com Mon Apr 13 06:02:28 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 13 Apr 2015 09:02:28 +0300 Subject: [Freeipa-users] Multi-Master IPA deployment with AD Trusts: Stability and Consistency Expectations? In-Reply-To: References: Message-ID: <20150413060228.GB3945@redhat.com>

On Mon, 13 Apr 2015, Traiano Welcome wrote:
>Hi List
>
>The deployment I'm contemplating is as follows:
>
>1. FreeIPA master at a central site, with AD Trust established to the primary DC.
>2. Replicas of the FreeIPA master at 4 other sites (with varying WAN latency between central and site), with replication agreements only with the master at the central site.
>
>(So the AD trust is established only between the master IPA server and the primary AD domain controller.)
>
>There is also an existing domain controller at each site that synchs to the primary domain controller at the main site.
>
>I'd like AD user access to Linux systems at each site to be as stable and consistent as possible, so to rule out the effect of WAN latency and possibly intermittent connectivity (and a host of possibly other unknown factors), I plan to establish an AD trust between the replica at each site and the local AD domain controller. My thinking is that AD user account information will then be available to the replica almost as soon as it's available to the AD DC at that site.
>So ultimately, the consistency of user information should be as good as can be expected from AD's cross-WAN replication to remote sites, even if the synchronisation between a replica and master is not 100% in synch at all times (e.g. due to WAN latency).
>
>My concern is that multiple trusts established this way may lead to replication inconsistency between the master IPA server and its replicas, especially in the case where the replica is seeing AD information in different stages of replication.
>
>My question: Does IPA cope with this scenario? Is it safe, and will it improve AD authentication performance (at least from the user point of view) to establish trust between each replica and the local domain controller in each given site?

This topic was raised already in March on this list, so please study the archives for more details about site-awareness in SSSD.

One thing I must note is that you seem to share a common misunderstanding of how trust to Active Directory is established. There is *no* need to 'establish an AD trust between the replica at each site and the local AD domain controller'. The trust is established once and for the whole forest. Information about the trust is replicated to all IPA masters. In order to get them activated to *provide* access to the already established trust you need to run 'ipa-adtrust-install' on each IPA master. However, you *don't* need to run 'ipa trust-add' again, and even if you ran it, it would fail because none of your local AD DCs is the primary domain controller for your forest root domain.
-- / Alexander Bokovoy

From mkosek at redhat.com Mon Apr 13 06:31:25 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 13 Apr 2015 08:31:25 +0200 Subject: [Freeipa-users] Replica status 'last update ended' In-Reply-To: References: Message-ID: <552B62BD.3000303@redhat.com>

On 04/11/2015 11:34 AM, Christoph Kaminski wrote:
> Hi All
>
> with the cmd:
>
> ipa-replica-manage -v list myipaserver
>
> I can see the status of the replication... But I don't understand the field 'last update ended'. What does the field show? The last SUCCESSFUL update? The last TRY to update? Something else?
> I want to code some monitoring (nagios/icinga) checks for IPA and I need an authoritative statement/information about the replica status. Is it the right place?

I think so, this shows the nsds5replicalastupdateend field.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaLastUpdateEnd.html

CCing Thierry to confirm.

From mkosek at redhat.com Mon Apr 13 06:33:48 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 13 Apr 2015 08:33:48 +0200 Subject: [Freeipa-users] Checking 389 for ACI contamination In-Reply-To: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com> References: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com> Message-ID: <552B634C.1060808@redhat.com>

On 04/12/2015 05:27 AM, Brian Topping wrote:
> Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time; is there any possibility that the 3.x ACIs contaminated the 4.x DIT?

What do you mean by... contaminated? Can you please describe what exactly happened? As Dmitri said, there were major ACI related changes in 4.0, but I am not sure what the problem is in your case.
>
> If so, how would I check it? Is there an LDIF in the distro that I can manually compare the entries against?

I am not sure which entries you are referring to. But from 4.0, most of the ACIs are now generated dynamically, from Python code.

From mkosek at redhat.com Mon Apr 13 06:39:38 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 13 Apr 2015 08:39:38 +0200 Subject: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute "objectclass" In-Reply-To: References: Message-ID: <552B64AA.6000208@redhat.com>

On 04/11/2015 09:51 PM, Traiano Welcome wrote:
> Hi
>
> I got this error while installing an IPA replica of my primary master IDM server:
>
> ".LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
>
> Replica add command:
>
> ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg
>
> A little more context:
>
> ---
> .
> .
> .
>
> Done configuring ipa-otpd.
> Applying LDAP updates
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERROR Add failure missing required attribute "objectclass"
> ipa : ERROR Anonymous ACI not found, cannot update it
> Restarting the directory server
> Restarting the KDC
> Restarting the certificate server
> Using reverse zone xxx.16.172.in-addr.arpa.
>
> ---
>
> What does this error mean? If it's suggesting that somehow a key ldap attribute was not created, how can I fix this?

Most probably, the update process tried to add members to some object/role/privilege that did not exist, so it tried to add just the members, which failed as objectclass is required for new objects. We would need to see ipareplica-install.log to see which attribute it was.
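Picking up the 'last update ended' question above (Christoph Kaminski, answered by Martin Kosek): the fields `ipa-replica-manage -v list` prints are the nsds5replica* attributes of the replication agreement entries under cn=mapping tree,cn=config, and a Nagios/Icinga check has to combine more than one of them to be meaningful. The following is an added example for this thread, not FreeIPA code. The three agreement entries are constructed (hosts, values and thresholds are made up). It assumes nsds5replicaLastUpdateStatus is either `<code> <text>` or `Error (<code>) <text>` with code 0 meaning success, and that the timestamps are LDAP GeneralizedTime in UTC.

```python
"""Evaluate 389-ds replication agreement status the way a Nagios/Icinga
check would.

Added example for this thread, not FreeIPA code.  The agreement entries
below are constructed; a real check would read them with an LDAP search
under cn=mapping tree,cn=config (ipa-replica-manage -v list prints the
same attributes).  Assumed formats: nsds5replicaLastUpdateStatus is
"<code> <text>" or "Error (<code>) <text>" with 0 meaning success; the
timestamps are LDAP GeneralizedTime in UTC ("20150413063125Z").
"""
import re
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
# Ranking used to pick the overall result (UNKNOWN ranks below CRITICAL,
# as in Nagios' own aggregation).
SEVERITY = {OK: 0, WARNING: 1, UNKNOWN: 2, CRITICAL: 3}
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

STATUS_RE = re.compile(r"^(?:Error \()?(-?\d+)\)?\s*(.*)$")


class Result(NamedTuple):
    agreement: str
    state: int
    message: str


def parse_generalized_time(value: Optional[str]) -> Optional[datetime]:
    """'20150413063125Z' -> aware UTC datetime; missing or '0' -> None."""
    if not value or value.strip() == "0":
        return None
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_status(value: Optional[str]) -> Tuple[Optional[int], str]:
    """Split the status attribute into (code, text); code is None if unparseable."""
    if not value:
        return None, ""
    match = STATUS_RE.match(value.strip())
    if not match:
        return None, value.strip()
    return int(match.group(1)), match.group(2)


def check_agreement(entry: Dict[str, str], now: datetime,
                    stuck_after: timedelta) -> Result:
    """Classify one replication agreement entry."""
    name = entry.get("cn", "?")
    code, text = parse_status(entry.get("nsds5replicaLastUpdateStatus"))
    start = parse_generalized_time(entry.get("nsds5replicaLastUpdateStart"))
    end = parse_generalized_time(entry.get("nsds5replicaLastUpdateEnd"))

    if code is None:
        return Result(name, UNKNOWN, f"unparseable status {text!r}")
    if code != 0:
        # The supplier reported a failure on its last session.
        return Result(name, CRITICAL, f"status {code}: {text}")
    if start is None or end is None:
        return Result(name, WARNING, "no completed replication session recorded")
    # nsds5replicaLastUpdateEnd is written only after the consumer has
    # acknowledged every update of the session, so a start timestamp that
    # stays newer than the end timestamp means a session that never
    # finished, even while the status code still reads 0.
    if start > end and now - start > stuck_after:
        return Result(name, WARNING,
                      f"session started {start:%Y-%m-%dT%H:%M:%SZ} has not completed")
    return Result(name, OK, f"last update ended {end:%Y-%m-%dT%H:%M:%SZ}")


def check_all(entries: List[Dict[str, str]], now: datetime,
              stuck_after: timedelta = timedelta(minutes=15)) -> Tuple[int, List[Result]]:
    """Check every agreement; return (overall state, per-agreement results)."""
    results = [check_agreement(e, now, stuck_after) for e in entries]
    if not results:
        return UNKNOWN, results
    worst = max(results, key=lambda r: SEVERITY[r.state]).state
    return worst, results


# Constructed agreement entries and clock (hosts and values are made up).
SAMPLE_NOW = datetime(2015, 4, 13, 6, 32, 0, tzinfo=timezone.utc)
SAMPLE_AGREEMENTS = [
    {"cn": "meToipa2.example.test",
     "nsds5replicaLastUpdateStatus": "0 Replica acquired successfully: Incremental update succeeded",
     "nsds5replicaLastUpdateStart": "20150413063120Z",
     "nsds5replicaLastUpdateEnd": "20150413063125Z"},
    {"cn": "meToipa3.example.test",
     "nsds5replicaLastUpdateStatus": "-1 Unable to acquire replica: error: permission denied",
     "nsds5replicaLastUpdateStart": "20150413063000Z",
     "nsds5replicaLastUpdateEnd": "20150412230000Z"},
    {"cn": "meToipa4.example.test",
     "nsds5replicaLastUpdateStatus": "0 Replica acquired successfully: Incremental update started",
     "nsds5replicaLastUpdateStart": "20150413050000Z",
     "nsds5replicaLastUpdateEnd": "20150413043000Z"},
]

if __name__ == "__main__":
    overall, results = check_all(SAMPLE_AGREEMENTS, SAMPLE_NOW)
    for r in results:
        print(f"{r.agreement}: {STATE_NAMES[r.state]} - {r.message}")
    sys.exit(overall)
```

On the sample data the first agreement is OK, the second is CRITICAL because the supplier reported a non-zero status, and the third is WARNING because its session started after the last recorded end and has been open for longer than the 15-minute threshold, so the overall exit code is CRITICAL. The end timestamp alone is a poor staleness signal: it only advances when a session completes, so the check pairs it with the status code and the start-newer-than-end condition rather than alerting on its age.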
From jhrozek at redhat.com Mon Apr 13 07:14:59 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 13 Apr 2015 09:14:59 +0200 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: References: Message-ID: <20150413071459.GA28555@hendrix.arn.redhat.com>

On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
> Hi all,
>
> We have a cronjob which runs as a FreeIPA LDAP user; when the connection between IPA server and client has heavy packet loss, the following error occurs:
>
> CRON[20637]: Authentication service cannot retrieve authentication info
>
> I have cache credentials and store password if offline enabled on sssd; how is this problem still happening?
>
>
> sssd.conf:
>
> cache_credentials = True
> krb5_store_password_if_offline = True

Did the user log in at least once offline? You can verify if the password has been cached using the ldbsearch utility. It would be best to catch the occurrence of the problem in logs.

From tbordaz at redhat.com Mon Apr 13 07:29:10 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 13 Apr 2015 09:29:10 +0200 Subject: [Freeipa-users] Replica status 'last update ended' In-Reply-To: <552B62BD.3000303@redhat.com> References: <552B62BD.3000303@redhat.com> Message-ID: <552B7046.3020603@redhat.com>

On 04/13/2015 08:31 AM, Martin Kosek wrote:
> On 04/11/2015 11:34 AM, Christoph Kaminski wrote:
>> Hi All
>>
>> with the cmd:
>>
>> ipa-replica-manage -v list myipaserver
>>
>> I can see the status of the replication... But I don't understand the field 'last update ended'. What does the field show? The last SUCCESSFUL update? The last TRY to update? Something else?
>> I want to code some monitoring (nagios/icinga) checks for IPA and I need an authoritative statement/information about the replica status. Is it the right place?
> I think so, this shows the nsds5replicalastupdateend field.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicaLastUpdateEnd.html
>
> CCing Thierry to confirm.
>

Hello,

A master starts a replication session to a replica. During this session it checks which updates are missing and sends them. Then it closes the replication session. If the replica is already up to date, the master will send no update.

The timestamp nsds5replicalastupdateend is the time when the master has sent all the missing updates (possibly 0 if the replica is up to date) and has no more updates to send. The master waits for the replica's response (on each update) before setting this timestamp.

If an error occurred while sending an update, the master resets the 'nsds5replicaLastUpdateStart' timestamp.

thanks
thierry

From sprokhorov at intech-global.com Mon Apr 13 07:53:01 2015 From: sprokhorov at intech-global.com (Sergey Prokhorov) Date: Mon, 13 Apr 2015 10:53:01 +0300 Subject: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server In-Reply-To: <552647E4.7010405@intech-global.com> References: <552647E4.7010405@intech-global.com> Message-ID: <552B75DD.9010808@intech-global.com>

Thank you, Rob, for your response.

On 08.04.2015 21:07, Rob Crittenden wrote:
> I assume you can't do this because the original host is lost, right?

Yeah, you're right.

> Every IPA master is equal, some are just more equal than others. The key bit that distinguishes them is whether there is a CA installed. The other bit has to do with CRL generation and renewal which in your version can only be done on one host (neither of which apply to --selfsign anyway).
I want to clarify: I didn't use the --selfsign key during primary server installation. I suppose it's the default key for the CA, am I wrong? On my current IPA server (replica) I don't have a CA.

> You mention migrating. What new primary server?

I'm talking about installing a new FreeIPA server and copying all data there.

> So I'd start digging around to see if you have the original CA private key somewhere. The end of the IPA server install would have recommended backing up cacert.p12.
>

I have a backup of the cacert.p12 key.

From pspacek at redhat.com Mon Apr 13 08:36:51 2015 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Apr 2015 10:36:51 +0200 Subject: [Freeipa-users] DNS questions In-Reply-To: References: Message-ID: <552B8023.5030300@redhat.com>

Hello!

On 11.4.2015 12:08, Christoph Kaminski wrote:
> have some questions about DNS in IPA...
>
> first some info on our DNS structure:
>
> we have 4 internal domains and a lot of subdomains, for example:
>
> domain:
> ourdom.int
>
> subdomains:
> - mgmt.ourdom.int
> - io.ourdom.int
> - app.ourdom.int

Before we dive into details, please note that you *should not* be using DNS names which were not delegated to you. I.e. it is a bad idea to use 'ourdom.int' unless the domain 'ourdom.int' is really registered to your name. See http://www.freeipa.org/page/DNS#Caveats

It is going to cause problems when:
- some other company starts using the same name on the public Internet
- you merge with another company using the same name
- DNSSEC validation is enabled (technically you are 'hijacking'/'shadowing' the name and DNSSEC will detect that)

> Questions:
>
> 1. How should we build the zones in ipa? should each subdomain get a zone?
> I see I can make only one zone for the domain and put the subdomain records there too (like myhost.mgmt, then it resolves as myhost.mgmt.ourdom.int)
> What is the right way for this?

Technically this is up to you.

> Is there a difference between the ways?
Zone transfers, access control, and zone delegation are done on zone level. I.e. smaller zones give you more control over these aspects. It really depends on your use-case what you prefer. Technically it is perfectly fine to keep everything in a single zone.

> (we got problems with IPA 4.1 loading the zones for domains because our IPA servers are 'inside' the mgmt subdomain. It was necessary to put an A record for the IPA servers into the domain. Example: ipa1.mgmt . Without this record the resolving for subdomains worked but not for the domains... With IPA 3.3.3 we didn't have this problem)

I do not fully understand what you mean. Could you describe the example in whole, please? What exactly was in the non-functional configuration? What error messages/symptoms did you see? How did you change the configuration to fix it?

Thank you!

> 2. We have 8 IPA Servers here (because all our domains are blackboxes, the hosts can communicate only with 2 IPA servers inside the blackbox; IPA servers can connect to each other over a special out of band network). What should be inside the NS record of each domain? All IPA servers (the hosts inside the blackbox can reach only 2) or only the 2 reachable?

I'm not 100 % sure what you mean by 'blackbox'. Generally NS records should contain only servers reachable from other parts of the network. DNS resolvers try to contact servers listed in NS records when querying for records in the given zone. Servers which are not reachable but listed in NS records will cause timeouts.

Have a nice day!
-- Petr^2 Spacek

From tlau at tetrioncapital.com Mon Apr 13 12:23:33 2015 From: tlau at tetrioncapital.com (Thomas Lau) Date: Mon, 13 Apr 2015 20:23:33 +0800 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: <20150413071459.GA28555@hendrix.arn.redhat.com> References: <20150413071459.GA28555@hendrix.arn.redhat.com> Message-ID:

Hi,

These problems appear randomly; sometimes it still works even under heavy packet loss, sometimes it is like this. So it's hard to catch.

On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote:
> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
> > Hi all,
> >
> > We have a cronjob which runs as a FreeIPA LDAP user; when the connection between IPA server and client has heavy packet loss, the following error occurs:
> >
> > CRON[20637]: Authentication service cannot retrieve authentication info
> >
> > I have cache credentials and store password if offline enabled on sssd; how is this problem still happening?
> >
> >
> > sssd.conf:
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
>
> Did the user log in at least once offline? You can verify if the password has been cached using the ldbsearch utility. It would be best to catch the occurrence of the problem in logs.
>

From Janne.Blomqvist at aalto.fi Mon Apr 13 14:07:28 2015 From: Janne.Blomqvist at aalto.fi (Janne Blomqvist) Date: Mon, 13 Apr 2015 17:07:28 +0300 Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <55279255.6070908@redhat.com> References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com> <55278F32.4020302@aalto.fi> <55279255.6070908@redhat.com> Message-ID: <552BCDA0.2050200@aalto.fi> On 2015-04-10 12:05, Petr Spacek wrote: > On 10.4.2015 10:52, Janne Blomqvist wrote: > > On 2015-04-07 14:29, Martin Kosek wrote: > >> On 04/05/2015 08:03 PM, Dmitri Pal wrote: > >>> On 04/05/2015 12:51 PM, Janelle wrote: > >>>> Hello, > >>>> > >>>> Trying to find a way on a multi-homed server to force IPA and its > >> related > >>>> apps to listen on a specific interface. I can find all kinds of > >> info saying > >>>> "the services listen on all interfaces by default" so there must be > >> a way? > >>>> > >>>> Thank you > >>>> ~J > >>>> > >>> Sounds familiar. > >>> I think there is a ticket open for that. > >> > >> This is the RFE: > >> > >> https://fedorahosted.org/freeipa/ticket/3338 > >> > >> Just in case anybody would like to help us extend FreeIPA installers :-) > >> > > > > Hi, > > > > I have a related, or opposite really, problem. > > > > So I have configured IPA for a domain (say, ipa.example.org). Then I have a > > bunch of client machines that can join the domain etc. Fine so far. > > > > However, I also have another bunch of client machines on an internal network > > (with NAT access to the outside world). So for these I add another network > > interface on the ipa servers. So my ipa servers have two IP's and dns names, > > say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now > > it doesn't work so well anymore for these clients, because the krb principals > > for the IPA server(s) are bound to the public name, so joining the domain > > fails (ipa1.local != ipa1.ipa.example.org). 
I can sort-of make it work by > > joining via the public interface (manually creating the machine accounts on > > the ipa server first, since otherwise it doesn't understand clientX.local dns > > names/IP's), but then obviously all communication goes via the NAT box which > > is a SPOF. > > > > So is there some reasonable way to make the above work? > > IMHO cleanest solution is to properly configure routing in your network to > route your public IP range properly to the respective subnet instead of going > through a NAT. > > Details depend on your network so I do not have exact steps for you, sorry. > Thanks. So do you mean something like on each client machine in the NATed network I add special routes to the ipa servers? And by that the client machines would know that ipa1.ipa.example.org can be reached via ipa1.local instead of going via the default route (which is the NAT box)? -- Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist Aalto University School of Science, PHYS & NBE +358503841576 || janne.blomqvist at aalto.fi From guertin at middlebury.edu Mon Apr 13 14:23:08 2015 From: guertin at middlebury.edu (David Guertin) Date: Mon, 13 Apr 2015 10:23:08 -0400 Subject: [Freeipa-users] Can an Active Directory domain be the default domain? Message-ID: <552BD14C.90800@middlebury.edu> In our newly-setup IPA environment, users can log in to RHEL clients with the username @addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no longer work. Many of the users have web pages served from the public_html directory in their home directory. With our old NIS configuration, the URL is of the form http://hostname/~username. With the new IPA configuration, these URLs no longer work; the web pages are now found in http://hostname/~username at addomain. 
I can think of several ways to approach this problem, but my first thought is to have IPA recognize the AD domain as the default domain, so that our users could log in with instead of @addomain, and the existing URLs will work. Is this possible? I was looking at the auth_to_local setting in /etc/krb5.conf, but I couldn't figure out what to do with it. Thanks, David Guertin From rcritten at redhat.com Mon Apr 13 14:28:01 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 13 Apr 2015 10:28:01 -0400 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> Message-ID: <552BD271.5010608@redhat.com> David Dejaeghere wrote: > Hi, > > I get the same error when I use a pk12 with only the server certificate > (and key) in it. > Not sure what else I can try. I'd need to see the full output again. rob > > Regards, > > D > > 2015-04-11 0:23 GMT+02:00 Rob Crittenden >: > > David Dejaeghere wrote: > > Hi, > > > > I even tried the command using an export from the http service nss db, > > same issue. > > > > regarding SElinux: > > ausearch -m AVC -ts recent > > > > > > Sending you the log personally. > > Ok, so the way the certs are imported is all the certs in the PKCS#12 > file are loaded in, then marked as untrusted. > > certutil -O is executed against the server cert which prints out what > the trust chain should be and those certs marked as trusted CA's. > > That part is working fine. > > Finally it makes another pass through the database to verify the chain. > > Looking at the output there are two certs with the subject CN=Go Daddy > Root Certificate Authority - G2,O="GoDaddy.com, > Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I > wonder if this is confusing the cert loader. These certs are included in > the PKCS#12 file (serial #0 and #1828629 AFAICT). 
I don't know which one > is the "right' one, or if there even is one. > > rob > > > > > > Regards, > > > > D > > > > 2015-04-10 17:03 GMT+02:00 Rob Crittenden > > >>: > > > > David Dejaeghere wrote: > > > Hi Rob, > > > > > > Without the --http-pin the command will give a prompt to > enter the password. > > > Tried both. > > > > > > I am sending the output of the pk12util -l to you in another > email. > > > It holds the wildcard certificate and the godaddy bundle for > as far as I > > > can tell. > > > > I have to admit, I'm a bit stumped. > (SEC_ERROR_LIBRARY_FAILURE) is a > > rather generic NSS error which can mean any number of things. > It often > > means that the NSS database it is using is bad in some way but > given > > that this is a temporary database created just for this > purpose I doubt > > that's it. You may want to look for SELinux AVCs though: > ausearch -m AVC > > -ts recent. > > > > At the point where it is blowing up, the PKCS#12 file has > already been > > imported and IPA is walking through the results trying to > ensure that > > the full cert trust chain is available. It does this by > reading the > > certs out of the database, and at that point it's blowing up. > > > > The PKCS#12 output you sent me looks ok. I don't believe this > is an > > issue with trust or missing parts of the chain. > > > > I created a simple PKCS#12 file and was able to prepare a > replica using > > it, so AFAICT the code isn't completely broken. > > > > Can you provide the full output from ipa-replica-prepare? > > > > rob > > > > > > Regards, > > > > > > D > > > > > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden > > > > > > > >>>: > > > > > > David Dejaeghere wrote: > > > > Hi, > > > > > > > > Sorry for the lack of details! 
> > > > You are indeed correct about the version its 4.1 > > > > The command I am using is this: > > > > ipa-replica-prepare ipa-r1.myobscureddomain.com > > > > > > > > --http-cert-file > > > > /home/fedora/newcert.pk12 --dirsrv-cert-file > /home/fedora/newcert.pk12 > > > > --ip-address 172.31.16.31 -v > > > > > > I was pretty sure a pin was required with those options > as well. > > > > > > What do the PKCS#12 files look like: pk12util -l > > > /home/fedora/newcert.pk12 > > > > > > rob > > > > > > > > > > > Regards, > > > > > > > > D > > > > > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden > > > > > > >> > > > > > > > > >>>>: > > > > > > > > David Dejaeghere wrote: > > > > > Hi, > > > > > > > > > > Does somebody have any pointers for me regarding > this > > issue? > > > > > > > > It would help very much if you'd include the version > > you're working > > > > with. Based on line numbers I'll assume IPA 4.1. > > > > > > > > It's hard to say since you don't include the > > command-line you're using, > > > > or what those files consist of. > > > > > > > > It looks like it is blowing up trying to verify > that the > > whole > > > > certificate chain is available. NSS unfortunately > > doesn't always provide > > > > the best error messages so it's hard to say why this > > particular cert > > > > can't be loaded. > > > > > > > > rob > > > > > > > > > > > > > > Regards, > > > > > > > > > > D > > > > > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere > > > > > > > >> > > > > > > > > > >>> > > > > > > > > > > > > > >> > > > > > > > > > > > > >>>>>: > > > > > > > > > > Hello, > > > > > > > > > > I am trying to setup a replica for my master > which has > > > been setup > > > > > with an external CA to use our godaddy wildcard > > certificate. > > > > > The ipa-replica-prepare is failing with the > > following debug > > > > information. > > > > > I am using --http-cert and --dirsrv-cert > with my pk12 > > > server > > > > > certificate. 
> > > > > What can I verify to get an idea of what is > going > > wrong? > > > > > > > > > > ipa: DEBUG: stderr= > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: > > > > > File > > > > > > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line > > > > > 169, in execute > > > > > self.ask_for_options() > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > > > line 276, in ask_for_options > > > > > options.http_cert_name) > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", > > > > > line 176, in load_pkcs12 > > > > > host_name=self.replica_fqdn) > > > > > File > > > > > > > > > > > > > > > "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", > > > > line > > > > > 785, in load_pkcs12 > > > > > nss_cert = x509.load_certificate(cert, > x509.DER) > > > > > File > > > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line > > > > 128, > > > > > in load_certificate > > > > > return nss.Certificate(buffer(data)) > > > > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: > > > > DEBUG: The > > > > > ipa-replica-prepare command failed, exception: > > NSPRError: > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library > failure. > > > > > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: > > > > > (SEC_ERROR_LIBRARY_FAILURE) security library > failure. > > > > > > > > > > Regards, > > > > > > > > > > D > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From jhrozek at redhat.com Mon Apr 13 14:28:22 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Mon, 13 Apr 2015 16:28:22 +0200 Subject: [Freeipa-users] Can an Active Directory domain be the default domain? 
In-Reply-To: <552BD14C.90800@middlebury.edu> References: <552BD14C.90800@middlebury.edu> Message-ID: <20150413142822.GB11302@hendrix.arn.redhat.com> On Mon, Apr 13, 2015 at 10:23:08AM -0400, David Guertin wrote: > In our newly-setup IPA environment, users can log in to RHEL clients with > the username @addomain. This works, but I've run into a problem > with some RHEL 5 clients that are Apache servers -- the Apache UserDir > mappings no longer work. Many of the users have web pages served from the > public_html directory in their home directory. With our old NIS > configuration, the URL is of the form http://hostname/~username. With the > new IPA configuration, these URLs no longer work; the web pages are now > found in http://hostname/~username at addomain. > > I can think of several ways to approach this problem, but my first thought > is to have IPA recognize the AD domain as the default domain, so that our > users could log in with instead of @addomain, and the > existing URLs will work. Is this possible? > > I was looking at the auth_to_local setting in /etc/krb5.conf, but I couldn't > figure out what to do with it. > > Thanks, > David Guertin Have you seen the default_domain_suffix option in sssd.conf? From david.dejaeghere at gmail.com Mon Apr 13 14:32:46 2015 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Mon, 13 Apr 2015 16:32:46 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: <552BD271.5010608@redhat.com> References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> Message-ID: Hi Rob, So you want to output of the command using pk12 with server cert and key? or with the ca chain in there too? Regards, David 2015-04-13 16:28 GMT+02:00 Rob Crittenden : > David Dejaeghere wrote: > > Hi, > > > > I get the same error when I use a pk12 with only the server certificate > > (and key) in it. > > Not sure what else I can try. 
> > I'd need to see the full output again. > > rob > > > > > Regards, > > > > D > > > > 2015-04-11 0:23 GMT+02:00 Rob Crittenden > >: > > > > David Dejaeghere wrote: > > > Hi, > > > > > > I even tried the command using an export from the http service nss > db, > > > same issue. > > > > > > regarding SElinux: > > > ausearch -m AVC -ts recent > > > > > > > > > Sending you the log personally. > > > > Ok, so the way the certs are imported is all the certs in the PKCS#12 > > file are loaded in, then marked as untrusted. > > > > certutil -O is executed against the server cert which prints out what > > the trust chain should be and those certs marked as trusted CA's. > > > > That part is working fine. > > > > Finally it makes another pass through the database to verify the > chain. > > > > Looking at the output there are two certs with the subject CN=Go > Daddy > > Root Certificate Authority - G2,O="GoDaddy.com, > > Inc.",L=Scottsdale,ST=Arizona,C=US and different serial numbers. I > > wonder if this is confusing the cert loader. These certs are > included in > > the PKCS#12 file (serial #0 and #1828629 AFAICT). I don't know which > one > > is the "right' one, or if there even is one. > > > > rob > > > > > > > > > > Regards, > > > > > > D > > > > > > 2015-04-10 17:03 GMT+02:00 Rob Crittenden > > > >>: > > > > > > David Dejaeghere wrote: > > > > Hi Rob, > > > > > > > > Without the --http-pin the command will give a prompt to > > enter the password. > > > > Tried both. > > > > > > > > I am sending the output of the pk12util -l to you in another > > email. > > > > It holds the wildcard certificate and the godaddy bundle for > > as far as I > > > > can tell. > > > > > > I have to admit, I'm a bit stumped. > > (SEC_ERROR_LIBRARY_FAILURE) is a > > > rather generic NSS error which can mean any number of things. 
> > It often > > > means that the NSS database it is using is bad in some way but > > given > > > that this is a temporary database created just for this > > purpose I doubt > > > that's it. You may want to look for SELinux AVCs though: > > ausearch -m AVC > > > -ts recent. > > > > > > At the point where it is blowing up, the PKCS#12 file has > > already been > > > imported and IPA is walking through the results trying to > > ensure that > > > the full cert trust chain is available. It does this by > > reading the > > > certs out of the database, and at that point it's blowing up. > > > > > > The PKCS#12 output you sent me looks ok. I don't believe this > > is an > > > issue with trust or missing parts of the chain. > > > > > > I created a simple PKCS#12 file and was able to prepare a > > replica using > > > it, so AFAICT the code isn't completely broken. > > > > > > Can you provide the full output from ipa-replica-prepare? > > > > > > rob > > > > > > > > Regards, > > > > > > > > D > > > > > > > > 2015-04-09 21:39 GMT+02:00 Rob Crittenden > > > > > > > > > > > >>>: > > > > > > > > David Dejaeghere wrote: > > > > > Hi, > > > > > > > > > > Sorry for the lack of details! > > > > > You are indeed correct about the version its 4.1 > > > > > The command I am using is this: > > > > > ipa-replica-prepare ipa-r1.myobscureddomain.com > > > > > > > > > > > > --http-cert-file > > > > > /home/fedora/newcert.pk12 --dirsrv-cert-file > > /home/fedora/newcert.pk12 > > > > > --ip-address 172.31.16.31 -v > > > > > > > > I was pretty sure a pin was required with those options > > as well. 
> > > > > > > > What do the PKCS#12 files look like: pk12util -l > > > > /home/fedora/newcert.pk12 > > > > > > > > rob > > > > > > > > > > > > > > Regards, > > > > > > > > > > D > > > > > > > > > > 2015-04-09 16:16 GMT+02:00 Rob Crittenden > > > > > > > > > > >> > > > > > > > > > > > > > >>>>: > > > > > > > > > > David Dejaeghere wrote: > > > > > > Hi, > > > > > > > > > > > > Does somebody have any pointers for me regarding > > this > > > issue? > > > > > > > > > > It would help very much if you'd include the > version > > > you're working > > > > > with. Based on line numbers I'll assume IPA 4.1. > > > > > > > > > > It's hard to say since you don't include the > > > command-line you're using, > > > > > or what those files consist of. > > > > > > > > > > It looks like it is blowing up trying to verify > > that the > > > whole > > > > > certificate chain is available. NSS unfortunately > > > doesn't always provide > > > > > the best error messages so it's hard to say why > this > > > particular cert > > > > > can't be loaded. > > > > > > > > > > rob > > > > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > D > > > > > > > > > > > > 2015-04-07 13:34 GMT+02:00 David Dejaeghere > > > > > > david.dejaeghere at gmail.com>> > > > > > > david.dejaeghere at gmail.com>>> > > > > > > > > > > > > > > > > > >>> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >>>>>: > > > > > > > > > > > > Hello, > > > > > > > > > > > > I am trying to setup a replica for my master > > which has > > > > been setup > > > > > > with an external CA to use our godaddy > wildcard > > > certificate. > > > > > > The ipa-replica-prepare is failing with the > > > following debug > > > > > information. > > > > > > I am using --http-cert and --dirsrv-cert > > with my pk12 > > > > server > > > > > > certificate. > > > > > > What can I verify to get an idea of what is > > going > > > wrong? 
> > > > > > ipa: DEBUG: stderr=
> > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > > > > >   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
> > > > > >     self.ask_for_options()
> > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 276, in ask_for_options
> > > > > >     options.http_cert_name)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py", line 176, in load_pkcs12
> > > > > >     host_name=self.replica_fqdn)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 785, in load_pkcs12
> > > > > >     nss_cert = x509.load_certificate(cert, x509.DER)
> > > > > >   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate
> > > > > >     return nss.Certificate(buffer(data))
> > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The ipa-replica-prepare command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > > ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > D
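Rob's working theory in the reply quoted above is that two certificates sharing the GoDaddy root subject but carrying different serial numbers confuse the loader in load_pkcs12. The following is an added example, not code from the thread or from FreeIPA: a POSIX shell function that reads `pk12util -l` output (assumed to follow the NSS pretty-print layout with "Serial Number:" and quoted "Subject:" lines) and reports any subject that appears with more than one serial number, run here against a constructed sample that mimics the two root certs Rob describes.

```shell
#!/bin/sh
# Added example: flag subjects that appear under more than one serial number
# in the pretty-printed output of "pk12util -l <file.p12>". Exact duplicates
# (same subject AND same serial) are collapsed; only conflicting serials are
# reported. Exit status 1 when a conflict is found, 0 otherwise.
find_dup_subjects() {
    awk '
        # "Serial Number: 0 (0x0)" on one line, or "Serial Number:" followed
        # by a hex dump on the next line for large serials.
        /^[ \t]*Serial Number:/ {
            v = $0
            sub(/^[ \t]*Serial Number:[ \t]*/, "", v)
            if (v == "") want_serial = 1; else serial = v
            next
        }
        want_serial == 1 {
            serial = $0
            gsub(/[ \t]/, "", serial)
            want_serial = 0
            next
        }
        # Only the certificate subject; "Subject Public Key Info:" does not match.
        /^[ \t]*Subject:/ {
            s = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", s)
            sub(/^"/, "", s); sub(/"$/, "", s)
            if (serial == "") next
            if (!((s, serial) in seen)) {
                seen[s, serial] = 1
                if (!(s in count)) order[++n] = s
                count[s]++
                serials[s] = (count[s] == 1) ? serial : (serials[s] ", " serial)
            }
            serial = ""
            next
        }
        END {
            dups = 0
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (count[s] > 1) {
                    dups++
                    printf "DUPLICATE SUBJECT: %s\n  serials: %s\n", s, serials[s]
                }
            }
            exit (dups > 0 ? 1 : 0)
        }'
}

# Constructed sample in the shape of "pk12util -l" output (not a real file);
# the two root entries mirror the situation described in the thread.
SAMPLE_PK12UTIL_OUTPUT=$(cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject: "CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject Public Key Info:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1828629 (0x1be715)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US"
        Subject: "CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject Public Key Info:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject: "CN=Go Daddy Secure Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject Public Key Info:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:aa:bb:cc:dd:ee:ff:01
        Issuer: "CN=Go Daddy Secure Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
        Subject: "CN=*.myobscureddomain.com,OU=Domain Control Validated"
        Subject Public Key Info:
EOF
)

# Real use: pk12util -l /home/fedora/newcert.pk12 | find_dup_subjects
if printf '%s\n' "$SAMPLE_PK12UTIL_OUTPUT" | find_dup_subjects; then
    echo "no conflicting subjects found"
fi
```

If a conflict is reported, re-export the PKCS#12 with a single copy of each CA certificate before retrying ipa-replica-prepare.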
From abokovoy at redhat.com Mon Apr 13 14:44:55 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Apr 2015 17:44:55 +0300
Subject: [Freeipa-users] Can an Active Directory domain be the default domain?
In-Reply-To: <552BD14C.90800@middlebury.edu>
References: <552BD14C.90800@middlebury.edu>
Message-ID: <20150413144455.GF3945@redhat.com>

On Mon, 13 Apr 2015, David Guertin wrote:
>In our newly-setup IPA environment, users can log in to RHEL clients with the username @addomain. This works, but I've run into a problem with some RHEL 5 clients that are Apache servers -- the Apache UserDir mappings no longer work. Many of the users have web pages served from the public_html directory in their home directory. With our old NIS configuration, the URL is of the form http://hostname/~username. With the new IPA configuration, these URLs no longer work; the web pages are now found in http://hostname/~username at addomain.
>
>I can think of several ways to approach this problem, but my first thought is to have IPA recognize the AD domain as the default domain, so that our users could log in with instead of @addomain, and the existing URLs will work. Is this possible?
>
>I was looking at the auth_to_local setting in /etc/krb5.conf, but I couldn't figure out what to do with it.

auth_to_local is for a different purpose.

It is not possible to change SSSD to use the default domain of the AD forest root domain on the IPA master, because you'll break the compat tree and SSSD on IPA clients. The compat tree and the extdom plugin expect to have normalized user names on the IPA master. Additionally, the compat tree expects normalized names to come from legacy clients; it is the only way we can efficiently recognize these requests as being against AD users without doing a search for every misnamed IPA user.

That said, you can set the default domain in the SSSD configuration on the legacy clients (RHEL 5); SSSD will then ensure the proper fully-qualified name is sent towards the compat tree, and the non-qualified name can be asked for on the client (RHEL 5) side. However, this will only work in case you have a single AD domain in a forest. If you have more than one AD domain, you are out of luck.

I'd suggest looking into mod_rewrite configuration to handle the @addomain part in the Apache configuration.

-- 
/ Alexander Bokovoy

From bnordgren at fs.fed.us Mon Apr 13 15:18:33 2015
From: bnordgren at fs.fed.us (Nordgren, Bryce L -FS)
Date: Mon, 13 Apr 2015 15:18:33 +0000
Subject: [Freeipa-users] user account without password
In-Reply-To: 
References: <552779E5.9020304@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E7BA268@001FSN2MPN1-046.001f.mgd2.msft.net>
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7BA6F0@001FSN2MPN1-046.001f.mgd2.msft.net>

Hi Alex,

Just because I gave up doesn't mean there isn't a way. Does your partitioning of local/domain users allow a domain user to run a service on a machine? I was trying to run an iPython notebook server as my regular user/domain account via systemd. Much of the data that the service needed access to resided on a multi-Terabyte NFS share, hence the desire to make it work with my domain account. IIRC, systemd was the thing choking on the domain user.

Do you just manually create a local user with the same attributes as the domain user? (And in the case of the above, use NFS with sec=host?)

Thanks,
Bryce

> -----Original Message-----
> From: Alexander Frolushkin [mailto:Alexander.Frolushkin at Megafon.ru]
> Sent: Sunday, April 12, 2015 9:27 PM
> To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] user account without password
>
> -----Original Message-----
> From: Nordgren, Bryce L -FS [mailto:bnordgren at fs.fed.us]
> Sent: Friday, April 10, 2015 9:27 PM
> To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] user account without password
>
> >> Also, if such account will also exist locally (my case), it will not
> >> be controlled by HBAC rules - it can be a some kind of security trap...
>
> >Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local accounts need to be scoped to the local machine (e.g., "apache" on server 1 is different than "apache" on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named accounts on different machines.
>
> >Alternatively, allowing domain accounts to run certain services also has some merit. (assuming the user has permissions to do so.)
>
> >Just thinking into email.
> >Bryce
>
> I have a long and positive experience using both local and IPA users with the same attributes, but without HBAC and without a sudo way to obtain a shell of such users.
> Default settings in nsswitch.conf and pam provide straight and clear system behavior, for about three years.
> But I agree there can be cases when such a construction may lead to misbehavior and so on. We will try to avoid them.
> SSO is not really the aim for us; we just need to make an environment where users must remember only one password to access all resources on unix/linux servers.
>
> Not trying to argue, just sharing some thoughts :)
> Alexander
>
> ________________________________
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From Joshua.Gould at osumc.edu Mon Apr 13 15:24:06 2015
From: Joshua.Gould at osumc.edu (Gould, Joshua)
Date: Mon, 13 Apr 2015 11:24:06 -0400
Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7)
Message-ID: 

I've looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo

The issue being that when I try to add my AD Trust user, it doesn't allow the @ sign. (ex. gould at test.osuwmc).

If I modify the sudo rule to allow all users, I can see that it allows my AD account sudo rights.

$ sudo -l

User gould at test.osuwmc may run the following commands on this host:
    (ALL : ALL) ALL

How can I configure the rule to allow certain AD users to be able to execute certain sudo rules?

From abokovoy at redhat.com Mon Apr 13 15:37:43 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Apr 2015 18:37:43 +0300
Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7)
In-Reply-To: 
References: 
Message-ID: <20150413153743.GH3945@redhat.com>

On Mon, 13 Apr 2015, Gould, Joshua wrote:
>I've looked at the docs and it looks as if I can specify an external
>user who can have sudo rights via IPA.
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>
>The issue being that when I try to add my AD Trust user, it doesn't
>allow the @ sign. (ex. gould at test.osuwmc).
>
>If I modify the sudo rule to allow all users, I can see that it allows
>my AD account sudo rights.
>
>$ sudo -l
>
>User gould at test.osuwmc may run the following commands on this host:
>    (ALL : ALL) ALL
>
>How can I configure the rule to allow certain AD users to be able to
>execute certain sudo rules?

Through the external users' groups mechanism we use for any other AD user mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users, but rather AD groups and users.
ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould at test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make a sudo rule that allows users of gould_group to run the needed commands. SSSD will pull in all membership information for gould_group, including AD users.

-- 
/ Alexander Bokovoy

From Joshua.Gould at osumc.edu Mon Apr 13 15:59:28 2015
From: Joshua.Gould at osumc.edu (Gould, Joshua)
Date: Mon, 13 Apr 2015 11:59:28 -0400
Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7)
In-Reply-To: <20150413153743.GH3945@redhat.com>
References: <20150413153743.GH3945@redhat.com>
Message-ID: 

On 4/13/15, 11:37 AM, "Alexander Bokovoy" wrote:

>Through external users' groups mechanism we use for any other AD users
>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>defined on the host) groups and users but rather AD groups and users.
>
>ipa group-add --external gould_group_ext
>ipa group-add-member gould_group_ext --external=gould at test.osuwmc
>ipa group-add gould_group
>ipa group-add-member gould_group --groups=gould_group_ext
>
>And now make sudo rule that allows users of gould_group to run needed
>commands. SSSD will pull in all membership information for gould_group,
>including AD users.

Just curious, but if we don't plan on using any IPA native users, could you skip the last two commands and add gould_group_ext to the sudo rule?

I've seen this same basic example used for HBAC, but it never was clear to me why the IPA group needed to be added if you're only concerned with AD users? Does it need to be added, or do the examples include the IPA group because they assume that you'll be wanting to use a mix of AD and IPA users for HBAC and sudo?
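The four ipa commands from Alexander's reply plus the sudo rule he leaves to the reader, as one added example that is not from the thread or the FreeIPA project: a POSIX shell function wrapping the ipa client so the helper-object chain (external group, POSIX group, then a rule restricted to one host and named commands rather than ALL) is created and verified in one go. The AD user is written with a literal @ (the archive shows addresses as " at "), the host name and command are constructed placeholders, and the IPA variable lets you set IPA=echo to preview the commands without touching the server.

```shell
#!/bin/sh
# Added example (not from the thread): create the helper-object chain that
# lets an AD trust user match a sudo rule, then show the resulting rule.
# Requires an admin Kerberos ticket (kinit admin) on an IPA client; set
# IPA=echo to print the commands instead of running them.
IPA="${IPA:-ipa}"

EXT_GROUP="gould_group_ext"   # external (non-POSIX) group holding the AD user's SID reference
POSIX_GROUP="gould_group"     # POSIX group that sudo (via SSSD) can actually resolve
RULE="gould_sudo"             # constructed rule name, not from the thread

# ipa_external_sudo_rule AD_USER HOST CMD [CMD...]
ipa_external_sudo_rule() {
    ad_user=$1
    host=$2
    shift 2

    # 1. External group: the only IPA object allowed to reference an AD user.
    "$IPA" group-add --external "$EXT_GROUP" || return 1
    "$IPA" group-add-member "$EXT_GROUP" --external="$ad_user" || return 1

    # 2. POSIX group nesting the external one. Adding EXT_GROUP straight to
    #    the rule would not work: it has no POSIX attributes, so sudo never sees it.
    "$IPA" group-add "$POSIX_GROUP" || return 1
    "$IPA" group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP" || return 1

    # 3. The rule itself, scoped to one host and explicit commands rather than ALL.
    "$IPA" sudorule-add "$RULE" || return 1
    "$IPA" sudorule-add-user "$RULE" --groups="$POSIX_GROUP" || return 1
    "$IPA" sudorule-add-host "$RULE" --hosts="$host" || return 1
    for cmd in "$@"; do
        "$IPA" sudocmd-add "$cmd" || return 1
        "$IPA" sudorule-add-allow-command "$RULE" --sudocmds="$cmd" || return 1
    done

    # 4. Verify: the rule should list gould_group, the host and the commands.
    "$IPA" sudorule-show "$RULE"
}

# Invocation: ./script.sh 'gould@test.osuwmc' host1.example.test /usr/bin/systemctl
# (the commands are not idempotent; remove the groups and rule before re-running).
if [ $# -ge 3 ]; then
    ipa_external_sudo_rule "$@"
fi
```

Once SSSD on the target host has refreshed its sudo rules, `sudo -l` as the AD user should list only the named commands instead of (ALL : ALL) ALL.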
Joshua

From abokovoy at redhat.com Mon Apr 13 16:16:15 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Apr 2015 19:16:15 +0300
Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7)
In-Reply-To: 
References: <20150413153743.GH3945@redhat.com>
Message-ID: <20150413161615.GI3945@redhat.com>

On Mon, 13 Apr 2015, Gould, Joshua wrote:
>On 4/13/15, 11:37 AM, "Alexander Bokovoy" wrote:
>
>>Through external users' groups mechanism we use for any other AD users
>>mapping in HBAC and SUDO. These are not local (not defined in IPA but
>>defined on the host) groups and users but rather AD groups and users.
>>
>>ipa group-add --external gould_group_ext
>>ipa group-add-member gould_group_ext --external=gould at test.osuwmc
>>ipa group-add gould_group
>>ipa group-add-member gould_group --groups=gould_group_ext
>>
>>And now make sudo rule that allows users of gould_group to run needed
>>commands. SSSD will pull in all membership information for gould_group,
>>including AD users.
>
>Just curious, but if we don't plan on using any IPA native users, could
>you skip the last two commands and add gould_group_ext to the sudo rule?

No. gould_group_ext has no POSIX attributes and thus is not visible to sudo.

>I've seen this same basic example used for HBAC, but it never was clear to
>me why the IPA group needed to be added if you're only concerned with AD
>users? Does it need to be added or do the examples include the IPA group
>because they assume that you'll be wanting to use a mix of AD and IPA
>users for HBAC and sudo?

The schema IPA uses for storing group membership requires the existence of an object in LDAP. AD users and groups don't exist in IPA LDAP and thus cannot be addressed directly. For doing this we create a real LDAP object which has a reference to the AD user/group's SID as a string. SSSD knows about this arrangement and properly pulls information from this LDAP object whenever it is encountered as a member of a POSIX group.
As a result, you can see an AD user or group as a member of a POSIX group, but we need a helper object to allow this magic to work.

-- 
/ Alexander Bokovoy

From guertin at middlebury.edu Mon Apr 13 17:02:18 2015
From: guertin at middlebury.edu (David Guertin)
Date: Mon, 13 Apr 2015 13:02:18 -0400
Subject: [Freeipa-users] Can an Active Directory domain be the default domain?
In-Reply-To: <20150413144455.GF3945@redhat.com>
References: <552BD14C.90800@middlebury.edu> <20150413144455.GF3945@redhat.com>
Message-ID: <552BF69A.3020800@middlebury.edu>

> Said that, you can set default domain in SSSD configuration on the
> legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> name will be sent towards compat tree and non-qualified name can be
> asked on the client (RHEL 5) side.

I was able to do this on RHEL 6/sssd 1.11 with "default_domain_suffix = middlebury.edu", and it works great. But that command does not work with RHEL 5/sssd 1.5. Is there a comparable sssd.conf setting for older sssd versions?

David Guertin

From jhrozek at redhat.com Mon Apr 13 18:25:37 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 13 Apr 2015 20:25:37 +0200
Subject: [Freeipa-users] Can an Active Directory domain be the default domain?
In-Reply-To: <552BF69A.3020800@middlebury.edu>
References: <552BD14C.90800@middlebury.edu> <20150413144455.GF3945@redhat.com> <552BF69A.3020800@middlebury.edu>
Message-ID: <20150413182537.GH16427@Jakubs-MacBook-Pro.local>

On Mon, Apr 13, 2015 at 01:02:18PM -0400, David Guertin wrote:
> 
> >Said that, you can set default domain in SSSD configuration on the
> >legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> >name will be sent towards compat tree and non-qualified name can be
> >asked on the client (RHEL 5) side.
> I was able to do this on RHEL 6/sssd 1.11 with "default_domain_suffix =
> middlebury.edu", and it works great. But that command does not work with
> RHEL 5/sssd 1.5.
Is there a comparable sssd.conf setting for older sssd > versions? I'm afraid there is not. The AD entries in the compat tree are fully qualified anyway and in the same tree as IPA users, there needs to be a way to distinguish them.. From prasun.gera at gmail.com Mon Apr 13 18:58:01 2015 From: prasun.gera at gmail.com (Prasun Gera) Date: Mon, 13 Apr 2015 14:58:01 -0400 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> Message-ID: Just a follow up. I thought that making NFS a service in IPA takes care of this, but it looks like the issues are unrelated. Home directories are created automatically if the user logs in to the NFS server, but I haven't found any solution to trigger this from a client without using no_root_squah for the mount on the IPA server. If someone has achieved this functionality, can you share your experience ? On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera wrote: > Here's the link: > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories > > On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote: > >> On 04/09/2015 07:44 PM, Prasun Gera wrote: >> >> I have a somewhat related question. Without kerberizing NFS, which I'll >> do eventually since that needs all the clients to be migrated first, how >> does one create home directories automatically ? The IPA server and NFS >> server are different systems. I was able to verify that automatic home >> creation works if the NFS share is exported to the IPA server with >> no_root_squash. What's the proper way of doing this ? >> >> >> The documentation says: >> >> >> Which documentation you are referring to? >> Can you please post the link? 
>> >> >> >> Use a remote user who has limited permissions to create home directories >> and mount the share on the IdM server as that user. Since the IdM server >> runs as an httpd process, it is possible to use sudo or a similar program >> to grant limited access to the IdM server to create home directories on the >> NFS server. >> >> >> >> What would be the list of steps that would achieve this ? What are the >> limited permissions that the NFS user would need ? Read + Write, but no >> Delete to the /home directory ? Sounds like something that would need ACLs. >> And where does sudo on the IPA server fit into this ? >> >> >> >> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < >> roberto.cornacchia at gmail.com> wrote: >> >>> Thanks, Jakub. >>> >>> >>> On 19 March 2015 at 21:23, Jakub Hrozek wrote: >>> >>>> >>>> > On 19 Mar 2015, at 21:18, Roberto Cornacchia < >>>> roberto.cornacchia at gmail.com> wrote: >>>> > >>>> > It's possible that I'm simply not getting the point, or that I don't >>>> understand the documentation correctly, but this is what I don't find clear: >>>> > >>>> > I had seen the instructions you pointed me at. These are not >>>> specifically about home directories. >>>> > >>>> > However, this section is: >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs >>>> > >>>> > It first suggests that automatic creation of home directories over >>>> NFS shares is possible: just automount /home and then use >>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. >>>> > >>>> > But then it also suggests that mounting the whole /home tree could be >>>> an issue, and says: "Use automount to mount only the user's home directory >>>> and only when the user logs in, rather than loading the entire /home tree." >>>> > >>>> > That means that automatic homedir creation is out of the game, >>>> doesn't it? 
>>>> > >>>> > That's what I find confusing. What's the recommended way? >>>> > >>>> >>>> It really depends on your environment. For your size, it's perfectly >>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize >>>> prematurely :-) >>>> >>>> > >>>> > >>>> > On 19 March 2015 at 20:49, Dmitri Pal wrote: >>>> > On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: >>>> >> Hi Dmitri, >>>> >> >>>> >> I do realise my question is borderline and I accept that it is >>>> considered off-topic. >>>> >> >>>> >> I did post it here because I believe it's not *only* about NFS, but >>>> also about its interaction with freeIPA. The issue of NFS home and in >>>> particular about their creation is touched in all the links I posted (all >>>> about freeIPA) and never really answered. >>>> >> >>>> > >>>> > This is what documented and recommended: >>>> > >>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs >>>> > >>>> > RHEL6 has a similar chapter in its doc set though books have changed >>>> significantly between 6 and 7. >>>> > >>>> > I do not see any chicken and egg problem there. >>>> > The instructions show how to create home dirs on the first login. >>>> > >>>> > It mounts the volume and then creates dirs on it as users log in if >>>> they are not already there. >>>> > >>>> > It is unclear what problem you see with doing it the way it is >>>> recommended. >>>> > >>>> > >>>> > >>>> >> Best, >>>> >> Roberto >>>> >> >>>> >> On 19 March 2015 at 19:36, Dmitri Pal wrote: >>>> >> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: >>>> >>> On 6 March 2015 at 11:15, Martin Kosek wrote: >>>> >>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: >>>> >>> Hi there, >>>> >>> >>>> >>> I'm planning to deploy freeIPA on our lan. >>>> >>> It's small-ish and completely based on FC21, so I expect everything >>>> to work >>>> >>> like a charm. 
>>>> >>> >>>> >>> Except one detail. We have Synology NAS station, which uses DSM 5.0. >>>> >>> The ideal plan is to use it as host for shared NFS home dirs once >>>> we switch our >>>> >>> desktops to freeIPA. >>>> >>> >>>> >>> Great! >>>> >>> >>>> >>> >>>> >>> Hello, >>>> >>> >>>> >>> The first thing I'm struggling with is to find the correct >>>> approach about NFS home dirs. >>>> >>> The ideal setting would be: >>>> >>> - home dirs on the NAS >>>> >>> - IPA manages automount maps >>>> >>> - home dirs are created automatically at first login >>>> >>> >>>> >>> The documentation I could find on these topics includes only >>>> not-so-recent pages (anything I missed?): >>>> >>> >>>> >>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA >>>> >>> >>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html >>>> >>> >>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories >>>> >>> >>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ >>>> >>> >>>> >>> Now, I admit I don't have much experience with setting up NFS >>>> homes, with or without freeIPA, so trying to get this done correctly in the >>>> context of freeIPA and without clear howtos isn't very easy, but I'm >>>> willing to get my hands dirty. >>>> >>> >>>> >>> The first problem I struggle with is on the correct approach. >>>> >>> From the documentation above, I understand that there is a bit of a >>>> chicken-egg problem about the creation of home dirs. >>>> >>> On the one hand, it would be optimal to have automount maps to load >>>> only single home dirs on demand, rather than the entire /home tree. >>>> >>> On the other hand, if the /home tree is not available, then >>>> creating /home/user1 dir automatically isn't really possible. 
>>>> >>> >>>> >>> Just mounting the whole /home tree would make things easier, but I >>>> don't have a feeling of when it starts to become a performance issue >>>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500? >>>> No idea. >>>> >>> The realm I'm dealing with at the moment is in the range of 5-10 >>>> users and probably won't be larger than 50 in the next few years (and if it >>>> will, it means things are going well, so what the heck ;) >>>> >>> Also true that, with such few users, I could just create the >>>> homedirs manually when needed (this is not an organisation where many users >>>> come and go) and just mount the individually. >>>> >>> Any tips about this? >>>> >>> >>>> >>> Best, Roberto >>>> >>> >>>> >>> >>>> >>> >>>> >>> >>>> >> Some of these questions are really outside the scope of this list. >>>> >> You might consider asking them on the NFS list. >>>> >> >>>> >> -- >>>> >> Thank you, >>>> >> Dmitri Pal >>>> >> >>>> >> Sr. Engineering Manager IdM portfolio >>>> >> Red Hat, Inc. >>>> >> >>>> >> >>>> >> -- >>>> >> Manage your subscription for the Freeipa-users mailing list: >>>> >> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >> Go to http://freeipa.org for more info on the project >>>> >> >>>> >> >>>> >> >>>> > >>>> > >>>> > -- >>>> > Thank you, >>>> > Dmitri Pal >>>> > >>>> > Sr. Engineering Manager IdM portfolio >>>> > Red Hat, Inc. 
>>>> > >>>> > >>>> > -- >>>> > Manage your subscription for the Freeipa-users mailing list: >>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>> > Go to http://freeipa.org for more info on the project >>>> > >>>> > -- >>>> > Manage your subscription for the Freeipa-users mailing list: >>>> > https://www.redhat.com/mailman/listinfo/freeipa-users >>>> > Go to http://freeipa.org for more info on the project >>>> >>>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> >> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Apr 13 21:34:17 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Apr 2015 17:34:17 -0400 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: References: <20150413071459.GA28555@hendrix.arn.redhat.com> Message-ID: <552C3659.1060801@redhat.com> On 04/13/2015 08:23 AM, Thomas Lau wrote: > > Hi, > > These problem appear randomly, sometime it still work even under heavy > packet loss, some times would be like this. So its hard to catch. 
> > On Apr 13, 2015 3:22 PM, "Jakub Hrozek" > wrote: > > On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: > > Hi all, > > > > We have a cronjob which runs as a FreeIPA LDAP user; when the > connection > > between IPA server and client has heavy packet loss, the following > > error would occur: > > > > CRON[20637]: Authentication service cannot retrieve > authentication info > > > > I have cache credentials and store password if offline enabled on > > sssd, how could this problem still be happening? > It might be that the cause of the problem is actually the packet loss or some kind of delay. SSSD might not think that it is offline but the cron job itself times out and reports failure. Do you know what operation in the job fails? > > > > > > sssd.conf: > > > > cache_credentials = True > > krb5_store_password_if_offline = True > > Did the user log in at least once offline? You can verify if the > password > has been cached using the ldbsearch utility. It would be best to catch > the occurrence of the problem in logs. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From awilisch at gmail.com Mon Apr 13 23:26:36 2015 From: awilisch at gmail.com (Aric Wilisch) Date: Mon, 13 Apr 2015 19:26:36 -0400 Subject: [Freeipa-users] Upgrading Freeipa 3 server. Message-ID: One of our environments has a FreeIPA 3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA 3 box. But now I'm stuck. I can't find any good documentation on how to promote the new FreeIPA 4 server and take the old FreeIPA 3 server out of the picture.
If I do an ipa-replica-manage del --force stip01.staging.fioptics.int it tells me I can't because it would leave me without a CA. However I can't find any documentation on migrating the CA from IPA3 to IPA4. Any help would be appreciated. Regards, ------------------------------------------ Aric Wilisch awilisch at gmail.com From dpal at redhat.com Mon Apr 13 23:47:18 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 13 Apr 2015 19:47:18 -0400 Subject: [Freeipa-users] Upgrading Freeipa 3 server. In-Reply-To: References: Message-ID: <552C5586.6080607@redhat.com> On 04/13/2015 07:26 PM, Aric Wilisch wrote: > One of our environments has a FreeIPA 3 server installed and I need to > upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed > FreeIPA 4 as a replica of the FreeIPA 3 box. But now I'm stuck. I can't > find any good documentation on how to promote the new FreeIPA 4 server > and take the old FreeIPA 3 server out of the picture. If I do an > ipa-replica-manage del --force stip01.staging.fioptics.int it tells > me I can't because it would leave me without a CA. However I can't > find any documentation on migrating the CA from IPA3 to IPA4. > > Any help would be appreciated. > > Regards, > ------------------------------------------ > Aric Wilisch > awilisch at gmail.com > > > > > > Did you follow this procedure? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc I would say that I would recommend upgrading to 6.6 rather than 6.5. If you did not, what exactly did you do? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
From awilisch at gmail.com Tue Apr 14 00:06:42 2015 From: awilisch at gmail.com (Aric Wilisch) Date: Mon, 13 Apr 2015 20:06:42 -0400 Subject: [Freeipa-users] Upgrading Freeipa 3 server. In-Reply-To: <552C5586.6080607@redhat.com> References: <552C5586.6080607@redhat.com> Message-ID: I didn't see this guide until now. The IPA3 server started off as a RHEL 6.6 server so no upgrade is necessary, but I simply generated the replica file and created the IPA 4 server as a replica. Aside from the CA not being there the server looks to be working fine and shows up as a master. I'll uninstall the 4 server and work through the script process to see if that fixes the issue. Regards, ------------------------------------------ Aric Wilisch awilisch at gmail.com > On Apr 13, 2015, at 7:47 PM, Dmitri Pal wrote: > > On 04/13/2015 07:26 PM, Aric Wilisch wrote: >> One of our environments has a FreeIPA 3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA 3 box. But now I'm stuck. I can't find any good documentation on how to promote the new FreeIPA 4 server and take the old FreeIPA 3 server out of the picture. If I do an ipa-replica-manage del --force stip01.staging.fioptics.int it tells me I can't because it would leave me without a CA. However I can't find any documentation on migrating the CA from IPA3 to IPA4. >> >> Any help would be appreciated. >> >> Regards, >> ------------------------------------------ >> Aric Wilisch >> awilisch at gmail.com >> >> >> >> >> >> > > > Did you follow this procedure? > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc > > I would say that I would recommend upgrading to 6.6 rather than 6.5. > > If you did not, what exactly did you do? > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc.
> -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From brian.topping at gmail.com Tue Apr 14 01:51:31 2015 From: brian.topping at gmail.com (Brian Topping) Date: Tue, 14 Apr 2015 08:51:31 +0700 Subject: [Freeipa-users] Checking 389 for ACI contamination In-Reply-To: <552B634C.1060808@redhat.com> References: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com> <552B634C.1060808@redhat.com> Message-ID: > On Apr 13, 2015, at 1:33 PM, Martin Kosek wrote: > > On 04/12/2015 05:27 AM, Brian Topping wrote: >> Hi all, trying to figure out if I may have contaminated my ACIs in the >> process of upgrading my replicated deployment. I didn't upgrade the >> instances at the same time, is there any possibility that the 3.x ACIs >> contaminated the 4.x DIT? > > What do you mean by... contaminated? Can you please describe what exactly > happened? > > As Dmitri said, there were major ACI related changes in 4.0, but I am not sure > what is the problem in your case. The only thing that is broken at the moment is my OCD. I did make a couple of changes in my 3.x deployment that appear to have been insufficient when I upgraded, but I didn't name them well and I'm having issues trying to find which ones they were. Now that I've RTFM on ACIs, I want to make sure everything that is there is there for a reason. I'd rather put effort in now than be surprised by some cruft I left behind in a future upgrade. >> If so, how would I check it? Is there an LDIF in the distro that I can >> manually compare the entries against? > > I am not sure which entries you are referring to. But from 4.0, most of the > ACIs are now generated dynamically, from Python code. If the schema/ACIs are managed by Python, it might be interesting for the script to generate warnings when it runs.
Stuff like missing/extra schema & ACIs. Just a thought. From tlau at tetrioncapital.com Tue Apr 14 02:41:38 2015 From: tlau at tetrioncapital.com (Thomas Lau) Date: Tue, 14 Apr 2015 10:41:38 +0800 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: <552C3659.1060801@redhat.com> References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> Message-ID: Hi, It's an in-house program which runs as one kerberos user. On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote: > On 04/13/2015 08:23 AM, Thomas Lau wrote: > > Hi, > > This problem appears randomly; sometimes it still works even under heavy > packet loss, sometimes it would be like this. So it's hard to catch. > > On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote: >> >> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: >> > Hi all, >> > >> > We have a cronjob which runs as a FreeIPA LDAP user; when the connection >> > between IPA server and client has heavy packet loss, the following >> > error would occur: >> > >> > CRON[20637]: Authentication service cannot retrieve authentication info >> > >> > I have cache credentials and store password if offline enabled on >> > sssd, how could this problem still be happening? > > > It might be that the cause of the problem is actually the packet loss or > some kind of delay. > SSSD might not think that it is offline but the cron job itself times out and > reports failure. > Do you know what operation in the job fails? > > >> > >> > >> > sssd.conf: >> > >> > cache_credentials = True >> > krb5_store_password_if_offline = True >> >> Did the user log in at least once offline? You can verify if the password >> has been cached using the ldbsearch utility. It would be best to catch >> the occurrence of the problem in logs.
>> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Thomas Lau Director of Infrastructure Tetrion Capital Limited Direct: +852-3976-8903 Mobile: +852-9323-9670 Address: 20/F, IFC 1, Central district, Hong Kong From Alexander.Frolushkin at megafon.ru Tue Apr 14 03:40:38 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 14 Apr 2015 03:40:38 +0000 Subject: [Freeipa-users] user account without password In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7BA6F0@001FSN2MPN1-046.001f.mgd2.msft.net> References: <552779E5.9020304@redhat.com> <82E7C9A01FD0764CACDD35D10F5DFB6E7BA268@001FSN2MPN1-046.001f.mgd2.msft.net> <82E7C9A01FD0764CACDD35D10F5DFB6E7BA6F0@001FSN2MPN1-046.001f.mgd2.msft.net> Message-ID: <22cee14788b54ae0989796682f501653@sib-ums01.Megafon.ru> Hello, usually domain users are used to run services AND to do some administration work. Some users are only used to run services. Also, there are a number of domain users, for example "oracle", which are very important for the application's life, so we duplicate such users locally, to make sure resolving them does not depend on sssd (we still don't think it is completely rock-stable, sorry :)). I have limited experience with NFS and domain users, in the security sense, anyway. We do have a special NFS server sharing its filesystems to other services and using the same domain user on all these servers. For now I cannot remember any issues related to this setup.
-----Original Message----- From: Nordgren, Bryce L -FS [mailto:bnordgren at fs.fed.us] Sent: Monday, April 13, 2015 9:19 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users at redhat.com Subject: RE: [Freeipa-users] user account without password Hi Alex, Just because I gave up doesn't mean there isn't a way. Does your partitioning of local/domain users allow a domain user to run a service on a machine? I was trying to run an iPython notebook server as my regular user/domain account via systemd. Much of the data that the service needed access to resided on a multi-Terabyte NFS share, hence the desire to make it work with my domain account. IIRC, systemd was the thing choking on the domain user. Do you just manually create a local user with the same attributes as the domain user? (and in the case of the above use NFS with sec=host)? Thanks, Bryce > -----Original Message----- > From: Alexander Frolushkin [mailto:Alexander.Frolushkin at Megafon.ru] > Sent: Sunday, April 12, 2015 9:27 PM > To: Nordgren, Bryce L -FS; 'Martin Kosek'; freeipa-users at redhat.com > Subject: RE: [Freeipa-users] user account without password > > -----Original Message----- > From: Nordgren, Bryce L -FS [mailto:bnordgren at fs.fed.us] > Sent: Friday, April 10, 2015 9:27 PM > To: Alexander Frolushkin (SIB); 'Martin Kosek'; > freeipa-users at redhat.com > Subject: RE: [Freeipa-users] user account without password > > >> Also, if such account will also exist locally (my case), it will > >> not be controlled by HBAC rules - it can be a some kind of security trap... > > >Pretty sure accounts should be either local or domain-wide, but not both. > Could lead to strange and unforeseen side effects. Last I checked, > only local accounts can run services. 
It may be advantageous to allow > local accounts (which can run services) to have a representation in > the domain, but the local > >accounts need to be scoped to the local machine (e.g., "apache" on > >server 1 > is different than "apache" on server 2). At least that way, they could > belong to the same groups domain accounts belong to. SSO certainly shouldn't work. > Any access to shared storage should distinguish between same-named > >accounts on different machines. > > >Alternatively, allowing domain accounts to run certain services also > >has some merit. (assuming the user has permissions to do so.) > > >Just thinking into email. > >Bryce > > I have a long and positive experience using both local and IPA users > with the same attributes, but without HBAC and without a sudo way to > obtain a shell for such users. > Default settings in nsswitch.conf and pam have provided straight and clear > system behavior, for about three years. > But I agree there can be cases when such a construction may lead to > misbehavior and so on. We will try to avoid them. > SSO is not really the aim for us, we just need to make an environment > where users must remember only one password to access all resources on > unix/linux servers. > > Not trying to argue, just sharing some thoughts :) Alexander > > ________________________________ > > The information contained in this communication is intended solely for > the use of the individual or entity to whom it is addressed and others > authorized to receive it. It may contain confidential or legally > privileged information. The contents may not be disclosed or used by anyone other than the addressee. > If you are not the intended recipient(s), any use, disclosure, > copying, distribution or any action taken or omitted to be taken in > reliance on it is prohibited and may be unlawful. If you have received > this communication in error please notify us immediately by responding > to this email and then delete the e-mail and all attachments and any copies thereof. > ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
(c)20mf50 From mkosek at redhat.com Tue Apr 14 06:51:16 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Apr 2015 08:51:16 +0200 Subject: [Freeipa-users] Checking 389 for ACI contamination In-Reply-To: References: <2B6BD5B0-B11F-40B2-BBC6-D5C84086783B@gmail.com> <552B634C.1060808@redhat.com> Message-ID: <552CB8E4.2060803@redhat.com> On 04/14/2015 03:51 AM, Brian Topping wrote: > >> On Apr 13, 2015, at 1:33 PM, Martin Kosek wrote: >> >> On 04/12/2015 05:27 AM, Brian Topping wrote: >>> Hi all, trying to figure out if I may have contaminated my ACIs in the >>> process of upgrading my replicated deployment. I didn't upgrade the >>> instances at the same time, is there any possibility that the 3.x ACIs >>> contaminated the 4.x DIT? >> >> What do you mean, by... contaminated? Can you please described what >> exactly happened? >> >> As Dmitri said, there were major ACI related changes in 4.0, but I am not >> sure what is the problem in your case. > > The only thing that is broken at the moment is my OCD. I did make a couple > of changes in my 3.x deployment that appear to have been insufficient when I > upgraded, but I didn't name them well and I'm having issues trying to find > which ones they were. Now that I've RTFM on ACIs, I want to make sure > everything that is there is there for a reason. I'd rather put effort in now > than be surprised by some cruft I left behind in a future upgrade. Ok :-) > >>> If so, how would I check it? Is there an LDIF in the disto that I can >>> manually compare the entries? >> >> I am not sure which entries are you referring to. But from 4.0, most of >> the ACIs are now generated dynamically, from Python code. > > If the schema/ACIs are managed by Python, it might be interesting for the > script to generate warnings when it runs. Stuff like missing/extra schema & > ACIs. Just a thought. I think the ACI upgrade plugin indeed generates warnings whet it has problems when processing the ACIs. 
Not all ACIs are processed during upgrade to FreeIPA 4.0+. Only the FreeIPA default system ACIs are processed; after upgrade you will see them as "System: ..." permissions for which you will only have limited edit capabilities. From mkosek at redhat.com Tue Apr 14 06:58:16 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Apr 2015 08:58:16 +0200 Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7) In-Reply-To: <20150413153743.GH3945@redhat.com> References: <20150413153743.GH3945@redhat.com> Message-ID: <552CBA88.5000605@redhat.com> On 04/13/2015 05:37 PM, Alexander Bokovoy wrote: > On Mon, 13 Apr 2015, Gould, Joshua wrote: >> I've looked at the docs and it looks as if I can specify an external >> user who can have sudo rights via IPA. >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo >> >> >> The issue being that when I try to add my AD Trust user, it doesn't >> allow the @ sign. (ex. gould at test.osuwmc). >> >> If I modify the sudo rule to allow all users, I can see that it allows >> my AD account sudo rights. >> >> $ sudo -l >> >> User gould at test.osuwmc may run the following commands on this host: >> (ALL : ALL) ALL >> >> How can I configure the rule to allow certain AD users to be able to >> execute certain sudo rules? > Through the external users' groups mechanism we use for any other AD users > mapping in HBAC and SUDO. These are not local (not defined in IPA but > defined on the host) groups and users but rather AD groups and users. > > ipa group-add --external gould_group_ext > ipa group-add-member gould_group_ext --external=gould at test.osuwmc > ipa group-add gould_group > ipa group-add-member gould_group --groups=gould_group_ext > > And now make a sudo rule that allows users of gould_group to run the needed > commands. SSSD will pull in all membership information for gould_group, > including AD users.
Theoretically, adding AD users as *external* users to the SUDO rule should work, given they are stored as a bare string, no? See an example of such a rule below:

# ipa sudorule-show test --all --raw
dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
cn: test
ipaenabledflag: TRUE
hostcategory: all
externaluser: foouser
ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
objectClass: ipasudorule
objectClass: ipaassociation

The change in FreeIPA would then only be a matter of allowing users with '@' in the 'externaluser' attribute. From mkosek at redhat.com Tue Apr 14 07:03:23 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 14 Apr 2015 09:03:23 +0200 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> Message-ID: <552CBBBB.8060807@redhat.com> I am personally not aware of such a deployment. The linux-nfs.org NFS HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication also use no_root_squash. To do this properly, I assume you would need to have some notification mechanism deployed on the FreeIPA server, that would trigger the home directory creation on the server. (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) On 04/13/2015 08:58 PM, Prasun Gera wrote: > Just a follow up. I thought that making NFS a service in IPA takes care of > this, but it looks like the issues are unrelated. Home directories are > created automatically if the user logs in to the NFS server, but I haven't > found any solution to trigger this from a client without using > no_root_squash for the mount on the IPA server. If someone has achieved this > functionality, can you share your experience ?
> > On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera wrote: > >> Here's the link: >> >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories >> >> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote: >> >>> On 04/09/2015 07:44 PM, Prasun Gera wrote: >>> >>> I have a somewhat related question. Without kerberizing NFS, which I'll >>> do eventually since that needs all the clients to be migrated first, how >>> does one create home directories automatically ? The IPA server and NFS >>> server are different systems. I was able to verify that automatic home >>> creation works if the NFS share is exported to the IPA server with >>> no_root_squash. What's the proper way of doing this ? >>> >>> >>> The documentation says: >>> >>> >>> Which documentation you are referring to? >>> Can you please post the link? >>> >>> >>> >>> Use a remote user who has limited permissions to create home directories >>> and mount the share on the IdM server as that user. Since the IdM server >>> runs as an httpd process, it is possible to use sudo or a similar program >>> to grant limited access to the IdM server to create home directories on the >>> NFS server. >>> >>> >>> >>> What would be the list of steps that would achieve this ? What are the >>> limited permissions that the NFS user would need ? Read + Write, but no >>> Delete to the /home directory ? Sounds like something that would need ACLs. >>> And where does sudo on the IPA server fit into this ? >>> >>> >>> >>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < >>> roberto.cornacchia at gmail.com> wrote: >>> >>>> Thanks, Jakub. 
>>>> >>>> >>>> On 19 March 2015 at 21:23, Jakub Hrozek wrote: >>>> >>>>> >>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia < >>>>> roberto.cornacchia at gmail.com> wrote: >>>>>> >>>>>> It's possible that I'm simply not getting the point, or that I don't >>>>> understand the documentation correctly, but this is what I don't find clear: >>>>>> >>>>>> I had seen the instructions you pointed me at. These are not >>>>> specifically about home directories. >>>>>> >>>>>> However, this section is: >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs >>>>>> >>>>>> It first suggests that automatic creation of home directories over >>>>> NFS shares is possible: just automount /home and then use >>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login. >>>>>> >>>>>> But then it also suggests that mounting the whole /home tree could be >>>>> an issue, and says: "Use automount to mount only the user's home directory >>>>> and only when the user logs in, rather than loading the entire /home tree." >>>>>> >>>>>> That means that automatic homedir creation is out of the game, >>>>> doesn't it? >>>>>> >>>>>> That's what I find confusing. What's the recommended way? >>>>>> >>>>> >>>>> It really depends on your environment. For your size, it's perfectly >>>>> fine to NFS mount the whole /home tree and be done with it. Don't optimize >>>>> prematurely :-) >>>>> >>>>>> >>>>>> >>>>>> On 19 March 2015 at 20:49, Dmitri Pal wrote: >>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: >>>>>>> Hi Dmitri, >>>>>>> >>>>>>> I do realise my question is borderline and I accept that it is >>>>> considered off-topic. >>>>>>> >>>>>>> I did post it here because I believe it's not *only* about NFS, but >>>>> also about its interaction with freeIPA. 
The issue of NFS home and in >>>>> particular about their creation is touched in all the links I posted (all >>>>> about freeIPA) and never really answered. >>>>>>> >>>>>> >>>>>> This is what documented and recommended: >>>>>> >>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs >>>>>> >>>>>> RHEL6 has a similar chapter in its doc set though books have changed >>>>> significantly between 6 and 7. >>>>>> >>>>>> I do not see any chicken and egg problem there. >>>>>> The instructions show how to create home dirs on the first login. >>>>>> >>>>>> It mounts the volume and then creates dirs on it as users log in if >>>>> they are not already there. >>>>>> >>>>>> It is unclear what problem you see with doing it the way it is >>>>> recommended. >>>>>> >>>>>> >>>>>> >>>>>>> Best, >>>>>>> Roberto >>>>>>> >>>>>>> On 19 March 2015 at 19:36, Dmitri Pal wrote: >>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: >>>>>>>> On 6 March 2015 at 11:15, Martin Kosek wrote: >>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: >>>>>>>> Hi there, >>>>>>>> >>>>>>>> I'm planning to deploy freeIPA on our lan. >>>>>>>> It's small-ish and completely based on FC21, so I expect everything >>>>> to work >>>>>>>> like a charm. >>>>>>>> >>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0. >>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once >>>>> we switch our >>>>>>>> desktops to freeIPA. >>>>>>>> >>>>>>>> Great! >>>>>>>> >>>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> The first thing I'm struggling with is to find the correct >>>>> approach about NFS home dirs. 
>>>>>>>> The ideal setting would be: >>>>>>>> - home dirs on the NAS >>>>>>>> - IPA manages automount maps >>>>>>>> - home dirs are created automatically at first login >>>>>>>> >>>>>>>> The documentation I could find on these topics includes only >>>>> not-so-recent pages (anything I missed?): >>>>>>>> >>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA >>>>>>>> >>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html >>>>>>>> >>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories >>>>>>>> >>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ >>>>>>>> >>>>>>>> Now, I admit I don't have much experience with setting up NFS >>>>> homes, with or without freeIPA, so trying to get this done correctly in the >>>>> context of freeIPA and without clear howtos isn't very easy, but I'm >>>>> willing to get my hands dirty. >>>>>>>> >>>>>>>> The first problem I struggle with is on the correct approach. >>>>>>>> From the documentation above, I understand that there is a bit of a >>>>> chicken-egg problem about the creation of home dirs. >>>>>>>> On the one hand, it would be optimal to have automount maps to load >>>>> only single home dirs on demand, rather than the entire /home tree. >>>>>>>> On the other hand, if the /home tree is not available, then >>>>> creating /home/user1 dir automatically isn't really possible. >>>>>>>> >>>>>>>> Just mounting the whole /home tree would make things easier, but I >>>>> don't have a feeling of when it starts to become a performance issue >>>>> (assuming recent hardware and up to date software). 10 users? 50? 100? 500? >>>>> No idea. 
>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10 >>>>> users and probably won't be larger than 50 in the next few years (and if it >>>>> will, it means things are going well, so what the heck ;) >>>>>>>> Also true that, with such few users, I could just create the >>>>> homedirs manually when needed (this is not an organisation where many users >>>>> come and go) and just mount the individually. >>>>>>>> Any tips about this? >>>>>>>> >>>>>>>> Best, Roberto >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Some of these questions are really outside the scope of this list. >>>>>>> You might consider asking them on the NFS list. >>>>>>> >>>>>>> -- >>>>>>> Thank you, >>>>>>> Dmitri Pal >>>>>>> >>>>>>> Sr. Engineering Manager IdM portfolio >>>>>>> Red Hat, Inc. >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> Go to http://freeipa.org for more info on the project >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thank you, >>>>>> Dmitri Pal >>>>>> >>>>>> Sr. Engineering Manager IdM portfolio >>>>>> Red Hat, Inc. >>>>>> >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. 
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>

From mkosek at redhat.com Tue Apr 14 07:07:02 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 14 Apr 2015 09:07:02 +0200
Subject: [Freeipa-users] Upgrading Freeipa 3 server.
In-Reply-To:
References: <552C5586.6080607@redhat.com>
Message-ID: <552CBC96.1080505@redhat.com>

You do not need to uninstall the 4 server, you just need to install the CA component on it:

# ipa-ca-install /path/to/replica.file

... and make it CRL/renewal master. See step 8 and later in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

On 04/14/2015 02:06 AM, Aric Wilisch wrote:
> I didn't see this guide until now. The IPA3 server started off as a RHEL 6.6 server so no upgrade is necessary, but I simply generated the replica file and created the IPA 4 server as a replica. Aside from the CA not being there the server looks to be working fine and shows up as a master.
>
> I'll uninstall the 4 server and work through the script process to see if that fixes the issue.
>
> Regards,
> ------------------------------------------
> Aric Wilisch
> awilisch at gmail.com
>
>> On Apr 13, 2015, at 7:47 PM, Dmitri Pal wrote:
>>
>> On 04/13/2015 07:26 PM, Aric Wilisch wrote:
>>> One of our environments has a Freeipa3 server installed and I need to upgrade it to FreeIPA 4. I brought up RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA3 box. But now I'm stuck. I can't find any good documentation on how to promote the new FreeIPA4 server and take the old FreeIPA3 server out of the picture. If I do an ipa-replica-manage del --force stip01.staging.fioptics.int it tells me I can't because it would leave me without a CA. However I can't find any documentation on migrating the CA from IPA3 to IPA4.
>>>
>>> Any help would be appreciated.
>>>
>>> Regards,
>>> ------------------------------------------
>>> Aric Wilisch
>>> awilisch at gmail.com
>>>
>>
>> Did you follow this procedure?
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>
>> I would say that I would recommend upgrading to 6.6 rather than 6.5.
>>
>> If you did not what exactly did you do?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

From pspacek at redhat.com Tue Apr 14 07:17:20 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Apr 2015 09:17:20 +0200
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <552BCDA0.2050200@aalto.fi>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com> <55278F32.4020302@aalto.fi> <55279255.6070908@redhat.com> <552BCDA0.2050200@aalto.fi>
Message-ID: <552CBF00.1050001@redhat.com>

On 13.4.2015 16:07, Janne Blomqvist wrote:
> On 2015-04-10 12:05, Petr Spacek wrote:
>> On 10.4.2015 10:52, Janne Blomqvist wrote:
>>> On 2015-04-07 14:29, Martin Kosek wrote:
>>>> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
>>>>> On 04/05/2015 12:51 PM, Janelle wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Trying to find a way on a multi-homed server to force IPA and its related apps to listen on a specific interface. I can find all kinds of info saying "the services listen on all interfaces by default" so there must be a way?
>>>>>>
>>>>>> Thank you
>>>>>> ~J
>>>>>>
>>>>> Sounds familiar.
>>>>> I think there is a ticket open for that.
>>>>
>>>> This is the RFE:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3338
>>>>
>>>> Just in case anybody would like to help us extend FreeIPA installers :-)
>>>>
>>>
>>> Hi,
>>>
>>> I have a related, or opposite really, problem.
>>>
>>> So I have configured IPA for a domain (say, ipa.example.org). Then I have a bunch of client machines that can join the domain etc. Fine so far.
>>>
>>> However, I also have another bunch of client machines on an internal network (with NAT access to the outside world). So for these I add another network interface on the ipa servers. So my ipa servers have two IP's and dns names, say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now it doesn't work so well anymore for these clients, because the krb principals for the IPA server(s) are bound to the public name, so joining the domain fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by joining via the public interface (manually creating the machine accounts on the ipa server first, since otherwise it doesn't understand clientX.local dns names/IP's), but then obviously all communication goes via the NAT box which is a SPOF.
>>>
>>> So is there some reasonable way to make the above work?
>>
>> IMHO cleanest solution is to properly configure routing in your network to route your public IP range properly to the respective subnet instead of going through a NAT.
>>
>> Details depend on your network so I do not have exact steps for you, sorry.
>>
> Thanks. So do you mean something like on each client machine in the NATed network I add special routes to the ipa servers? And by that the client machines would know that ipa1.ipa.example.org can be reached via ipa1.local instead of going via the default route (which is the NAT box)?

Details really depend on your setup. For example:
- IPA servers are in subnet 10.1.1.0/24 and have public addresses in 192.0.2.0/24 subnet.
- Clients are in 10.2.2.0/24 subnet behind NAT, subnet gateway is 10.2.2.254.

In this setup you need to add route 192.0.2.0/24 to the gateway 10.2.2.254 (and to add 192.0.2.0/24 addresses to IPA server interfaces if they are not configured yet).

If you have really small network where all hosts are in a single network then you really might need to add route to multiple hosts to get rid of SPOF on gateway. Here you need to consider what happens if adding the route to all hosts is worth the effort: What happens if the gateway is down? Is the gateway a separate router or is it some kind of all-in-one switch+router as typically seen in really small setups?

I hope this helps.

--
Petr Spacek @ Red Hat

From prasun.gera at gmail.com Tue Apr 14 08:37:23 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 14 Apr 2015 04:37:23 -0400
Subject: [Freeipa-users] Synology DSM5 and freeIPA
In-Reply-To: <552CBBBB.8060807@redhat.com>
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com>
Message-ID:

Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( "Use a remote user ...") ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear.

On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek wrote:
> I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from
> http://www.freeipa.org/page/HowTos#Authentication
> also uses no_root_squash.
>
> To do this properly, I assume you would need have some notification mechanism deployed on FreeIPA server, that would trigger the home directory creation on the server.
> > (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) > > On 04/13/2015 08:58 PM, Prasun Gera wrote: > > Just a follow up. I thought that making NFS a service in IPA takes care > of > > this, but it looks like the issues are unrelated. Home directories are > > created automatically if the user logs in to the NFS server, but I > haven't > > found any solution to trigger this from a client without using > > no_root_squah for the mount on the IPA server. If someone has achieved > this > > functionality, can you share your experience ? > > > > On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera > wrote: > > > >> Here's the link: > >> > >> > >> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories > >> > >> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote: > >> > >>> On 04/09/2015 07:44 PM, Prasun Gera wrote: > >>> > >>> I have a somewhat related question. Without kerberizing NFS, which > I'll > >>> do eventually since that needs all the clients to be migrated first, > how > >>> does one create home directories automatically ? The IPA server and NFS > >>> server are different systems. I was able to verify that automatic home > >>> creation works if the NFS share is exported to the IPA server with > >>> no_root_squash. What's the proper way of doing this ? > >>> > >>> > >>> The documentation says: > >>> > >>> > >>> Which documentation you are referring to? > >>> Can you please post the link? > >>> > >>> > >>> > >>> Use a remote user who has limited permissions to create home > directories > >>> and mount the share on the IdM server as that user. Since the IdM > server > >>> runs as an httpd process, it is possible to use sudo or a similar > program > >>> to grant limited access to the IdM server to create home directories > on the > >>> NFS server. > >>> > >>> > >>> > >>> What would be the list of steps that would achieve this ? 
What are the > >>> limited permissions that the NFS user would need ? Read + Write, but no > >>> Delete to the /home directory ? Sounds like something that would need > ACLs. > >>> And where does sudo on the IPA server fit into this ? > >>> > >>> > >>> > >>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < > >>> roberto.cornacchia at gmail.com> wrote: > >>> > >>>> Thanks, Jakub. > >>>> > >>>> > >>>> On 19 March 2015 at 21:23, Jakub Hrozek wrote: > >>>> > >>>>> > >>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia < > >>>>> roberto.cornacchia at gmail.com> wrote: > >>>>>> > >>>>>> It's possible that I'm simply not getting the point, or that I don't > >>>>> understand the documentation correctly, but this is what I don't > find clear: > >>>>>> > >>>>>> I had seen the instructions you pointed me at. These are not > >>>>> specifically about home directories. > >>>>>> > >>>>>> However, this section is: > >>>>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs > >>>>>> > >>>>>> It first suggests that automatic creation of home directories over > >>>>> NFS shares is possible: just automount /home and then use > >>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first > login. > >>>>>> > >>>>>> But then it also suggests that mounting the whole /home tree could > be > >>>>> an issue, and says: "Use automount to mount only the user's home > directory > >>>>> and only when the user logs in, rather than loading the entire /home > tree." > >>>>>> > >>>>>> That means that automatic homedir creation is out of the game, > >>>>> doesn't it? > >>>>>> > >>>>>> That's what I find confusing. What's the recommended way? > >>>>>> > >>>>> > >>>>> It really depends on your environment. For your size, it's perfectly > >>>>> fine to NFS mount the whole /home tree and be done with it. 
Don't > optimize > >>>>> prematurely :-) > >>>>> > >>>>>> > >>>>>> > >>>>>> On 19 March 2015 at 20:49, Dmitri Pal wrote: > >>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: > >>>>>>> Hi Dmitri, > >>>>>>> > >>>>>>> I do realise my question is borderline and I accept that it is > >>>>> considered off-topic. > >>>>>>> > >>>>>>> I did post it here because I believe it's not *only* about NFS, but > >>>>> also about its interaction with freeIPA. The issue of NFS home and in > >>>>> particular about their creation is touched in all the links I posted > (all > >>>>> about freeIPA) and never really answered. > >>>>>>> > >>>>>> > >>>>>> This is what documented and recommended: > >>>>>> > >>>>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs > >>>>>> > >>>>>> RHEL6 has a similar chapter in its doc set though books have changed > >>>>> significantly between 6 and 7. > >>>>>> > >>>>>> I do not see any chicken and egg problem there. > >>>>>> The instructions show how to create home dirs on the first login. > >>>>>> > >>>>>> It mounts the volume and then creates dirs on it as users log in if > >>>>> they are not already there. > >>>>>> > >>>>>> It is unclear what problem you see with doing it the way it is > >>>>> recommended. > >>>>>> > >>>>>> > >>>>>> > >>>>>>> Best, > >>>>>>> Roberto > >>>>>>> > >>>>>>> On 19 March 2015 at 19:36, Dmitri Pal wrote: > >>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: > >>>>>>>> On 6 March 2015 at 11:15, Martin Kosek wrote: > >>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: > >>>>>>>> Hi there, > >>>>>>>> > >>>>>>>> I'm planning to deploy freeIPA on our lan. > >>>>>>>> It's small-ish and completely based on FC21, so I expect > everything > >>>>> to work > >>>>>>>> like a charm. > >>>>>>>> > >>>>>>>> Except one detail. We have Synology NAS station, which uses DSM > 5.0. 
> >>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once > >>>>> we switch our > >>>>>>>> desktops to freeIPA. > >>>>>>>> > >>>>>>>> Great! > >>>>>>>> > >>>>>>>> > >>>>>>>> Hello, > >>>>>>>> > >>>>>>>> The first thing I'm struggling with is to find the correct > >>>>> approach about NFS home dirs. > >>>>>>>> The ideal setting would be: > >>>>>>>> - home dirs on the NAS > >>>>>>>> - IPA manages automount maps > >>>>>>>> - home dirs are created automatically at first login > >>>>>>>> > >>>>>>>> The documentation I could find on these topics includes only > >>>>> not-so-recent pages (anything I missed?): > >>>>>>>> > >>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA > >>>>>>>> > >>>>> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html > >>>>>>>> > >>>>> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories > >>>>>>>> > >>>>> > http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/ > >>>>>>>> > >>>>>>>> Now, I admit I don't have much experience with setting up NFS > >>>>> homes, with or without freeIPA, so trying to get this done correctly > in the > >>>>> context of freeIPA and without clear howtos isn't very easy, but I'm > >>>>> willing to get my hands dirty. > >>>>>>>> > >>>>>>>> The first problem I struggle with is on the correct approach. > >>>>>>>> From the documentation above, I understand that there is a bit of > a > >>>>> chicken-egg problem about the creation of home dirs. > >>>>>>>> On the one hand, it would be optimal to have automount maps to > load > >>>>> only single home dirs on demand, rather than the entire /home tree. > >>>>>>>> On the other hand, if the /home tree is not available, then > >>>>> creating /home/user1 dir automatically isn't really possible. 
> >>>>>>>> > >>>>>>>> Just mounting the whole /home tree would make things easier, but I > >>>>> don't have a feeling of when it starts to become a performance issue > >>>>> (assuming recent hardware and up to date software). 10 users? 50? > 100? 500? > >>>>> No idea. > >>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10 > >>>>> users and probably won't be larger than 50 in the next few years > (and if it > >>>>> will, it means things are going well, so what the heck ;) > >>>>>>>> Also true that, with such few users, I could just create the > >>>>> homedirs manually when needed (this is not an organisation where > many users > >>>>> come and go) and just mount the individually. > >>>>>>>> Any tips about this? > >>>>>>>> > >>>>>>>> Best, Roberto > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> Some of these questions are really outside the scope of this list. > >>>>>>> You might consider asking them on the NFS list. > >>>>>>> > >>>>>>> -- > >>>>>>> Thank you, > >>>>>>> Dmitri Pal > >>>>>>> > >>>>>>> Sr. Engineering Manager IdM portfolio > >>>>>>> Red Hat, Inc. > >>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> Manage your subscription for the Freeipa-users mailing list: > >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>>> Go to http://freeipa.org for more info on the project > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> Thank you, > >>>>>> Dmitri Pal > >>>>>> > >>>>>> Sr. Engineering Manager IdM portfolio > >>>>>> Red Hat, Inc. 
> >>>>>>
> >>>>>> --
> >>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>> Go to http://freeipa.org for more info on the project
> >>>>>>
> >>>>>> --
> >>>>>> Manage your subscription for the Freeipa-users mailing list:
> >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>> Go to http://freeipa.org for more info on the project
> >>>>>
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project
> >>>>
> >>>
> >>> --
> >>> Thank you,
> >>> Dmitri Pal
> >>>
> >>> Sr. Engineering Manager IdM portfolio
> >>> Red Hat, Inc.
> >>>
> >>> --
> >>> Manage your subscription for the Freeipa-users mailing list:
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Go to http://freeipa.org for more info on the project
> >>>
> >>
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Tue Apr 14 08:48:59 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Apr 2015 11:48:59 +0300
Subject: [Freeipa-users] Sudo rules w/ external users (RHEL7)
In-Reply-To: <552CBA88.5000605@redhat.com>
References: <20150413153743.GH3945@redhat.com> <552CBA88.5000605@redhat.com>
Message-ID: <20150414084859.GK3945@redhat.com>

On Tue, 14 Apr 2015, Martin Kosek wrote:
>On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:
>> On Mon, 13 Apr 2015, Gould, Joshua wrote:
>>> I've looked at the docs and it looks as if I can specify an external user who can have sudo rights via IPA.
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo
>>>
>>> The issue being that when I try to add my AD Trust user, it doesn't allow the @ sign. (ex. gould at test.osuwmc).
>>>
>>> If I modify the sudo rule to allow all users, I can see that it allows my AD account sudo rights.
>>>
>>> $ sudo -l
>>>
>>> User gould at test.osuwmc may run the following commands on this host:
>>> (ALL : ALL) ALL
>>>
>>> How can I configure the rule to allow certain AD users to be able to execute certain sudo rules?
>> Through external users' groups mechanism we use for any other AD users mapping in HBAC and SUDO. These are not local (not defined in IPA but defined on the host) groups and users but rather AD groups and users.
>>
>> ipa group-add --external gould_group_ext
>> ipa group-add-member gould_group_ext --external=gould at test.osuwmc
>> ipa group-add gould_group
>> ipa group-add-member gould_group --groups=gould_group_ext
>>
>> And now make sudo rule that allows users of gould_group to run needed commands. SSSD will pull in all membership information for gould_group, including AD users.
>
>Theoretically, adding AD users as *external* users to the SUDO rule should work, given they are stored as a bare string, no? See example of such rule below..
>
># ipa sudorule-show test --all --raw
>  dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
>  cn: test
>  ipaenabledflag: TRUE
>  hostcategory: all
>  externaluser: foouser
>  ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
>  memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
>  objectClass: ipasudorule
>  objectClass: ipaassociation
>
>The change in FreeIPA would be then only a matter of allowing users with '@' in 'externaluser' attribute

You lose validation of the user name here (we do validate that AD user in question exists).

And externaluser* options are deprecated.

--
/ Alexander Bokovoy

From mkosek at redhat.com Tue Apr 14 08:55:50 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 14 Apr 2015 10:55:50 +0200
Subject: [Freeipa-users] Synology DSM5 and freeIPA
In-Reply-To:
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com>
Message-ID: <552CD616.5050500@redhat.com>

We will get someone review the chapter again, to remove the uncertainty. Would you then be willing to proof-read the result?

On 04/14/2015 10:37 AM, Prasun Gera wrote:
> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts on the documentation blurb mentioned a couple of mails ago ( "Use a remote user ...") ? The local root on the IPA server can be mapped to a particular user on the NFS server. That bit sounds straightforward. The other parts are less clear.
>
> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek wrote:
>
>> I am personally not aware of such deployment. The linux-nfs.org NFS HOWTOs we link from
>> http://www.freeipa.org/page/HowTos#Authentication
>> also uses no_root_squash.
>> >> To do this properly, I assume you would need have some notification >> mechanism >> deployed on FreeIPA server, that would trigger the home directory creation >> on >> the server. >> >> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) >> >> On 04/13/2015 08:58 PM, Prasun Gera wrote: >>> Just a follow up. I thought that making NFS a service in IPA takes care >> of >>> this, but it looks like the issues are unrelated. Home directories are >>> created automatically if the user logs in to the NFS server, but I >> haven't >>> found any solution to trigger this from a client without using >>> no_root_squah for the mount on the IPA server. If someone has achieved >> this >>> functionality, can you share your experience ? >>> >>> On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera >> wrote: >>> >>>> Here's the link: >>>> >>>> >>>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories >>>> >>>> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote: >>>> >>>>> On 04/09/2015 07:44 PM, Prasun Gera wrote: >>>>> >>>>> I have a somewhat related question. Without kerberizing NFS, which >> I'll >>>>> do eventually since that needs all the clients to be migrated first, >> how >>>>> does one create home directories automatically ? The IPA server and NFS >>>>> server are different systems. I was able to verify that automatic home >>>>> creation works if the NFS share is exported to the IPA server with >>>>> no_root_squash. What's the proper way of doing this ? >>>>> >>>>> >>>>> The documentation says: >>>>> >>>>> >>>>> Which documentation you are referring to? >>>>> Can you please post the link? >>>>> >>>>> >>>>> >>>>> Use a remote user who has limited permissions to create home >> directories >>>>> and mount the share on the IdM server as that user. 
Since the IdM >> server >>>>> runs as an httpd process, it is possible to use sudo or a similar >> program >>>>> to grant limited access to the IdM server to create home directories >> on the >>>>> NFS server. >>>>> >>>>> >>>>> >>>>> What would be the list of steps that would achieve this ? What are the >>>>> limited permissions that the NFS user would need ? Read + Write, but no >>>>> Delete to the /home directory ? Sounds like something that would need >> ACLs. >>>>> And where does sudo on the IPA server fit into this ? >>>>> >>>>> >>>>> >>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < >>>>> roberto.cornacchia at gmail.com> wrote: >>>>> >>>>>> Thanks, Jakub. >>>>>> >>>>>> >>>>>> On 19 March 2015 at 21:23, Jakub Hrozek wrote: >>>>>> >>>>>>> >>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia < >>>>>>> roberto.cornacchia at gmail.com> wrote: >>>>>>>> >>>>>>>> It's possible that I'm simply not getting the point, or that I don't >>>>>>> understand the documentation correctly, but this is what I don't >> find clear: >>>>>>>> >>>>>>>> I had seen the instructions you pointed me at. These are not >>>>>>> specifically about home directories. >>>>>>>> >>>>>>>> However, this section is: >>>>>>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs >>>>>>>> >>>>>>>> It first suggests that automatic creation of home directories over >>>>>>> NFS shares is possible: just automount /home and then use >>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first >> login. >>>>>>>> >>>>>>>> But then it also suggests that mounting the whole /home tree could >> be >>>>>>> an issue, and says: "Use automount to mount only the user's home >> directory >>>>>>> and only when the user logs in, rather than loading the entire /home >> tree." >>>>>>>> >>>>>>>> That means that automatic homedir creation is out of the game, >>>>>>> doesn't it? 
>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>
>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>>>>>> optimize prematurely :-)
>>>>>>>
>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal wrote:
>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>> Hi Dmitri,
>>>>>>>>>
>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>>>> considered off-topic.
>>>>>>>>>
>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>>>>>> particular about their creation is touched in all the links I posted
>>>>>>>>> (all about freeIPA) and never really answered.
>>>>>>>>
>>>>>>>> This is what is documented and recommended:
>>>>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>
>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>> significantly between 6 and 7.
>>>>>>>>
>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>
>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>> they are not already there.
>>>>>>>>
>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>> recommended.
>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Roberto
>>>>>>>>>
>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal wrote:
>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek wrote:
>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>> Hi there,
>>>>>>>>>>
>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>> It's small-ish and completely based on FC21, so I expect everything
>>>>>>>>>> to work like a charm.
>>>>>>>>>>
>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM 5.0.
>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>>>>>>> we switch our desktops to freeIPA.
>>>>>>>>>>
>>>>>>>>>> Great!
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>>>>>>> approach about NFS home dirs.
>>>>>>>>>> The ideal setting would be:
>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>
>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>
>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>>>>>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>>>>>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>
>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>>>>>>>>> in the context of freeIPA and without clear howtos isn't very easy,
>>>>>>>>>> but I'm willing to get my hands dirty.
>>>>>>>>>>
>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>> From the documentation above, I understand that there is a bit of a
>>>>>>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>>>> On the one hand, it would be optimal to have automount maps to load
>>>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>
>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>>>>>>>>> 100? 500? No idea.
>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>>>> users and probably won't be larger than 50 in the next few years
>>>>>>>>>> (and if it will, it means things are going well, so what the heck ;)
>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>>>> homedirs manually when needed (this is not an organisation where
>>>>>>>>>> many users come and go) and just mount them individually.
>>>>>>>>>> Any tips about this?
>>>>>>>>>>
>>>>>>>>>> Best, Roberto
>>>>>>>>>>
>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thank you,
>>>>>>>>> Dmitri Pal
>>>>>>>>>
>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>> Red Hat, Inc.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>> >>>>>>>> -- >>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thank you, >>>>> Dmitri Pal >>>>> >>>>> Sr. Engineering Manager IdM portfolio >>>>> Red Hat, Inc. >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>> >>>> >>> >>> >>> >> >> > From abokovoy at redhat.com Tue Apr 14 08:58:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 14 Apr 2015 11:58:44 +0300 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: References: <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com> Message-ID: <20150414085844.GL3945@redhat.com> On Tue, 14 Apr 2015, Prasun Gera wrote: >Thanks. Yes, the feature would be pretty useful. Do you have any thoughts >on the documentation blurb mentioned a couple of mails ago ( "Use a remote >user ...") ? The local root on the IPA server can be mapped to a >particular user on the NFS server. That bit sounds straightforward. The >other parts are less clear. In general we are not recommending to allow generic users to login to IPA masters and to use IPA masters for other purposes than KDC and LDAP servers. 
IPA masters are at heart of your organizational infrastructure, any break of them will cause outage for the whole organization. This is one of reasons we didn't add tight integration with storage servers. We recognize need to trigger external events when something happens on IPA, like a user is created or deleted. We already have oddjob as a general mechanism to send messages from a non-privileged process to a privileged process. We just need to add another client (DS plugin or Python code depending on which level of granularity we are interested in) and a process that would react to the messages plus configuration for that. I would argue a process that oddjob would run can be something simple for the default configuration. I'd suggest we would also provide a configuration that would simply emit the message from oddjob to some of message passing systems and be done with it. If anyone familiar with Python wants to add such integration, I'd be happy to guide you through and make sure the end result will be in FreeIPA releases. > > > >On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek wrote: > >> I am personally not aware of such deployment. The linux-nfs.org NFS >> HOWTOs we >> link from >> http://www.freeipa.org/page/HowTos#Authentication >> also uses no_root_squash. >> >> To do this properly, I assume you would need have some notification >> mechanism >> deployed on FreeIPA server, that would trigger the home directory creation >> on >> the server. >> >> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593) >> >> On 04/13/2015 08:58 PM, Prasun Gera wrote: >> > Just a follow up. I thought that making NFS a service in IPA takes care >> of >> > this, but it looks like the issues are unrelated. Home directories are >> > created automatically if the user logs in to the NFS server, but I >> haven't >> > found any solution to trigger this from a client without using >> > no_root_squah for the mount on the IPA server. 
>> > If someone has achieved this functionality, can you share your
>> > experience ?
>> >
>> > On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera wrote:
>> >
>> >> Here's the link:
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>> >>
>> >> On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal wrote:
>> >>
>> >>> On 04/09/2015 07:44 PM, Prasun Gera wrote:
>> >>>
>> >>> I have a somewhat related question. Without kerberizing NFS, which
>> >>> I'll do eventually since that needs all the clients to be migrated
>> >>> first, how does one create home directories automatically ? The IPA
>> >>> server and NFS server are different systems. I was able to verify
>> >>> that automatic home creation works if the NFS share is exported to
>> >>> the IPA server with no_root_squash. What's the proper way of doing
>> >>> this ?
>> >>>
>> >>> The documentation says:
>> >>>
>> >>> Which documentation are you referring to?
>> >>> Can you please post the link?
>> >>>
>> >>> Use a remote user who has limited permissions to create home
>> >>> directories and mount the share on the IdM server as that user. Since
>> >>> the IdM server runs as an httpd process, it is possible to use sudo
>> >>> or a similar program to grant limited access to the IdM server to
>> >>> create home directories on the NFS server.
>> >>>
>> >>> What would be the list of steps that would achieve this ? What are
>> >>> the limited permissions that the NFS user would need ? Read + Write,
>> >>> but no Delete to the /home directory ? Sounds like something that
>> >>> would need ACLs. And where does sudo on the IPA server fit into
>> >>> this ?
>> >>>
>> >>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia <
>> >>> roberto.cornacchia at gmail.com> wrote:
>> >>>
>> >>>> Thanks, Jakub.
>> >>>>>> >> >>>>>> >> >>>>>> -- >> >>>>>> Manage your subscription for the Freeipa-users mailing list: >> >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>>>> Go to http://freeipa.org for more info on the project >> >>>>>> >> >>>>>> -- >> >>>>>> Manage your subscription for the Freeipa-users mailing list: >> >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>>>> Go to http://freeipa.org for more info on the project >> >>>>> >> >>>>> >> >>>> >> >>>> -- >> >>>> Manage your subscription for the Freeipa-users mailing list: >> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>>> Go to http://freeipa.org for more info on the project >> >>>> >> >>> >> >>> >> >>> >> >>> >> >>> >> >>> -- >> >>> Thank you, >> >>> Dmitri Pal >> >>> >> >>> Sr. Engineering Manager IdM portfolio >> >>> Red Hat, Inc. >> >>> >> >>> >> >>> -- >> >>> Manage your subscription for the Freeipa-users mailing list: >> >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >>> Go to http://freeipa.org for more info on the project >> >>> >> >> >> >> >> > >> > >> > >> >> >-- >Manage your subscription for the Freeipa-users mailing list: >https://www.redhat.com/mailman/listinfo/freeipa-users >Go to http://freeipa.org for more info on the project -- / Alexander Bokovoy From iain.bell at keryx.im Tue Apr 14 09:04:24 2015 From: iain.bell at keryx.im (Iain Bell) Date: Tue, 14 Apr 2015 10:04:24 +0100 Subject: [Freeipa-users] Synology DSM5 and freeIPA In-Reply-To: <552CD616.5050500@redhat.com> References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com> <552CD616.5050500@redhat.com> Message-ID: Getting FreeIPA Synology DSM5 working together is something I'm interested in doing as well. 
I'm happy to proof read as well

> On 14 Apr 2015, at 09:55, Martin Kosek wrote:
>
> We will get someone to review the chapter again, to remove the uncertainty. Would
> you then be willing to proof-read the result?
>
>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
>> on the documentation blurb mentioned a couple of mails ago ( "Use a remote
>> user ...") ? The local root on the IPA server can be mapped to a
>> particular user on the NFS server. That bit sounds straightforward. The
>> other parts are less clear.
>>
>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek wrote:
>>>
>>> I am personally not aware of such deployment. The linux-nfs.org NFS
>>> HOWTOs we link from
>>> http://www.freeipa.org/page/HowTos#Authentication
>>> also use no_root_squash.
>>>
>>> To do this properly, I assume you would need to have some notification
>>> mechanism deployed on FreeIPA server, that would trigger the home
>>> directory creation on the server.
>>>
>>> (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)
>>>
>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
>>>> Just a follow up. I thought that making NFS a service in IPA takes care
>>>> of this, but it looks like the issues are unrelated. Home directories
>>>> are created automatically if the user logs in to the NFS server, but I
>>>> haven't found any solution to trigger this from a client without using
>>>> no_root_squash for the mount on the IPA server. If someone has achieved
>>>> this functionality, can you share your experience ?
From mkosek at redhat.com Tue Apr 14 10:17:38 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 14 Apr 2015 12:17:38 +0200
Subject: [Freeipa-users] Synology DSM5 and freeIPA
In-Reply-To:
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com> <552CD616.5050500@redhat.com>
Message-ID: <552CE942.8060202@redhat.com>

On 04/14/2015 11:04 AM, Iain Bell wrote:
> Getting FreeIPA and Synology DSM5 working together is something I'm interested in doing as well.

Just to make sure we are on the same page - someone would proof read the
problematic chapter in Red Hat docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

not the Synology DSM5 specific information/HOWTO - members of this list
will have more experience in that.

> I'm happy to proof read as well
>
>> On 14 Apr 2015, at 09:55, Martin Kosek wrote:
>>
>> We will get someone to review the chapter again, to remove the uncertainty. Would
>> you then be willing to proof-read the result?
>>
>>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
>>> Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
>>> on the documentation blurb mentioned a couple of mails ago ( "Use a remote
>>> user ...") ? The local root on the IPA server can be mapped to a
>>> particular user on the NFS server.
>>> That bit sounds straightforward. The
>>> other parts are less clear.
>>>>>>> >>>>>>> >>>>>>> The documentation says: >>>>>>> >>>>>>> >>>>>>> Which documentation you are referring to? >>>>>>> Can you please post the link? >>>>>>> >>>>>>> >>>>>>> >>>>>>> Use a remote user who has limited permissions to create home >>>> directories >>>>>>> and mount the share on the IdM server as that user. Since the IdM >>>> server >>>>>>> runs as an httpd process, it is possible to use sudo or a similar >>>> program >>>>>>> to grant limited access to the IdM server to create home directories >>>> on the >>>>>>> NFS server. >>>>>>> >>>>>>> >>>>>>> >>>>>>> What would be the list of steps that would achieve this ? What are the >>>>>>> limited permissions that the NFS user would need ? Read + Write, but no >>>>>>> Delete to the /home directory ? Sounds like something that would need >>>> ACLs. >>>>>>> And where does sudo on the IPA server fit into this ? >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia < >>>>>>> roberto.cornacchia at gmail.com> wrote: >>>>>>> >>>>>>>> Thanks, Jakub. >>>>>>>> >>>>>>>> >>>>>>>>> On 19 March 2015 at 21:23, Jakub Hrozek wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>>>> On 19 Mar 2015, at 21:18, Roberto Cornacchia < >>>>>>>>>> roberto.cornacchia at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>> It's possible that I'm simply not getting the point, or that I don't >>>>>>>>> understand the documentation correctly, but this is what I don't >>>> find clear: >>>>>>>>>> >>>>>>>>>> I had seen the instructions you pointed me at. These are not >>>>>>>>> specifically about home directories. 
>>>>>>>>>>
>>>>>>>>>> However, this section is:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
>>>>>>>>>>
>>>>>>>>>> It first suggests that automatic creation of home directories over
>>>>>>>>> NFS shares is possible: just automount /home and then use
>>>>>>>>> pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first
>>>> login.
>>>>>>>>>>
>>>>>>>>>> But then it also suggests that mounting the whole /home tree could
>>>> be
>>>>>>>>> an issue, and says: "Use automount to mount only the user's home
>>>> directory
>>>>>>>>> and only when the user logs in, rather than loading the entire /home
>>>> tree."
>>>>>>>>>>
>>>>>>>>>> That means that automatic homedir creation is out of the game,
>>>>>>>>> doesn't it?
>>>>>>>>>>
>>>>>>>>>> That's what I find confusing. What's the recommended way?
>>>>>>>>>
>>>>>>>>> It really depends on your environment. For your size, it's perfectly
>>>>>>>>> fine to NFS mount the whole /home tree and be done with it. Don't
>>>> optimize
>>>>>>>>> prematurely :-)
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 19 March 2015 at 20:49, Dmitri Pal wrote:
>>>>>>>>>>> On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
>>>>>>>>>>> Hi Dmitri,
>>>>>>>>>>>
>>>>>>>>>>> I do realise my question is borderline and I accept that it is
>>>>>>>>> considered off-topic.
>>>>>>>>>>>
>>>>>>>>>>> I did post it here because I believe it's not *only* about NFS, but
>>>>>>>>> also about its interaction with freeIPA. The issue of NFS home and in
>>>>>>>>> particular about their creation is touched in all the links I posted
>>>> (all
>>>>>>>>> about freeIPA) and never really answered.
>>>>>>>>>>
>>>>>>>>>> This is what is documented and recommended:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
>>>>>>>>>>
>>>>>>>>>> RHEL6 has a similar chapter in its doc set though books have changed
>>>>>>>>> significantly between 6 and 7.
>>>>>>>>>>
>>>>>>>>>> I do not see any chicken and egg problem there.
>>>>>>>>>> The instructions show how to create home dirs on the first login.
>>>>>>>>>>
>>>>>>>>>> It mounts the volume and then creates dirs on it as users log in if
>>>>>>>>> they are not already there.
>>>>>>>>>>
>>>>>>>>>> It is unclear what problem you see with doing it the way it is
>>>>>>>>> recommended.
>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>> Roberto
>>>>>>>>>>>
>>>>>>>>>>> On 19 March 2015 at 19:36, Dmitri Pal wrote:
>>>>>>>>>>>> On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> On 6 March 2015 at 11:15, Martin Kosek wrote:
>>>>>>>>>>>> On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
>>>>>>>>>>>> Hi there,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm planning to deploy freeIPA on our lan.
>>>>>>>>>>>> It's small-ish and completely based on FC21, so I expect
>>>> everything
>>>>>>>>> to work
>>>>>>>>>>>> like a charm.
>>>>>>>>>>>>
>>>>>>>>>>>> Except one detail. We have Synology NAS station, which uses DSM
>>>> 5.0.
>>>>>>>>>>>> The ideal plan is to use it as host for shared NFS home dirs once
>>>>>>>>> we switch our
>>>>>>>>>>>> desktops to freeIPA.
>>>>>>>>>>>>
>>>>>>>>>>>> Great!
>>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> The first thing I'm struggling with is to find the correct
>>>>>>>>> approach about NFS home dirs.
>>>>>>>>>>>> The ideal setting would be:
>>>>>>>>>>>> - home dirs on the NAS
>>>>>>>>>>>> - IPA manages automount maps
>>>>>>>>>>>> - home dirs are created automatically at first login
>>>>>>>>>>>>
>>>>>>>>>>>> The documentation I could find on these topics includes only
>>>>>>>>> not-so-recent pages (anything I missed?):
>>>>>>>>>>>>
>>>>>>>>>>>> http://wiki.linux-nfs.org/wiki/index.php/NFS_and_FreeIPA
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automount.html
>>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/users.html#home-directories
>>>> http://adam.younglogic.com/2011/06/automount-and-home-directory-creation/
>>>>>>>>>>>>
>>>>>>>>>>>> Now, I admit I don't have much experience with setting up NFS
>>>>>>>>> homes, with or without freeIPA, so trying to get this done correctly
>>>> in the
>>>>>>>>> context of freeIPA and without clear howtos isn't very easy, but I'm
>>>>>>>>> willing to get my hands dirty.
>>>>>>>>>>>>
>>>>>>>>>>>> The first problem I struggle with is on the correct approach.
>>>>>>>>>>>> From the documentation above, I understand that there is a bit of
>>>> a
>>>>>>>>> chicken-egg problem about the creation of home dirs.
>>>>>>>>>>>> On the one hand, it would be optimal to have automount maps to
>>>> load
>>>>>>>>> only single home dirs on demand, rather than the entire /home tree.
>>>>>>>>>>>> On the other hand, if the /home tree is not available, then
>>>>>>>>> creating /home/user1 dir automatically isn't really possible.
>>>>>>>>>>>>
>>>>>>>>>>>> Just mounting the whole /home tree would make things easier, but I
>>>>>>>>> don't have a feeling of when it starts to become a performance issue
>>>>>>>>> (assuming recent hardware and up to date software). 10 users? 50?
>>>> 100? 500?
>>>>>>>>> No idea.
>>>>>>>>>>>> The realm I'm dealing with at the moment is in the range of 5-10
>>>>>>>>> users and probably won't be larger than 50 in the next few years
>>>> (and if it
>>>>>>>>> will, it means things are going well, so what the heck ;)
>>>>>>>>>>>> Also true that, with such few users, I could just create the
>>>>>>>>> homedirs manually when needed (this is not an organisation where
>>>> many users
>>>>>>>>> come and go) and just mount them individually.
>>>>>>>>>>>> Any tips about this?
>>>>>>>>>>>>
>>>>>>>>>>>> Best, Roberto
>>>>>>>>>>> Some of these questions are really outside the scope of this list.
>>>>>>>>>>> You might consider asking them on the NFS list.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thank you,
>>>>>>>>>>> Dmitri Pal
>>>>>>>>>>>
>>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thank you,
>>>>>>>>>> Dmitri Pal
>>>>>>>>>>
>>>>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>>>>> Red Hat, Inc.
>>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Thank you,
>>>>>>> Dmitri Pal
>>>>>>>
>>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>>> Red Hat, Inc.
>>
>

From prasun.gera at gmail.com Tue Apr 14 10:50:44 2015
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 14 Apr 2015 06:50:44 -0400
Subject: [Freeipa-users] Synology DSM5 and freeIPA
In-Reply-To: <552CE942.8060202@redhat.com>
References: <54F97E3A.6090803@redhat.com> <550B171A.6070600@redhat.com> <550B2841.5000905@redhat.com> <9290BB8D-824B-40CD-8D36-B3CA317696ED@redhat.com> <5527FD7F.6070502@redhat.com> <552CBBBB.8060807@redhat.com> <552CD616.5050500@redhat.com> <552CE942.8060202@redhat.com>
Message-ID:

I can proof read the revised documentation and try out any additional steps that would help in enabling this feature (automatic home dir creation on client login).
On Tue, Apr 14, 2015 at 6:17 AM, Martin Kosek wrote:

> On 04/14/2015 11:04 AM, Iain Bell wrote:
> > Getting FreeIPA and Synology DSM5 working together is something I'm
> interested in doing as well.
>
> Just to make sure we are on the same page - someone would proof read the
> problematic chapter in Red Hat docs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
>
> not the Synology DSM5 specific information/HOWTO - members of this list
> will
> have more experience in that.
>
> > I'm happy to proof read as well
> >
> >> On 14 Apr 2015, at 09:55, Martin Kosek wrote:
> >>
> >> We will get someone to review the chapter again, to remove the
> uncertainty. Would
> >> you then be willing to proof-read the result?
> >>
> >>> On 04/14/2015 10:37 AM, Prasun Gera wrote:
> >>> Thanks. Yes, the feature would be pretty useful. Do you have any
> thoughts
> >>> on the documentation blurb mentioned a couple of mails ago ( "Use a
> remote
> >>> user ...") ? The local root on the IPA server can be mapped to a
> >>> particular user on the NFS server. That bit sounds straightforward. The
> >>> other parts are less clear.
> >>>
> >>>> On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek
> wrote:
> >>>>
> >>>> I am personally not aware of such deployment. The linux-nfs.org NFS
> >>>> HOWTOs we
> >>>> link from
> >>>> http://www.freeipa.org/page/HowTos#Authentication
> >>>> also use no_root_squash.
> >>>>
> >>>> To do this properly, I assume you would need to have some notification
> >>>> mechanism
> >>>> deployed on FreeIPA server, that would trigger the home directory
> creation
> >>>> on
> >>>> the server.
> >>>>
> >>>> (We have a ticket for it:
> https://fedorahosted.org/freeipa/ticket/1593)
> >>>>
> >>>>> On 04/13/2015 08:58 PM, Prasun Gera wrote:
> >>>>> Just a follow up.
> >>>>>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> Thank you,
> >>>>>>> Dmitri Pal
> >>>>>>>
> >>>>>>> Sr. Engineering Manager IdM portfolio
> >>>>>>> Red Hat, Inc.
> >>
> >
>

From awilisch at gmail.com Tue Apr 14 12:59:55 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Tue, 14 Apr 2015 08:59:55 -0400
Subject: [Freeipa-users] Upgrading Freeipa 3 server.
In-Reply-To: <552CBC96.1080505@redhat.com>
References: <552C5586.6080607@redhat.com> <552CBC96.1080505@redhat.com>
Message-ID: <14D193FE-01BC-43F9-864C-90028FD18F59@gmail.com>

Thanks that actually helped.
I have the CA moved and the old server decommissioned now. Thanks.

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

> On Apr 14, 2015, at 3:07 AM, Martin Kosek wrote:
>
> You do not need to uninstall the 4 server, you just need to install the CA
> component on it:
>
> # ipa-ca-install /path/to/replica.file
>
> ... and make it CRL/renewal master. See step 8 and later in
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> On 04/14/2015 02:06 AM, Aric Wilisch wrote:
>> I didn't see this guide until now. The IPA3 server started off as a RHEL 6.6 server so no upgrade is necessary, but I simply generated the replica file and created the IPA 4 server as a replica. Aside from the CA not being there the server looks to be working fine and shows up as a master.
>>
>> I'll uninstall the 4 server and work through the script process to see if that fixes the issue.
>>
>> Regards,
>> ------------------------------------------
>> Aric Wilisch
>> awilisch at gmail.com
>>
>>> On Apr 13, 2015, at 7:47 PM, Dmitri Pal wrote:
>>>
>>> On 04/13/2015 07:26 PM, Aric Wilisch wrote:
>>>> One of our environments has a Freeipa3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA3 box. But now I'm stuck. I can't find any good documentation on how to promote the new FreeIPA4 server and take the old FreeIPA3 server out of the picture. If I do a ipa-replica-manage del --force stip01.staging.fioptics.int it tells me I can't because it would leave me without a CA. However I can't find any documentation on migrating the CA from IPA3 to IPA4.
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Regards,
>>>> ------------------------------------------
>>>> Aric Wilisch
>>>> awilisch at gmail.com
>>>>
>>>
>>> Did you follow this procedure?
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>>
>>> I would say that I would recommend upgrading to 6.6 rather than 6.5.
>>>
>>> If you did not, what exactly did you do?
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.

From Joshua.Gould at osumc.edu Tue Apr 14 13:37:01 2015
From: Joshua.Gould at osumc.edu (Gould, Joshua)
Date: Tue, 14 Apr 2015 09:37:01 -0400
Subject: [Freeipa-users] FreeIPA 4.1 on RHEL7/Power?
Message-ID:

We have the option to deploy our production IPA environment on either x86_64/VMWare or IBM Power. The RHEL7 IDM doc states that only x86_64 is supported.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prereqs.html#Operating_System_Requirements

If we went ahead with either a mix of Power/x86_64 or entirely Power for IDM, would that be a Red Hat supported configuration? The docs are pretty clear, but documentation is usually the last thing to get updated!

Anything else as far as current IPA plans/roadmap/etc. for Power vs. x86_64?

Joshua

From dpal at redhat.com Tue Apr 14 13:54:20 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 14 Apr 2015 09:54:20 -0400
Subject: [Freeipa-users] FreeIPA 4.1 on RHEL7/Power?
In-Reply-To:
References:
Message-ID: <552D1C0C.6080904@redhat.com>

On 04/14/2015 09:37 AM, Gould, Joshua wrote:
> We have the option to deploy our production IPA environment on either
> x86_64/VMWare or IBM Power.
> The RHEL7 IDM doc states that only x86_64
> is supported.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prereqs.html#Operating_System_Requirements
>
> If we went ahead with either a mix of Power/x86_64 or entirely Power
> for IDM, would that be a Red Hat supported configuration? The docs are
> pretty clear, but documentation is usually the last thing to get updated!
>
> Anything else as far as current IPA plans/roadmap/etc. for Power vs.
> x86_64?

No plans for Power support, sorry.

>
> Joshua
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Tue Apr 14 14:07:33 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 14 Apr 2015 10:07:33 -0400
Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info
In-Reply-To:
References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com>
Message-ID: <552D1F25.4030200@redhat.com>

On 04/13/2015 10:41 PM, Thomas Lau wrote:
> Hi,
>
> It's an in-house program which runs on one kerberos user.

You need to look at what this program is doing. I suspect it is doing some sort of kinit itself and does not rely on the PAM stack, i.e. it bypasses SSSD in the given scenario. Can this be the case?

>
> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote:
>> On 04/13/2015 08:23 AM, Thomas Lau wrote:
>>
>> Hi,
>>
>> This problem appears randomly; sometimes it still works even under heavy
>> packet loss, sometimes it would be like this. So it's hard to catch.
>>
>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote:
>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
>>>> Hi all,
>>>>
>>>> We have a cronjob which runs as a FreeIPA LDAP user; when the connection
>>>> between IPA server and client has heavy packet loss, the following
>>>> error would occur:
>>>>
>>>> CRON[20637]: Authentication service cannot retrieve authentication info
>>>>
>>>> I have cache credentials and store password if offline enabled in
>>>> sssd; how can this problem still be happening?
>>
>> It might be that the cause of the problem is actually the packet loss or
>> some kind of delay.
>> SSSD might not think that it is offline but the cron job itself times out and
>> reports failure.
>> Do you know what operation in the job fails?
>>
>>>>
>>>> sssd.conf:
>>>>
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>> Did the user log in at least once offline? You can verify if the password
>>> has been cached using the ldbsearch utility. It would be best to catch
>>> the occurrence of the problem in logs.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From mkosek at redhat.com Tue Apr 14 14:22:52 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 14 Apr 2015 16:22:52 +0200
Subject: [Freeipa-users] Upgrading Freeipa 3 server.
In-Reply-To: <14D193FE-01BC-43F9-864C-90028FD18F59@gmail.com>
References: <552C5586.6080607@redhat.com> <552CBC96.1080505@redhat.com> <14D193FE-01BC-43F9-864C-90028FD18F59@gmail.com>
Message-ID: <552D22BC.8030108@redhat.com>

Thanks for confirmation. Enjoy the new and shiny FreeIPA 4.1+! :-)

On 04/14/2015 02:59 PM, Aric Wilisch wrote:
> Thanks that actually helped. I have the CA moved and the old server decommissioned now. Thanks.
>
> Regards,
> ------------------------------------------
> Aric Wilisch
> awilisch at gmail.com
>
>> On Apr 14, 2015, at 3:07 AM, Martin Kosek wrote:
>>
>> You do not need to uninstall the 4 server, you just need to install the CA
>> component on it:
>>
>> # ipa-ca-install /path/to/replica.file
>>
>> ... and make it CRL/renewal master. See step 8 and later in
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> On 04/14/2015 02:06 AM, Aric Wilisch wrote:
>>> I didn't see this guide until now. The IPA3 server started off as a RHEL 6.6 server so no upgrade is necessary, but I simply generated the replica file and created the IPA 4 server as a replica. Aside from the CA not being there the server looks to be working fine and shows up as a master.
>>>
>>> I'll uninstall the 4 server and work through the script process to see if that fixes the issue.
>>>
>>> Regards,
>>> ------------------------------------------
>>> Aric Wilisch
>>> awilisch at gmail.com
>>>
>>>> On Apr 13, 2015, at 7:47 PM, Dmitri Pal wrote:
>>>>
>>>> On 04/13/2015 07:26 PM, Aric Wilisch wrote:
>>>>> One of our environments has a Freeipa3 server installed and I need to upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 4 as a replica of the FreeIPA3 box. But now I'm stuck. I can't find any good documentation on how to promote the new FreeIPA4 server and take the old FreeIPA3 server out of the picture.
>>>>> If I do a ipa-replica-manage del --force stip01.staging.fioptics.int it tells me I can't because it would leave me without a CA. However I can't find any documentation on migrating the CA from IPA3 to IPA4.
>>>>>
>>>>> Any help would be appreciated.
>>>>>
>>>>> Regards,
>>>>> ------------------------------------------
>>>>> Aric Wilisch
>>>>> awilisch at gmail.com
>>>>>
>>>>
>>>> Did you follow this procedure?
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
>>>>
>>>> I would say that I would recommend upgrading to 6.6 rather than 6.5.
>>>>
>>>> If you did not, what exactly did you do?
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>

From matthew.joseph at lmco.com Tue Apr 14 14:43:46 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 14 Apr 2015 14:43:46 +0000
Subject: [Freeipa-users] Can't delete group because it states it's not found
Message-ID: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com>

Hello,

I'm trying to delete a group in IdM but when I do a ipa group-del "group" it states the following;

Ipa: ERROR: "group": group not found

I do an ipa group-find and it displays the group with the current members.

I look in the Web UI and I can see the group in there but it has no information. If I try to view the group or delete it from there it again states that the group is not found.

Anyone see this before?

Thanks,

Matt
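Matt's symptom (the group shows up in ipa group-find and in the Web UI, yet group-del and group-show report it as not found) is how a 389 Directory Server replication conflict entry presents itself through the IPA layer, which is what Rob Crittenden's reply later in this thread points at. The shell helper below is an added example and not code from the list or from the FreeIPA project: it lists the entries under the group container that carry the nsds5ReplConflict attribute and refuses to run ldapdelete on any DN that is not of the nsuniqueid=<id>+cn=<name> form, so the healthy twin cannot be removed by mistake. The server name, base DN and the nsuniqueid value in the sample LDIF are constructed placeholders, and the search assumes an admin Kerberos ticket (kinit admin) for GSSAPI bind.

```shell
#!/bin/sh
# Added example (not from the freeipa-users list or the FreeIPA project):
# find 389 DS replication conflict entries under the IPA group container
# and remove only those, never the real group entry.

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"                  # assumed placeholder
BASE_DN="${BASE_DN:-cn=groups,cn=accounts,dc=example,dc=com}" # assumed placeholder

# Read LDIF on stdin and print the DN of every entry that carries
# nsds5ReplConflict. ldapsearch folds long lines with a leading space,
# so continuation lines are unfolded before matching. Base64 "dn::"
# values are not decoded here (conflict DNs are normally printable).
find_conflict_dns() {
    awk '
        function flush() { if (conflict) print dn; dn = ""; conflict = 0 }
        function handle(line) {
            if (line == "") { flush(); return }
            if (line ~ /^dn: /) dn = substr(line, 5)
            else if (line ~ /^nsds5ReplConflict: /) conflict = 1
        }
        /^ / { buf = buf substr($0, 2); next }     # continuation line
        { if (have) handle(buf); buf = $0; have = 1 }
        END { if (have) handle(buf); flush() }
    '
}

# Live query: needs a valid ticket (kinit admin) for the GSSAPI bind.
list_conflicts() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$BASE_DN" \
        '(nsds5ReplConflict=*)' dn nsds5ReplConflict | find_conflict_dns
}

# Only a DN shaped like nsuniqueid=<id>+cn=<name>,... is a conflict twin.
# Returns 0 for such a DN and 1 for anything else.
is_conflict_dn() {
    case "$1" in
        nsuniqueid=*+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Delete one conflict entry; refuses a DN that fails the shape check so
# the surviving group entry cannot be removed by a typo.
delete_conflict() {
    is_conflict_dn "$1" || { echo "refusing to delete non-conflict DN: $1" >&2; return 1; }
    ldapdelete -Y GSSAPI -H "ldap://$IPA_SERVER" "$1"
}

# Constructed sample of what the search returns: one healthy group and one
# conflict twin for the same cn, with long lines folded the way ldapsearch
# folds them. The nsuniqueid value is a placeholder, not a real id.
SAMPLE_LDIF='dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
objectClass: ipausergroup

dn: nsuniqueid=00000000-00000000-00000000-00000001+cn=devs,cn=groups,cn=accounts
 ,dc=example,dc=com
cn: devs
nsds5ReplConflict: namingConflict cn=devs,cn=groups,cn=accounts,dc=example,dc=c
 om
'

# Offline demonstration on the sample: prints only the conflict twin's DN.
demo_conflict_dns() {
    printf '%s' "$SAMPLE_LDIF" | find_conflict_dns
}

demo_conflict_dns
```

On a live server, list_conflicts shows the same kind of DN for the real entry; the corresponding ipa group-show call takes the group name before --all --raw, and the twin's dn value is the one that starts with nsuniqueid=. Newer OpenLDAP clients also accept -o ldif-wrap=no on ldapsearch, which makes the unfolding step unnecessary. Deleting the twin only removes the conflict; if the surviving entry has the wrong members, fix that afterwards with ipa group-add-member.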
From rcritten at redhat.com  Tue Apr 14 15:00:54 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2015 11:00:54 -0400
Subject: [Freeipa-users] Can't delete group because it states it's not found
In-Reply-To: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com>
Message-ID: <552D2BA6.2000602@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to delete a group in IdM but when I do a ipa group-del
> "group" it states the following;
>
> Ipa: ERROR: "group": group not found
>
> I do an ipa group-find and it displays the group with the current members.
>
> I look in the WebGUI and I can see the group in there but it has no
> information. If I try to view the group or delete it from there it again
> states that the group is not found.
>
> Anyone see this before?

Run ipa group-show --all --raw and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob

From mmalek at iisg.agh.edu.pl  Tue Apr 14 15:36:16 2015
From: mmalek at iisg.agh.edu.pl (Mateusz Malek)
Date: Tue, 14 Apr 2015 17:36:16 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <20150410184815.GU2718@hendrix>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix>
Message-ID: <552D33F0.4010207@iisg.agh.edu.pl>

On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>> about 5-7 (or even more) seconds to get shell prompt after entering user
>>> password (...)
>> (...)
>> Do authentication and see where the time is spent by examining the logs.
>> Correlate it to the logs on the server. (...)
> I spent the better part of today fixing this issue:
> https://fedorahosted.org/sssd/ticket/2624
>
> You might want to check if you're hit by this bug by setting:
> selinux_provider=none
> temporarily.

With selinux_provider=none things seem faster.

It's still not as fast as with existing OpenLDAP, but logon times seem acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up to 3 seconds). It seems that most time is spent in Kerberos authentication (logs just "stop flowing" for a while) and on HBAC processing - on the 389 DS side it seems that LDAP is busy with requests (it looks like it sometimes "hangs" on MOD operation - is it updating user last logon time?).

Best regards,
Mateusz Malek

From matthew.joseph at lmco.com  Tue Apr 14 15:55:35 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 14 Apr 2015 15:55:35 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <552D2BA6.2000602@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F493FB@HCXDSPM1.ca.lmco.com>

Hey Rob,

It couldn't find the group when I did your command. I replaced show with find and was able to find the dn number.

I can use the ldapdelete command to delete the entry right?

Thanks,
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to delete a group in IdM but when I do a ipa group-del
> "group" it states the following;
>
> Ipa: ERROR: "group": group not found
>
> I do an ipa group-find and it displays the group with the current members.
>
> I look in the WebGUI and I can see the group in there but it has no
> information. If I try to view the group or delete it from there it again
> states that the group is not found.
>
> Anyone see this before?

Run ipa group-show --all --raw and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob

From matthew.joseph at lmco.com  Tue Apr 14 16:34:38 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 14 Apr 2015 16:34:38 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <552D2BA6.2000602@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F4942D@HCXDSPM1.ca.lmco.com>

Hey Rob,

So I'm trying to delete this group but I can't seem to find an example. Would you be able to provide an example for me? Should I be telling the command the nsuniqueid or the sn=groupname or the ipauniqueid?

Thanks,
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to delete a group in IdM but when I do a ipa group-del
> "group" it states the following;
>
> Ipa: ERROR: "group": group not found
>
> I do an ipa group-find and it displays the group with the current members.
>
> I look in the WebGUI and I can see the group in there but it has no
> information. If I try to view the group or delete it from there it again
> states that the group is not found.
>
> Anyone see this before?

Run ipa group-show --all --raw and look at the dn value. It may be a replication conflict entry.
You'd need to delete that manually using something like ldapdelete.

rob

From matthew.joseph at lmco.com  Tue Apr 14 17:21:03 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 14 Apr 2015 17:21:03 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <552D2BA6.2000602@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com>

Hey Rob,

So I did the following command;

ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca"

and it comes back with the following;

ldap_delete: No such object

I also tried replacing the group_name with the nsuniqueid and still the same results.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm trying to delete a group in IdM but when I do a ipa group-del
> "group" it states the following;
>
> Ipa: ERROR: "group": group not found
>
> I do an ipa group-find and it displays the group with the current members.
>
> I look in the WebGUI and I can see the group in there but it has no
> information. If I try to view the group or delete it from there it again
> states that the group is not found.
>
> Anyone see this before?

Run ipa group-show --all --raw and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.
rob

From rcritten at redhat.com  Tue Apr 14 17:31:30 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2015 13:31:30 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com>
Message-ID: <552D4EF2.5000700@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> So I did the following command;
>
> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with the following;
> ldap_delete: No such object
>
> I also tried replacing the group_name with the nsuniqueid and still the same results.

I'd need more details on what you did. You already know the group by its name doesn't exist otherwise IPA would have been able to delete it.

The point is to use the --all --raw flags to get the actual DN of the group entry and delete that.

rob

> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, April 14, 2015 12:01 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to delete a group in IdM but when I do a ipa group-del
>> "group" it states the following;
>>
>> Ipa: ERROR: "group": group not found
>>
>> I do an ipa group-find and it displays the group with the current members.
>>
>> I look in the WebGUI and I can see the group in there but it has no
>> information. If I try to view the group or delete it from there it again
>> states that the group is not found.
>>
>> Anyone see this before?
>
> Run ipa group-show --all --raw and look at the dn value.
> It
> may be a replication conflict entry. You'd need to delete that manually
> using something like ldapdelete.
>
> rob

From rcritten at redhat.com  Tue Apr 14 17:47:04 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2015 13:47:04 -0400
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To:
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com>
Message-ID: <552D5298.6040608@redhat.com>

David Dejaeghere wrote:
> Hi Rob,
>
> So you want to output of the command using pk12 with server cert and
> key? or with the ca chain in there too?
>

Oddly enough it is failing in exactly the same place. Those GoDaddy CA certs are still being loaded from somewhere, I'm not sure where, and I suspect that is the source of the problem.

I'm going to forward the log to a colleague who has worked on this code more recently than I have. Maybe he will have an idea.

rob

From matthew.joseph at lmco.com  Tue Apr 14 17:48:12 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 14 Apr 2015 17:48:12 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <552D4EF2.5000700@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com> <552D4EF2.5000700@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F49466@HCXDSPM1.ca.lmco.com>

I tried to do the following command;

ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca"

And I get the ldap_delete: no such object

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 14, 2015 2:32 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete
group because it states it's not found

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> So I did the following command;
>
> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with the following;
> ldap_delete: No such object
>
> I also tried replacing the group_name with the nsuniqueid and still the same results.

I'd need more details on what you did. You already know the group by its name doesn't exist otherwise IPA would have been able to delete it.

The point is to use the --all --raw flags to get the actual DN of the group entry and delete that.

rob

> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, April 14, 2015 12:01 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm trying to delete a group in IdM but when I do a ipa group-del
>> "group" it states the following;
>>
>> Ipa: ERROR: "group": group not found
>>
>> I do an ipa group-find and it displays the group with the current members.
>>
>> I look in the WebGUI and I can see the group in there but it has no
>> information. If I try to view the group or delete it from there it again
>> states that the group is not found.
>>
>> Anyone see this before?
>
> Run ipa group-show --all --raw and look at the dn value. It
> may be a replication conflict entry. You'd need to delete that manually
> using something like ldapdelete.
>
> rob

From rcritten at redhat.com  Tue Apr 14 18:16:22 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2015 14:16:22 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <9621CE4454B9514B9E709C1719B2B943F49466@HCXDSPM1.ca.lmco.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com> <552D4EF2.5000700@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49466@HCXDSPM1.ca.lmco.com>
Message-ID: <552D5976.5000209@redhat.com>

Joseph, Matthew (EXP) wrote:
> I tried to do the following command;
> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca"
> And I get the ldap_delete: no such object

Maybe this will help: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

I can't see what you're seeing so it's hard to get more precise.

rob

> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, April 14, 2015 2:32 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>
> Joseph, Matthew (EXP) wrote:
>> Hey Rob,
>>
>> So I did the following command;
>>
>> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with the following;
>> ldap_delete: No such object
>>
>> I also tried replacing the group_name with the nsuniqueid and still the same results.
>
> I'd need more details on what you did. You already know the group by
> its name doesn't exist otherwise IPA would have been able to delete it.
>
> The point is to use the --all --raw flags to get the actual DN of the
> group entry and delete that.
>
> rob
>
>> Matt
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Tuesday, April 14, 2015 12:01 PM
>> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
>> Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>>
>> Joseph, Matthew (EXP) wrote:
>>> Hello,
>>>
>>> I'm trying to delete a group in IdM but when I do a ipa group-del
>>> "group" it states the following;
>>>
>>> Ipa: ERROR: "group": group not found
>>>
>>> I do an ipa group-find and it displays the group with the current members.
>>>
>>> I look in the WebGUI and I can see the group in there but it has no
>>> information. If I try to view the group or delete it from there it again
>>> states that the group is not found.
>>>
>>> Anyone see this before?
>>
>> Run ipa group-show --all --raw and look at the dn value. It
>> may be a replication conflict entry. You'd need to delete that manually
>> using something like ldapdelete.
>>
>> rob
>>
>

From gjn at gjn.priv.at  Tue Apr 14 18:18:38 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Tue, 14 Apr 2015 20:18:38 +0200
Subject: [Freeipa-users] ipa-getcert Problem ?
Message-ID: <5696258.IKv8r23WkC@techz>

Hello

I mean I have a Problem with the ipa-getcert script.

system CentOS 7 (1503) and IPA 4.1.x

can anyone help or declare my mistake, or is this an IPA Problem?

I do a

kinit admin

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'

and have afterward with
ipa-getcert list

Number of certificates and requests being tracked: 1.
Request ID '20150414172251':
	status: CA_REJECTED
	ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server.
Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/xxx.4gjn.prv at 4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

ipa-getcert status
process 4731: arguments to dbus_message_new_method_call() were incorrect, assertion "path != NULL" failed in file dbus-message.c line 1262.
This is normally a bug in some application using the D-Bus library.
D-Bus not built with -rdynamic so unable to print a backtrace
Abgebrochen (Speicherabzug geschrieben)

what is wrong ?

--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

From nalin at redhat.com  Tue Apr 14 18:29:58 2015
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 14 Apr 2015 14:29:58 -0400
Subject: [Freeipa-users] ipa-getcert Problem ?
In-Reply-To: <5696258.IKv8r23WkC@techz>
References: <5696258.IKv8r23WkC@techz>
Message-ID: <20150414182958.GB27959@redhat.com>

On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> Hello
>
> I mean I have a Problem with the ipa-getcert script.
>
> system CentOS 7 (1503) and IPA 4.1.x
>
> can anyone help or declare my mistake, or is this an IPA Problem?
>
> I do a
>
> kinit admin
>
> ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N
> 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
>
> and have afterward with
> ipa-getcert list
>
> Number of certificates and requests being tracked: 1.
> Request ID '20150414172251':
> 	status: CA_REJECTED
> 	ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request,
> giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add'
> privilege to add the entry
> 'krbprincipalname=HOST/xxx.4gjn.prv at 4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
> 	stuck: yes
> 	key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
> 	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> 	CA: IPA
> 	issuer:
> 	subject:
> 	expires: unknown
> 	pre-save command:
> 	post-save command:
> 	track: yes
> 	auto-renew: yes

The server rejected the request because no service with the Kerberos principal name in the request exists yet.

The "host" service is the one that's automatically created, and because Kerberos principal names are case sensitive, "HOST" is seen as being different from "host". The certmonger service uses the local host's credentials in /etc/krb5.keytab to authenticate when it sends the request to the CA (so you could skip the kinit step above), and the host doesn't have the necessary privileges to create a new service, and that's why that particular error message is coming back from the server.

> ipa-getcert status
> process 4731: arguments to dbus_message_new_method_call() were incorrect,
> assertion "path != NULL" failed in file dbus-message.c line 1262.
> This is normally a bug in some application using the D-Bus library.
> D-Bus not built with -rdynamic so unable to print a backtrace
> Abgebrochen (Speicherabzug geschrieben)

That's a bug in ipa-getcert. It should be producing an error message, suggesting that you'd need to specify additional options to indicate which request you wanted to check the status on, like so:
	getcert status -i 20150414172251
	getcert status -d /etc/pki/nssdb -n Server-Cert

I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv' (note the lower case) to change the parameters in the certificate request, which should be enough to satisfy the server's requirements.
HTH,

Nalin

From tbordaz at redhat.com  Tue Apr 14 18:35:39 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 14 Apr 2015 20:35:39 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <552D33F0.4010207@iisg.agh.edu.pl>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl>
Message-ID: <552D5DFB.8050602@redhat.com>

On 04/14/2015 05:36 PM, Mateusz Malek wrote:
>
> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>>> about 5-7 (or even more) seconds to get shell prompt after entering user
>>>> password (...)
>>> (...)
>>> Do authentication and see where the time is spent by examining the logs.
>>> Correlate it to the logs on the server. (...)
>> I spent the better part of today fixing this issue:
>> https://fedorahosted.org/sssd/ticket/2624
>>
>> You might want to check if you're hit by this bug by setting:
>> selinux_provider=none
>> temporarily.
>
> With selinux_provider=none things seem faster.
>
> It's still not as fast as with existing OpenLDAP, but logon times seem
> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they
> go up to 3 seconds). It seems that most time is spent in Kerberos
> authentication (logs just "stop flowing" for a while) and on HBAC
> processing - on the 389 DS side it seems that LDAP is busy with
> requests (it looks like it sometimes "hangs" on MOD operation - is it
> updating user last logon time?).

Hello,

When such long requests happen, you may take several pstacks of the 389-ds process. Ideally you can timestamp the pstack output so that it is easier to correlate with DS access logs.
Providing pstacks+access/errors logs would really help to know if there is a bottleneck.

thanks

> Best regards,
> Mateusz Malek

From rmeggins at redhat.com  Tue Apr 14 19:30:38 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Apr 2015 13:30:38 -0600
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <552D5DFB.8050602@redhat.com>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com>
Message-ID: <552D6ADE.1040309@redhat.com>

On 04/14/2015 12:35 PM, thierry bordaz wrote:
> On 04/14/2015 05:36 PM, Mateusz Malek wrote:
>>
>> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>>> On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>>>>> I've hit some weird performance problems. When I'm using IPA, it takes
>>>>> about 5-7 (or even more) seconds to get shell prompt after entering user
>>>>> password (...)
>>>> (...)
>>>> Do authentication and see where the time is spent by examining the logs.
>>>> Correlate it to the logs on the server. (...)
>>> I spent the better part of today fixing this issue:
>>> https://fedorahosted.org/sssd/ticket/2624
>>>
>>> You might want to check if you're hit by this bug by setting:
>>> selinux_provider=none
>>> temporarily.
>>
>> With selinux_provider=none things seem faster.
>>
>> It's still not as fast as with existing OpenLDAP, but logon times seem
>> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they
>> go up to 3 seconds). It seems that most time is spent in Kerberos
>> authentication (logs just "stop flowing" for a while) and on HBAC
>> processing - on the 389 DS side it seems that LDAP is busy with
>> requests (it looks like it sometimes "hangs" on MOD operation - is it
>> updating user last logon time?).
>
> Hello,
>
> When such long requests happen, you may take several pstacks of the
> 389-ds process. Ideally you can timestamp the pstack output so that it
> is easier to correlate with DS access logs.
> Providing pstacks+access/errors logs would really help to know if
> there is a bottleneck.

See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

You'll need to do "debuginfo-install ipa-server slapi-nis"

>
> thanks
>> Best regards,
>> Mateusz Malek
>

From g.fer.ordas at unicyber.co.uk  Tue Apr 14 20:25:20 2015
From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk)
Date: Tue, 14 Apr 2015 21:25:20 +0100
Subject: [Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.
In-Reply-To: <552D5DFB.8050602@redhat.com>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com>
Message-ID: <63ef58000058fb06d4aea3b27a3877f8@unicyber.co.uk>

Hi

Dealing with AD --> Cert Trust I am reaching the following step:

 ipa trust-add ad.company.com --admin --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

Reaching this far I do not know what the issue is .. Nevertheless and before start playing around with the DNS further more....

if I run the following it seems to successfully establish the trust by the IPA side of the business

# ipa trust-add --type=ad "ad_domain" --trust-secret

So this part seems fine by the look of it..

I also had to manually add the AD host and the remote CIFS resource but I am getting instead:

ipa trust-fetch-domains corp.hootsuitemedia.com
ipa: ERROR: AD domain controller complains about communication sequence.
It may mean unsynchronized time on both sides, for example on the log for kerberos I get:

krb5kdc[23951](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.146.161: BAD_ENCRYPTION_TYPE: authtime 0, HTTP/freeipaserver.ldap.company.com at LDAP.COMPANY.COMfor cifs/server1.ad.company.com at LDAP.COMPANY.COM, KDC has no support for encryption type

Any idea? tips?

Thanks very much!

From abokovoy at redhat.com  Wed Apr 15 05:03:24 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Apr 2015 08:03:24 +0300
Subject: [Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.
In-Reply-To: <63ef58000058fb06d4aea3b27a3877f8@unicyber.co.uk>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com> <63ef58000058fb06d4aea3b27a3877f8@unicyber.co.uk>
Message-ID: <20150415050324.GC4797@redhat.com>

On Tue, 14 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Hi
>
>Dealing with AD --> Cert Trust I am reaching the following step:
>
> ipa trust-add ad.company.com --admin --password
>Active Directory domain administrator's password:
>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>likely it is a DNS or firewall issue
>
>
>Reaching this far I do not know what the issue is .. Nevertheless and
>before start playing around with the DNS further more....

The issue is what is reported above -- at the request of the IPA DC to validate the trust, the AD DC tried to resolve the IPA DC via SRV records and then tried to contact its Samba instance on its own to complete validation of the trust. Either step might fail, after which the AD DC would report back to the IPA DC that it was unable to reach it. This diagnostic wasn't added for nothing, you need to trust it.
:)

>
>
>if I run the following it seems to successfully establish the trust by
>the IPA side of the business
>
># ipa trust-add --type=ad "ad_domain" --trust-secret
>
>So this part seems fine by the look of it..

It works because it does not communicate with AD DCs here, only with IPA's Samba instance.

>I also had to manually add the AD host and the remote CIFS resource
>but I am getting instead:
>
>ipa trust-fetch-domains corp.hootsuitemedia.com
>ipa: ERROR: AD domain controller complains about communication
>sequence. It may mean unsynchronized time on both sides, for example

This doesn't work because the AD DC did not complete the trust validation and cannot trust IPA Kerberos tickets, thus refusing the operation. Unfortunately, reporting in the SMB protocol is less than perfect so we are only able to guess at what has happened.

In any case, running trust-fetch-domains makes no sense until you complete validation. And to complete validation you really need to fix issues with either DNS or firewall so that AD DCs are capable of reaching proper IPA DCs. And all IPA DCs should be initialized with ipa-adtrust-install currently.

--
/ Alexander Bokovoy

From jcholast at redhat.com  Wed Apr 15 05:33:29 2015
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Apr 2015 07:33:29 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <552D5298.6040608@redhat.com>
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com>
Message-ID: <552DF829.4060209@redhat.com>

Hi,

On 14.4.2015 at 19:47, Rob Crittenden wrote:
> David Dejaeghere wrote:
>> Hi Rob,
>>
>> So you want to output of the command using pk12 with server cert and
>> key? or with the ca chain in there too?
>>
>
> Oddly enough it is failing in exactly the same place.
> Those GoDaddy CA
> certs are still being loaded from somewhere, I'm not sure where, and I
> suspect that is the source of the problem.

They are in the default CA certificate bundle (in the ca-certificate package). I guess NSS loads it automatically.

>
> I'm going to forward the log to a colleague who has worked on this code
> more recently than I have. Maybe he will have an idea.

Could you try if the following works?

# mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
# update-ca-trust
# ipa-replica-prepare ...
# mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
# update-ca-trust

>
> rob
>

Honza

--
Jan Cholasta

From gjn at gjn.priv.at  Wed Apr 15 06:47:12 2015
From: gjn at gjn.priv.at (Günther J. Niederwimmer)
Date: Wed, 15 Apr 2015 08:47:12 +0200
Subject: [Freeipa-users] ipa-getcert Problem ?
In-Reply-To: <20150414182958.GB27959@redhat.com>
References: <5696258.IKv8r23WkC@techz> <20150414182958.GB27959@redhat.com>
Message-ID: <1523193.2qOJYkTWrV@techz>

Hello,

On Tuesday, 14 April 2015, 14:29:58, Nalin Dahyabhai wrote:
> On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> > Hello
> >
> > I mean I have a Problem with the ipa-getcert script.
> >
> > system CentOS 7 (1503) and IPA 4.1.x
> >
> > can anyone help or declare my mistake, or is this an IPA Problem?
> >
> > I do a
> >
> > kinit admin
> >
> > ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv
> > -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
> >
> > and have afterward with
> > ipa-getcert list
> >
> > Number of certificates and requests being tracked: 1.
> >
> > Request ID '20150414172251':
> > 	status: CA_REJECTED
> > 	ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our
> > 	request,
> >
> > giving up: 2100 (RPC failed at server.
> > Insufficient access: Insufficient
> > 'add' privilege to add the entry
> > 'krbprincipalname=HOST/xxx.4gjn.prv@4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
> > stuck: yes
> >
> > key pair storage:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >
> > certificate:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> >
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
>
> The server rejected the request because no service with the Kerberos
> principal name in the request exists yet.
>
> The "host" service is the one that's automatically created, and because
> Kerberos principal names are case sensitive, "HOST" is seen as being
> different from "host". The certmonger service uses the local host's
> credentials in /etc/krb5.keytab to authenticate when it sends the
> request to the CA (so you could skip the kinit step above), and the host
> doesn't have the necessary privileges to create a new service, and
> that's why that particular error message is coming back from the server.
>
> > ipa-getcert status
> > process 4731: arguments to dbus_message_new_method_call() were incorrect,
> > assertion "path != NULL" failed in file dbus-message.c line 1262.
> > This is normally a bug in some application using the D-Bus library.
> >
> > D-Bus not built with -rdynamic so unable to print a backtrace
> >
> > Abgebrochen (Speicherabzug geschrieben)
>
> That's a bug in ipa-getcert.
> It should be producing an error message,
> suggesting that you'd need to specify additional options to indicate
> which request you wanted to check the status on, like so:
> getcert status -i 20150414172251
> getcert status -d /etc/pki/nssdb -n Server-Cert
>
> I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
> (note the lower case) to change the parameters in the certificate
> request, which should be enough to satisfy the server's requirements.

Thank you for the answer and help

I mean this is working now ;) after some --uninstall and deleting the
certificate (?). The wrong command I found with Google :-(.

The status command is not working on my system!

--
mit freundlichen Grüßen / best regards,
Günther J. Niederwimmer

From jhrozek at redhat.com Wed Apr 15 06:53:13 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 15 Apr 2015 08:53:13 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <552D33F0.4010207@iisg.agh.edu.pl>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl>
Message-ID: <20150415065313.GI2859@hendrix>

On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
>
>
> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
> >>>I've hit some weird performance problems. When I'm using IPA, it takes
> >>>about 5-7 (or even more) seconds to get shell prompt after entering user
> >>>password (...)
> >>(...)
> >>Do authentication and see where the time is spent by examining the logs.
> >>Correlate it to the logs on the server. (...)
> >I spent the better part of today fixing this issue:
> > https://fedorahosted.org/sssd/ticket/2624
> >
> >You might want to check if you're hit by this bug by setting:
> > selinux_provider=none
> >temporarily.
>
> With selinux_provider=none things seem faster.
>
> It's still not as fast as with existing OpenLDAP, but logon times seem
> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up
> to 3 seconds). It seems that most time is spent in Kerberos authentication
> (logs just "stop flowing" for a while) and on HBAC processing - on the 389
> DS side it seems that LDAP is busy with requests (it looks like it sometimes
> "hangs" on MOD operation - is it updating user last logon time?).

I pushed the selinux performance patches upstream yesterday. They will make
their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
Fedora.

From Janne.Blomqvist at aalto.fi Wed Apr 15 07:59:49 2015
From: Janne.Blomqvist at aalto.fi (Janne Blomqvist)
Date: Wed, 15 Apr 2015 10:59:49 +0300
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <552CBF00.1050001@redhat.com>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com> <55278F32.4020302@aalto.fi> <55279255.6070908@redhat.com> <552BCDA0.2050200@aalto.fi> <552CBF00.1050001@redhat.com>
Message-ID: <552E1A75.5010403@aalto.fi>

On 2015-04-14 10:17, Petr Spacek wrote:
> On 13.4.2015 16:07, Janne Blomqvist wrote:
> > On 2015-04-10 12:05, Petr Spacek wrote:
> >> On 10.4.2015 10:52, Janne Blomqvist wrote:
> >>> On 2015-04-07 14:29, Martin Kosek wrote:
> >>>> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
> >>>>> On 04/05/2015 12:51 PM, Janelle wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> Trying to find a way on a multi-homed server to force IPA and its related
> >>>>>> apps to listen on a specific interface. I can find all kinds of info saying
> >>>>>> "the services listen on all interfaces by default" so there must be a way?
> >>>>>>
> >>>>>> Thank you
> >>>>>> ~J
> >>>>>>
> >>>>> Sounds familiar.
> >>>>> I think there is a ticket open for that.
> >>>>
> >>>> This is the RFE:
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/3338
> >>>>
> >>>> Just in case anybody would like to help us extend FreeIPA installers :-)
> >>>>
> >>>
> >>> Hi,
> >>>
> >>> I have a related, or opposite really, problem.
> >>>
> >>> So I have configured IPA for a domain (say, ipa.example.org). Then I have a
> >>> bunch of client machines that can join the domain etc. Fine so far.
> >>>
> >>> However, I also have another bunch of client machines on an internal network
> >>> (with NAT access to the outside world). So for these I add another network
> >>> interface on the ipa servers. So my ipa servers have two IP's and dns names,
> >>> say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now
> >>> it doesn't work so well anymore for these clients, because the krb principals
> >>> for the IPA server(s) are bound to the public name, so joining the domain
> >>> fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by
> >>> joining via the public interface (manually creating the machine accounts on
> >>> the ipa server first, since otherwise it doesn't understand clientX.local dns
> >>> names/IP's), but then obviously all communication goes via the NAT box which
> >>> is a SPOF.
> >>>
> >>> So is there some reasonable way to make the above work?
> >>
> >> IMHO cleanest solution is to properly configure routing in your network to
> >> route your public IP range properly to the respective subnet instead of going
> >> through a NAT.
> >>
> >> Details depend on your network so I do not have exact steps for you, sorry.
> >>
> > Thanks. So do you mean something like on each client machine in the
> > NATed network I add special routes to the ipa servers?
> > And by that the
> > client machines would know that ipa1.ipa.example.org can be reached
> > via ipa1.local instead of going via the default route (which is the
> > NAT box)?
>
> Details really depend on your setup. For example:
>
> - IPA servers are in subnet 10.1.1.0/24 and have public addresses in
> 192.0.2.0/24 subnet.
> - Clients are in 10.2.2.0/24 subnet behind NAT, subnet gateway is
> 10.2.2.254.
>
> In this setup you need to add route 192.0.2.0/24 to the gateway 10.2.2.254
> (and to add 192.0.2.0/24 addresses to IPA server interfaces if they are not
> configured yet).
>
> If you have really small network where all hosts are in a single network then
> you really might need to add route to multiple hosts to get rid of SPOF on
> gateway.
>
> Here you need to consider what happens if adding the route to all hosts is
> worth the effort:
> What happens if the gateway is down? Is the gateway a separate router or is it
> some kind of all-in-one switch+router as typically seen in really small setups?
>
> I hope this helps.

Ok, let's take a few steps back and allow me to explain. So the system I'm
discussing is a HPC cluster. There is a special "frontend" node with a public
IP & DNS where users log in, compile their code, submit batch jobs etc. Then
there are a bunch of "compute" nodes which execute the batch jobs (at the
moment about 550 compute nodes, FWIW). These compute nodes are on a private
10.x.x.x network, where also the frontend node has an IP and DNS name. And the
frontend node then also functions as a NAT gateway node for the internal
compute network.

Now, what we want to do is migrating from the existing cluster-specific
passwd/group databases to a freeIPA cluster which is also shared by some other
machines.
But the simple solution of adding an extra interface to the IPA servers to
connect them directly to the cluster internal 10.x.x.x network doesn't work, as
then the Kerberos principal name of the IPA servers don't match the DNS names
on the cluster internal network.

--
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqvist at aalto.fi

From david.dejaeghere at gmail.com Wed Apr 15 09:48:23 2015
From: david.dejaeghere at gmail.com (David Dejaeghere)
Date: Wed, 15 Apr 2015 11:48:23 +0200
Subject: [Freeipa-users] ipa-replica-prepare failing
In-Reply-To: <552DF829.4060209@redhat.com>
References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com>
Message-ID:

Hi Honza,

That gave me the exact same output. Any ideas?

Regards,

D

2015-04-15 7:33 GMT+02:00 Jan Cholasta :
> Hi,
>
> On 14.4.2015 at 19:47, Rob Crittenden wrote:
>
>> David Dejaeghere wrote:
>>
>>> Hi Rob,
>>>
>>> So you want the output of the command using pk12 with server cert and
>>> key? or with the ca chain in there too?
>>>
>>>
>> Oddly enough it is failing in exactly the same place. Those GoDaddy CA
>> certs are still being loaded from somewhere, I'm not sure where, and I
>> suspect that is the source of the problem.
>>
>
> They are in the default CA certificate bundle (in the ca-certificate
> package). I guess NSS loads it automatically.
>
>
>> I'm going to forward the log to a colleague who has worked on this code
>> more recently than I have. Maybe he will have an idea.
>>
>
> Could you try if the following works?
>
> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>
> # update-ca-trust
>
> # ipa-replica-prepare ...
>
> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>
> # update-ca-trust
>
>
>> rob
>>
>>
> Honza
>
> --
> Jan Cholasta
>

From matthew.joseph at lmco.com Wed Apr 15 11:01:11 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 15 Apr 2015 11:01:11 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
In-Reply-To: <552D5976.5000209@redhat.com>
References: <9621CE4454B9514B9E709C1719B2B943F493C9@HCXDSPM1.ca.lmco.com> <552D2BA6.2000602@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49447@HCXDSPM1.ca.lmco.com> <552D4EF2.5000700@redhat.com> <9621CE4454B9514B9E709C1719B2B943F49466@HCXDSPM1.ca.lmco.com> <552D5976.5000209@redhat.com>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F49678@HCXDSPM1.ca.lmco.com>

I was able to get the group modified and deleted with your commands Rob.

Thank you very much for the help.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 14, 2015 3:16 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
> I tried to do the following command;
> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca"
> And I get the ldap_delete: no such object

Maybe this will help:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

I can't see what you're seeing so it's hard to get more precise.
rob

>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, April 14, 2015 2:32 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>
> Joseph, Matthew (EXP) wrote:
>> Hey Rob,
>>
>> So I did the following command;
>>
>> ldapdelete -D "cn=Directory Manager" -h server_name -p 389 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with the following;
>> ldap_delete: No such object
>>
>> I also tried replacing the group_name with the nsuniqueid and still the same results.
>
> I'd need more details on what you did. You already know the group by
> its name doesn't exist otherwise IPA would have been able to delete it.
>
> The point is to use the --all --raw flags to get the actual DN of the
> group entry and delete that.
>
> rob
>
>>
>> Matt
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Tuesday, April 14, 2015 12:01 PM
>> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
>> Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found
>>
>> Joseph, Matthew (EXP) wrote:
>>> Hello,
>>>
>>> I'm trying to delete a group in IdM but when I do a ipa group-del
>>> "group" it states the following;
>>>
>>> ipa: ERROR: "group": group not found
>>>
>>> I do an ipa group-find and it displays the group with the current members.
>>>
>>> I look in the WebGUI and I can see the group in there but it has no
>>> information. If I try to view the group or delete it from there it again
>>> states that the group is not found.
>>>
>>> Anyone see this before?
>>
>> Run ipa group-show --all --raw and look at the dn value. It
>> may be a replication conflict entry. You'd need to delete that manually
>> using something like ldapdelete.
>>
>> rob
>>
>

From lslebodn at redhat.com Wed Apr 15 13:08:53 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 15 Apr 2015 15:08:53 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <20150415065313.GI2859@hendrix>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <20150415065313.GI2859@hendrix>
Message-ID: <20150415130853.GC893@mail.corp.redhat.com>

On (15/04/15 08:53), Jakub Hrozek wrote:
>On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
>>
>>
>> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
>> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
>> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>> >>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
>> >>>I've hit some weird performance problems. When I'm using IPA, it takes
>> >>>about 5-7 (or even more) seconds to get shell prompt after entering user
>> >>>password (...)
>> >>(...)
>> >>Do authentication and see where the time is spent by examining the logs.
>> >>Correlate it to the logs on the server. (...)
>> >I spent the better part of today fixing this issue:
>> > https://fedorahosted.org/sssd/ticket/2624
>> >
>> >You might want to check if you're hit by this bug by setting:
>> > selinux_provider=none
>> >temporarily.
>>
>> With selinux_provider=none things seem faster.
>>
>> It's still not as fast as with existing OpenLDAP, but logon times seem
>> acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they go up
>> to 3 seconds). It seems that most time is spent in Kerberos authentication
>> (logs just "stop flowing" for a while) and on HBAC processing - on the 389
>> DS side it seems that LDAP is busy with requests (it looks like it sometimes
>> "hangs" on MOD operation - is it updating user last logon time?).
>
>I pushed the selinux performance patches upstream yesterday.
>They will make
>their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for
>Fedora.
>
Packages for fedora 21,22 are built. You just need to wait until they are
available in updates testing or you can download packages from koji.

https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21

Please test and provide karma.

LS

From nalin at redhat.com Wed Apr 15 14:36:31 2015
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Wed, 15 Apr 2015 10:36:31 -0400
Subject: [Freeipa-users] ipa-getcert Problem ?
In-Reply-To: <1523193.2qOJYkTWrV@techz>
References: <5696258.IKv8r23WkC@techz> <20150414182958.GB27959@redhat.com> <1523193.2qOJYkTWrV@techz>
Message-ID: <20150415143631.GA31767@redhat.com>

On Wed, Apr 15, 2015 at 08:47:12AM +0200, Günther J. Niederwimmer wrote:
> Thank you for the answer and help
>
> I mean this is working now ;) after some --uninstall and deleting the
> certificate (?). The wrong command I found with Google :-(.
>
> The status command is not working on my system!

The "status" command's only job is to set an exit status to indicate
whether or not a certificate's okay (0 means okay, other values are
described in the man page), which is why it needs to be told which
certificate it's being asked about. If you're looking for something
human readable, you probably wanted to use "list".

If it's not working as expected in some other way, could you describe
the problem you're seeing in more detail?

HTH,

Nalin

From pspacek at redhat.com Wed Apr 15 14:50:48 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 15 Apr 2015 16:50:48 +0200
Subject: [Freeipa-users] multihome - single interface?
In-Reply-To: <552E1A75.5010403@aalto.fi>
References: <552167FA.4040400@gmail.com> <552178F9.7000403@redhat.com> <5523BF8C.7090403@redhat.com> <55278F32.4020302@aalto.fi> <55279255.6070908@redhat.com> <552BCDA0.2050200@aalto.fi> <552CBF00.1050001@redhat.com> <552E1A75.5010403@aalto.fi>
Message-ID: <552E7AC8.3020002@redhat.com>

On 15.4.2015 09:59, Janne Blomqvist wrote:
> On 2015-04-14 10:17, Petr Spacek wrote:
>> On 13.4.2015 16:07, Janne Blomqvist wrote:
>>> On 2015-04-10 12:05, Petr Spacek wrote:
>>>> On 10.4.2015 10:52, Janne Blomqvist wrote:
>>>>> On 2015-04-07 14:29, Martin Kosek wrote:
>>>>>> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
>>>>>>> On 04/05/2015 12:51 PM, Janelle wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Trying to find a way on a multi-homed server to force IPA and its related
>>>>>>>> apps to listen on a specific interface. I can find all kinds of info saying
>>>>>>>> "the services listen on all interfaces by default" so there must be a way?
>>>>>>>>
>>>>>>>> Thank you ~J
>>>>>>>>
>>>>>>> Sounds familiar. I think there is a ticket open for that.
>>>>>>
>>>>>> This is the RFE:
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/3338
>>>>>>
>>>>>> Just in case anybody would like to help us extend FreeIPA installers :-)
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have a related, or opposite really, problem.
>>>>>
>>>>> So I have configured IPA for a domain (say, ipa.example.org). Then I have a
>>>>> bunch of client machines that can join the domain etc. Fine so far.
>>>>>
>>>>> However, I also have another bunch of client machines on an internal network
>>>>> (with NAT access to the outside world). So for these I add another network
>>>>> interface on the ipa servers. So my ipa servers have two IP's and dns names,
>>>>> say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP).
>>>>> Now
>>>>> it doesn't work so well anymore for these clients, because the krb principals
>>>>> for the IPA server(s) are bound to the public name, so joining the domain
>>>>> fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by
>>>>> joining via the public interface (manually creating the machine accounts on
>>>>> the ipa server first, since otherwise it doesn't understand clientX.local dns
>>>>> names/IP's), but then obviously all communication goes via the NAT box which
>>>>> is a SPOF.
>>>>>
>>>>> So is there some reasonable way to make the above work?
>>>>
>>>> IMHO cleanest solution is to properly configure routing in your network to
>>>> route your public IP range properly to the respective subnet instead of going
>>>> through a NAT.
>>>>
>>>> Details depend on your network so I do not have exact steps for you, sorry.
>>>>
>>> Thanks. So do you mean something like on each client machine in the
>>> NATed network I add special routes to the ipa servers? And by that the
>>> client machines would know that ipa1.ipa.example.org can be reached via
>>> ipa1.local instead of going via the default route (which is the NAT
>>> box)?
>>
>> Details really depend on your setup. For example:
>>
>> - IPA servers are in subnet 10.1.1.0/24 and have public addresses in
>> 192.0.2.0/24 subnet.
>> - Clients are in 10.2.2.0/24 subnet behind NAT, subnet gateway is 10.2.2.254.
>>
>> In this setup you need to add route 192.0.2.0/24 to the gateway
>> 10.2.2.254 (and to add 192.0.2.0/24 addresses to IPA server interfaces
>> if they are not configured yet).
>>
>> If you have really small network where all hosts are in a single
>> network then you really might need to add route to multiple hosts to
>> get rid of SPOF on gateway.
>>
>> Here you need to consider what happens if adding the route to all hosts
>> is worth the effort: What happens if the gateway is down?
>> Is the
>> gateway a separate router or is it some kind of all-in-one
>> switch+router as typically seen in really small setups?
>>
>> I hope this helps.
>
> Ok, let's take a few steps back and allow me to explain. So the system I'm
> discussing is a HPC cluster. There is a special "frontend" node with a
> public IP & DNS where users log in, compile their code, submit batch jobs
> etc. Then there are a bunch of "compute" nodes which execute the batch
> jobs (at the moment about 550 compute nodes, FWIW). These compute nodes
> are on a private 10.x.x.x network, where also the frontend node has an IP
> and DNS name. And the frontend node then also functions as a NAT gateway
> node for the internal compute network.
>
> Now, what we want to do is migrating from the existing cluster-specific
> passwd/group databases to a freeIPA cluster which is also shared by some
> other machines. But the simple solution of adding an extra interface to
> the IPA servers to connect them directly to the cluster internal 10.x.x.x
> network doesn't work, as then the Kerberos principal name of the IPA
> servers don't match the DNS names on the cluster internal network.

Okay. Do I understand correctly that the FreeIPA server will be outside the
cluster network, i.e. in the 'public' subnet?

What prevents you from using the 'public' name and IP address of the FreeIPA
server for cluster nodes inside the NATed network? It should just work as long
as routing on the NAT box is set up properly.

What am I missing? :-)

--
Petr^2 Spacek

From jreg2k at gmail.com Wed Apr 15 15:46:48 2015
From: jreg2k at gmail.com (James James)
Date: Wed, 15 Apr 2015 17:46:48 +0200
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
Message-ID:

Hello,

I have been looking to solve my problem but I'm asking for some help.

The replication begins but cannot be completed ....
I want to install a new fresh replica but I've always got this error :

  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

[ipa.example.com] reports: Update failed!
Status: [10 Total update abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication

On the master I have this message :

[15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
[15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
[15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

Any hints will be useful.

Thanks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: replica-acces-log
Type: application/octet-stream
Size: 713710 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: replica-erros-log
Type: application/octet-stream
Size: 21805 bytes
Desc: not available
URL:

From rmeggins at redhat.com Wed Apr 15 16:58:43 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Apr 2015 10:58:43 -0600
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To:
References:
Message-ID: <552E98C3.8020900@redhat.com>

On 04/15/2015 09:46 AM, James James wrote:
> Hello,
>
> I have been looking to solve my problem but I'm asking for some help.
>
> The replication begins but cannot be completed ....
>
> I want to install a new fresh replica but I've always got this error :
>
> [21/35]: configure dirsrv ccache
> [22/35]: enable SASL mapping fallback
> [23/35]: restarting directory server
> [24/35]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 127 seconds elapsed
> Update in progress yet not in progress
>
> Update in progress yet not in progress
>
> [ipa.example.com ] reports: Update failed!
> Status: [10 Total update abortedLDAP error: Referral]
>
> [error] RuntimeError: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
>
>
> On the master I have this message :
> [15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task:
> Successfully cleaned rid(19).
> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa1.example.com " (ipa1:389): Replica has a different
> generation ID than the local data.
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=meToipa1.example.com " (ipa1:389)".

What is happening on the consumer (ipa1.example.com) error and access
log at this time?
> [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin -
> agmt="cn=meToipa1.example.com " (ipa1:389): Unable to receive the
> response for a startReplication extended operation to consumer (Can't
> contact LDAP server). Will retry later.
> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send
> startTLS request: error -1 (Can't contact LDAP server) errno 107
> (Transport endpoint is not connected)
>
> Any hints will be useful.
>
> Thanks.
>
>

From awilisch at gmail.com Wed Apr 15 17:43:55 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Wed, 15 Apr 2015 13:43:55 -0400
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
Message-ID: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com>

Today I managed to finally get a trust established between my AD Domain and my FreeIPA 4 environment.

However I'm noticing a couple issues and hope someone might be able to give me some help.

First when the user logs in it creates their home directory in /home/fioptics/ rather than /home/. I read that you had to put subdomain_homedir= /home in /etc/sssd/sssd.conf but that didn't seem to fix it.

Also the FreeIPA environment is set to use /bin/bash as the shell, however everyone from AD is logging in and using /bin/sh.

I'm hoping if I can get these issues sorted out the other issues I'm seeing will go as well, but if they don't I can address those at that time.

Let me know what I would need to post in order to help. I'm including the sssd.conf and krb5.conf file below.

I appreciate any help anyone can give.

---------
sssd.conf

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGING.FIOPTICS.INT
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 STAGING.FIOPTICS.INT = {
  kdc = stip01.staging.fioptics.int:88
  master_kdc = stip01.staging.fioptics.int:88
  admin_server = stip01.staging.fioptics.int:749
  default_domain = staging.fioptics.int
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .staging.fioptics.int = STAGING.FIOPTICS.INT
 staging.fioptics.int = STAGING.FIOPTICS.INT

[dbmodules]
 STAGING.FIOPTICS.INT = {
  db_library = ipadb.so
 }

----------------
krb5.conf

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGING.FIOPTICS.INT
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 STAGING.FIOPTICS.INT = {
  kdc = stip01.staging.fioptics.int:88
  master_kdc = stip01.staging.fioptics.int:88
  admin_server = stip01.staging.fioptics.int:749
  default_domain = staging.fioptics.int
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@AD_DOMAIN$)s/@AD_DOMAIN/@ad_domain/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .staging.fioptics.int = STAGING.FIOPTICS.INT
 staging.fioptics.int = STAGING.FIOPTICS.INT

[dbmodules]
 STAGING.FIOPTICS.INT = {
  db_library = ipadb.so
 }

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

From lslebodn at redhat.com Wed Apr 15 17:52:31 2015
From: lslebodn at redhat.com (Lukas
Slebodnik)
Date: Wed, 15 Apr 2015 19:52:31 +0200
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
In-Reply-To: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com>
References: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com>
Message-ID: <20150415175231.GE893@mail.corp.redhat.com>

On (15/04/15 13:43), Aric Wilisch wrote:
>Today I managed to finally get a trust established between my AD Domain and my FreeIPA 4 environment.
>
>However I'm noticing a couple issues and hope someone might be able to give me some help.
>
>First when the user logs in it creates their home directory in /home/fioptics/ rather than /home/. I read that you had to put
>subdomain_homedir= /home in /etc/sssd/sssd.conf but that didn't seem to fix it.
 ^^^^^
The value of this option is a template. The default is "/home/%d/%u"
You can find details in man sssd.conf -> subdomain_homedir -> override_homedir

LS

From abokovoy at redhat.com Wed Apr 15 18:00:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Apr 2015 21:00:01 +0300
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
In-Reply-To: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com>
References: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com>
Message-ID: <20150415180001.GF4797@redhat.com>

On Wed, 15 Apr 2015, Aric Wilisch wrote:
>Today I managed to finally get a trust established between my AD Domain and my FreeIPA 4 environment.
>
>However I'm noticing a couple issues and hope someone might be able to give me some help.
>
>First when the user logs in it creates their home directory in
>/home/fioptics/ rather than /home/. I read that you
>had to put subdomain_homedir= /home in /etc/sssd/sssd.conf but that
>didn't seem to fix it.
>
>Also the FreeIPA environment is set to use /bin/bash as the shell,
>however everyone from AD is logging in and using /bin/sh.
>
>I'm hoping if I can get these issues sorted out the other issues I'm
>seeing will go as well, but if they don't I can address those at that
>time.
These issues are addressed with IDViews functionality in FreeIPA 4.1.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

I have 'sneak peek' videos of how this feature works:
http://talks.vda.li/video/freeipa-idviews-override-shell-and-homedir.webm
http://talks.vda.li/video/freeipa-idviews-override-public-ssh-key.webm
These are draft sequences, no sound or subtitles so you need to read documentation too :)
--
/ Alexander Bokovoy

From awilisch at gmail.com Wed Apr 15 18:19:09 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Wed, 15 Apr 2015 14:19:09 -0400
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
In-Reply-To: <20150415180001.GF4797@redhat.com>
References: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com> <20150415180001.GF4797@redhat.com>
Message-ID:

So I would have to set up an ID View Override for every user in AD that needs to log in to a FreeIPA host? I guess I'm having trouble understanding why it wouldn't just use the defaults set in FreeIPA? The default home directory is set to /home and the default shell is set to /bin/bash. This is a lot of work to go to unless there's a way to set it globally for the entire domain.

Also noticing sudo doesn't work for those users even though I have the ad_admins group added to the sudo group I created.

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

> On Apr 15, 2015, at 2:00 PM, Alexander Bokovoy wrote:
>
> On Wed, 15 Apr 2015, Aric Wilisch wrote:
>> Today I managed to finally get a trust established between my AD Domain and my FreeIPA 4 environment.
>>
>> However I'm noticing a couple issues and hope someone might be able to give me some help.
>>
>> First when the user logs in it creates their home directory in
>> /home/fioptics/ rather than /home/. I read that you
>> had to put subdomain_homedir= /home in /etc/sssd/sssd.conf but that
>> didn't seem to fix it.
>>
>> Also the FreeIPA environment is set to use /bin/bash as the shell,
>> however everyone from AD is logging in and using /bin/sh.
>>
>> I'm hoping if I can get these issues sorted out the other issues I'm
>> seeing with go as well, but if they don't I can address those at that
>> time.
> These issues are addressed with IDViews functionality in FreeIPA 4.1.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
>
> I have 'sneak peek' videos of how this feature works:
> http://talks.vda.li/video/freeipa-idviews-override-shell-and-homedir.webm
> http://talks.vda.li/video/freeipa-idviews-override-public-ssh-key.webm
> These are draft sequences, no sound or subtitles so you need to read
> documentation too :)
> --
> / Alexander Bokovoy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jreg2k at gmail.com Wed Apr 15 18:43:43 2015
From: jreg2k at gmail.com (James James)
Date: Wed, 15 Apr 2015 20:43:43 +0200
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To: <552E98C3.8020900@redhat.com>
References: <552E98C3.8020900@redhat.com>
Message-ID:

Here is the log

2015-04-15 18:58 GMT+02:00 Rich Megginson :
> On 04/15/2015 09:46 AM, James James wrote:
>
> Hello,
>
> I have been looking to solve my problem but I'm asking for some help.
>
> The replication begins but cannot be completed ....
>
> I want to install a new fresh replica but I've always got this error :
>
> [21/35]: configure dirsrv ccache
> [22/35]: enable SASL mapping fallback
> [23/35]: restarting directory server
> [24/35]: setting up initial replication
> Starting replication, please wait until this has completed.
> Update in progress, 127 seconds elapsed
> Update in progress yet not in progress
>
> Update in progress yet not in progress
>
> [ipa.example.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>
> [error] RuntimeError: Failed to start replication
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Failed to start replication
>
>
> On the master I have this message :
> 15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
>
>
> What is happening on the consumer (ipa1.example.com) error and access log at this time?
>
> [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>
> Any hints will be useful.
>
> Thanks.
>
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
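As an added example (not configuration from any message in this thread), for the "Freeipa4 - AD SSH logins" question above: the sssd.conf route to give trusted AD users a /home/<user> directory and /bin/bash across the whole domain, with the literal setting that did not work beside the template form Lukas points to. It assumes the domain section is named after Aric's staging.fioptics.int realm and that default_shell in [nss] applies to trusted-domain users on this deployment; the ID view overrides Alexander describes remain the per-user route.

```ini
# Added example, not from any message in this thread. Assumed: the IPA
# domain section is named after the staging.fioptics.int realm seen in
# Aric's krb5.conf, and sssd is restarted after the change.

[domain/staging.fioptics.int]
# Wrong: this is the value from the thread. subdomain_homedir is a
# template, and a bare "/home" contains no %u, so it cannot produce a
# per-user directory under /home.
# subdomain_homedir = /home

# Right: a template. %u expands to the user name and %d to the domain
# name (the "fioptics" component in the paths Aric sees), so the default
# "/home/%d/%u" gives /home/fioptics/<user>, while this gives /home/<user>.
# The full template syntax is documented under override_homedir in
# man sssd.conf, as Lukas notes.
subdomain_homedir = /home/%u

[nss]
# Shell handed out when the identity provider returns none, which is how
# AD users end up with /bin/sh. Assumption: on this deployment the [nss]
# default_shell is what the trusted-domain users get.
default_shell = /bin/bash
```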
dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=3 op=1 MOD dn="cn=MemberOf Plugin,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=3 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=3 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=3 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=4 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=4 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=4 op=1 ADD dn="cn=ipa-winsync,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=4 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=4 op=2 fd=66 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=5 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=5 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=5 op=1 ADD dn="cn=IPA Version Replication,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=5 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=5 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=5 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=6 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=6 op=1 ADD dn="cn=ipa_enrollment_extop,cn=plugins,cn=config" [15/Apr/2015:17:06:25 
+0200] conn=6 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=6 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=6 op=2 fd=66 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=7 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=7 op=1 MOD dn="cn=config" [15/Apr/2015:17:06:25 +0200] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=7 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=7 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=8 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=8 op=1 ADD dn="cn=krbPrincipalName uniqueness,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=8 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=8 op=2 ADD dn="cn=krbCanonicalName uniqueness,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=8 op=2 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=8 op=3 ADD dn="cn=netgroup uniqueness,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=8 op=3 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=8 op=4 ADD dn="cn=ipaUniqueID uniqueness,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=8 op=4 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=8 op=5 ADD dn="cn=sudorule name uniqueness,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=8 op=5 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=8 op=6 UNBIND [15/Apr/2015:17:06:25 +0200] conn=8 op=6 fd=66 
closed - U1 [15/Apr/2015:17:06:25 +0200] conn=9 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=9 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=9 op=1 ADD dn="cn=IPA UUID,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=9 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=9 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=9 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=10 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=10 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=10 op=1 ADD dn="cn=IPA Unique IDs,cn=IPA UUID,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=10 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=10 op=2 ADD dn="cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=10 op=2 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=10 op=3 UNBIND [15/Apr/2015:17:06:25 +0200] conn=10 op=3 fd=66 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=11 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=11 op=1 ADD dn="cn=IPA MODRDN,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=11 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=11 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=11 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=12 fd=66 slot=66 connection from 
193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=12 op=1 ADD dn="cn=Kerberos Principal Name,cn=IPA MODRDN,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=12 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=12 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=12 op=2 fd=66 closed - U1 [15/Apr/2015:17:06:25 +0200] conn=13 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:25 +0200] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:25 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:25 +0200] conn=13 op=1 ADD dn="cn=IPA DNS,cn=plugins,cn=config" [15/Apr/2015:17:06:25 +0200] conn=13 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:25 +0200] conn=13 op=2 UNBIND [15/Apr/2015:17:06:25 +0200] conn=13 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=14 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=14 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=14 op=1 MOD dn="cn=config" [15/Apr/2015:17:06:26 +0200] conn=14 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=14 op=2 MOD dn="cn=config" [15/Apr/2015:17:06:26 +0200] conn=14 op=2 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=14 op=3 MOD dn="cn=USN,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=14 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=14 op=4 UNBIND [15/Apr/2015:17:06:26 +0200] conn=14 op=4 fd=66 closed - U1 [15/Apr/2015:17:06:26 +0200] 
conn=15 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=15 op=1 ADD dn="cn=IPA Lockout,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=15 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=15 op=2 UNBIND [15/Apr/2015:17:06:26 +0200] conn=15 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=16 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=16 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=16 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=16 op=1 ADD dn="cn=krbPrincipalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=2 ADD dn="cn=ou,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=2 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=3 ADD dn="cn=carLicense,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=3 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=4 ADD dn="cn=title,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=4 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=5 ADD dn="cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=5 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=6 ADD dn="cn=secretary,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" 
[15/Apr/2015:17:06:26 +0200] conn=16 op=6 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=7 ADD dn="cn=displayname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=7 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=8 MOD dn="cn=uid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=8 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=9 ADD dn="cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=9 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=10 ADD dn="cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=10 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=11 MOD dn="cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=11 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=12 MOD dn="cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=12 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=13 ADD dn="cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=13 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=14 ADD dn="cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=14 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=15 ADD dn="cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=15 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=16 ADD 
dn="cn=memberUser,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=16 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=17 ADD dn="cn=sourcehost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=17 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=18 ADD dn="cn=memberservice,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=18 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=19 ADD dn="cn=managedby,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=19 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=20 ADD dn="cn=memberallowcmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=20 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=21 ADD dn="cn=memberdenycmd,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=21 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=22 ADD dn="cn=ipasudorunas,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=22 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=23 ADD dn="cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=23 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=24 ADD dn="cn=automountkey,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=24 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=25 ADD dn="cn=ipakrbprincipalalias,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" 
[15/Apr/2015:17:06:26 +0200] conn=16 op=25 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=26 ADD dn="cn=ipauniqueid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=16 op=26 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=16 op=27 UNBIND [15/Apr/2015:17:06:26 +0200] conn=16 op=27 fd=66 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=17 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=17 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=17 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=17 op=1 MOD dn="cn=referential integrity postoperation,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=17 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=17 op=2 UNBIND [15/Apr/2015:17:06:26 +0200] conn=17 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=18 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=18 op=0 BIND dn="cn=directory manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=18 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=18 op=1 MOD dn="cn=encryption,cn=config" [15/Apr/2015:17:06:26 +0200] conn=18 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=18 op=2 MOD dn="cn=config" [15/Apr/2015:17:06:26 +0200] conn=18 op=2 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=18 op=3 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses" [15/Apr/2015:17:06:26 +0200] conn=18 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:26 +0200] conn=18 op=4 ADD dn="cn=RSA,cn=encryption,cn=config" [15/Apr/2015:17:06:26 +0200] conn=18 op=4 RESULT err=0 tag=105 nentries=0 etime=0 
[15/Apr/2015:17:06:26 +0200] conn=18 op=5 UNBIND [15/Apr/2015:17:06:26 +0200] conn=18 op=5 fd=65 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=19 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=19 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=19 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=19 op=1 ADD dn="cn=root-autobind,cn=config" [15/Apr/2015:17:06:26 +0200] conn=19 op=1 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=19 op=2 MOD dn="cn=config" [15/Apr/2015:17:06:26 +0200] conn=19 op=2 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=19 op=3 MOD dn="cn=config" [15/Apr/2015:17:06:26 +0200] conn=19 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=19 op=4 UNBIND [15/Apr/2015:17:06:26 +0200] conn=19 op=4 fd=66 closed - U1 [15/Apr/2015:17:06:26 +0200] conn=20 fd=65 slot=65 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:26 +0200] conn=20 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:26 +0200] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:26 +0200] conn=20 op=1 MOD dn="cn=Managed Entries,cn=plugins,cn=config" [15/Apr/2015:17:06:26 +0200] conn=20 op=1 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:26 +0200] conn=20 op=2 UNBIND [15/Apr/2015:17:06:26 +0200] conn=20 op=2 fd=65 closed - U1 [15/Apr/2015:17:06:27 +0200] conn=21 fd=66 slot=66 connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:27 +0200] conn=21 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [15/Apr/2015:17:06:27 +0200] conn=21 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:27 +0200] conn=21 op=1 MOD dn="cn=config" [15/Apr/2015:17:06:27 +0200] conn=21 op=1 RESULT err=0 tag=103 nentries=0 etime=0 
[15/Apr/2015:17:06:27 +0200] conn=21 op=2 UNBIND [15/Apr/2015:17:06:27 +0200] conn=21 op=2 fd=66 closed - U1 [15/Apr/2015:17:06:28 +0200] conn=1 fd=64 slot=64 connection from ::1 to ::1 [15/Apr/2015:17:06:28 +0200] conn=1 op=-1 fd=64 closed - B1 [15/Apr/2015:17:06:28 +0200] conn=2 fd=64 slot=64 connection from local to /var/run/slapd-EXAMPLE-COM.socket [15/Apr/2015:17:06:28 +0200] conn=2 op=0 BIND dn="cn=directory manager" method=128 version=3 [15/Apr/2015:17:06:28 +0200] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:28 +0200] conn=2 op=1 SRCH base="cn=IPA Version Replication,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL [15/Apr/2015:17:06:28 +0200] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:28 +0200] conn=2 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses" [15/Apr/2015:17:06:28 +0200] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:28 +0200] conn=2 op=3 MOD dn="cn=IPA Version Replication,cn=plugins,cn=config" [15/Apr/2015:17:06:28 +0200] conn=2 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:28 +0200] conn=2 op=4 UNBIND [15/Apr/2015:17:06:28 +0200] conn=2 op=4 fd=64 closed - U1 [15/Apr/2015:17:06:31 +0200] conn=1 fd=64 slot=64 connection from ::1 to ::1 [15/Apr/2015:17:06:31 +0200] conn=1 op=-1 fd=64 closed - B1 [15/Apr/2015:17:06:31 +0200] conn=2 fd=64 slot=64 SSL connection from 193.55.176.68 to 193.55.176.68 [15/Apr/2015:17:06:31 +0200] conn=2 TLS1.2 128-bit AES [15/Apr/2015:17:06:31 +0200] conn=2 op=0 BIND dn="cn=directory manager" method=128 version=3 [15/Apr/2015:17:06:31 +0200] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Apr/2015:17:06:31 +0200] conn=2 op=1 SRCH base="cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL [15/Apr/2015:17:06:31 +0200] conn=2 op=1 RESULT err=32 tag=101 
nentries=0 etime=0 [15/Apr/2015:17:06:31 +0200] conn=2 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses" [15/Apr/2015:17:06:31 +0200] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=3 ADD dn="cn=replication manager,cn=config" [15/Apr/2015:17:06:32 +0200] conn=2 op=3 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=4 SRCH base="cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL [15/Apr/2015:17:06:32 +0200] conn=2 op=4 RESULT err=32 tag=101 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=5 ADD dn="cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [15/Apr/2015:17:06:32 +0200] conn=2 op=5 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=6 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory" [15/Apr/2015:17:06:32 +0200] conn=2 op=6 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=7 ADD dn="cn=changelog5,cn=config" [15/Apr/2015:17:06:32 +0200] conn=2 op=7 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 fd=65 slot=65 connection from 193.55.176.37 to 193.55.176.68 [15/Apr/2015:17:06:32 +0200] conn=3 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [15/Apr/2015:17:06:32 +0200] conn=3 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 TLS1.0 128-bit AES [15/Apr/2015:17:06:32 +0200] conn=3 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3 [15/Apr/2015:17:06:32 +0200] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [15/Apr/2015:17:06:32 +0200] conn=3 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:06:32 +0200] conn=3 op=2 RESULT err=0 tag=101 nentries=1 etime=0 
[15/Apr/2015:17:06:32 +0200] conn=3 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:06:32 +0200] conn=3 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=4 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:06:32 +0200] conn=2 op=8 SRCH base="cn=meToipa.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL [15/Apr/2015:17:06:32 +0200] conn=2 op=8 RESULT err=32 tag=101 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=4 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=9 ADD dn="cn=meToipa.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [15/Apr/2015:17:06:32 +0200] conn=2 op=9 RESULT err=0 tag=105 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=5 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN" [15/Apr/2015:17:06:32 +0200] conn=2 op=10 MOD dn="cn=meToipa.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" [15/Apr/2015:17:06:32 +0200] conn=2 op=10 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=2 op=11 SRCH base="cn=meToipa.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL [15/Apr/2015:17:06:32 +0200] conn=2 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=5 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=6 MOD dn="cn=schema" [15/Apr/2015:17:06:32 +0200] conn=3 op=6 RESULT err=0 tag=103 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=7 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:06:32 +0200] conn=3 op=7 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:32 +0200] conn=3 op=8 UNBIND [15/Apr/2015:17:06:32 +0200] conn=3 op=8 
fd=65 closed - U1 [15/Apr/2015:17:06:33 +0200] conn=4 fd=66 slot=66 connection from 193.55.176.37 to 193.55.176.68 [15/Apr/2015:17:06:33 +0200] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [15/Apr/2015:17:06:33 +0200] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 TLS1.0 128-bit AES [15/Apr/2015:17:06:33 +0200] conn=4 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3 [15/Apr/2015:17:06:33 +0200] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [15/Apr/2015:17:06:33 +0200] conn=4 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:06:33 +0200] conn=4 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:06:33 +0200] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=4 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:06:33 +0200] conn=4 op=4 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=5 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN" [15/Apr/2015:17:06:33 +0200] conn=4 op=5 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=6 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=6 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=7 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=7 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=8 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=8 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:06:33 +0200] conn=4 op=9 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=9 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=10 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=10 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=11 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=11 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=12 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=12 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=13 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=13 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=14 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=14 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=15 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=15 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=16 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=16 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=17 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=17 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=18 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=18 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=19 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=19 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=20 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=20 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=21 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=21 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=22 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=22 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=23 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=23 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=24 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=24 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=25 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=25 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=26 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=26 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=27 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=27 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=28 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=28 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=29 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=29 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=30 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=30 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=31 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=31 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=32 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=32 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=33 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=33 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=34 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=34 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=35 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=35 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=36 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=36 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=37 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=37 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=38 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=38 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=39 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=39 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=40 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=40 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=41 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=41 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=42 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=42 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=43 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=43 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=44 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=44 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=45 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=45 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=46 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=46 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=47 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=47 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=48 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=48 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=49 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=49 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=50 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=50 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=51 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=51 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=52 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=52 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=53 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=53 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=54 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=54 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=55 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=55 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=56 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=56 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=57 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=57 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=58 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=58 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=59 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=59 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=60 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=60 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=61 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=61 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=62 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=62 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=63 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=63 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=64 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=64 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=65 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=65 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=66 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=66 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=67 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=67 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=68 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=68 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=69 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=69 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=70 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=70 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=71 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=71 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=72 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=72 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=73 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=73 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=74 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=74 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=75 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=75 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=76 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=76 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=77 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=77 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=78 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=78 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=79 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=79 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=80 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=80 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=81 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=81 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=82 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=82 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=83 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=83 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=84 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=84 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=85 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=85 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=86 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=86 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=87 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=87 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=88 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=88 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=89 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=89 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=90 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=90 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=91 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=91 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=92 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=92 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=93 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=93 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=94 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=94 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=95 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=95 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=96 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=96 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=97 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=97 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=98 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=98 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=99 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=99 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=100 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=100 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=101 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=101 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=102 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=102 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=103 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=103 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=104 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=104 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=105 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=105 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=106 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=106 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=107 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=107 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=108 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=108 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=109 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=109 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=110 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=110 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=111 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=111 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=112 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=112 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=113 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=113 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=114 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=114 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=115 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=115 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=116 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=116 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=117 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=117 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=118 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=118 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=119 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=119 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=120 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=120 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=121 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=121 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=122 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=122 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=123 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=123 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=124 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=124 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=125 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=125 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=126 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=126 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=127 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=127 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=128 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=128 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=129 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=129 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=130 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=130 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=131 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=131 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=132 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=132 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=133 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=133 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=134 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=134 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=135 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=135 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=136 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=136 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=137 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=137 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=138 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=138 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=139 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=139 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=140 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=140 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=141 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=141 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=142 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=142 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=143 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=143 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=144 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=144 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=145 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=145 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=146 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=146 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=147 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=147 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=148 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=148 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=149 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=149 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=150 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=150 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=151 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=151 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=152 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=152 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=153 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=153 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=154 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=154 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=155 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=155 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=156 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=156 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=157 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=157 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=158 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=158 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=159 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=159 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=160 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=160 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=161 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=161 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=162 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=162 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=163 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=163 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=164 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=164 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=165 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=165 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=166 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=166 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=167 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=167 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=168 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=168 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=169 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=169 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=170 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=170 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=171 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=171 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=172 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=172 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=173 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=173 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=174 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=174 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=175 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=175 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=176 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=176 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=177 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=177 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=178 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=178 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=179 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=179 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=180 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=180 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=181 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=181 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=182 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=182 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=183 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=183 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=184 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=184 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=185 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=185 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=186 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=186 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=187 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=187 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=188 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=188 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=189 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=189 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=190 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=190 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=191 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=191 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=192 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=192 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=193 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=193 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=194 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=194 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=195 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=195 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=196 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=196 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=197 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=197 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=198 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=198 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=199 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=199 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=200 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=200 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=201 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=201 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=202 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=202 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=203 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=203 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=204 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=204 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=205 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=205 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=206 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=206 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=207 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=207 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=208 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=208 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=209 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=209 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=210 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=210 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=211 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=211 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33
+0200] conn=4 op=212 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=212 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=213 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=213 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=214 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=214 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=215 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=215 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=216 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=216 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=217 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=217 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=218 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=218 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=219 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=219 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=220 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=220 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=221 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] 
conn=4 op=221 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=222 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=222 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=223 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=223 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=224 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=224 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=225 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=225 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=226 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=226 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=227 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=227 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=228 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=228 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=229 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=229 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=230 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=230 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=231 EXT oid="2.16.840.1.113730.3.5.6" 
name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=231 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=232 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=232 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=233 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=233 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=234 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=234 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=235 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=235 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=236 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=236 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=237 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=237 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=238 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=238 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=239 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=239 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=240 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=240 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:06:33 +0200] conn=4 op=241 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=241 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=242 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=242 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=243 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=243 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=244 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=244 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=245 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=245 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=246 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=246 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=247 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=247 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=248 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=248 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=249 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=249 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=250 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" 
[15/Apr/2015:17:06:33 +0200] conn=4 op=250 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=251 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=251 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=252 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=252 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=253 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=253 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=254 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=254 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=255 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=255 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=256 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=256 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=257 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=257 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=258 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=258 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=259 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=259 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=260 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=260 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=261 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=261 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=262 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=262 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=263 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=263 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=264 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=264 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=265 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=265 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=266 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=266 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=267 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=267 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=268 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=268 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=269 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=269 RESULT err=0 
tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=270 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=270 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=271 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=271 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=272 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=272 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=273 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=273 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=274 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=274 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=275 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=275 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=276 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=276 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=277 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=277 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=278 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=278 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=279 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total 
Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=279 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=280 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=280 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=281 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=281 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=282 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=282 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=283 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=283 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=284 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=284 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=285 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=285 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=286 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=286 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=287 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=287 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=288 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=288 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 
op=289 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=289 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=290 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=290 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=291 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=291 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=292 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=292 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=293 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=293 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=294 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=294 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=295 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=295 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=296 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=296 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=297 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=297 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=298 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=298 
RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=299 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=299 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=300 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=300 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=301 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=301 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=302 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=302 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=303 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=303 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=304 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=304 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=305 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=305 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=306 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=306 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=307 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=307 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=308 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape 
Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=308 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=309 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=309 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=310 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=310 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=311 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=311 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=312 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=312 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=313 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=313 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=314 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=314 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=315 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=315 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=316 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=316 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=317 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=317 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 
+0200] conn=4 op=318 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=318 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=319 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=319 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=320 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=320 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=321 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=321 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=322 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=322 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=323 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=323 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=324 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=324 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=325 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=325 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=326 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=326 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=327 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] 
conn=4 op=327 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=328 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=328 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=329 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=329 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=330 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=330 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=331 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=331 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=332 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=332 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=333 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=333 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=334 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=334 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=335 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=335 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=336 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=336 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=337 EXT oid="2.16.840.1.113730.3.5.6" 
name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=337 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=338 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=338 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=339 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=339 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=340 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=340 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=341 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=341 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=342 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=342 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=343 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=343 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=344 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=344 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=345 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=345 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=346 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=346 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=347 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=347 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=348 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=348 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=349 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=349 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=350 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=350 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=351 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=351 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=352 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=352 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=353 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=353 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=354 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=354 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=355 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=355 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=356 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=356 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=357 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=357 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=358 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=358 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=359 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=359 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=360 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=360 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=361 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=361 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=362 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=362 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=363 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=363 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=364 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=364 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=365 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=365 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=366 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=366 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=367 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=367 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=368 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=368 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=369 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=369 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=370 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=370 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=371 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=371 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=372 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=372 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=373 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=373 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=374 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=374 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=375 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=375 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=376 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=376 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=377 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=377 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=378 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=378 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=379 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=379 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=380 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=380 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=381 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=381 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=382 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=382 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=383 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=383 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=384 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=384 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=385 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=385 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=386 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=386 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=387 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=387 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=388 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=388 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=389 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=389 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=390 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=390 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=391 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=391 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=392 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=392 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=393 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=393 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=394 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=394 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=395 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=395 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=396 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=396 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=397 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=397 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=398 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=398 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=399 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=399 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=400 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=400 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=401 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=401 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=402 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=402 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=403 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=403 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=404 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=404 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=405 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=405 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=406 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=406 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=407 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=407 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=408 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=408 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=409 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=409 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=410 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=410 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=411 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=411 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=412 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=412 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=413 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=413 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=414 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=414 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=415 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=415 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=416 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=416 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=417 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=417 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=418 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=418 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=419 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=419 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=420 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=420 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=421 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=421 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=422 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=422 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=423 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=423 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=424 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=424 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=425 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=425 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=426 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=426 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=427 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=427 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=428 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=428 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=429 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=429 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=430 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=430 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=431 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=431 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=432 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=432 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=433 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=433 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=434 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=434 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=435 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=435 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=436 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=436 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=437 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=437 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=438 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=438 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=439 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=439 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=440 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=440 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=441 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=441 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=442 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=442 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=443 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=443 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=444 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=444 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=445 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=445 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=446 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=446 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=447 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=447 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=448 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=448 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=449 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=449 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=450 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=450 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=451 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=451 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=452 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=452 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=453 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=453 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=454 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=454 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=455 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=455 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=456 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=456 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=457 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=457 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=458 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=458 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=459 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=459 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=460 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=460 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=461 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=461 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=462 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=462 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=463 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=463 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=464 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=464 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=465 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=465 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=466 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=466 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=467 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=467 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=468 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=468 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=469 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=469 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=470 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=470 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=471 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=471 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=472 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=472 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=473 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=473 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=474 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=474 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=475 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=475 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=476 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=476 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=477 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=477 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=478 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=478 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=479 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=479 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=480 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=480 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=481 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=481 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=482 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=482 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=483 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=483 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=484 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=484 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=485 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=485 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=486 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=486 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=487 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=487 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=488 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=488 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=489 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=489 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=490 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=490 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=491 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=491 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=492 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=492 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=493 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=493 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=494 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=494 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=495 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=495 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=496 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=496 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=497 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=497 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=498 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=498 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=499 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=499 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=500 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=500 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=501 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=501 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=502 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=502 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=503 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=503 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=504 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=504 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=505 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=505 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=506 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=506 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=507 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=507 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=508 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=508 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=509 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=509 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=510 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=510 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=511 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=511 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=512 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=512 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=513 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=513 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=514 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=514 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=515 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=515 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=516 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=516 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=517 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=517 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=518 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=518 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=519 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=519 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=520 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=520 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=521 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=521 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=522 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=522 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=523 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=523 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=524 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=524 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=525 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=525 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=526 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=526 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=527 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=527 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=528 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=528 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33 +0200] conn=4 op=529 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[15/Apr/2015:17:06:33 +0200] conn=4 op=529 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:06:33
+0200] conn=4 op=530 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=530 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=531 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=531 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=532 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=532 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=533 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=533 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=534 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=534 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=535 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=535 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=536 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=536 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=537 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=537 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=538 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=538 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=539 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] 
conn=4 op=539 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=540 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=540 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=541 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=541 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=542 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=542 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=543 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=543 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=544 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=544 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=545 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=545 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=546 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=546 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=547 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=547 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=548 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=548 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=549 EXT oid="2.16.840.1.113730.3.5.6" 
name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=549 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=550 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=550 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=551 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=551 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=552 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=552 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=553 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=553 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=554 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=554 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=555 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=555 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=556 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=556 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=557 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=557 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=558 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=558 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:06:33 +0200] conn=4 op=559 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=559 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=560 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=560 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=561 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=561 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=562 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=562 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=563 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=563 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=564 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=564 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=565 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=565 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=566 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=566 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=567 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=567 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=568 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" 
[15/Apr/2015:17:06:33 +0200] conn=4 op=568 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=569 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=569 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=570 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=570 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=571 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=571 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=572 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=572 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=573 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=573 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=574 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=574 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=575 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=575 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=576 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=576 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=577 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=577 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=578 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=578 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=579 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=579 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=580 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=580 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=581 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=581 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=582 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=582 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=583 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=583 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=584 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=584 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=585 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=585 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=586 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=586 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=587 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=587 RESULT err=0 
tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=588 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=588 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=589 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=589 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=590 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=590 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=591 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=591 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=592 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=592 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=593 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=593 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=594 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=594 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=595 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=595 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=596 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=596 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=597 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total 
Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=597 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=598 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=598 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=599 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=599 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=600 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=600 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=601 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=601 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=602 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=602 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=603 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=603 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=604 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=604 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=605 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=605 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=606 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=606 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 
op=607 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=607 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=608 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=608 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=609 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=609 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=610 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=610 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=611 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=611 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=612 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=612 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=613 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=613 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=614 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=614 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=615 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=615 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=616 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=616 
RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=617 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=617 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=618 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=618 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=619 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=619 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=620 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=620 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=621 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=621 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=622 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=622 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=623 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=623 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=624 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=624 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=625 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=625 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=626 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape 
Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=626 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=627 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=627 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=628 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=628 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=629 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=629 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=630 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=630 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=631 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=631 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=632 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=632 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=633 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=633 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=634 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=634 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=635 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=635 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 
+0200] conn=4 op=636 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=636 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=637 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=637 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=638 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=638 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=639 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=639 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=640 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=640 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=641 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=641 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=642 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=642 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=643 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=643 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=644 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=644 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=645 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] 
conn=4 op=645 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=646 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=646 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=647 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=647 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=648 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=648 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=649 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=649 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=650 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=650 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=651 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=651 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=652 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=652 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=653 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=653 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=654 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=654 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=655 EXT oid="2.16.840.1.113730.3.5.6" 
name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=655 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=656 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=656 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=657 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=657 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=658 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=658 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=659 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:33 +0200] conn=4 op=659 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:33 +0200] conn=4 op=660 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=660 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:06:34 +0200] conn=4 op=661 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=661 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=662 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=662 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=663 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=663 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=664 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=664 RESULT err=0 tag=120 nentries=0 etime=0 
name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=867 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=868 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=868 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=869 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=869 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=870 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=870 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=871 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=871 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=872 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=872 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=873 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=873 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=874 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=874 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=875 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=875 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=876 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=876 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:06:34 +0200] conn=4 op=877 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=877 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=878 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=878 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=879 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=879 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=880 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=880 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=881 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=881 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=882 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=882 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=883 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=883 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=884 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=884 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=885 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=885 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=886 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" 
[15/Apr/2015:17:06:34 +0200] conn=4 op=886 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=887 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=887 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=888 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=888 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=889 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=889 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=890 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=890 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=891 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=891 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=892 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=892 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=893 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=893 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=894 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=894 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=895 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=895 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=896 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=896 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=897 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=897 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=898 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=898 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=899 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=899 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=900 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=900 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=901 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=901 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=902 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=902 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=903 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=903 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=904 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=904 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=905 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=905 RESULT err=0 
tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=906 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=906 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=907 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=907 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=908 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=908 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=909 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=909 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=910 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=910 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=911 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=911 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=912 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=912 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=913 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=913 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=914 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=914 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=915 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total 
Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=915 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=916 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=916 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=917 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=917 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=918 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=918 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=919 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=919 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=920 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=920 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=921 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=921 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=922 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=922 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=923 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=923 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=924 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=924 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 
op=925 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=925 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=926 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=926 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=927 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=927 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=928 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=928 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=929 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=929 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=930 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=930 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=931 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=931 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=932 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=932 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=933 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=933 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=934 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=934 
RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=935 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=935 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=936 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=936 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=937 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=937 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=938 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=938 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=939 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=939 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=940 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=940 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=941 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=941 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=942 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=942 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=943 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=943 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=944 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape 
Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=944 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=945 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=945 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=946 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=946 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=947 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=947 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=948 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=948 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=949 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=949 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=950 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=950 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=951 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=951 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=952 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=952 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=953 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=953 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 
+0200] conn=4 op=954 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=954 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=955 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=955 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=956 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=956 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=957 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=957 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=958 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=958 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=959 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=959 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=960 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=960 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=961 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=961 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=962 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=962 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=963 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] 
conn=4 op=963 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=964 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=964 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=965 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=965 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=966 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=966 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=967 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=967 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=968 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=968 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=969 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=969 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=970 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=970 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=971 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=971 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=972 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=972 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=973 EXT oid="2.16.840.1.113730.3.5.6" 
name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=973 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=974 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=974 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=975 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=975 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=976 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=976 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=977 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=977 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=978 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=978 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=979 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=979 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=980 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=980 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=981 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=981 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=982 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=982 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:06:34 +0200] conn=4 op=983 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=983 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=984 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=984 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=985 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=985 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=986 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=986 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=987 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=987 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=988 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=988 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=989 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=989 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=990 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=990 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=991 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=991 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=992 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1192 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1193 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1193 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1194 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1194 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1195 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1195 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1196 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1196 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1197 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1197 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1198 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1198 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1199 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1199 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1200 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1200 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1201 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1201 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1202 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1202 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1203 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1203 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1204 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1204 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1205 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1205 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1206 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1206 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1207 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1207 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1208 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1208 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1209 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1209 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1210 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1210 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1211 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1211 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1212 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1212 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1213 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1213 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1214 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1214 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1215 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1215 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1216 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1216 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1217 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1217 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1218 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1218 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1219 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1219 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1220 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1220 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1221 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1221 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1222 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1222 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1223 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1223 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1224 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1224 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1225 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1225 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1226 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1226 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1227 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1227 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1228 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1228 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1229 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1229 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1230 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1230 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1231 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1231 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1232 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1232 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1233 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1233 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1234 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1234 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1235 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1235 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1236 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1236 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1237 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1237 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1238 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1238 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1239 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1239 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1240 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1240 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1241 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1241 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1242 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1242 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1243 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1243 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1244 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1244 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1245 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1245 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1246 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1246 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1247 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1247 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1248 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1248 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1249 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1249 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1250 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1250 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1251 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1251 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1252 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1252 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1253 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1253 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1254 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1254 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1255 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1255 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1256 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1256 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1257 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1257 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1258 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1258 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1259 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1259 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1260 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1260 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1261 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1261 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1262 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1262 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1263 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1263 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1264 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1264 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1265 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1265 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1266 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1266 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1267 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1267 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1268 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1268 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1269 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1269 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1270 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1270 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1271 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1271 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1272 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1272 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1273 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1273 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1274 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1274 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1275 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1275 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1276 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1276 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1277 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1277 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1278 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1278 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1279 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1279 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1280 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1280 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1281 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1281 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1282 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1282 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1283 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1283 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1284 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1284 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1285 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1285 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1286 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1286 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1287 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1287 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1288 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1288 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1289 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1289 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1290 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1290 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1291 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1291 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1292 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1292 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1293 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1293 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1294 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1294 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1295 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1295 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1296 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
op=1296 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1297 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1297 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1298 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1298 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1299 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1299 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1300 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1300 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1301 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1301 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1302 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1302 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1303 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1303 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1304 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1304 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1305 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1305 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1306 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1306 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1307 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1307 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1308 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1308 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1309 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1309 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1310 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1310 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1311 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1311 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1312 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1312 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1313 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1313 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1314 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 op=1314 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:06:34 +0200] conn=4 op=1315 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:06:34 +0200] conn=4 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1515 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1516 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1516 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1517 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1517 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1518 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1518 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1519 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1519 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1520 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1520 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1521 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1521 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1522 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1522 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1523 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1523 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1524 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 
op=1524 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1525 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1525 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1526 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1526 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1527 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1527 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1528 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1528 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1529 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1529 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1530 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1530 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1531 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1531 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1532 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:34 +0200] conn=4 op=1532 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:34 +0200] conn=4 op=1533 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1533 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:08:35 +0200] conn=4 op=1534 EXT 
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1534 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1535 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1535 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1536 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1536 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1537 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1537 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1538 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1538 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1539 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1539 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1540 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1540 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1541 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1541 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1542 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1542 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1543 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 
op=1543 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:35 +0200] conn=4 op=1544 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [15/Apr/2015:17:08:35 +0200] conn=4 op=1544 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:38 +0200] conn=4 op=1546 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:39 +0200] conn=4 op=1546 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:08:40 +0200] conn=4 op=1547 UNBIND [15/Apr/2015:17:08:40 +0200] conn=4 op=1547 fd=66 closed - U1 [15/Apr/2015:17:08:40 +0200] conn=5 fd=65 slot=65 connection from 193.55.176.37 to 193.55.176.68 [15/Apr/2015:17:08:40 +0200] conn=5 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [15/Apr/2015:17:08:40 +0200] conn=5 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:40 +0200] conn=5 TLS1.0 128-bit AES [15/Apr/2015:17:08:40 +0200] conn=5 op=1 BIND dn="cn=replication manager,cn=config" method=128 version=3 [15/Apr/2015:17:08:40 +0200] conn=5 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config" [15/Apr/2015:17:08:40 +0200] conn=5 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:08:40 +0200] conn=5 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:08:40 +0200] conn=5 op=3 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [15/Apr/2015:17:08:40 +0200] conn=5 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:08:40 +0200] conn=5 op=4 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:40 +0200] conn=5 op=4 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:40 +0200] conn=5 op=5 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="nsSchemaCSN" [15/Apr/2015:17:08:40 +0200] conn=5 op=5 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:08:40 +0200] conn=5 op=6 SRCH 
base="cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId" [15/Apr/2015:17:08:40 +0200] conn=5 op=6 RESULT err=0 tag=101 nentries=1 etime=0 [15/Apr/2015:17:08:41 +0200] conn=5 op=7 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:41 +0200] conn=5 op=7 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:41 +0200] conn=5 op=8 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:41 +0200] conn=5 op=8 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:42 +0200] conn=5 op=9 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:42 +0200] conn=5 op=9 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:43 +0200] conn=2 op=12 UNBIND [15/Apr/2015:17:08:43 +0200] conn=2 op=12 fd=64 closed - U1 [15/Apr/2015:17:08:44 +0200] conn=5 op=10 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:44 +0200] conn=5 op=10 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:45 +0200] conn=5 op=11 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:45 +0200] conn=5 op=11 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:45 +0200] conn=5 op=12 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:45 +0200] conn=5 op=12 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:46 +0200] conn=5 op=13 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:46 +0200] conn=5 op=13 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:46 +0200] conn=5 op=14 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:46 +0200] conn=5 op=14 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:47 +0200] conn=5 op=16 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End 
Session" [15/Apr/2015:17:08:47 +0200] conn=5 op=16 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:48 +0200] conn=5 op=17 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:48 +0200] conn=5 op=17 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:49 +0200] conn=5 op=18 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:49 +0200] conn=5 op=18 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:49 +0200] conn=5 op=19 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:49 +0200] conn=5 op=19 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:50 +0200] conn=5 op=20 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:50 +0200] conn=5 op=20 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:52 +0200] conn=5 op=21 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:52 +0200] conn=5 op=21 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:53 +0200] conn=5 op=23 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:53 +0200] conn=5 op=23 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:55 +0200] conn=5 op=24 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:55 +0200] conn=5 op=24 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:56 +0200] conn=5 op=25 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:08:56 +0200] conn=5 op=25 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:56 +0200] conn=5 op=26 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:08:56 +0200] conn=5 op=26 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:08:57 +0200] conn=5 op=27 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" 
[15/Apr/2015:17:08:57 +0200] conn=5 op=27 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:00 +0200] conn=5 op=28 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:00 +0200] conn=5 op=28 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:01 +0200] conn=5 op=30 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:01 +0200] conn=5 op=30 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:01 +0200] conn=5 op=31 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:01 +0200] conn=5 op=31 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:02 +0200] conn=5 op=32 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:02 +0200] conn=5 op=32 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:03 +0200] conn=5 op=33 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:03 +0200] conn=5 op=33 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:04 +0200] conn=5 op=34 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:04 +0200] conn=5 op=34 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:04 +0200] conn=5 op=35 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:04 +0200] conn=5 op=35 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:05 +0200] conn=5 op=36 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:05 +0200] conn=5 op=36 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:10 +0200] conn=5 op=37 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:10 +0200] conn=5 op=37 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:11 +0200] conn=5 op=39 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:11 +0200] 
conn=5 op=39 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:12 +0200] conn=5 op=40 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:12 +0200] conn=5 op=40 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:13 +0200] conn=5 op=41 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:13 +0200] conn=5 op=41 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:13 +0200] conn=5 op=42 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:13 +0200] conn=5 op=42 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:14 +0200] conn=5 op=43 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:14 +0200] conn=5 op=43 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:20 +0200] conn=5 op=44 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:20 +0200] conn=5 op=44 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:21 +0200] conn=5 op=46 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:21 +0200] conn=5 op=46 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:21 +0200] conn=5 op=47 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:21 +0200] conn=5 op=47 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:22 +0200] conn=5 op=48 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:22 +0200] conn=5 op=48 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:28 +0200] conn=5 op=49 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:28 +0200] conn=5 op=49 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:29 +0200] conn=5 op=51 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:29 +0200] conn=5 op=51 RESULT err=0 
tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:29 +0200] conn=5 op=52 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:29 +0200] conn=5 op=52 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:30 +0200] conn=5 op=53 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:30 +0200] conn=5 op=53 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:31 +0200] conn=5 op=54 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:31 +0200] conn=5 op=54 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:32 +0200] conn=5 op=55 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:32 +0200] conn=5 op=55 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:32 +0200] conn=5 op=56 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:32 +0200] conn=5 op=56 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:33 +0200] conn=5 op=57 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:33 +0200] conn=5 op=57 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:33 +0200] conn=5 op=58 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:33 +0200] conn=5 op=58 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:34 +0200] conn=5 op=59 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:34 +0200] conn=5 op=59 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:36 +0200] conn=5 op=61 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:36 +0200] conn=5 op=61 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:37 +0200] conn=5 op=62 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:37 +0200] conn=5 op=62 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:09:42 +0200] conn=5 op=63 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:42 +0200] conn=5 op=63 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:44 +0200] conn=5 op=65 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:44 +0200] conn=5 op=65 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:44 +0200] conn=5 op=66 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:44 +0200] conn=5 op=66 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:45 +0200] conn=5 op=67 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:45 +0200] conn=5 op=67 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:45 +0200] conn=5 op=68 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:45 +0200] conn=5 op=68 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:46 +0200] conn=5 op=69 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:46 +0200] conn=5 op=69 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:46 +0200] conn=5 op=70 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:46 +0200] conn=5 op=70 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:47 +0200] conn=5 op=71 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:47 +0200] conn=5 op=71 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:49 +0200] conn=5 op=72 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:49 +0200] conn=5 op=72 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:50 +0200] conn=5 op=74 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:50 +0200] conn=5 op=74 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:50 +0200] 
conn=5 op=75 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:50 +0200] conn=5 op=75 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:51 +0200] conn=5 op=76 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:51 +0200] conn=5 op=76 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:51 +0200] conn=5 op=77 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:51 +0200] conn=5 op=77 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:52 +0200] conn=5 op=78 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:52 +0200] conn=5 op=78 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:52 +0200] conn=5 op=79 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:52 +0200] conn=5 op=79 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:53 +0200] conn=5 op=80 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:53 +0200] conn=5 op=80 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:55 +0200] conn=5 op=81 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:55 +0200] conn=5 op=81 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:56 +0200] conn=5 op=83 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:56 +0200] conn=5 op=83 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:56 +0200] conn=5 op=84 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:56 +0200] conn=5 op=84 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:57 +0200] conn=5 op=85 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:57 +0200] conn=5 op=85 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:57 +0200] conn=5 op=86 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:57 +0200] conn=5 op=86 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:58 +0200] conn=5 op=87 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:58 +0200] conn=5 op=87 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:58 +0200] conn=5 op=88 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:58 +0200] conn=5 op=88 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:59 +0200] conn=5 op=89 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:09:59 +0200] conn=5 op=89 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:09:59 +0200] conn=5 op=90 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:09:59 +0200] conn=5 op=90 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:00 +0200] conn=5 op=91 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:00 +0200] conn=5 op=91 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:00 +0200] conn=5 op=92 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:00 +0200] conn=5 op=92 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:01 +0200] conn=5 op=93 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:01 +0200] conn=5 op=93 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:01 +0200] conn=5 op=94 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:01 +0200] conn=5 op=94 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:02 +0200] conn=5 op=96 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:02 +0200] conn=5 op=96 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:06 +0200] conn=5 op=97 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:06 +0200] conn=5 op=97 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:07 +0200] conn=5 op=98 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:07 +0200] conn=5 op=98 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:07 +0200] conn=5 op=99 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:07 +0200] conn=5 op=99 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:08 +0200] conn=5 op=101 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:08 +0200] conn=5 op=101 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:08 +0200] conn=5 op=102 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:08 +0200] conn=5 op=102 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:09 +0200] conn=5 op=103 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:09 +0200] conn=5 op=103 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:09 +0200] conn=5 op=104 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:09 +0200] conn=5 op=104 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:10 +0200] conn=5 op=105 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:10 +0200] conn=5 op=105 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:10 +0200] conn=5 op=106 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:10:10 +0200] conn=5 op=106 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:11 +0200] conn=5 op=107 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:10:11 +0200] conn=5 op=107 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:10:11 +0200] conn=5 op=108 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:11 +0200] conn=5 op=108 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:12 +0200] conn=5 op=109 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:12 +0200] conn=5 op=109 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:13 +0200] conn=5 op=110 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:13 +0200] conn=5 op=110 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:14 +0200] conn=5 op=112 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:14 +0200] conn=5 op=112 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:14 +0200] conn=5 op=113 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:14 +0200] conn=5 op=113 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:15 +0200] conn=5 op=114 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:15 +0200] conn=5 op=114 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:16 +0200] conn=5 op=115 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:16 +0200] conn=5 op=115 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:17 +0200] conn=5 op=116 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:17 +0200] conn=5 op=116 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:18 +0200] conn=5 op=117 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:18 +0200] conn=5 op=117 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:19 +0200] conn=5 op=118 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:19 +0200] conn=5 op=118 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:19 +0200] conn=5 op=119 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:19 +0200] conn=5 op=119 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:20 +0200] conn=5 op=121 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:20 +0200] conn=5 op=121 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:26 +0200] conn=5 op=122 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:26 +0200] conn=5 op=122 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:27 +0200] conn=5 op=124 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:27 +0200] conn=5 op=124 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:27 +0200] conn=5 op=125 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:27 +0200] conn=5 op=125 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:28 +0200] conn=5 op=126 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:28 +0200] conn=5 op=126 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:33 +0200] conn=5 op=127 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:33 +0200] conn=5 op=127 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:35 +0200] conn=5 op=129 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:35 +0200] conn=5 op=129 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:35 +0200] conn=5 op=130 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:35 +0200] conn=5 op=130 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:36 +0200] conn=5 op=131 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:36 +0200] conn=5 op=131 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:40 +0200] conn=5 op=132 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:40 +0200] conn=5 op=132 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:41 +0200] conn=5 op=134 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:41 +0200] conn=5 op=134 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:41 +0200] conn=5 op=135 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:41 +0200] conn=5 op=135 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:42 +0200] conn=5 op=136 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:42 +0200] conn=5 op=136 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:42 +0200] conn=5 op=137 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:42 +0200] conn=5 op=137 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:43 +0200] conn=5 op=138 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:43 +0200] conn=5 op=138 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:49 +0200] conn=5 op=139 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:49 +0200] conn=5 op=139 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:50 +0200] conn=5 op=141 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:50 +0200] conn=5 op=141 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:50 +0200] conn=5 op=142 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:50 +0200] conn=5 op=142 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:51 +0200] conn=5 op=143 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:51 +0200] conn=5 op=143 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:55 +0200] conn=5 op=144 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:55 +0200] conn=5 op=144 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:56 +0200] conn=5 op=146 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:56 +0200] conn=5 op=146 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:57 +0200] conn=5 op=147 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:57 +0200] conn=5 op=147 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:58 +0200] conn=5 op=148 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:58 +0200] conn=5 op=148 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:58 +0200] conn=5 op=149 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:10:58 +0200] conn=5 op=149 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:10:59 +0200] conn=5 op=150 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:10:59 +0200] conn=5 op=150 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:00 +0200] conn=5 op=151 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:00 +0200] conn=5 op=151 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:02 +0200] conn=5 op=152 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:02 +0200] conn=5 op=152 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:03 +0200] conn=5 op=154 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:03 +0200] conn=5 op=154 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:04 +0200] conn=5 op=155 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:04 +0200] conn=5 op=155 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:04 +0200] conn=5 op=156 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:04 +0200] conn=5 op=156 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:05 +0200] conn=5 op=157 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:05 +0200] conn=5 op=157 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:09 +0200] conn=5 op=158 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:09 +0200] conn=5 op=158 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:10 +0200] conn=5 op=160 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:10 +0200] conn=5 op=160 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:10 +0200] conn=5 op=161 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:10 +0200] conn=5 op=161 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:11 +0200] conn=5 op=162 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:11 +0200] conn=5 op=162 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:11 +0200] conn=5 op=163 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:11 +0200] conn=5 op=163 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:12 +0200] conn=5 op=164 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:12 +0200] conn=5 op=164 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:12 +0200] conn=5 op=165 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:12 +0200] conn=5 op=165 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:13 +0200] conn=5 op=166 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:13 +0200] conn=5 op=166 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:18 +0200] conn=5 op=167 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:18 +0200] conn=5 op=167 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:19 +0200] conn=5 op=169 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:19 +0200] conn=5 op=169 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:19 +0200] conn=5 op=170 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:19 +0200] conn=5 op=170 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:20 +0200] conn=5 op=171 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:20 +0200] conn=5 op=171 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:20 +0200] conn=5 op=172 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:20 +0200] conn=5 op=172 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:21 +0200] conn=5 op=173 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:21 +0200] conn=5 op=173 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:22 +0200] conn=5 op=174 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:22 +0200] conn=5 op=174 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:23 +0200] conn=5 op=175 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:23 +0200] conn=5 op=175 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:24 +0200] conn=5 op=176 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:24 +0200] conn=5 op=176 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:25 +0200] conn=5 op=178 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:25 +0200] conn=5 op=178 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:25 +0200] conn=5 op=179 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:25 +0200] conn=5 op=179 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:27 +0200] conn=5 op=180 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:27 +0200] conn=5 op=180 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:27 +0200] conn=5 op=181 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:27 +0200] conn=5 op=181 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:28 +0200] conn=5 op=182 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:28 +0200] conn=5 op=182 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:28 +0200] conn=5 op=183 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:28 +0200] conn=5 op=183 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:29 +0200] conn=5 op=184 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:29 +0200] conn=5 op=184 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:33 +0200] conn=5 op=185 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:33 +0200] conn=5 op=185 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:34 +0200] conn=5 op=187 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:34 +0200] conn=5 op=187 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:34 +0200] conn=5 op=188 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:34 +0200] conn=5 op=188 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:35 +0200] conn=5 op=189 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:35 +0200] conn=5 op=189 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:35 +0200] conn=5 op=190 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:35 +0200] conn=5 op=190 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:36 +0200] conn=5 op=191 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:36 +0200] conn=5 op=191 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:36 +0200] conn=5 op=192 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:36 +0200] conn=5 op=192 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:37 +0200] conn=5 op=193 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:37 +0200] conn=5 op=193 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:39 +0200] conn=5 op=194 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:39 +0200] conn=5 op=194 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:40 +0200] conn=5 op=196 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:40 +0200] conn=5 op=196 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:41 +0200] conn=5 op=197 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:41 +0200] conn=5 op=197 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:42 +0200] conn=5 op=198 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:42 +0200] conn=5 op=198 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:42 +0200] conn=5 op=199 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:42 +0200] conn=5 op=199 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:43 +0200] conn=5 op=200 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:43 +0200] conn=5 op=200 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:43 +0200] conn=5 op=201 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:43 +0200] conn=5 op=201 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:44 +0200] conn=5 op=202 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:44 +0200] conn=5 op=202 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:44 +0200] conn=5 op=203 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:44 +0200] conn=5 op=203 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:45 +0200] conn=5 op=204 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:45 +0200] conn=5 op=204 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:50 +0200] conn=5 op=206 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:50 +0200] conn=5 op=206 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:51 +0200] conn=5 op=207 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:51 +0200] conn=5 op=207 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:51 +0200] conn=5 op=208 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:51 +0200] conn=5 op=208 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:52 +0200] conn=5 op=210 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:52 +0200] conn=5 op=210 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:52 +0200] conn=5 op=211 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:52 +0200] conn=5 op=211 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:53 +0200] conn=5 op=212 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:53 +0200] conn=5 op=212 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:56 +0200] conn=5 op=213 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:56 +0200] conn=5 op=213 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:57 +0200] conn=5 op=214 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:57 +0200] conn=5 op=214 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:58 +0200] conn=5 op=216 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:11:58 +0200] conn=5 op=216 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:11:59 +0200] conn=5 op=217 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:11:59 +0200] conn=5 op=217 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:01 +0200] conn=5 op=218 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:01 +0200] conn=5 op=218 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:02 +0200] conn=5 op=219 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:02 +0200] conn=5 op=219 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:03 +0200] conn=5 op=220 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:03 +0200] conn=5 op=220 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:04 +0200] conn=5 op=222 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:04 +0200] conn=5 op=222 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:05 +0200] conn=5 op=223 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:05 +0200] conn=5 op=223 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:06 +0200] conn=5 op=224 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:06 +0200] conn=5 op=224 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:09 +0200] conn=5 op=225 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:09 +0200] conn=5 op=225 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:10 +0200] conn=5 op=227 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:10 +0200] conn=5 op=227 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:10 +0200] conn=5 op=228 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:10 +0200] conn=5 op=228 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:11 +0200] conn=5 op=229 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:11 +0200] conn=5 op=229 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:12 +0200] conn=5 op=230 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:12 +0200] conn=5 op=230 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:13 +0200] conn=5 op=231 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:13 +0200] conn=5 op=231 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:15 +0200] conn=5 op=232 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:15 +0200] conn=5 op=232 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:16 +0200] conn=5 op=234 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:16 +0200] conn=5 op=234 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:17 +0200] conn=5 op=235 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:17 +0200] conn=5 op=235 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:18 +0200] conn=5 op=236 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:18 +0200] conn=5 op=236 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:18 +0200] conn=5 op=237 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:18 +0200] conn=5 op=237 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:19 +0200] conn=5 op=238 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:19 +0200] conn=5 op=238 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:19 +0200] conn=5 op=239 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:19 +0200] conn=5 op=239 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:20 +0200] conn=5 op=240 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:20 +0200] conn=5 op=240 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:20 +0200] conn=5 op=241 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:20 +0200] conn=5 op=241 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:21 +0200] conn=5 op=242 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:21 +0200] conn=5 op=242 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:21 +0200] conn=5 op=243 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:21 +0200] conn=5 op=243 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:22 +0200] conn=5 op=245 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:22 +0200] conn=5 op=245 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:22 +0200] conn=5 op=246 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:22 +0200] conn=5 op=246 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:23 +0200] conn=5 op=247 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:23 +0200] conn=5 op=247 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:26 +0200] conn=5 op=248 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:26 +0200] conn=5 op=248 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:27 +0200] conn=5 op=249 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:27 +0200] conn=5 op=249 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:32 +0200] conn=5 op=251 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:32 +0200] conn=5 op=251 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:33 +0200] conn=5 op=252 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:33 +0200] conn=5 op=252 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:33 +0200] conn=5 op=253 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:33 +0200] conn=5 op=253 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:34 +0200] conn=5 op=255 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:34 +0200] conn=5 op=255 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:34 +0200] conn=5 op=256 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:34 +0200] conn=5 op=256 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:35 +0200] conn=5 op=257 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:35 +0200] conn=5 op=257 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:35 +0200] conn=5 op=258 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:35 +0200] conn=5 op=258 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:36 +0200] conn=5 op=259 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:36 +0200] conn=5 op=259 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:36 +0200] conn=5 op=260 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:36 +0200] conn=5 op=260 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:37 +0200] conn=5 op=261 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:37 +0200] conn=5 op=261 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:37 +0200] conn=5 op=262 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:37 +0200] conn=5 op=262 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:38 +0200] conn=5 op=263 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:39 +0200] conn=5 op=263 RESULT err=0 tag=120 nentries=0 etime=1
[15/Apr/2015:17:12:41 +0200] conn=5 op=264 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:41 +0200] conn=5 op=264 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:42 +0200] conn=5 op=266 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:42 +0200] conn=5 op=266 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:42 +0200] conn=5 op=267 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:42 +0200] conn=5 op=267 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:43 +0200] conn=5 op=268 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:43 +0200] conn=5 op=268 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:43 +0200] conn=5 op=269 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:43 +0200] conn=5 op=269 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:44 +0200] conn=5 op=270 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:44 +0200] conn=5 op=270 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:44 +0200] conn=5 op=271 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:44 +0200] conn=5 op=271 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:45 +0200] conn=5 op=272 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:45 +0200] conn=5 op=272 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:45 +0200] conn=5 op=273 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:45 +0200] conn=5 op=273 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:46 +0200] conn=5 op=274 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:46 +0200] conn=5 op=274 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:46 +0200] conn=5 op=275 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:46 +0200] conn=5 op=275 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:47 +0200] conn=5 op=276 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:47 +0200] conn=5 op=276 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:47 +0200] conn=5 op=277 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:47 +0200] conn=5 op=277 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:48 +0200] conn=5 op=279 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:48 +0200] conn=5 op=279 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:48 +0200] conn=5 op=280 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:48 +0200] conn=5 op=280 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:49 +0200] conn=5 op=281 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:49 +0200] conn=5 op=281 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:54 +0200] conn=5 op=282 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:54 +0200] conn=5 op=282 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:55 +0200] conn=5 op=284 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:55 +0200] conn=5 op=284 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:55 +0200] conn=5 op=285 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:55 +0200] conn=5 op=285 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:56 +0200] conn=5 op=286 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:56 +0200] conn=5 op=286 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:56 +0200] conn=5 op=287 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:56 +0200] conn=5 op=287 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:57 +0200] conn=5 op=288 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:57 +0200] conn=5 op=288 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:57 +0200] conn=5 op=289 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:57 +0200] conn=5 op=289 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:58 +0200] conn=5 op=290 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:58 +0200] conn=5 op=290 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:58 +0200] conn=5 op=291 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:58 +0200] conn=5 op=291 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:59 +0200] conn=5 op=292 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:12:59 +0200] conn=5 op=292 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:12:59 +0200] conn=5 op=293 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:12:59 +0200] conn=5 op=293 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:00 +0200] conn=5 op=294 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:00 +0200] conn=5 op=294 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:00 +0200] conn=5 op=295 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:00 +0200] conn=5 op=295 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:01 +0200] conn=5 op=297 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:01 +0200] conn=5 op=297 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:01 +0200] conn=5 op=298 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:01 +0200] conn=5 op=298 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:03 +0200] conn=5 op=299 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:03 +0200] conn=5 op=299 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:03 +0200] conn=5 op=300 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:03 +0200] conn=5 op=300 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:04 +0200] conn=5 op=301 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:04 +0200] conn=5 op=301 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:04 +0200] conn=5 op=302 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:04 +0200] conn=5 op=302 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:05 +0200] conn=5 op=303 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:05 +0200] conn=5 op=303 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:05 +0200] conn=5 op=304 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:05 +0200] conn=5 op=304 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:06 +0200] conn=5 op=305 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:06 +0200] conn=5 op=305 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:06 +0200] conn=5 op=306 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:06 +0200] conn=5 op=306 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:07 +0200] conn=5 op=308 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:07 +0200] conn=5 op=308 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:07 +0200] conn=5 op=309 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:07 +0200] conn=5 op=309 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:08 +0200] conn=5 op=310 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:08 +0200] conn=5 op=310 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:08 +0200] conn=5 op=311 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:08 +0200] conn=5 op=311 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:09 +0200] conn=5 op=312 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:09 +0200] conn=5 op=312 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:09 +0200] conn=5 op=313 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:09 +0200] conn=5 op=313 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:10 +0200] conn=5 op=314 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:10 +0200] conn=5 op=314 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:10 +0200] conn=5 op=315 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:10 +0200] conn=5 op=315 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:11 +0200] conn=5 op=316 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:11 +0200] conn=5 op=316 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:11 +0200] conn=5 op=317 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:11 +0200] conn=5 op=317 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:12 +0200] conn=5 op=318 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:12 +0200] conn=5 op=318 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:12 +0200] conn=5 op=319 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:12 +0200] conn=5 op=319 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:13 +0200] conn=5 op=321 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:13 +0200] conn=5 op=321 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:16 +0200] conn=5 op=322 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:16 +0200] conn=5 op=322 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:17 +0200] conn=5 op=323 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:17 +0200] conn=5 op=323 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:17 +0200] conn=5 op=324 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:17 +0200] conn=5 op=324 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:18 +0200] conn=5 op=325 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:18 +0200] conn=5 op=325 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:18 +0200] conn=5 op=326 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:18 +0200] conn=5 op=326 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:19 +0200] conn=5 op=328 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:19 +0200] conn=5 op=328 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:20 +0200] conn=5 op=329 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:20 +0200] conn=5 op=329 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:21 +0200] conn=5 op=330 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:21 +0200] conn=5 op=330 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:22 +0200] conn=5 op=331 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:22 +0200] conn=5 op=331 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:23 +0200] conn=5 op=332 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:23 +0200] conn=5 op=332 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:25 +0200] conn=5 op=333 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:25 +0200] conn=5 op=333 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:26 +0200] conn=5 op=335 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:26 +0200] conn=5 op=335 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:26 +0200] conn=5 op=336 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:26 +0200] conn=5 op=336 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:27 +0200] conn=5 op=337 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:27 +0200] conn=5 op=337 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:27 +0200] conn=5 op=338 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:27 +0200] conn=5 op=338 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:28 +0200] conn=5 op=339 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:28 +0200] conn=5 op=339 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:28 +0200] conn=5 op=340 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:28 +0200] conn=5 op=340 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:29 +0200] conn=5 op=341 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:29 +0200] conn=5 op=341 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:29 +0200] conn=5 op=342 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:29 +0200] conn=5 op=342 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:30 +0200] conn=5 op=343 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:30 +0200] conn=5 op=343 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:30 +0200] conn=5 op=344 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:30 +0200] conn=5 op=344 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:31 +0200] conn=5 op=345 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:32 +0200] conn=5 op=345 RESULT err=0 tag=120 nentries=0 etime=1
[15/Apr/2015:17:13:32 +0200] conn=5 op=346 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:13:32 +0200] conn=5 op=346 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:34 +0200] conn=5 op=348 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:13:34 +0200] conn=5 op=348 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:13:34 +0200] conn=5 op=349 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:34 +0200] conn=5 op=349 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:35 +0200] conn=5 op=350 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:35 +0200] conn=5 op=350 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:35 +0200] conn=5 op=351 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:35 +0200] conn=5 op=351 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:36 +0200] conn=5 op=352 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:36 +0200] conn=5 op=352 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:36 +0200] conn=5 op=353 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:36 +0200] conn=5 op=353 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:37 +0200] conn=5 op=354 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:37 +0200] conn=5 op=354 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:40 +0200] conn=5 op=356 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:40 +0200] conn=5 op=356 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:41 +0200] conn=5 op=357 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:41 +0200] conn=5 op=357 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:41 +0200] conn=5 op=358 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:41 +0200] conn=5 op=358 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:42 +0200] conn=5 op=359 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:42 +0200] conn=5 op=359 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:42 +0200] conn=5 op=360 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:42 +0200] conn=5 op=360 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:43 +0200] conn=5 op=361 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:43 +0200] conn=5 op=361 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:43 +0200] conn=5 op=362 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:43 +0200] conn=5 op=362 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:44 +0200] conn=5 op=364 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:44 +0200] conn=5 op=364 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:44 +0200] conn=5 op=365 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:44 +0200] conn=5 op=365 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:45 +0200] conn=5 op=366 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:45 +0200] conn=5 op=366 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:47 +0200] conn=5 op=367 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:47 +0200] conn=5 op=367 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:48 +0200] conn=5 op=368 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:48 +0200] conn=5 op=368 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:48 +0200] conn=5 op=369 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:48 +0200] conn=5 op=369 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:49 +0200] conn=5 op=370 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:49 +0200] conn=5 op=370 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:50 +0200] conn=5 op=371 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:50 +0200] conn=5 op=371 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:13:51 +0200] conn=5 op=373 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:51 +0200] conn=5 op=373 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:54 +0200] conn=5 op=374 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:54 +0200] conn=5 op=374 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:55 +0200] conn=5 op=375 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:55 +0200] conn=5 op=375 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:55 +0200] conn=5 op=376 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:55 +0200] conn=5 op=376 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:56 +0200] conn=5 op=378 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:56 +0200] conn=5 op=378 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:56 +0200] conn=5 op=379 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:56 +0200] conn=5 op=379 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:57 +0200] conn=5 op=380 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:13:57 +0200] conn=5 op=380 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:13:59 +0200] conn=5 op=381 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:13:59 +0200] conn=5 op=381 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:00 +0200] conn=5 op=382 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:00 +0200] conn=5 op=382 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:00 +0200] conn=5 op=383 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:00 +0200] conn=5 op=383 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:01 +0200] conn=5 op=384 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:01 +0200] conn=5 op=384 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:01 +0200] conn=5 op=385 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:01 +0200] conn=5 op=385 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:02 +0200] conn=5 op=387 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:02 +0200] conn=5 op=387 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:02 +0200] conn=5 op=388 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:02 +0200] conn=5 op=388 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:03 +0200] conn=5 op=389 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:03 +0200] conn=5 op=389 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:03 +0200] conn=5 op=390 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:03 +0200] conn=5 op=390 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:04 +0200] conn=5 op=391 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:04 +0200] conn=5 op=391 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:04 +0200] conn=5 op=392 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:04 +0200] conn=5 op=392 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:05 +0200] conn=5 op=393 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:05 +0200] conn=5 op=393 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:05 +0200] conn=5 op=394 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:05 +0200] conn=5 op=394 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:06 +0200] conn=5 op=395 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:06 +0200] conn=5 op=395 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:06 +0200] conn=5 op=396 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:06 +0200] conn=5 op=396 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:07 +0200] conn=5 op=397 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:07 +0200] conn=5 op=397 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:07 +0200] conn=5 op=398 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:07 +0200] conn=5 op=398 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:08 +0200] conn=5 op=400 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:08 +0200] conn=5 op=400 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:10 +0200] conn=5 op=401 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:10 +0200] conn=5 op=401 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:11 +0200] conn=5 op=402 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:11 +0200] conn=5 op=402 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:11 +0200] conn=5 op=403 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:11 +0200] conn=5 op=403 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:12 +0200] conn=5 op=404 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:12 +0200] conn=5 op=404 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:12 +0200] conn=5 op=405 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:12 +0200] conn=5 op=405 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:13 +0200] conn=5 op=406 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:13 +0200] conn=5 op=406 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:16 +0200] conn=5 op=408 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:16 +0200] conn=5 op=408 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:17 +0200] conn=5 op=409 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:17 +0200] conn=5 op=409 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:18 +0200] conn=5 op=410 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:18 +0200] conn=5 op=410 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:19 +0200] conn=5 op=411 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:19 +0200] conn=5 op=411 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:19 +0200] conn=5 op=412 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:19 +0200] conn=5 op=412 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:21 +0200] conn=5 op=414 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:21 +0200] conn=5 op=414 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:21 +0200] conn=5 op=415 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:21 +0200] conn=5 op=415 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:22 +0200] conn=5 op=416 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:22 +0200] conn=5 op=416 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:22 +0200] conn=5 op=417 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:22 +0200] conn=5 op=417 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:23 +0200] conn=5 op=418 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:23 +0200] conn=5 op=418 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:24 +0200] conn=5 op=419 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:24 +0200] conn=5 op=419 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:25 +0200] conn=5 op=420 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:25 +0200] conn=5 op=420 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:25 +0200] conn=5 op=421 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:25 +0200] conn=5 op=421 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:26 +0200] conn=5 op=423 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:26 +0200] conn=5 op=423 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:26 +0200] conn=5 op=424 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:26 +0200] conn=5 op=424 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:27 +0200] conn=5 op=425 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:27 +0200] conn=5 op=425 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:28 +0200] conn=5 op=426 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:28 +0200] conn=5 op=426 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:29 +0200] conn=5 op=427 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:29 +0200] conn=5 op=427 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:30 +0200] conn=5 op=428 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:30 +0200] conn=5 op=428 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:31 +0200] conn=5 op=429 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:31 +0200] conn=5 op=429 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:31 +0200] conn=5 op=430 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:31 +0200] conn=5 op=430 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:32 +0200] conn=5 op=432 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:32 +0200] conn=5 op=432 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:33 +0200] conn=5 op=433 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:33 +0200] conn=5 op=433 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:34 +0200] conn=5 op=434 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:34 +0200] conn=5 op=434 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:35 +0200] conn=5 op=435 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:35 +0200] conn=5 op=435 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:36 +0200] conn=5 op=436 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:36 +0200] conn=5 op=436 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:36 +0200] conn=5 op=437 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:36 +0200] conn=5 op=437 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:37 +0200] conn=5 op=438 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:37 +0200] conn=5 op=438 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:37 +0200] conn=5 op=439 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:37 +0200] conn=5 op=439 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:38 +0200] conn=5 op=441 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:38 +0200] conn=5 op=441 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:39 +0200] conn=5 op=442 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:39 +0200] conn=5 op=442 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:40 +0200] conn=5 op=443 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:40 +0200] conn=5 op=443 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:40 +0200] conn=5 op=444 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:40 +0200] conn=5 op=444 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:41 +0200] conn=5 op=445 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:41 +0200] conn=5 op=445 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:41 +0200] conn=5 op=446 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:41 +0200] conn=5 op=446 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:42 +0200] conn=5 op=447 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:42 +0200] conn=5 op=447 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:43 +0200] conn=5 op=448 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:43 +0200] conn=5 op=448 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:44 +0200] conn=5 op=450 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:44 +0200] conn=5 op=450 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:44 +0200] conn=5 op=451 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:44 +0200] conn=5 op=451 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:45 +0200] conn=5 op=452 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:45 +0200] conn=5 op=452 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:45 +0200] conn=5 op=453 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:45 +0200] conn=5 op=453 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:47 +0200] conn=5 op=454 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:47 +0200] conn=5 op=454 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:47 +0200] conn=5 op=455 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:47 +0200] conn=5 op=455 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:48 +0200] conn=5 op=456 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:48 +0200] conn=5 op=456 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:48 +0200] conn=5 op=457 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:48 +0200] conn=5 op=457 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:50 +0200] conn=5 op=458 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:50 +0200] conn=5 op=458 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:50 +0200] conn=5 op=459 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:50 +0200] conn=5 op=459 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:51 +0200] conn=5 op=461 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:51 +0200] conn=5 op=461 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:51 +0200] conn=5 op=462 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:51 +0200] conn=5 op=462 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:52 +0200] conn=5 op=463 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:52 +0200] conn=5 op=463 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:55 +0200] conn=5 op=464 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:55 +0200] conn=5 op=464 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:56 +0200] conn=5 op=465 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:56 +0200] conn=5 op=465 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:56 +0200] conn=5 op=466 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:56 +0200] conn=5 op=466 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:57 +0200] conn=5 op=468 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:57 +0200] conn=5 op=468 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:57 +0200] conn=5 op=469 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:57 +0200] conn=5 op=469 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:58 +0200] conn=5 op=470 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:58 +0200] conn=5 op=470 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:58 +0200] conn=5 op=471 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:58 +0200] conn=5 op=471 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:59 +0200] conn=5 op=472 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:14:59 +0200] conn=5 op=472 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:14:59 +0200] conn=5 op=473 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:14:59 +0200] conn=5 op=473 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:00 +0200] conn=5 op=474 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:00 +0200] conn=5 op=474 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:00 +0200] conn=5 op=475 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:00 +0200] conn=5 op=475 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:01 +0200] conn=5 op=476 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:01 +0200] conn=5 op=476 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:01 +0200] conn=5 op=477 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:01 +0200] conn=5 op=477 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:02 +0200] conn=5 op=478 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:02 +0200] conn=5 op=478 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:02 +0200] conn=5 op=479 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:02 +0200] conn=5 op=479 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:03 +0200] conn=5 op=481 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:03 +0200] conn=5 op=481 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:06 +0200] conn=5 op=482 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:06 +0200] conn=5 op=482 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:07 +0200] conn=5 op=483 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:07 +0200] conn=5 op=483 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:07 +0200] conn=5 op=484 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:07 +0200] conn=5 op=484 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:08 +0200] conn=5 op=485 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:08 +0200] conn=5 op=485 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:08 +0200] conn=5 op=486 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:08 +0200] conn=5 op=486 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:09 +0200] conn=5 op=488 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:09 +0200] conn=5 op=488 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:10 +0200] conn=5 op=489 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:10 +0200] conn=5 op=489 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:11 +0200] conn=5 op=490 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:11 +0200] conn=5 op=490 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:13 +0200] conn=5 op=491 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:13 +0200] conn=5 op=491 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:14 +0200] conn=5 op=492 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:14 +0200] conn=5 op=492 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:20 +0200] conn=5 op=494 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:15:20 +0200] conn=5 op=494 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:21 +0200] conn=5 op=496 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:15:21 +0200] conn=5 op=496 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:15:21 +0200] conn=5 op=497 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:29 +0200] conn=5 op=735 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:30 +0200] conn=5 op=736 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:30 +0200] conn=5 op=736 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:30 +0200] conn=5 op=737 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:30 +0200] conn=5 op=737 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:31 +0200] conn=5 op=738 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:31 +0200] conn=5 op=738 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:31 +0200] conn=5 op=739 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:31 +0200] conn=5 op=739 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:32 +0200] conn=5 op=740 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:32 +0200] conn=5 op=740 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:32 +0200] conn=5 op=741 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:32 +0200] conn=5 op=741 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:33 +0200] conn=5 op=743 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:33 +0200] conn=5 op=743 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:33 +0200] conn=5 op=744 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:33 +0200] conn=5 op=744 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:34 +0200] conn=5 op=745 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:34 +0200] conn=5 op=745 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:35 +0200] conn=5 op=746 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:35 +0200] conn=5 op=746 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:36 +0200] conn=5 op=747 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:36 +0200] conn=5 op=747 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:36 +0200] conn=5 op=748 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:36 +0200] conn=5 op=748 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:37 +0200] conn=5 op=749 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:37 +0200] conn=5 op=749 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:37 +0200] conn=5 op=750 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:37 +0200] conn=5 op=750 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:38 +0200] conn=5 op=751 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:38 +0200] conn=5 op=751 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:40 +0200] conn=5 op=753 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:40 +0200] conn=5 op=753 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:41 +0200] conn=5 op=754 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:41 +0200] conn=5 op=754 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:42 +0200] conn=5 op=755 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:42 +0200] conn=5 op=755 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:43 +0200] conn=5 op=756 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:43 +0200] conn=5 op=756 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:49 +0200] conn=5 op=757 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:49 +0200] conn=5 op=757 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:50 +0200] conn=5 op=759 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:50 +0200] conn=5 op=759 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:50 +0200] conn=5 op=760 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:50 +0200] conn=5 op=760 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:51 +0200] conn=5 op=761 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:51 +0200] conn=5 op=761 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:51 +0200] conn=5 op=762 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:51 +0200] conn=5 op=762 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:52 +0200] conn=5 op=763 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:52 +0200] conn=5 op=763 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:56 +0200] conn=5 op=764 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:18:56 +0200] conn=5 op=764 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:18:57 +0200] conn=5 op=766 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:18:57 +0200] conn=5 op=766 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:01 +0200] conn=5 op=767 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:01 +0200] conn=5 op=767 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:02 +0200] conn=5 op=768 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:02 +0200] conn=5 op=768 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:02 +0200] conn=5 op=769 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:02 +0200] conn=5 op=769 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:03 +0200] conn=5 op=771 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:03 +0200] conn=5 op=771 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:03 +0200] conn=5 op=772 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:03 +0200] conn=5 op=772 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:04 +0200] conn=5 op=773 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:04 +0200] conn=5 op=773 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:04 +0200] conn=5 op=774 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:04 +0200] conn=5 op=774 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:05 +0200] conn=5 op=775 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:05 +0200] conn=5 op=775 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:05 +0200] conn=5 op=776 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:05 +0200] conn=5 op=776 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:06 +0200] conn=5 op=777 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:06 +0200] conn=5 op=777 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:06 +0200] conn=5 op=778 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:06 +0200] conn=5 op=778 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:07 +0200] conn=5 op=779 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:07 +0200] conn=5 op=779 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:12 +0200] conn=5 op=780 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:12 +0200] conn=5 op=780 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:13 +0200] conn=5 op=782 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:13 +0200] conn=5 op=782 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:13 +0200] conn=5 op=783 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:13 +0200] conn=5 op=783 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:14 +0200] conn=5 op=784 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:14 +0200] conn=5 op=784 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:14 +0200] conn=5 op=785 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:14 +0200] conn=5 op=785 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:15 +0200] conn=5 op=786 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:15 +0200] conn=5 op=786 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:15 +0200] conn=5 op=787 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:15 +0200] conn=5 op=787 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:16 +0200] conn=5 op=788 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:16 +0200] conn=5 op=788 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:16 +0200] conn=5 op=789 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:16 +0200] conn=5 op=789 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:17 +0200] conn=5 op=790 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:17 +0200] conn=5 op=790 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:17 +0200] conn=5 op=791 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:17 +0200] conn=5 op=791 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:18 +0200] conn=5 op=792 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:18 +0200] conn=5 op=792 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:18 +0200] conn=5 op=793 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:18 +0200] conn=5 op=793 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:19 +0200] conn=5 op=795 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:19 +0200] conn=5 op=795 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:19 +0200] conn=5 op=796 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:19 +0200] conn=5 op=796 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:20 +0200] conn=5 op=797 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:20 +0200] conn=5 op=797 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:21 +0200] conn=5 op=798 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:21 +0200] conn=5 op=798 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:22 +0200] conn=5 op=799 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:22 +0200] conn=5 op=799 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:22 +0200] conn=5 op=800 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:22 +0200] conn=5 op=800 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:23 +0200] conn=5 op=801 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:23 +0200] conn=5 op=801 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:23 +0200] conn=5 op=802 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:23 +0200] conn=5 op=802 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:24 +0200] conn=5 op=803 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:24 +0200] conn=5 op=803 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:25 +0200] conn=5 op=804 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:25 +0200] conn=5 op=804 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:19:26 +0200] conn=5 op=806 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:26 +0200] conn=5 op=806 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:26 +0200] conn=5 op=807 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:26 +0200] conn=5 op=807 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:27 +0200] conn=5 op=808 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:27 +0200] conn=5 op=808 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:27 +0200] conn=5 op=809 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:27 +0200] conn=5 op=809 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:28 +0200] conn=5 op=810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:28 +0200] conn=5 op=810 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:28 +0200] conn=5 op=811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:28 +0200] conn=5 op=811 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:29 +0200] conn=5 op=812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:29 +0200] conn=5 op=812 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:29 +0200] conn=5 op=813 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:29 +0200] conn=5 op=813 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:30 +0200] conn=5 op=814 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:30 +0200] conn=5 op=814 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:30 +0200] conn=5 op=815 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:30 +0200] conn=5 op=815 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:31 +0200] conn=5 op=817 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:31 +0200] conn=5 op=817 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:34 +0200] conn=5 op=818 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:34 +0200] conn=5 op=818 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:35 +0200] conn=5 op=819 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:35 +0200] conn=5 op=819 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:35 +0200] conn=5 op=820 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:35 +0200] conn=5 op=820 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:36 +0200] conn=5 op=821 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:36 +0200] conn=5 op=821 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:41 +0200] conn=5 op=823 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:41 +0200] conn=5 op=823 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:42 +0200] conn=5 op=824 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:42 +0200] conn=5 op=824 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:42 +0200] conn=5 op=825 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:42 +0200] conn=5 op=825 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:43 +0200] conn=5 op=827 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:43 +0200] conn=5 op=827 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:44 +0200] conn=5 op=828 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:44 +0200] conn=5 op=828 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:45 +0200] conn=5 op=829 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:45 +0200] conn=5 op=829 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:45 +0200] conn=5 op=830 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:45 +0200] conn=5 op=830 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:46 +0200] conn=5 op=831 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:46 +0200] conn=5 op=831 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:46 +0200] conn=5 op=832 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:46 +0200] conn=5 op=832 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:47 +0200] conn=5 op=833 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:47 +0200] conn=5 op=833 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:51 +0200] conn=5 op=834 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:51 +0200] conn=5 op=834 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:52 +0200] conn=5 op=836 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:52 +0200] conn=5 op=836 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:52 +0200] conn=5 op=837 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:52 +0200] conn=5 op=837 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:53 +0200] conn=5 op=838 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:53 +0200] conn=5 op=838 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:55 +0200] conn=5 op=839 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:55 +0200] conn=5 op=839 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:56 +0200] conn=5 op=840 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:56 +0200] conn=5 op=840 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:57 +0200] conn=5 op=841 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:57 +0200] conn=5 op=841 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:58 +0200] conn=5 op=843 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:58 +0200] conn=5 op=843 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:58 +0200] conn=5 op=844 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:58 +0200] conn=5 op=844 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:59 +0200] conn=5 op=845 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:19:59 +0200] conn=5 op=845 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:19:59 +0200] conn=5 op=846 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:19:59 +0200] conn=5 op=846 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:00 +0200] conn=5 op=847 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:00 +0200] conn=5 op=847 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:01 +0200] conn=5 op=848 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:01 +0200] conn=5 op=848 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:02 +0200] conn=5 op=849 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:02 +0200] conn=5 op=849 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:02 +0200] conn=5 op=850 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:02 +0200] conn=5 op=850 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:03 +0200] conn=5 op=851 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:03 +0200] conn=5 op=851 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:04 +0200] conn=5 op=853 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:04 +0200] conn=5 op=853 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:05 +0200] conn=5 op=854 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:05 +0200] conn=5 op=854 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:05 +0200] conn=5 op=855 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:05 +0200] conn=5 op=855 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:06 +0200] conn=5 op=856 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:06 +0200] conn=5 op=856 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:07 +0200] conn=5 op=857 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:07 +0200] conn=5 op=857 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:08 +0200] conn=5 op=858 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:08 +0200] conn=5 op=858 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:08 +0200] conn=5 op=859 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:08 +0200] conn=5 op=859 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:09 +0200] conn=5 op=860 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:09 +0200] conn=5 op=860 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:10 +0200] conn=5 op=861 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:10 +0200] conn=5 op=861 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:20:11 +0200] conn=5 op=863 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:11 +0200] conn=5 op=863 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:13 +0200] conn=5 op=864 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:13 +0200] conn=5 op=864 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:14 +0200] conn=5 op=865 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:14 +0200] conn=5 op=865 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:14 +0200] conn=5 op=866 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:14 +0200] conn=5 op=866 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:15 +0200] conn=5 op=867 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:15 +0200] conn=5 op=867 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:19 +0200] conn=5 op=869 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:19 +0200] conn=5 op=869 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:20 +0200] conn=5 op=870 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:20 +0200] conn=5 op=870 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:21 +0200] conn=5 op=871 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:21 +0200] conn=5 op=871 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:22 +0200] conn=5 op=873 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:22 +0200] conn=5 op=873 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:22 +0200] conn=5 op=874 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:22 +0200] conn=5 op=874 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:24 +0200] conn=5 op=875 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:24 +0200] conn=5 op=875 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:25 +0200] conn=5 op=876 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:25 +0200] conn=5 op=876 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:26 +0200] conn=5 op=877 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:26 +0200] conn=5 op=877 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:26 +0200] conn=5 op=878 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:26 +0200] conn=5 op=878 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:27 +0200] conn=5 op=879 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:27 +0200] conn=5 op=879 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:27 +0200] conn=5 op=880 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:20:27 +0200] conn=5 op=880 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:28 +0200] conn=5 op=882 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:20:28 +0200] conn=5 op=882 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:20:28 +0200] conn=5 op=883 EXT 
name="Netscape Replication End Session" [15/Apr/2015:17:24:11 +0200] conn=5 op=1123 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:11 +0200] conn=5 op=1124 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:11 +0200] conn=5 op=1124 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:12 +0200] conn=5 op=1125 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:12 +0200] conn=5 op=1125 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:12 +0200] conn=5 op=1126 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:12 +0200] conn=5 op=1126 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:13 +0200] conn=5 op=1127 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:13 +0200] conn=5 op=1127 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:13 +0200] conn=5 op=1128 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:13 +0200] conn=5 op=1128 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:14 +0200] conn=5 op=1130 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:14 +0200] conn=5 op=1130 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:14 +0200] conn=5 op=1131 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:14 +0200] conn=5 op=1131 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:15 +0200] conn=5 op=1132 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:15 +0200] conn=5 op=1132 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:18 +0200] conn=5 op=1133 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:18 +0200] conn=5 op=1133 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:19 +0200] conn=5 op=1134 EXT 
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:19 +0200] conn=5 op=1134 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:20 +0200] conn=5 op=1136 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:20 +0200] conn=5 op=1136 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:21 +0200] conn=5 op=1137 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:21 +0200] conn=5 op=1137 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:24 +0200] conn=5 op=1138 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:24 +0200] conn=5 op=1138 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:25 +0200] conn=5 op=1139 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:25 +0200] conn=5 op=1139 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:25 +0200] conn=5 op=1140 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:25 +0200] conn=5 op=1140 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:26 +0200] conn=5 op=1142 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:26 +0200] conn=5 op=1142 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:26 +0200] conn=5 op=1143 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:26 +0200] conn=5 op=1143 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:28 +0200] conn=5 op=1144 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:28 +0200] conn=5 op=1144 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:28 +0200] conn=5 op=1145 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:28 +0200] conn=5 op=1145 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:29 +0200] conn=5 
op=1146 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:29 +0200] conn=5 op=1146 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:29 +0200] conn=5 op=1147 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:29 +0200] conn=5 op=1147 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:30 +0200] conn=5 op=1148 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:30 +0200] conn=5 op=1148 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:33 +0200] conn=5 op=1149 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:33 +0200] conn=5 op=1149 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:34 +0200] conn=5 op=1151 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:34 +0200] conn=5 op=1151 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:34 +0200] conn=5 op=1152 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:34 +0200] conn=5 op=1152 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:35 +0200] conn=5 op=1153 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:35 +0200] conn=5 op=1153 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:35 +0200] conn=5 op=1154 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:35 +0200] conn=5 op=1154 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:36 +0200] conn=5 op=1155 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:36 +0200] conn=5 op=1155 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:37 +0200] conn=5 op=1156 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:37 +0200] conn=5 op=1156 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:38 
+0200] conn=5 op=1157 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:38 +0200] conn=5 op=1157 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:41 +0200] conn=5 op=1158 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:41 +0200] conn=5 op=1158 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:42 +0200] conn=5 op=1160 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:42 +0200] conn=5 op=1160 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:42 +0200] conn=5 op=1161 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:42 +0200] conn=5 op=1161 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:43 +0200] conn=5 op=1162 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:43 +0200] conn=5 op=1162 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:43 +0200] conn=5 op=1163 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:43 +0200] conn=5 op=1163 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:44 +0200] conn=5 op=1164 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:44 +0200] conn=5 op=1164 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:44 +0200] conn=5 op=1165 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:44 +0200] conn=5 op=1165 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:45 +0200] conn=5 op=1166 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:45 +0200] conn=5 op=1166 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:45 +0200] conn=5 op=1167 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:45 +0200] conn=5 op=1167 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:24:46 +0200] conn=5 op=1168 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:46 +0200] conn=5 op=1168 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:46 +0200] conn=5 op=1169 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:46 +0200] conn=5 op=1169 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:47 +0200] conn=5 op=1170 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:47 +0200] conn=5 op=1170 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:49 +0200] conn=5 op=1172 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:49 +0200] conn=5 op=1172 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:50 +0200] conn=5 op=1173 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:50 +0200] conn=5 op=1173 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:54 +0200] conn=5 op=1174 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:54 +0200] conn=5 op=1174 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:55 +0200] conn=5 op=1176 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:55 +0200] conn=5 op=1176 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:55 +0200] conn=5 op=1177 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:55 +0200] conn=5 op=1177 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:56 +0200] conn=5 op=1178 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:56 +0200] conn=5 op=1178 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:24:56 +0200] conn=5 op=1179 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:24:56 +0200] conn=5 op=1179 RESULT err=0 tag=120 
nentries=0 etime=0 [15/Apr/2015:17:24:57 +0200] conn=5 op=1180 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:24:57 +0200] conn=5 op=1180 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:01 +0200] conn=5 op=1181 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:01 +0200] conn=5 op=1181 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:02 +0200] conn=5 op=1183 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:02 +0200] conn=5 op=1183 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:03 +0200] conn=5 op=1184 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:03 +0200] conn=5 op=1184 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:04 +0200] conn=5 op=1185 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:04 +0200] conn=5 op=1185 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:07 +0200] conn=5 op=1186 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:07 +0200] conn=5 op=1186 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:08 +0200] conn=5 op=1188 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:08 +0200] conn=5 op=1188 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:10 +0200] conn=5 op=1189 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:10 +0200] conn=5 op=1189 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:11 +0200] conn=5 op=1190 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:11 +0200] conn=5 op=1190 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:11 +0200] conn=5 op=1191 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:11 +0200] conn=5 op=1191 RESULT 
err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:12 +0200] conn=5 op=1192 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:12 +0200] conn=5 op=1192 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:18 +0200] conn=5 op=1193 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:18 +0200] conn=5 op=1193 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:19 +0200] conn=5 op=1195 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:19 +0200] conn=5 op=1195 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:19 +0200] conn=5 op=1196 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:19 +0200] conn=5 op=1196 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:20 +0200] conn=5 op=1197 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:20 +0200] conn=5 op=1197 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:24 +0200] conn=5 op=1198 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:24 +0200] conn=5 op=1198 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:25 +0200] conn=5 op=1200 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:25 +0200] conn=5 op=1200 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:25 +0200] conn=5 op=1201 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:25 +0200] conn=5 op=1201 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:26 +0200] conn=5 op=1202 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:26 +0200] conn=5 op=1202 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:26 +0200] conn=5 op=1203 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:26 +0200] conn=5 
op=1203 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:27 +0200] conn=5 op=1204 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:27 +0200] conn=5 op=1204 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:27 +0200] conn=5 op=1205 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:27 +0200] conn=5 op=1205 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:28 +0200] conn=5 op=1206 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:28 +0200] conn=5 op=1206 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:28 +0200] conn=5 op=1207 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:28 +0200] conn=5 op=1207 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:30 +0200] conn=5 op=1208 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:30 +0200] conn=5 op=1208 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:35 +0200] conn=5 op=1210 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:35 +0200] conn=5 op=1210 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:36 +0200] conn=5 op=1211 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:36 +0200] conn=5 op=1211 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:36 +0200] conn=5 op=1212 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:36 +0200] conn=5 op=1212 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:37 +0200] conn=5 op=1214 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:37 +0200] conn=5 op=1214 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:39 +0200] conn=5 op=1215 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:39 
+0200] conn=5 op=1215 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:40 +0200] conn=5 op=1216 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:40 +0200] conn=5 op=1216 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:40 +0200] conn=5 op=1217 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:40 +0200] conn=5 op=1217 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:41 +0200] conn=5 op=1218 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:41 +0200] conn=5 op=1218 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:44 +0200] conn=5 op=1219 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:44 +0200] conn=5 op=1219 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:45 +0200] conn=5 op=1221 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:45 +0200] conn=5 op=1221 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:51 +0200] conn=5 op=1222 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:51 +0200] conn=5 op=1222 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:52 +0200] conn=5 op=1224 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:52 +0200] conn=5 op=1224 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:52 +0200] conn=5 op=1225 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:52 +0200] conn=5 op=1225 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:53 +0200] conn=5 op=1226 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:53 +0200] conn=5 op=1226 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:55 +0200] conn=5 op=1227 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" 
[15/Apr/2015:17:25:55 +0200] conn=5 op=1227 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:56 +0200] conn=5 op=1228 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:56 +0200] conn=5 op=1228 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:56 +0200] conn=5 op=1229 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:56 +0200] conn=5 op=1229 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:57 +0200] conn=5 op=1230 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:25:57 +0200] conn=5 op=1230 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:25:59 +0200] conn=5 op=1232 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:25:59 +0200] conn=5 op=1232 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:00 +0200] conn=5 op=1233 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:00 +0200] conn=5 op=1233 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:00 +0200] conn=5 op=1234 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:00 +0200] conn=5 op=1234 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:01 +0200] conn=5 op=1235 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:01 +0200] conn=5 op=1235 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:01 +0200] conn=5 op=1236 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:01 +0200] conn=5 op=1236 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:02 +0200] conn=5 op=1237 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:02 +0200] conn=5 op=1237 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:02 +0200] conn=5 op=1238 EXT oid="2.16.840.1.113730.3.5.12" 
name="replication-multimaster-extop" [15/Apr/2015:17:26:02 +0200] conn=5 op=1238 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:03 +0200] conn=5 op=1239 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:03 +0200] conn=5 op=1239 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:05 +0200] conn=5 op=1241 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:05 +0200] conn=5 op=1241 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:06 +0200] conn=5 op=1242 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:06 +0200] conn=5 op=1242 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:06 +0200] conn=5 op=1243 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:06 +0200] conn=5 op=1243 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:07 +0200] conn=5 op=1244 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:07 +0200] conn=5 op=1244 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:07 +0200] conn=5 op=1245 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:07 +0200] conn=5 op=1245 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:08 +0200] conn=5 op=1246 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:08 +0200] conn=5 op=1246 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:09 +0200] conn=5 op=1247 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:09 +0200] conn=5 op=1247 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:10 +0200] conn=5 op=1249 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:10 +0200] conn=5 op=1249 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:10 +0200] conn=5 op=1250 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:10 +0200] conn=5 op=1250 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:11 +0200] conn=5 op=1251 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:11 +0200] conn=5 op=1251 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:12 +0200] conn=5 op=1252 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:12 +0200] conn=5 op=1252 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:13 +0200] conn=5 op=1253 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:13 +0200] conn=5 op=1253 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:14 +0200] conn=5 op=1254 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:14 +0200] conn=5 op=1254 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:15 +0200] conn=5 op=1255 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:15 +0200] conn=5 op=1255 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:15 +0200] conn=5 op=1256 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:15 +0200] conn=5 op=1256 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:16 +0200] conn=5 op=1258 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:16 +0200] conn=5 op=1258 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:16 +0200] conn=5 op=1259 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:16 +0200] conn=5 op=1259 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:17 +0200] conn=5 op=1260 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:17 +0200] conn=5 op=1260 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:17 +0200] conn=5 
op=1261 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:17 +0200] conn=5 op=1261 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:18 +0200] conn=5 op=1262 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:18 +0200] conn=5 op=1262 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:21 +0200] conn=5 op=1263 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:21 +0200] conn=5 op=1263 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:22 +0200] conn=5 op=1265 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:22 +0200] conn=5 op=1265 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:22 +0200] conn=5 op=1266 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:22 +0200] conn=5 op=1266 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:23 +0200] conn=5 op=1267 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:23 +0200] conn=5 op=1267 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:24 +0200] conn=5 op=1268 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:24 +0200] conn=5 op=1268 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:25 +0200] conn=5 op=1269 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:25 +0200] conn=5 op=1269 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:25 +0200] conn=5 op=1270 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:26:25 +0200] conn=5 op=1270 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:26 +0200] conn=5 op=1271 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:26:26 +0200] conn=5 op=1271 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:26:27 
op=1514 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:12 +0200] conn=5 op=1514 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:13 +0200] conn=5 op=1515 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:13 +0200] conn=5 op=1515 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:16 +0200] conn=5 op=1516 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:16 +0200] conn=5 op=1516 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:17 +0200] conn=5 op=1518 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:17 +0200] conn=5 op=1518 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:19 +0200] conn=5 op=1519 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:19 +0200] conn=5 op=1519 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:20 +0200] conn=5 op=1520 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:20 +0200] conn=5 op=1520 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:20 +0200] conn=5 op=1521 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:20 +0200] conn=5 op=1521 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:21 +0200] conn=5 op=1522 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:21 +0200] conn=5 op=1522 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:24 +0200] conn=5 op=1523 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:24 +0200] conn=5 op=1523 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:25 +0200] conn=5 op=1525 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:25 +0200] conn=5 op=1525 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:25 
+0200] conn=5 op=1526 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:25 +0200] conn=5 op=1526 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:26 +0200] conn=5 op=1527 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:26 +0200] conn=5 op=1527 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:32 +0200] conn=5 op=1528 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:32 +0200] conn=5 op=1528 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:33 +0200] conn=5 op=1530 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:33 +0200] conn=5 op=1530 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:41 +0200] conn=5 op=1531 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:41 +0200] conn=5 op=1531 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:42 +0200] conn=5 op=1533 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:42 +0200] conn=5 op=1533 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:42 +0200] conn=5 op=1534 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:42 +0200] conn=5 op=1534 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:43 +0200] conn=5 op=1535 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:43 +0200] conn=5 op=1535 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:43 +0200] conn=5 op=1536 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:43 +0200] conn=5 op=1536 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:44 +0200] conn=5 op=1537 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:44 +0200] conn=5 op=1537 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:30:49 +0200] conn=5 op=1538 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:49 +0200] conn=5 op=1538 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:50 +0200] conn=5 op=1540 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:50 +0200] conn=5 op=1540 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:50 +0200] conn=5 op=1541 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:50 +0200] conn=5 op=1541 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:51 +0200] conn=5 op=1542 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:51 +0200] conn=5 op=1542 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:55 +0200] conn=5 op=1543 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:55 +0200] conn=5 op=1543 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:56 +0200] conn=5 op=1545 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:56 +0200] conn=5 op=1545 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:56 +0200] conn=5 op=1546 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:30:56 +0200] conn=5 op=1546 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:30:57 +0200] conn=5 op=1547 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:30:57 +0200] conn=5 op=1547 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:01 +0200] conn=5 op=1548 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:01 +0200] conn=5 op=1548 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:02 +0200] conn=5 op=1550 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:02 +0200] conn=5 op=1550 RESULT err=0 tag=120 
nentries=0 etime=0 [15/Apr/2015:17:31:03 +0200] conn=5 op=1551 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:03 +0200] conn=5 op=1551 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:04 +0200] conn=5 op=1552 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:04 +0200] conn=5 op=1552 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:04 +0200] conn=5 op=1553 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:04 +0200] conn=5 op=1553 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:05 +0200] conn=5 op=1554 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:05 +0200] conn=5 op=1554 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:05 +0200] conn=5 op=1555 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:05 +0200] conn=5 op=1555 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:06 +0200] conn=5 op=1556 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:06 +0200] conn=5 op=1556 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:06 +0200] conn=5 op=1557 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:06 +0200] conn=5 op=1557 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:07 +0200] conn=5 op=1558 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:07 +0200] conn=5 op=1558 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:10 +0200] conn=5 op=1560 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:10 +0200] conn=5 op=1560 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:11 +0200] conn=5 op=1561 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:11 +0200] conn=5 op=1561 RESULT 
err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:11 +0200] conn=5 op=1562 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:11 +0200] conn=5 op=1562 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:12 +0200] conn=5 op=1563 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:12 +0200] conn=5 op=1563 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:12 +0200] conn=5 op=1564 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:12 +0200] conn=5 op=1564 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:13 +0200] conn=5 op=1565 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:13 +0200] conn=5 op=1565 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:17 +0200] conn=5 op=1567 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:17 +0200] conn=5 op=1567 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:18 +0200] conn=5 op=1568 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:18 +0200] conn=5 op=1568 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:20 +0200] conn=5 op=1569 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:20 +0200] conn=5 op=1569 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:21 +0200] conn=5 op=1571 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:21 +0200] conn=5 op=1571 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:23 +0200] conn=5 op=1572 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:23 +0200] conn=5 op=1572 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:24 +0200] conn=5 op=1573 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:24 +0200] conn=5 
op=1573 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:25 +0200] conn=5 op=1574 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:25 +0200] conn=5 op=1574 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:26 +0200] conn=5 op=1575 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:26 +0200] conn=5 op=1575 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:26 +0200] conn=5 op=1576 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:26 +0200] conn=5 op=1576 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:27 +0200] conn=5 op=1578 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:27 +0200] conn=5 op=1578 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:32 +0200] conn=5 op=1579 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:32 +0200] conn=5 op=1579 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:33 +0200] conn=5 op=1581 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:33 +0200] conn=5 op=1581 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:33 +0200] conn=5 op=1582 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:33 +0200] conn=5 op=1582 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:34 +0200] conn=5 op=1583 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:34 +0200] conn=5 op=1583 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:35 +0200] conn=5 op=1584 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:35 +0200] conn=5 op=1584 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:36 +0200] conn=5 op=1585 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:36 
+0200] conn=5 op=1585 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:36 +0200] conn=5 op=1586 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:36 +0200] conn=5 op=1586 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:37 +0200] conn=5 op=1587 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:37 +0200] conn=5 op=1587 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:37 +0200] conn=5 op=1588 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:37 +0200] conn=5 op=1588 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:38 +0200] conn=5 op=1589 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:38 +0200] conn=5 op=1589 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:40 +0200] conn=5 op=1591 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:40 +0200] conn=5 op=1591 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:41 +0200] conn=5 op=1592 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:41 +0200] conn=5 op=1592 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:42 +0200] conn=5 op=1593 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:42 +0200] conn=5 op=1593 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:43 +0200] conn=5 op=1594 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:43 +0200] conn=5 op=1594 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:48 +0200] conn=5 op=1595 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:48 +0200] conn=5 op=1595 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:49 +0200] conn=5 op=1597 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" 
[15/Apr/2015:17:31:49 +0200] conn=5 op=1597 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:49 +0200] conn=5 op=1598 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:49 +0200] conn=5 op=1598 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:51 +0200] conn=5 op=1599 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:51 +0200] conn=5 op=1599 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:52 +0200] conn=5 op=1600 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:52 +0200] conn=5 op=1600 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:53 +0200] conn=5 op=1601 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:53 +0200] conn=5 op=1601 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:55 +0200] conn=5 op=1602 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:55 +0200] conn=5 op=1602 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:56 +0200] conn=5 op=1604 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:56 +0200] conn=5 op=1604 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:57 +0200] conn=5 op=1605 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:57 +0200] conn=5 op=1605 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:58 +0200] conn=5 op=1606 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:31:58 +0200] conn=5 op=1606 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:58 +0200] conn=5 op=1607 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:58 +0200] conn=5 op=1607 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:59 +0200] conn=5 op=1608 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication 
End Session" [15/Apr/2015:17:31:59 +0200] conn=5 op=1608 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:31:59 +0200] conn=5 op=1609 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:31:59 +0200] conn=5 op=1609 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:00 +0200] conn=5 op=1610 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:00 +0200] conn=5 op=1610 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:02 +0200] conn=5 op=1611 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:02 +0200] conn=5 op=1611 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:03 +0200] conn=5 op=1613 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:03 +0200] conn=5 op=1613 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:04 +0200] conn=5 op=1614 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:04 +0200] conn=5 op=1614 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:05 +0200] conn=5 op=1615 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:05 +0200] conn=5 op=1615 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:05 +0200] conn=5 op=1616 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:05 +0200] conn=5 op=1616 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:06 +0200] conn=5 op=1617 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:06 +0200] conn=5 op=1617 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:06 +0200] conn=5 op=1618 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:06 +0200] conn=5 op=1618 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:07 +0200] conn=5 op=1619 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape 
Replication End Session" [15/Apr/2015:17:32:07 +0200] conn=5 op=1619 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:10 +0200] conn=5 op=1620 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:10 +0200] conn=5 op=1620 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:11 +0200] conn=5 op=1622 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:11 +0200] conn=5 op=1622 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:13 +0200] conn=5 op=1623 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:13 +0200] conn=5 op=1623 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:14 +0200] conn=5 op=1624 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:14 +0200] conn=5 op=1624 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:14 +0200] conn=5 op=1625 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:14 +0200] conn=5 op=1625 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:15 +0200] conn=5 op=1626 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:15 +0200] conn=5 op=1626 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:23 +0200] conn=5 op=1627 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:23 +0200] conn=5 op=1627 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:24 +0200] conn=5 op=1629 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:24 +0200] conn=5 op=1629 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:26 +0200] conn=5 op=1630 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:26 +0200] conn=5 op=1630 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:27 +0200] conn=5 op=1631 EXT oid="2.16.840.1.113730.3.5.5" 
name="Netscape Replication End Session" [15/Apr/2015:17:32:27 +0200] conn=5 op=1631 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:30 +0200] conn=5 op=1632 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:30 +0200] conn=5 op=1632 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:31 +0200] conn=5 op=1634 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:31 +0200] conn=5 op=1634 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:31 +0200] conn=5 op=1635 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:31 +0200] conn=5 op=1635 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:32 +0200] conn=5 op=1636 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:32 +0200] conn=5 op=1636 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:37 +0200] conn=5 op=1637 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:37 +0200] conn=5 op=1637 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:38 +0200] conn=5 op=1639 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:38 +0200] conn=5 op=1639 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:40 +0200] conn=5 op=1640 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:40 +0200] conn=5 op=1640 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:41 +0200] conn=5 op=1641 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:41 +0200] conn=5 op=1641 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:43 +0200] conn=5 op=1642 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:43 +0200] conn=5 op=1642 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:44 +0200] conn=5 op=1644 EXT 
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:44 +0200] conn=5 op=1644 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:45 +0200] conn=5 op=1645 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:45 +0200] conn=5 op=1645 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:46 +0200] conn=5 op=1646 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:46 +0200] conn=5 op=1646 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:47 +0200] conn=5 op=1647 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:47 +0200] conn=5 op=1647 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:48 +0200] conn=5 op=1648 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:48 +0200] conn=5 op=1648 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:48 +0200] conn=5 op=1649 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:48 +0200] conn=5 op=1649 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:49 +0200] conn=5 op=1650 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:49 +0200] conn=5 op=1650 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:49 +0200] conn=5 op=1651 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:49 +0200] conn=5 op=1651 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:50 +0200] conn=5 op=1653 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:50 +0200] conn=5 op=1653 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:50 +0200] conn=5 op=1654 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:50 +0200] conn=5 op=1654 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:51 +0200] conn=5 
op=1655 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:51 +0200] conn=5 op=1655 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:51 +0200] conn=5 op=1656 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:51 +0200] conn=5 op=1656 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:52 +0200] conn=5 op=1657 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:52 +0200] conn=5 op=1657 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:56 +0200] conn=5 op=1658 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:56 +0200] conn=5 op=1658 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:57 +0200] conn=5 op=1660 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:57 +0200] conn=5 op=1660 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:57 +0200] conn=5 op=1661 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:32:57 +0200] conn=5 op=1661 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:32:58 +0200] conn=5 op=1662 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:32:58 +0200] conn=5 op=1662 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:33:00 +0200] conn=5 op=1663 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:33:00 +0200] conn=5 op=1663 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:33:01 +0200] conn=5 op=1664 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:33:01 +0200] conn=5 op=1664 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:33:01 +0200] conn=5 op=1665 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:33:01 +0200] conn=5 op=1665 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:33:02 
+0200] conn=5 op=1666 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:02 +0200] conn=5 op=1666 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:02 +0200] conn=5 op=1667 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:02 +0200] conn=5 op=1667 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:03 +0200] conn=5 op=1669 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:03 +0200] conn=5 op=1669 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:03 +0200] conn=5 op=1670 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:03 +0200] conn=5 op=1670 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:04 +0200] conn=5 op=1671 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:04 +0200] conn=5 op=1671 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:04 +0200] conn=5 op=1672 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:04 +0200] conn=5 op=1672 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:05 +0200] conn=5 op=1673 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:05 +0200] conn=5 op=1673 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:05 +0200] conn=5 op=1674 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:05 +0200] conn=5 op=1674 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:06 +0200] conn=5 op=1675 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:06 +0200] conn=5 op=1675 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:06 +0200] conn=5 op=1676 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:06 +0200] conn=5 op=1676 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:08 +0200] conn=5 op=1677 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:08 +0200] conn=5 op=1677 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:11 +0200] conn=5 op=1679 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:11 +0200] conn=5 op=1679 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:12 +0200] conn=5 op=1680 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:12 +0200] conn=5 op=1680 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:12 +0200] conn=5 op=1681 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:12 +0200] conn=5 op=1681 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:13 +0200] conn=5 op=1682 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:13 +0200] conn=5 op=1682 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:13 +0200] conn=5 op=1683 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:13 +0200] conn=5 op=1683 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:14 +0200] conn=5 op=1684 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:14 +0200] conn=5 op=1684 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:14 +0200] conn=5 op=1685 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:14 +0200] conn=5 op=1685 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:15 +0200] conn=5 op=1687 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:15 +0200] conn=5 op=1687 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:16 +0200] conn=5 op=1688 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:16 +0200] conn=5 op=1688 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:17 +0200] conn=5 op=1689 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:17 +0200] conn=5 op=1689 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:19 +0200] conn=5 op=1690 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:19 +0200] conn=5 op=1690 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:20 +0200] conn=5 op=1691 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:20 +0200] conn=5 op=1691 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:20 +0200] conn=5 op=1692 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:20 +0200] conn=5 op=1692 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:21 +0200] conn=5 op=1694 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:21 +0200] conn=5 op=1694 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:21 +0200] conn=5 op=1695 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:21 +0200] conn=5 op=1695 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:22 +0200] conn=5 op=1696 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:22 +0200] conn=5 op=1696 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:22 +0200] conn=5 op=1697 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:22 +0200] conn=5 op=1697 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:23 +0200] conn=5 op=1698 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:23 +0200] conn=5 op=1698 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:27 +0200] conn=5 op=1699 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:27 +0200] conn=5 op=1699 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:28 +0200] conn=5 op=1701 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:28 +0200] conn=5 op=1701 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:28 +0200] conn=5 op=1702 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:28 +0200] conn=5 op=1702 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:29 +0200] conn=5 op=1703 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:29 +0200] conn=5 op=1703 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:29 +0200] conn=5 op=1704 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:29 +0200] conn=5 op=1704 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:30 +0200] conn=5 op=1705 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:30 +0200] conn=5 op=1705 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:32 +0200] conn=5 op=1706 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:32 +0200] conn=5 op=1706 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:33 +0200] conn=5 op=1707 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:33 +0200] conn=5 op=1707 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:33 +0200] conn=5 op=1708 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:33 +0200] conn=5 op=1708 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:34 +0200] conn=5 op=1710 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:34 +0200] conn=5 op=1710 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:34 +0200] conn=5 op=1711 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:34 +0200] conn=5 op=1711 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:35 +0200] conn=5 op=1712 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:35 +0200] conn=5 op=1712 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:35 +0200] conn=5 op=1713 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:35 +0200] conn=5 op=1713 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:36 +0200] conn=5 op=1714 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:36 +0200] conn=5 op=1714 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:42 +0200] conn=5 op=1715 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:42 +0200] conn=5 op=1715 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:43 +0200] conn=5 op=1717 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:43 +0200] conn=5 op=1717 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:43 +0200] conn=5 op=1718 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:43 +0200] conn=5 op=1718 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:44 +0200] conn=5 op=1719 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:44 +0200] conn=5 op=1719 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:46 +0200] conn=5 op=1720 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:46 +0200] conn=5 op=1720 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:47 +0200] conn=5 op=1721 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:47 +0200] conn=5 op=1721 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:47 +0200] conn=5 op=1722 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:47 +0200] conn=5 op=1722 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:48 +0200] conn=5 op=1723 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:48 +0200] conn=5 op=1723 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:48 +0200] conn=5 op=1724 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:48 +0200] conn=5 op=1724 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:49 +0200] conn=5 op=1726 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:49 +0200] conn=5 op=1726 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:50 +0200] conn=5 op=1727 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:50 +0200] conn=5 op=1727 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:51 +0200] conn=5 op=1728 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:51 +0200] conn=5 op=1728 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:51 +0200] conn=5 op=1729 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:51 +0200] conn=5 op=1729 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:52 +0200] conn=5 op=1730 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:52 +0200] conn=5 op=1730 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:52 +0200] conn=5 op=1731 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:52 +0200] conn=5 op=1731 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:53 +0200] conn=5 op=1732 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:53 +0200] conn=5 op=1732 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:55 +0200] conn=5 op=1733 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:55 +0200] conn=5 op=1733 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:56 +0200] conn=5 op=1735 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:56 +0200] conn=5 op=1735 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:56 +0200] conn=5 op=1736 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:56 +0200] conn=5 op=1736 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:57 +0200] conn=5 op=1737 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:33:57 +0200] conn=5 op=1737 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:33:59 +0200] conn=5 op=1738 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:33:59 +0200] conn=5 op=1738 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:00 +0200] conn=5 op=1739 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:00 +0200] conn=5 op=1739 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:01 +0200] conn=5 op=1740 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:01 +0200] conn=5 op=1740 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:02 +0200] conn=5 op=1742 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:02 +0200] conn=5 op=1742 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:02 +0200] conn=5 op=1743 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:02 +0200] conn=5 op=1743 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:03 +0200] conn=5 op=1744 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:03 +0200] conn=5 op=1744 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:03 +0200] conn=5 op=1745 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:03 +0200] conn=5 op=1745 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:04 +0200] conn=5 op=1746 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:04 +0200] conn=5 op=1746 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:10 +0200] conn=5 op=1747 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:10 +0200] conn=5 op=1747 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:11 +0200] conn=5 op=1749 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:11 +0200] conn=5 op=1749 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:11 +0200] conn=5 op=1750 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:11 +0200] conn=5 op=1750 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:12 +0200] conn=5 op=1751 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:12 +0200] conn=5 op=1751 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:12 +0200] conn=5 op=1752 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:12 +0200] conn=5 op=1752 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:13 +0200] conn=5 op=1753 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:13 +0200] conn=5 op=1753 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:15 +0200] conn=5 op=1754 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:15 +0200] conn=5 op=1754 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:16 +0200] conn=5 op=1755 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:16 +0200] conn=5 op=1755 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:17 +0200] conn=5 op=1756 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:17 +0200] conn=5 op=1756 RESULT err=0 tag=120 nentries=0 etime=1
[15/Apr/2015:17:34:18 +0200] conn=5 op=1758 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:18 +0200] conn=5 op=1758 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:18 +0200] conn=5 op=1759 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:18 +0200] conn=5 op=1759 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:19 +0200] conn=5 op=1760 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:19 +0200] conn=5 op=1760 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:25 +0200] conn=5 op=1761 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:25 +0200] conn=5 op=1761 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:26 +0200] conn=5 op=1763 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:26 +0200] conn=5 op=1763 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:28 +0200] conn=5 op=1764 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:28 +0200] conn=5 op=1764 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:29 +0200] conn=5 op=1765 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:29 +0200] conn=5 op=1765 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:29 +0200] conn=5 op=1766 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:29 +0200] conn=5 op=1766 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:30 +0200] conn=5 op=1767 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:30 +0200] conn=5 op=1767 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:30 +0200] conn=5 op=1768 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:30 +0200] conn=5 op=1768 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:31 +0200] conn=5 op=1769 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:31 +0200] conn=5 op=1769 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:36 +0200] conn=5 op=1771 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:36 +0200] conn=5 op=1771 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:37 +0200] conn=5 op=1772 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:37 +0200] conn=5 op=1772 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:38 +0200] conn=5 op=1773 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:38 +0200] conn=5 op=1773 RESULT err=0 tag=120 nentries=0 etime=1
[15/Apr/2015:17:34:39 +0200] conn=5 op=1775 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:39 +0200] conn=5 op=1775 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:44 +0200] conn=5 op=1776 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:44 +0200] conn=5 op=1776 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:46 +0200] conn=5 op=1778 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:46 +0200] conn=5 op=1778 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:46 +0200] conn=5 op=1779 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:46 +0200] conn=5 op=1779 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:47 +0200] conn=5 op=1780 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:47 +0200] conn=5 op=1780 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:49 +0200] conn=5 op=1781 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:49 +0200] conn=5 op=1781 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:50 +0200] conn=5 op=1782 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:50 +0200] conn=5 op=1782 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:50 +0200] conn=5 op=1783 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:50 +0200] conn=5 op=1783 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:51 +0200] conn=5 op=1785 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:51 +0200] conn=5 op=1785 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:51 +0200] conn=5 op=1786 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:51 +0200] conn=5 op=1786 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:52 +0200] conn=5 op=1787 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:52 +0200] conn=5 op=1787 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:52 +0200] conn=5 op=1788 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:52 +0200] conn=5 op=1788 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:53 +0200] conn=5 op=1789 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:53 +0200] conn=5 op=1789 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:54 +0200] conn=5 op=1790 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:54 +0200] conn=5 op=1790 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:55 +0200] conn=5 op=1791 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:55 +0200] conn=5 op=1791 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:55 +0200] conn=5 op=1792 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:55 +0200] conn=5 op=1792 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:56 +0200] conn=5 op=1793 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:56 +0200] conn=5 op=1793 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:56 +0200] conn=5 op=1794 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:56 +0200] conn=5 op=1794 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:57 +0200] conn=5 op=1796 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:57 +0200] conn=5 op=1796 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:57 +0200] conn=5 op=1797 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:34:57 +0200] conn=5 op=1797 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:34:58 +0200] conn=5 op=1798 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:34:58 +0200] conn=5 op=1798 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:00 +0200] conn=5 op=1799 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:00 +0200] conn=5 op=1799 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:01 +0200] conn=5 op=1800 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:01 +0200] conn=5 op=1800 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:01 +0200] conn=5 op=1801 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:01 +0200] conn=5 op=1801 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:02 +0200] conn=5 op=1802 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:02 +0200] conn=5 op=1802 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:04 +0200] conn=5 op=1804 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:04 +0200] conn=5 op=1804 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:05 +0200] conn=5 op=1805 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:05 +0200] conn=5 op=1805 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:05 +0200] conn=5 op=1806 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:05 +0200] conn=5 op=1806 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:06 +0200] conn=5 op=1807 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:06 +0200] conn=5 op=1807 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:11 +0200] conn=5 op=1808 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:11 +0200] conn=5 op=1808 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:12 +0200] conn=5 op=1810 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:12 +0200] conn=5 op=1810 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:14 +0200] conn=5 op=1811 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:14 +0200] conn=5 op=1811 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:15 +0200] conn=5 op=1812 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:15 +0200] conn=5 op=1812 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:18 +0200] conn=5 op=1813 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:18 +0200] conn=5 op=1813 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:19 +0200] conn=5 op=1815 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:19 +0200] conn=5 op=1815 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:20 +0200] conn=5 op=1816 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:20 +0200] conn=5 op=1816 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:21 +0200] conn=5 op=1817 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:21 +0200] conn=5 op=1817 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:24 +0200] conn=5 op=1818 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:24 +0200] conn=5 op=1818 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:25 +0200] conn=5 op=1820 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:25 +0200] conn=5 op=1820 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:25 +0200] conn=5 op=1821 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:25 +0200] conn=5 op=1821 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:26 +0200] conn=5 op=1822 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:26 +0200] conn=5 op=1822 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:29 +0200] conn=5 op=1823 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:29 +0200] conn=5 op=1823 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:30 +0200] conn=5 op=1824 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:30 +0200] conn=5 op=1824 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:30 +0200] conn=5 op=1825 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:30 +0200] conn=5 op=1825 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:31 +0200] conn=5 op=1827 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:31 +0200] conn=5 op=1827 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:40 +0200] conn=5 op=1828 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:40 +0200] conn=5 op=1828 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:41 +0200] conn=5 op=1830 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:41 +0200] conn=5 op=1830 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:45 +0200] conn=5 op=1831 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:45 +0200] conn=5 op=1831 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:46 +0200] conn=5 op=1832 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:46 +0200] conn=5 op=1832 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:46 +0200] conn=5 op=1833 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:35:46 +0200] conn=5 op=1833 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:35:48 +0200] conn=5 op=1835 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:35:48 +0200] conn=5 op=1835 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:01 +0200] conn=5 op=1836 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:01 +0200] conn=5 op=1836 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:02 +0200] conn=5 op=1838 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:02 +0200] conn=5 op=1838 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:06 +0200] conn=5 op=1839 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:06 +0200] conn=5 op=1839 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:07 +0200] conn=5 op=1840 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:07 +0200] conn=5 op=1840 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:10 +0200] conn=5 op=1842 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:10 +0200] conn=5 op=1842 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:11 +0200] conn=5 op=1843 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:11 +0200] conn=5 op=1843 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:14 +0200] conn=5 op=1844 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:14 +0200] conn=5 op=1844 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:15 +0200] conn=5 op=1846 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:15 +0200] conn=5 op=1846 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:15 +0200] conn=5 op=1847 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:15 +0200] conn=5 op=1847 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:16 +0200] conn=5 op=1848 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:16 +0200] conn=5 op=1848 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:25 +0200] conn=5 op=1849 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:25 +0200] conn=5 op=1849 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:26 +0200] conn=5 op=1851 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:26 +0200] conn=5 op=1851 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:36 +0200] conn=5 op=1852 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:36 +0200] conn=5 op=1852 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:37 +0200] conn=5 op=1854 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:37 +0200] conn=5 op=1854 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:42 +0200] conn=5 op=1855 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:42 +0200] conn=5 op=1855 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:43 +0200] conn=5 op=1857 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:43 +0200] conn=5 op=1857 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:43 +0200] conn=5 op=1858 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:43 +0200] conn=5 op=1858 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:44 +0200] conn=5 op=1859 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:44 +0200] conn=5 op=1859 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:44 +0200] conn=5 op=1860 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:44 +0200] conn=5 op=1860 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:45 +0200] conn=5 op=1861 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:45 +0200] conn=5 op=1861 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:52 +0200] conn=5 op=1862 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:36:52 +0200] conn=5 op=1862 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:36:53 +0200] conn=5 op=1864 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:36:53 +0200] conn=5 op=1864 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:01 +0200] conn=5 op=1865 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:01 +0200] conn=5 op=1865 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:02 +0200] conn=5 op=1867 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:02 +0200] conn=5 op=1867 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:02 +0200] conn=5 op=1868 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:02 +0200] conn=5 op=1868 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:03 +0200] conn=5 op=1869 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:03 +0200] conn=5 op=1869 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:05 +0200] conn=5 op=1870 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:05 +0200] conn=5 op=1870 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:06 +0200] conn=5 op=1871 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:06 +0200] conn=5 op=1871 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:06 +0200] conn=5 op=1872 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:06 +0200] conn=5 op=1872 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:07 +0200] conn=5 op=1873 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:07 +0200] conn=5 op=1873 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:07 +0200] conn=5 op=1874 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:07 +0200] conn=5 op=1874 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:08 +0200] conn=5 op=1876 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:08 +0200] conn=5 op=1876 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:08 +0200] conn=5 op=1877 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:08 +0200] conn=5 op=1877 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:09 +0200] conn=5 op=1878 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:09 +0200] conn=5 op=1878 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:10 +0200] conn=5 op=1879 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:10 +0200] conn=5 op=1879 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:11 +0200] conn=5 op=1880 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:11 +0200] conn=5 op=1880 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:13 +0200] conn=5 op=1881 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:13 +0200] conn=5 op=1881 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:14 +0200] conn=5 op=1883 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:14 +0200] conn=5 op=1883 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:18 +0200] conn=5 op=1884 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:18 +0200] conn=5 op=1884 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:19 +0200] conn=5 op=1885 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:19 +0200] conn=5 op=1885 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:19 +0200] conn=5 op=1886 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:19 +0200] conn=5 op=1886 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:20 +0200] conn=5 op=1888 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:20 +0200] conn=5 op=1888 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:22 +0200] conn=5 op=1889 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:22 +0200] conn=5 op=1889 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:23 +0200] conn=5 op=1890 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:23 +0200] conn=5 op=1890 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:26 +0200] conn=5 op=1891 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:26 +0200] conn=5 op=1891 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:27 +0200] conn=5 op=1893 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:27 +0200] conn=5 op=1893 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:31 +0200] conn=5 op=1894 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:31 +0200] conn=5 op=1894 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:32 +0200] conn=5 op=1895 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:32 +0200] conn=5 op=1895 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:33 +0200] conn=5 op=1897 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:33 +0200] conn=5 op=1897 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:34 +0200] conn=5 op=1898 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:34 +0200] conn=5 op=1898 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:40 +0200] conn=5 op=1899 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:40 +0200] conn=5 op=1899 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:41 +0200] conn=5 op=1901 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:41 +0200] conn=5 op=1901 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:42 +0200] conn=5 op=1902 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:42 +0200] conn=5 op=1902 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:43 +0200] conn=5 op=1903 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:43 +0200] conn=5 op=1903 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:50 +0200] conn=5 op=1904 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:50 +0200] conn=5 op=1904 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:51 +0200] conn=5 op=1906 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:51 +0200] conn=5 op=1906 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:51 +0200] conn=5 op=1907 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:51 +0200] conn=5 op=1907 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:52 +0200] conn=5 op=1908 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:52 +0200] conn=5 op=1908 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:58 +0200] conn=5 op=1909 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:58 +0200] conn=5 op=1909 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:59 +0200] conn=5 op=1911 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:37:59 +0200] conn=5 op=1911 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:37:59 +0200] conn=5 op=1912 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:37:59 +0200] conn=5 op=1912 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:38:00 +0200] conn=5 op=1913 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[15/Apr/2015:17:38:00 +0200] conn=5 op=1913 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:38:01 +0200] conn=5 op=1914 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[15/Apr/2015:17:38:01 +0200] conn=5 op=1914 RESULT err=0 tag=120 nentries=0 etime=0
[15/Apr/2015:17:38:02 +0200] conn=5
op=1915 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:02 +0200] conn=5 op=1915 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:03 +0200] conn=5 op=1916 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:03 +0200] conn=5 op=1916 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:04 +0200] conn=5 op=1917 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:04 +0200] conn=5 op=1917 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:06 +0200] conn=5 op=1919 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:06 +0200] conn=5 op=1919 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:07 +0200] conn=5 op=1920 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:07 +0200] conn=5 op=1920 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:07 +0200] conn=5 op=1921 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:07 +0200] conn=5 op=1921 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:08 +0200] conn=5 op=1922 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:08 +0200] conn=5 op=1922 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:08 +0200] conn=5 op=1923 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:08 +0200] conn=5 op=1923 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:09 +0200] conn=5 op=1924 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:09 +0200] conn=5 op=1924 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:10 +0200] conn=5 op=1925 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:10 +0200] conn=5 op=1925 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:11 
+0200] conn=5 op=1927 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:11 +0200] conn=5 op=1927 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:12 +0200] conn=5 op=1928 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:12 +0200] conn=5 op=1928 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:14 +0200] conn=5 op=1929 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:14 +0200] conn=5 op=1929 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:20 +0200] conn=5 op=1930 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:20 +0200] conn=5 op=1930 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:21 +0200] conn=5 op=1932 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:21 +0200] conn=5 op=1932 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:22 +0200] conn=5 op=1933 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:22 +0200] conn=5 op=1933 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:23 +0200] conn=5 op=1934 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:23 +0200] conn=5 op=1934 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:26 +0200] conn=5 op=1935 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:26 +0200] conn=5 op=1935 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:27 +0200] conn=5 op=1937 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:27 +0200] conn=5 op=1937 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:28 +0200] conn=5 op=1938 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:28 +0200] conn=5 op=1938 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:38:29 +0200] conn=5 op=1939 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:29 +0200] conn=5 op=1939 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:29 +0200] conn=5 op=1940 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:29 +0200] conn=5 op=1940 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:30 +0200] conn=5 op=1941 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:30 +0200] conn=5 op=1941 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:30 +0200] conn=5 op=1942 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:30 +0200] conn=5 op=1942 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:31 +0200] conn=5 op=1943 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:31 +0200] conn=5 op=1943 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:33 +0200] conn=5 op=1944 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:33 +0200] conn=5 op=1944 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:34 +0200] conn=5 op=1946 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:34 +0200] conn=5 op=1946 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:37 +0200] conn=5 op=1947 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:37 +0200] conn=5 op=1947 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:38 +0200] conn=5 op=1948 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:38 +0200] conn=5 op=1948 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:40 +0200] conn=5 op=1949 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:40 +0200] conn=5 op=1949 RESULT err=0 tag=120 
nentries=0 etime=0 [15/Apr/2015:17:38:41 +0200] conn=5 op=1951 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:41 +0200] conn=5 op=1951 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:44 +0200] conn=5 op=1952 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:44 +0200] conn=5 op=1952 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:45 +0200] conn=5 op=1953 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:45 +0200] conn=5 op=1953 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:46 +0200] conn=5 op=1954 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:46 +0200] conn=5 op=1954 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:47 +0200] conn=5 op=1956 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:47 +0200] conn=5 op=1956 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:49 +0200] conn=5 op=1957 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:49 +0200] conn=5 op=1957 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:50 +0200] conn=5 op=1958 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:50 +0200] conn=5 op=1958 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:50 +0200] conn=5 op=1959 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:50 +0200] conn=5 op=1959 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:51 +0200] conn=5 op=1960 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:51 +0200] conn=5 op=1960 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:51 +0200] conn=5 op=1961 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:51 +0200] conn=5 op=1961 RESULT 
err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:52 +0200] conn=5 op=1962 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:52 +0200] conn=5 op=1962 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:55 +0200] conn=5 op=1964 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:55 +0200] conn=5 op=1964 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:56 +0200] conn=5 op=1965 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:56 +0200] conn=5 op=1965 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:56 +0200] conn=5 op=1966 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:56 +0200] conn=5 op=1966 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:57 +0200] conn=5 op=1967 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:57 +0200] conn=5 op=1967 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:58 +0200] conn=5 op=1968 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:38:58 +0200] conn=5 op=1968 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:38:59 +0200] conn=5 op=1970 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:38:59 +0200] conn=5 op=1970 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:01 +0200] conn=5 op=1971 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:01 +0200] conn=5 op=1971 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:02 +0200] conn=5 op=1972 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:02 +0200] conn=5 op=1972 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:05 +0200] conn=5 op=1973 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:05 +0200] conn=5 
op=1973 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:06 +0200] conn=5 op=1975 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:06 +0200] conn=5 op=1975 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:07 +0200] conn=5 op=1976 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:07 +0200] conn=5 op=1976 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:08 +0200] conn=5 op=1977 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:08 +0200] conn=5 op=1977 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:13 +0200] conn=5 op=1978 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:13 +0200] conn=5 op=1978 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:14 +0200] conn=5 op=1980 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:14 +0200] conn=5 op=1980 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:14 +0200] conn=5 op=1981 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:14 +0200] conn=5 op=1981 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:15 +0200] conn=5 op=1982 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:15 +0200] conn=5 op=1982 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:16 +0200] conn=5 op=1983 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:16 +0200] conn=5 op=1983 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:17 +0200] conn=5 op=1984 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:17 +0200] conn=5 op=1984 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:25 +0200] conn=5 op=1985 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:25 
+0200] conn=5 op=1985 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:26 +0200] conn=5 op=1987 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:26 +0200] conn=5 op=1987 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:27 +0200] conn=5 op=1988 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:27 +0200] conn=5 op=1988 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:28 +0200] conn=5 op=1989 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:28 +0200] conn=5 op=1989 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:31 +0200] conn=5 op=1990 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:31 +0200] conn=5 op=1990 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:32 +0200] conn=5 op=1992 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:32 +0200] conn=5 op=1992 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:32 +0200] conn=5 op=1993 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:32 +0200] conn=5 op=1993 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:33 +0200] conn=5 op=1994 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:33 +0200] conn=5 op=1994 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:35 +0200] conn=5 op=1995 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:35 +0200] conn=5 op=1995 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:36 +0200] conn=5 op=1996 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:36 +0200] conn=5 op=1996 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:42 +0200] conn=5 op=1997 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" 
[15/Apr/2015:17:39:42 +0200] conn=5 op=1997 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:43 +0200] conn=5 op=1999 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:43 +0200] conn=5 op=1999 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:46 +0200] conn=5 op=2000 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:46 +0200] conn=5 op=2000 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:47 +0200] conn=5 op=2001 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:47 +0200] conn=5 op=2001 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:47 +0200] conn=5 op=2002 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:47 +0200] conn=5 op=2002 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:48 +0200] conn=5 op=2003 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:48 +0200] conn=5 op=2003 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:52 +0200] conn=5 op=2005 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:52 +0200] conn=5 op=2005 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:53 +0200] conn=5 op=2006 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:53 +0200] conn=5 op=2006 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:55 +0200] conn=5 op=2007 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:55 +0200] conn=5 op=2007 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:56 +0200] conn=5 op=2009 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:56 +0200] conn=5 op=2009 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:57 +0200] conn=5 op=2010 EXT oid="2.16.840.1.113730.3.5.12" 
name="replication-multimaster-extop" [15/Apr/2015:17:39:57 +0200] conn=5 op=2010 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:58 +0200] conn=5 op=2011 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:58 +0200] conn=5 op=2011 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:58 +0200] conn=5 op=2012 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:58 +0200] conn=5 op=2012 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:59 +0200] conn=5 op=2013 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:39:59 +0200] conn=5 op=2013 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:39:59 +0200] conn=5 op=2014 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:39:59 +0200] conn=5 op=2014 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:00 +0200] conn=5 op=2015 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:00 +0200] conn=5 op=2015 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:01 +0200] conn=5 op=2016 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:01 +0200] conn=5 op=2016 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:02 +0200] conn=5 op=2018 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:02 +0200] conn=5 op=2018 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:02 +0200] conn=5 op=2019 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:02 +0200] conn=5 op=2019 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:03 +0200] conn=5 op=2020 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:03 +0200] conn=5 op=2020 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:03 +0200] conn=5 op=2021 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:03 +0200] conn=5 op=2021 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:04 +0200] conn=5 op=2022 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:04 +0200] conn=5 op=2022 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:06 +0200] conn=5 op=2023 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:06 +0200] conn=5 op=2023 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:07 +0200] conn=5 op=2024 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:07 +0200] conn=5 op=2024 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:19 +0200] conn=5 op=2026 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:19 +0200] conn=5 op=2026 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:20 +0200] conn=5 op=2028 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:20 +0200] conn=5 op=2028 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:24 +0200] conn=5 op=2029 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:24 +0200] conn=5 op=2029 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:26 +0200] conn=5 op=2030 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:26 +0200] conn=5 op=2030 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:26 +0200] conn=5 op=2031 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:26 +0200] conn=5 op=2031 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:27 +0200] conn=5 op=2033 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:27 +0200] conn=5 op=2033 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:27 +0200] conn=5 
op=2034 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:27 +0200] conn=5 op=2034 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:28 +0200] conn=5 op=2035 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:28 +0200] conn=5 op=2035 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:41 +0200] conn=5 op=2036 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:41 +0200] conn=5 op=2036 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:42 +0200] conn=5 op=2038 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:42 +0200] conn=5 op=2038 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:42 +0200] conn=5 op=2039 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:42 +0200] conn=5 op=2039 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:43 +0200] conn=5 op=2040 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:43 +0200] conn=5 op=2040 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:44 +0200] conn=5 op=2041 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:44 +0200] conn=5 op=2041 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:45 +0200] conn=5 op=2042 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:45 +0200] conn=5 op=2042 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:45 +0200] conn=5 op=2043 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:45 +0200] conn=5 op=2043 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:46 +0200] conn=5 op=2044 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:46 +0200] conn=5 op=2044 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:47 
+0200] conn=5 op=2045 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:47 +0200] conn=5 op=2045 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:48 +0200] conn=5 op=2047 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:48 +0200] conn=5 op=2047 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:54 +0200] conn=5 op=2048 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:54 +0200] conn=5 op=2048 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:55 +0200] conn=5 op=2050 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:56 +0200] conn=5 op=2050 RESULT err=0 tag=120 nentries=0 etime=1 [15/Apr/2015:17:40:56 +0200] conn=5 op=2051 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:56 +0200] conn=5 op=2051 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:57 +0200] conn=5 op=2052 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:57 +0200] conn=5 op=2052 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:57 +0200] conn=5 op=2053 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:57 +0200] conn=5 op=2053 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:58 +0200] conn=5 op=2054 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:58 +0200] conn=5 op=2054 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:58 +0200] conn=5 op=2055 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [15/Apr/2015:17:40:58 +0200] conn=5 op=2055 RESULT err=0 tag=120 nentries=0 etime=0 [15/Apr/2015:17:40:59 +0200] conn=5 op=2056 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session" [15/Apr/2015:17:40:59 +0200] conn=5 op=2056 RESULT err=0 tag=120 nentries=0 etime=0 
[15/Apr/2015:17:41:14 +0200] conn=6 fd=64 slot=64 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[15/Apr/2015:17:41:14 +0200] conn=6 AUTOBIND dn="cn=Directory Manager"
[15/Apr/2015:17:41:14 +0200] conn=6 op=0 BIND dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
[15/Apr/2015:17:41:14 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
[15/Apr/2015:17:41:14 +0200] conn=6 op=1 SRCH base="cn=mapping tree,cn=config" scope=2 filter="(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=lix,dc=polytechnique,dc=fr))" attrs=ALL
[15/Apr/2015:17:41:14 +0200] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[15/Apr/2015:17:41:14 +0200] conn=6 op=2 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[15/Apr/2015:17:41:14 +0200] conn=6 op=2 RESULT err=0 tag=101 nentries=1 etime=0
-------------- next part --------------
389-Directory/1.3.3.1 B2015.077.2022 ipa1.example.com:389 (/etc/dirsrv/slapd-EXAMPLE-COM)
[15/Apr/2015:16:39:35 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Apr/2015:16:39:35 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 969842, procpages: 54358
[15/Apr/2015:16:39:35 +0200] - Import allocates 1551744KB import cache.
[15/Apr/2015:16:39:35 +0200] - import userRoot: Beginning import job...
[15/Apr/2015:16:39:35 +0200] - import userRoot: Index buffering enabled with bucket size 100
[15/Apr/2015:16:39:35 +0200] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif"
[15/Apr/2015:16:39:35 +0200] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries)
[15/Apr/2015:16:39:35 +0200] - import userRoot: Workers finished; cleaning up...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Workers cleaned up.
[15/Apr/2015:16:39:36 +0200] - import userRoot: Cleaning up producer thread...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Indexing complete. Post-processing...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Generating numSubordinates complete.
[15/Apr/2015:16:39:36 +0200] - import userRoot: Gathering ancestorid non-leaf IDs...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Finished gathering ancestorid non-leaf IDs.
[15/Apr/2015:16:39:36 +0200] - Nothing to do to build ancestorid index
[15/Apr/2015:16:39:36 +0200] - import userRoot: Created ancestorid index (new idl).
[15/Apr/2015:16:39:36 +0200] - import userRoot: Flushing caches...
[15/Apr/2015:16:39:36 +0200] - import userRoot: Closing files...
[15/Apr/2015:16:39:36 +0200] - All database threads now stopped
[15/Apr/2015:16:39:36 +0200] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
[15/Apr/2015:16:39:36 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up
[15/Apr/2015:16:39:36 +0200] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file.
[15/Apr/2015:16:39:36 +0200] - I'm resizing my cache now...cache was 1588985856 and is now 6400000
[15/Apr/2015:16:39:37 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Apr/2015:16:39:39 +0200] - slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0
[15/Apr/2015:16:39:39 +0200] - slapd shutting down - waiting for 22 threads to terminate
[15/Apr/2015:16:39:39 +0200] - slapd shutting down - closing down internal subsystems and plugins
[15/Apr/2015:16:39:39 +0200] - Waiting for 4 database threads to stop
[15/Apr/2015:16:39:39 +0200] - All database threads now stopped
[15/Apr/2015:16:39:39 +0200] - slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects
[15/Apr/2015:16:39:39 +0200] - slapd stopped.
[15/Apr/2015:16:39:40 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up
[15/Apr/2015:16:39:40 +0200] - I'm resizing my cache now...cache was 6400000 and is now 5120000
[15/Apr/2015:16:39:40 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Apr/2015:16:39:40 +0200] - The change of nsslapd-ldapilisten will not take effect until the server is restarted
[15/Apr/2015:16:55:42 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[15/Apr/2015:16:55:42 +0200] - slapd shutting down - waiting for 29 threads to terminate
[15/Apr/2015:16:55:42 +0200] - slapd shutting down - closing down internal subsystems and plugins
[15/Apr/2015:16:55:42 +0200] - Waiting for 4 database threads to stop
[15/Apr/2015:16:55:42 +0200] - All database threads now stopped
[15/Apr/2015:16:55:42 +0200] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[15/Apr/2015:16:55:42 +0200] - slapd stopped.
[15/Apr/2015:17:02:03 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Apr/2015:17:02:03 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 969842, procpages: 54358
[15/Apr/2015:17:02:03 +0200] - Import allocates 1551744KB import cache.
[15/Apr/2015:17:02:03 +0200] - import userRoot: Beginning import job...
[15/Apr/2015:17:02:03 +0200] - import userRoot: Index buffering enabled with bucket size 100
[15/Apr/2015:17:02:03 +0200] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif"
[15/Apr/2015:17:02:03 +0200] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries)
[15/Apr/2015:17:02:03 +0200] - import userRoot: Workers finished; cleaning up...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Workers cleaned up.
[15/Apr/2015:17:02:04 +0200] - import userRoot: Cleaning up producer thread...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Indexing complete. Post-processing...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Generating numsubordinates (this may take several minutes to complete)...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Generating numSubordinates complete.
[15/Apr/2015:17:02:04 +0200] - import userRoot: Gathering ancestorid non-leaf IDs...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Finished gathering ancestorid non-leaf IDs.
[15/Apr/2015:17:02:04 +0200] - Nothing to do to build ancestorid index
[15/Apr/2015:17:02:04 +0200] - import userRoot: Created ancestorid index (new idl).
[15/Apr/2015:17:02:04 +0200] - import userRoot: Flushing caches...
[15/Apr/2015:17:02:04 +0200] - import userRoot: Closing files...
[15/Apr/2015:17:02:04 +0200] - All database threads now stopped
[15/Apr/2015:17:02:04 +0200] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec)
[15/Apr/2015:17:02:04 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up
[15/Apr/2015:17:02:04 +0200] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file.
[15/Apr/2015:17:02:04 +0200] - I'm resizing my cache now...cache was 1588985856 and is now 6400000
[15/Apr/2015:17:02:04 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up
[15/Apr/2015:17:02:04 +0200] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file.
[15/Apr/2015:17:02:04 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[15/Apr/2015:17:02:04 +0200] - libdb: BDB0126 mmap: Invalid argument
[15/Apr/2015:17:02:05 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Apr/2015:17:02:05 +0200] - The change of nsslapd-ldapilisten will not take effect until the server is restarted
[15/Apr/2015:17:05:49 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1
[15/Apr/2015:17:05:49 +0200] - slapd shutting down - waiting for 27 threads to terminate
[15/Apr/2015:17:05:49 +0200] - slapd shutting down - closing down internal subsystems and plugins
[15/Apr/2015:17:05:49 +0200] - Waiting for 4 database threads to stop
[15/Apr/2015:17:05:49 +0200] - All database threads now stopped
[15/Apr/2015:17:05:50 +0200] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects
[15/Apr/2015:17:05:50 +0200] - slapd stopped.
[15/Apr/2015:17:06:23 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Apr/2015:17:06:23 +0200] - check_and_set_import_cache: pagesize: 4096, pages: 969842, procpages: 54357
[15/Apr/2015:17:06:23 +0200] - Import allocates 1551744KB import cache.
[15/Apr/2015:17:06:23 +0200] - import userRoot: Beginning import job... [15/Apr/2015:17:06:23 +0200] - import userRoot: Index buffering enabled with bucket size 100 [15/Apr/2015:17:06:23 +0200] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif" [15/Apr/2015:17:06:23 +0200] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries) [15/Apr/2015:17:06:24 +0200] - import userRoot: Workers finished; cleaning up... [15/Apr/2015:17:06:24 +0200] - import userRoot: Workers cleaned up. [15/Apr/2015:17:06:24 +0200] - import userRoot: Cleaning up producer thread... [15/Apr/2015:17:06:24 +0200] - import userRoot: Indexing complete. Post-processing... [15/Apr/2015:17:06:24 +0200] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [15/Apr/2015:17:06:24 +0200] - import userRoot: Generating numSubordinates complete. [15/Apr/2015:17:06:24 +0200] - import userRoot: Gathering ancestorid non-leaf IDs... [15/Apr/2015:17:06:24 +0200] - import userRoot: Finished gathering ancestorid non-leaf IDs. [15/Apr/2015:17:06:24 +0200] - Nothing to do to build ancestorid index [15/Apr/2015:17:06:24 +0200] - import userRoot: Created ancestorid index (new idl). [15/Apr/2015:17:06:24 +0200] - import userRoot: Flushing caches... [15/Apr/2015:17:06:24 +0200] - import userRoot: Closing files... [15/Apr/2015:17:06:24 +0200] - All database threads now stopped [15/Apr/2015:17:06:24 +0200] - import userRoot: Import complete. Processed 1 entries in 1 seconds. (1.00 entries/sec) [15/Apr/2015:17:06:24 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up [15/Apr/2015:17:06:24 +0200] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. [15/Apr/2015:17:06:25 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up [15/Apr/2015:17:06:25 +0200] - Db home directory is not set. 
Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. [15/Apr/2015:17:06:25 +0200] - I'm resizing my cache now...cache was 1588985856 and is now 6400000 [15/Apr/2015:17:06:25 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [15/Apr/2015:17:06:25 +0200] - The change of nsslapd-ldapilisten will not take effect until the server is restarted [15/Apr/2015:17:06:26 +0200] - Warning: Adding configuration attribute "nsslapd-security" [15/Apr/2015:17:06:27 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 [15/Apr/2015:17:06:27 +0200] - slapd shutting down - waiting for 27 threads to terminate [15/Apr/2015:17:06:27 +0200] - slapd shutting down - closing down internal subsystems and plugins [15/Apr/2015:17:06:27 +0200] - Waiting for 4 database threads to stop [15/Apr/2015:17:06:27 +0200] - All database threads now stopped [15/Apr/2015:17:06:27 +0200] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects [15/Apr/2015:17:06:27 +0200] - slapd stopped. 
[15/Apr/2015:17:06:28 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [15/Apr/2015:17:06:28 +0200] - SSL alert: Configured NSS Ciphers [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [15/Apr/2015:17:06:28 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up [15/Apr/2015:17:06:28 +0200] - I'm resizing my cache now...cache was 6400000 and is now 5120000 [15/Apr/2015:17:06:28 +0200] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one... [15/Apr/2015:17:06:28 +0200] attrcrypt - Key for cipher AES successfully generated and stored [15/Apr/2015:17:06:28 +0200] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one... [15/Apr/2015:17:06:28 +0200] attrcrypt - Key for cipher 3DES successfully generated and stored [15/Apr/2015:17:06:28 +0200] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [15/Apr/2015:17:06:28 +0200] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [15/Apr/2015:17:06:28 +0200] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [15/Apr/2015:17:06:28 +0200] - Listening on All Interfaces port 636 for LDAPS requests [15/Apr/2015:17:06:28 +0200] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [15/Apr/2015:17:06:29 +0200] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 [15/Apr/2015:17:06:29 +0200] - slapd shutting down - waiting for 30 threads to terminate [15/Apr/2015:17:06:29 +0200] - slapd shutting down - closing down internal subsystems and plugins [15/Apr/2015:17:06:29 +0200] - Waiting for 4 database threads to stop [15/Apr/2015:17:06:29 +0200] - All database threads now stopped [15/Apr/2015:17:06:29 +0200] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects [15/Apr/2015:17:06:29 +0200] - slapd stopped. [15/Apr/2015:17:06:31 +0200] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [15/Apr/2015:17:06:31 +0200] - SSL alert: Configured NSS Ciphers [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled 
[15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [15/Apr/2015:17:06:31 +0200] - 389-Directory/1.3.3.1 B2015.077.2022 starting up [15/Apr/2015:17:06:31 +0200] - I'm resizing my cache now...cache was 5120000 and is now 4096000 [15/Apr/2015:17:06:31 +0200] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm 
(-1765328160) [15/Apr/2015:17:06:31 +0200] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [15/Apr/2015:17:06:31 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests [15/Apr/2015:17:06:31 +0200] - Listening on All Interfaces port 636 for LDAPS requests [15/Apr/2015:17:06:31 +0200] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa.example.com" (ipa:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0% [15/Apr/2015:17:07:13 +0200] - import userRoot: Processed 1399 entries -- average rate 35.0/sec, recent rate 35.0/sec, hit ratio 0% [15/Apr/2015:17:07:33 +0200] - import userRoot: Processed 1399 entries -- average rate 23.3/sec, recent rate 0.0/sec, hit ratio 0% [15/Apr/2015:17:07:53 +0200] - import userRoot: Processed 1399 entries -- average rate 17.5/sec, recent rate 0.0/sec, hit ratio 0% [15/Apr/2015:17:08:13 +0200] - import userRoot: Processed 1399 entries -- average rate 14.0/sec, recent rate 0.0/sec, hit ratio 0% [15/Apr/2015:17:08:33 +0200] - import userRoot: Processed 1399 entries -- average rate 11.6/sec, recent rate 0.0/sec, hit ratio 0% [15/Apr/2015:17:08:38 +0200] - import userRoot: Workers finished; cleaning up... [15/Apr/2015:17:08:38 +0200] - import userRoot: Workers cleaned up. [15/Apr/2015:17:08:38 +0200] - import userRoot: Indexing complete. Post-processing... 
[15/Apr/2015:17:08:38 +0200] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [15/Apr/2015:17:08:38 +0200] - import userRoot: Generating numSubordinates complete. [15/Apr/2015:17:08:38 +0200] - import userRoot: Gathering ancestorid non-leaf IDs... [15/Apr/2015:17:08:38 +0200] - import userRoot: Finished gathering ancestorid non-leaf IDs. [15/Apr/2015:17:08:38 +0200] - import userRoot: Creating ancestorid index (new idl)... [15/Apr/2015:17:08:38 +0200] - import userRoot: Created ancestorid index (new idl). [15/Apr/2015:17:08:38 +0200] - import userRoot: Flushing caches... [15/Apr/2015:17:08:38 +0200] - import userRoot: Closing files... [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec) [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication [15/Apr/2015:17:08:39 +0200] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=lix,dc=polytechnique,dc=fr--no CoS Templates found, which should be added before the CoS Definition. [15/Apr/2015:17:41:16 +0200] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [15/Apr/2015:17:41:16 +0200] - slapd shutting down - closing down internal subsystems and plugins [15/Apr/2015:17:41:16 +0200] - Waiting for 4 database threads to stop [15/Apr/2015:17:41:16 +0200] - All database threads now stopped [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [15/Apr/2015:17:41:16 +0200] - slapd stopped. 
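The consumer error log above is what the rest of the thread reads to decide whether the total update finished and what happened afterwards. As an added example (not code from the thread, from 389-ds or from FreeIPA), here is a small Python parser that extracts that timeline from 389-ds error-log entries; the sample lines are a constructed subset of the log above, and the event names and function names are my own.

```python
"""Reconstruct a replica-initialisation timeline from 389-ds error-log lines.

Added example for this thread; event kinds and function names are my own
and are not part of 389-ds or FreeIPA.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: a subset of the consumer's error log quoted in the thread,
# reduced to the entries that decide "did the total update finish, and when did
# the server go away afterwards".
SAMPLE_LOG = """\
[15/Apr/2015:17:06:31 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa.example.com" (ipa:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication
[15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
[15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
[15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication
[15/Apr/2015:17:41:16 +0200] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1
[15/Apr/2015:17:41:16 +0200] - slapd stopped.
"""

# Every 389-ds error-log entry starts with "[dd/Mon/yyyy:HH:MM:SS +zzzz]".
ENTRY_RE = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(.*)$")
IMPORT_DONE_RE = re.compile(
    r"Import complete\.\s*Processed (\d+) entries in (\d+) seconds")


@dataclass
class Event:
    ts: datetime
    kind: str          # started, stopped, replica_offline, replica_online,
                       # import_complete, generation_mismatch or other
    message: str       # entry text after the timestamp
    entries: int = 0   # filled only for import_complete
    seconds: int = 0   # filled only for import_complete


def classify(message: str) -> Tuple[str, int, int]:
    """Map one entry's text to (kind, entries, seconds)."""
    if "slapd started" in message:
        return "started", 0, 0
    if "slapd stopped" in message:
        return "stopped", 0, 0
    if "is going offline; disabling replication" in message:
        return "replica_offline", 0, 0
    if "is coming online; enabling replication" in message:
        return "replica_online", 0, 0
    if "different database generation ID" in message:
        return "generation_mismatch", 0, 0
    m = IMPORT_DONE_RE.search(message)
    if m:
        return "import_complete", int(m.group(1)), int(m.group(2))
    return "other", 0, 0


def parse_error_log(text: str) -> List[Event]:
    """Parse error-log text into Events; lines without a timestamp are skipped."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        kind, entries, seconds = classify(m.group(2))
        events.append(Event(ts, kind, m.group(2), entries, seconds))
    return events


def summarize_replica_init(events: List[Event]) -> Dict[str, object]:
    """Did the total update finish, did the replica come back online, and how
    many seconds later did slapd stop?  A generation-ID mismatch before the
    total update is expected for a fresh replica and is recorded, not flagged."""
    summary: Dict[str, object] = {
        "generation_mismatch": False,
        "init_completed": False,
        "entries": None,
        "duration_s": None,
        "online_at": None,
        "stopped_after_s": None,   # "coming online" to the next "slapd stopped"
    }
    for ev in events:
        if ev.kind == "generation_mismatch":
            summary["generation_mismatch"] = True
        elif ev.kind == "import_complete":
            summary["init_completed"] = True
            summary["entries"] = ev.entries
            summary["duration_s"] = ev.seconds
        elif ev.kind == "replica_online":
            summary["online_at"] = ev.ts
            summary["stopped_after_s"] = None
        elif (ev.kind == "stopped" and summary["online_at"] is not None
              and summary["stopped_after_s"] is None):
            delta = ev.ts - summary["online_at"]
            summary["stopped_after_s"] = int(delta.total_seconds())
    return summary


if __name__ == "__main__":
    for key, value in summarize_replica_init(parse_error_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```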
From simo at redhat.com Wed Apr 15 18:56:37 2015
From: simo at redhat.com (Simo Sorce)
Date: Wed, 15 Apr 2015 14:56:37 -0400
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
In-Reply-To:
References: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com> <20150415180001.GF4797@redhat.com>
Message-ID: <1429124197.2776.64.camel@willson.usersys.redhat.com>

On Wed, 2015-04-15 at 14:19 -0400, Aric Wilisch wrote:
> So I would have to setup an ID View Override for every user in AD that needs to login to a FreeIPA host?

If you just need a different default shell you should set the default_shell option in sssd.conf

> I guess I'm having trouble understanding why it wouldn't just use the
> defaults set into FreeIPA? The Default home directory is set to /home
> and the default shell is set to /bin/bash.

If it doesn't please open a bug, we probably should.

> This is a lot of work to go to unless there's a way to set it globally
> for the entire domain. Also noticing sudo doesn't work for those users
> even though I have the ad_admins group added to the sudo group I
> created.

Is ad_admins a posix group ? sudo understands only those, also you need to make sure clients are using the sssd_sudo plugin for external users/groups (IIRC).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From abokovoy at redhat.com Wed Apr 15 18:58:23 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 15 Apr 2015 21:58:23 +0300
Subject: [Freeipa-users] Freeipa4 - AD SSH logins
In-Reply-To:
References: <177C9C22-D387-4A5F-962A-5AABA3975FE4@gmail.com> <20150415180001.GF4797@redhat.com>
Message-ID: <20150415185823.GG4797@redhat.com>

On Wed, 15 Apr 2015, Aric Wilisch wrote:
>So I would have to setup an ID View Override for every user in AD that
>needs to login to a FreeIPA host?
>
>I guess I'm having trouble understanding why it wouldn't just use the
>defaults set into FreeIPA? The Default home directory is set to /home
>and the default shell is set to /bin/bash.

Because you have options on how you would set identity mapping for AD users, there is no single way to apply these defaults.

- You can have POSIX attributes defined in Active Directory.
  - this means you can use any existing tool on Windows to set POSIX attributes for each user manually or with automation tools
  - FreeIPA will notice the attributes and configure ID ranges of the trusted domains to pick up POSIX attributes from Active Directory
  - SSSD will use ID range type to pull POSIX attributes from Active Directory
- You can have POSIX attributes generated automatically for AD users by FreeIPA
  - this means some safe defaults will be applied by SSSD running on IPA master, these are based on sssd.conf options for subdomain_*
  - these defaults will affect only AD users' UID/GID information for client-side SSSD <1.12 because old SSSD doesn't know how to pick up the rest of attributes
  - for SSSD >= 1.12 the defaults from IPA master will be honored by IPA clients automatically
- in both cases ID View 'Default Trust View' can be used to configure POSIX attributes for AD users explicitly. There are no templates though.

If templating is needed in ID Views, a ticket could be filed. Perhaps it is a good idea but it will take time to implement in FreeIPA (management), SSSD and slapi-nis (application of defaults).

>This is a lot of work to go to unless there's a way to set it globally
>for the entire domain. Also noticing sudo doesn't work for those users
>even though I have the ad_admins group added to the sudo group I
>created.

Open a separate thread and provide SSSD logs, our debugging capabilities are distinguishable from magic and thus require help from you. ;)

--
/ Alexander Bokovoy

From rmeggins at redhat.com Wed Apr 15 19:37:14 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Apr 2015 13:37:14 -0600
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To:
References: <552E98C3.8020900@redhat.com>
Message-ID: <552EBDEA.6040604@redhat.com>

On 04/15/2015 12:43 PM, James James wrote:
> Here the log
>
> 2015-04-15 18:58 GMT+02:00 Rich Megginson :
>
> On 04/15/2015 09:46 AM, James James wrote:
>> Hello,
>>
>> I have been looking to solve my problem but I 'm asking for some help.
>>
>> The replication begins but cannot be completed ....
>>
>> I want to install a new fresh replica but I've always got this error :
>>
>> [21/35]: configure dirsrv ccache
>> [22/35]: enable SASL mapping fallback
>> [23/35]: restarting directory server
>> [24/35]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 127 seconds elapsed
>> Update in progress yet not in progress
>>
>> Update in progress yet not in progress
>>
>> [ipa.example.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>
>> [error] RuntimeError: Failed to start replication
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Failed to start replication
>>
>>
>> On the master I have this message :
>> 15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
>> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
>> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
>
> What is happening on the consumer (ipa1.example.com) error and access log at this time?
>
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication
> [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
> ...
> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication

So it would appear that initialization finished successfully. But then . . .

>> [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
>
> [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
> [15/Apr/2015:17:41:16 +0200] - slapd stopped.

So the server is down. Did someone or some process shut down the replica at this time?

>> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>
>> Any hints will be useful.
>>
>> Thanks.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rob.verduijn at gmail.com Wed Apr 15 20:30:48 2015
From: rob.verduijn at gmail.com (Rob Verduijn)
Date: Wed, 15 Apr 2015 22:30:48 +0200
Subject: [Freeipa-users] indirect automount offsets
Message-ID:

Hello,

I'm trying to figure out how to use automounts in freeipa with offsets.

currently I have this:

the default location containing 3 maps
auto.direct
auto.home
auto.master

auto.direct is empty

auto.home contains:
key : *
mount information : -rw nfs.example.com:/homes/&

auto.master contains
key : /-
mount-information : auto.direct
key: /home
mount information : auto.home

in autofs file this would be :

auto.master :
/- /etc/auto.direct
/home /etc/auto.home

and auto.home would contain:
test -rw nfs.example.com:/homes/&

now I would like to do the automount indirect offset like this :

test / -rw nfs.example.com:/homes/test \
  /newfolder nfs2.example.com:/newfolder \
  /anotherfolder nfs3.example.com:/anotherfolder \
  /anotherfolder/2deep nfs4.example.com:/2deep

which would automount the newfolder like this :
/home/test/newfolder
and anotherfolder like this
/home/test/anotherfolder
and 2deep like this
/home/test/anotherfolder/2deep

is this possible in freeipa ?

Rob

From jreg2k at gmail.com Wed Apr 15 20:58:32 2015
From: jreg2k at gmail.com (James James)
Date: Wed, 15 Apr 2015 22:58:32 +0200
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To: <552EBDEA.6040604@redhat.com>
References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com>
Message-ID:

Nothing on the replica .. maybe a process on the master. How can I check that ?

2015-04-15 21:37 GMT+02:00 Rich Megginson :

> On 04/15/2015 12:43 PM, James James wrote:
>
> Here the log
>
> 2015-04-15 18:58 GMT+02:00 Rich Megginson :
>
>> On 04/15/2015 09:46 AM, James James wrote:
>>
>> Hello,
>>
>> I have been looking to solve my problem but I 'm asking for some help.
>>
>> The replication begins but cannot be completed ....
>>
>> I want to install a new fresh replica but I've always got this error :
>>
>> [21/35]: configure dirsrv ccache
>> [22/35]: enable SASL mapping fallback
>> [23/35]: restarting directory server
>> [24/35]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> Update in progress, 127 seconds elapsed
>> Update in progress yet not in progress
>>
>> Update in progress yet not in progress
>>
>> [ipa.example.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>
>> [error] RuntimeError: Failed to start replication
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Failed to start replication
>>
>>
>> On the master I have this message :
>> 15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
>> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
>> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
>>
>>
>> What is happening on the consumer (ipa1.example.com) error and access log at this time?
>>
>
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication
> [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
> ...
> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication
>
> So it would appear that initialization finished successfully. But then . . .
>
>
>> [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
>>
>
> [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
> [15/Apr/2015:17:41:16 +0200] - slapd stopped.
>
> So the server is down. Did someone or some process shut down the replica at this time?
>
>> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>
>> Any hints will be useful.
>>
>> Thanks.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Wed Apr 15 21:46:21 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Apr 2015 15:46:21 -0600
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To:
References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com>
Message-ID: <552EDC2D.9070609@redhat.com>

On 04/15/2015 02:58 PM, James James wrote:
> Nothing on the replica .. maybe a process on the master. How can I
> check that ?

I have no idea. But it seems highly unlikely that a process on the master is able to shut down a process on the replica . . .
I would say that there is some problem with the ipa-replica-install not properly checking the status - see below:

>
> 2015-04-15 21:37 GMT+02:00 Rich Megginson :
>
> On 04/15/2015 12:43 PM, James James wrote:
>> Here the log
>>
>> 2015-04-15 18:58 GMT+02:00 Rich Megginson :
>>
>> On 04/15/2015 09:46 AM, James James wrote:
>>> Hello,
>>>
>>> I have been looking to solve my problem but I 'm asking for some help.
>>>
>>> The replication begins but cannot be completed ....
>>>
>>> I want to install a new fresh replica but I've always got this error :
>>>
>>> [21/35]: configure dirsrv ccache
>>> [22/35]: enable SASL mapping fallback
>>> [23/35]: restarting directory server
>>> [24/35]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 127 seconds elapsed
>>> Update in progress yet not in progress
>>>
>>> Update in progress yet not in progress

in progress yet not in progress???? The error log below clearly shows that replica init succeeded after 127 seconds. IPA-ers - wasn't there some bug about checking replica status properly?

>>>
>>> [ipa.example.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
>>>
>>> [error] RuntimeError: Failed to start replication
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Failed to start replication
>>>
>>>
>>> On the master I have this message :
>>> 15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
>>> [15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Replica has a different generation ID than the local data.
>>> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToipa1.example.com" (ipa1:389)".
>>
>> What is happening on the consumer (ipa1.example.com) error and access log at this time?
>>
>
> [15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication
> [15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
> ...
> [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
> [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication
>
> So it would appear that initialization finished successfully. But then . . .
>
>>
>>> [15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
>>
>
> [15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
> [15/Apr/2015:17:41:16 +0200] - slapd stopped.
>
> So the server is down. Did someone or some process shut down the replica at this time?
>
>>> [15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>
>>> Any hints will be useful.
>>>
>>> Thanks.
>>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: From g.fer.ordas at unicyber.co.uk Wed Apr 15 22:46:41 2015 From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk) Date: Wed, 15 Apr 2015 23:46:41 +0100 Subject: [Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence. In-Reply-To: <20150415050324.GC4797@redhat.com> References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com> <63ef58000058fb06d4aea3b27a3877f8@unicyber.co.uk> <20150415050324.GC4797@redhat.com> Message-ID: <58c173492af1e3d40b13544bc5f39110@unicyber.co.uk> Hi Alexander I do trust the diagnostics and I thank you so much for that explanation as I know now now a bit better what to expect or for the less what is the sequence it follows. This does not seem to be a port issue (below windows): PORT STATE SERVICE 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 111/tcp open rpcbind 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server And after executing the command: ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password I get : =========== s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=112, this_data=112, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10 smb_signing_md5: sequence number 8 
smb_signing_sign_pdu: sent SMB signature of [0000] 4E 30 9B AA AD 9D FA E9 N0...... s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0 s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0 smb_signing_md5: sequence number 9 smb_signing_check_pdu: seq 9: got good SMB signature of [0000] 34 AA E5 B9 B4 BB AD 3D 4......= s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0 s4_tevent: Destroying timer event 0x7fbb7c0a1910 "dcerpc_timeout_handler" s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660 s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660 netr_LogonControl2Ex: struct netr_LogonControl2Ex out: struct netr_LogonControl2Ex query : * query : union netr_CONTROL_QUERY_INFORMATION(case 2) info2 : * info2: struct netr_NETLOGON_INFO_2 flags : 0x00000080 (128) 0: NETLOGON_REPLICATION_NEEDED 0: NETLOGON_REPLICATION_IN_PROGRESS 0: NETLOGON_FULL_SYNC_REPLICATION 0: NETLOGON_REDO_NEEDED 0: NETLOGON_HAS_IP 0: NETLOGON_HAS_TIMESERV 0: NETLOGON_DNS_UPDATE_FAILURE 1: NETLOGON_VERIFY_STATUS_RETURNED pdc_connection_status : WERR_NO_LOGON_SERVERS trusted_dc_name : * trusted_dc_name : '' tc_connection_status : WERR_NO_LOGON_SERVERS result : WERR_OK rpc reply data: [0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........ ........ [0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........ ........ [0020] 01 00 00 00 00 00 00 00 00 00 00 00 ........ .... s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0 smb_signing_md5: sequence number 10 smb_signing_sign_pdu: sent SMB signature of [0000] 91 10 6B 3B E8 98 AA B9 ..k;.... 
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 0x7fbb7c3179d0 s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout" s4_tevent: Cancel immediate event 0x7fbb7c3179d0 "tevent_queue_immediate_trigger" [Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: [jsonserver_session] admin at LDAP.COMPANY.COM: trust_add(u'ad_domain.company.com', trust_type=u'ad', realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): RemoteRetrieveError ============ So to me that seems to be samba related. If try to mount any of the remote AD shares into the IPA server manually , it does perfectly well with the above user details.(this is without kerberos so -k) The netbios for AD and IPA are different (so no complaints there) and It by the IPA side of the business it has been initialised using : ipa-adtrust-install -- ipa-adtrust-install --netbios-name=LDAP_BIOS_NAME -a password -U -- Apologies for all this but I am trying to get through the process as far as I can. Thanks On 2015-04-15 06:03, Alexander Bokovoy wrote: > On Tue, 14 Apr 2015, g.fer.ordas at unicyber.co.uk wrote: >> Hi >> >> Dealing with AD --> Cert Trust I am reaching the following step: >> >> ipa trust-add ad.company.com --admin --password >> Active Directory domain administrator's password: >> ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most >> likely it is a DNS or firewall issue >> >> >> Reaching this far I do not know what the issue is .. Nevertheless and >> before start playing around with the DNS further more.... > The issue is what reported above -- at request of IPA DC to validate > the > trust, AD DC tried to resolve IPA DC via SRV records and then tried to > contact its Samba instance on its own to complete validation of the > trust. Either step might fail, after which AD DC would report back to > IPA DC that it was unable to reach it. > > This diagnostics wasn't added for nothing, you need to trust it. 
:) > >> >> >> if I run the following it seems to successfully establish the trust by >> the IPA side of the business >> >> # ipa trust-add --type=ad "ad_domain" --trust-secret >> >> So this part seems find by the look of it.. > It works because it does not communicate with AD DCs here, only with > IPA's Samba instance. > >> I also had to manually add the AD host and the remote CIFS resource >> but I am getting instead: >> >> ipa trust-fetch-domains corp.hootsuitemedia.com >> ipa: ERROR: AD domain controller complains about communication >> sequence. It may mean unsynchronized time on both sides, for example > This doesn't work because AD DC did not complete the trust validation > and cannot trust IPA Kerberos tickets, thus refusing operation. > Unfortunately, reporting in SMB protocol is less than perfect so we > only > are able to get guesses at what has happened. > > In any case, running trust-fetch-domains makes no sense until you > complete validation. > > And to complete validation you really need to fix issues with either > DNS > or firewall so that AD DCs are capable to reach proper IPA DCs. > > And all IPA DCs should be initialized with ipa-adtrust-install > currently. From rcritten at redhat.com Thu Apr 16 00:22:57 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Apr 2015 20:22:57 -0400 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... In-Reply-To: <552EDC2D.9070609@redhat.com> References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> Message-ID: <552F00E1.2020006@redhat.com> Rich Megginson wrote: > On 04/15/2015 02:58 PM, James James wrote: >> Nothing on the replica .. maybye a process on the master. How can I >> check that ? > > I have no idea. But it seems highly unlikely that a process on the > master is able to shutdown a process on the replica . . . 
> > I would say that there is some problem with the ipa-replica-install not > properly checking the status - see below: > >> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson > >: >> >> On 04/15/2015 12:43 PM, James James wrote: >>> Here the log >>> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson >> >: >>> >>> On 04/15/2015 09:46 AM, James James wrote: >>>> Hello, >>>> >>>> I have been looking to solve my problem but I'm asking for >>>> some help. >>>> >>>> The replication begins but cannot be completed .... >>>> >>>> I want to install a new fresh replica but I've always got >>>> this error : >>>> >>>> [21/35]: configure dirsrv ccache >>>> [22/35]: enable SASL mapping fallback >>>> [23/35]: restarting directory server >>>> [24/35]: setting up initial replication >>>> Starting replication, please wait until this has completed. >>>> Update in progress, 127 seconds elapsed >>>> Update in progress yet not in progress >>>> >>>> Update in progress yet not in progress >>> > > in progress yet not in progress???? The error log below clearly shows > that replica init succeeded after 127 seconds. > > IPA-ers - wasn't there some bug about checking replica status properly? > The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus. It loops looking for nsds5BeginReplicaRefresh. If there is no value it prints "Update in progress, %d seconds elapsed". Once it gets a status, the update is done, and it looks at nsds5ReplicaLastInitStatus. If it isn't empty, doesn't include 'replica busy' or 'Total update succeeded' then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is, it prints "Update in progress yet not in progress" and tries the loop again. AFAICT this part of a replica install doesn't restart 389-ds. /var/log/ipareplica-install.log may hold some details. 
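The polling loop described in the reply above, reconstructed as an added example: this is not FreeIPA's own code and not part of the original message. It assumes the 389-ds convention that nsds5BeginReplicaRefresh is set to "start" to request a total update and is removed by the server when the update ends, after which nsds5ReplicaLastInitStatus carries the result. The sample polls are constructed to reproduce the messages seen in this thread, including the case where the supplier reports an aborted update while still flagging the agreement as in progress.

```python
# Added example: stand-alone reconstruction of the replica-init status check
# that ipa-replica-install performs while waiting for a total update.
# Not FreeIPA's code. Assumes nsds5BeginReplicaRefresh is present while the
# total update runs and is cleared by 389-ds when it finishes.

SUCCESS_MARKER = "Total update succeeded"
BUSY_MARKER = "replica busy"


def check_repl_init(entry, elapsed):
    """Classify one poll of a replication agreement entry.

    entry   -- dict of attribute name -> value (None or "" when absent)
    elapsed -- seconds since the total update was requested
    Returns (done, message); done is True once polling should stop.
    """
    refresh = entry.get("nsds5BeginReplicaRefresh")
    in_progress = (entry.get("nsds5replicaUpdateInProgress") or "").lower()
    status = entry.get("nsds5ReplicaLastInitStatus") or ""

    if refresh:
        # Server has not yet cleared the refresh request: still running.
        return False, "Update in progress, %d seconds elapsed" % elapsed
    if not status:
        # Refresh cleared but the status attribute is not populated yet.
        return False, "No status yet"
    if BUSY_MARKER in status:
        # Consumer refused the init because another one is running;
        # the caller should retry later rather than treat it as fatal.
        return True, "Replica Busy! Status: [%s]" % status
    if SUCCESS_MARKER in status:
        return True, "Update succeeded"
    if in_progress == "true":
        # Error status while the agreement is still flagged as updating:
        # the confusing message from the thread. Keep polling.
        return False, "Update in progress yet not in progress"
    return True, "Update failed! Status: [%s]" % status


def wait_for_repl_init(polls):
    """Run check_repl_init over (elapsed_seconds, entry) pairs, as if the
    agreement DN were searched once per second. Returns (messages, outcome)."""
    messages = []
    for elapsed, entry in polls:
        done, msg = check_repl_init(entry, elapsed)
        messages.append(msg)
        if done:
            return messages, msg
    return messages, "timed out"


# Constructed sample polls modelled on the symptoms reported in the thread.
RUNNING = {"nsds5BeginReplicaRefresh": "start",
           "nsds5replicaUpdateInProgress": "TRUE",
           "nsds5ReplicaLastInitStatus": ""}
OK_DONE = {"nsds5BeginReplicaRefresh": None,
           "nsds5replicaUpdateInProgress": "FALSE",
           "nsds5ReplicaLastInitStatus": "0 Total update succeeded"}
ABORTED_BUT_BUSY = {"nsds5BeginReplicaRefresh": None,
                    "nsds5replicaUpdateInProgress": "TRUE",
                    "nsds5ReplicaLastInitStatus":
                        "10 Total update abortedLDAP error: Referral"}
ABORTED = dict(ABORTED_BUT_BUSY, nsds5replicaUpdateInProgress="FALSE")

if __name__ == "__main__":
    good_run = [(1, RUNNING), (2, RUNNING), (3, OK_DONE)]
    bad_run = [(126, RUNNING), (127, ABORTED_BUT_BUSY), (128, ABORTED)]
    for name, run in (("good", good_run), ("bad", bad_run)):
        msgs, outcome = wait_for_repl_init(run)
        print(name, "->", outcome)
        for m in msgs:
            print("   ", m)
```

The "yet not in progress" branch is the one that never terminates on its own: it only ends when the supplier either clears nsds5replicaUpdateInProgress (giving the "Update failed" line with the referral error seen above) or rewrites the status to a success string, which is why the consumer's error log, not this loop, is the authoritative record of whether the import finished.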
rob From tlau at tetrioncapital.com Thu Apr 16 02:17:07 2015 From: tlau at tetrioncapital.com (Thomas Lau) Date: Thu, 16 Apr 2015 10:17:07 +0800 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: <552D1F25.4030200@redhat.com> References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> <552D1F25.4030200@redhat.com> Message-ID: Hi, I just checked with developer, there is no authentication related code in the program, we could treat it as normal cron job. is that possible to make sssd less contact with FreeIPA? for example, refresh all user info every 5 minutes, else use cache info. On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal wrote: > On 04/13/2015 10:41 PM, Thomas Lau wrote: >> >> Hi, >> >> It's an in-house program which runs on one kerberos user. > > You need to look what this program is doing. > I suspect it is doing some sort of kinit itself and does not rely on the PAM > stack, i.e it bypasses SSSD in the given scenario. > Can this be the case? > > >> >> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote: >>> >>> On 04/13/2015 08:23 AM, Thomas Lau wrote: >>> >>> Hi, >>> >>> These problem appear randomly, sometime it still work even under heavy >>> packet loss, some times would be like this. So its hard to catch. >>> >>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote: >>>> >>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: >>>>> >>>>> Hi all, >>>>> >>>>> We have cronjob which running on a FreeIPA LDAP user; When connection >>>>> between IPA server and client having heavy packet loss, following >>>>> error would occur: >>>>> >>>>> CRON[20637]: Authentication service cannot retrieve authentication info >>>>> >>>>> I have cache credentials and store password if offline enabled on >>>>> sssd, how these problem would still happening? >>> >>> >>> It might be that the cause of the problem is actually the packet loss or >>> some kind of delay. 
>>> SSSD might not think that it is offline but cron job itself times out and >>> reports failure. >>> Do you know what operation in the job fails? >>> >>> >>>>> >>>>> sssd.conf: >>>>> >>>>> cache_credentials = True >>>>> krb5_store_password_if_offline = True >>>> >>>> Did the use log in at least once offline? You can verify if the password >>>> has been cached using the ldbsearch utility. It would be best to catch >>>> the occurence of the problem in logs. >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >>> >>> >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > -- Thomas Lau Director of Infrastructure Tetrion Capital Limited Direct: +852-3976-8903 Mobile: +852-9323-9670 Address: 20/F, IFC 1, Central district, Hong Kong From dpal at redhat.com Thu Apr 16 03:10:39 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 15 Apr 2015 23:10:39 -0400 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> <552D1F25.4030200@redhat.com> Message-ID: <552F282F.80900@redhat.com> On 04/15/2015 10:17 PM, Thomas Lau wrote: > Hi, > > I just checked with developer, there is no authentication related code > in the program, we could treat it as normal cron job. > > is that possible to make sssd less contact with FreeIPA? for example, > refresh all user info every 5 minutes, else use cache info. OK, thanks for clarification. Then it is SSSD. 
It would be hard to understand where the problem is. For authentication SSSD does online if it knows that it is online. Packet loss can cause it to loose connection and time out. It might not failing over to offline mode as it is "semi online" because of the packet loss and retries. The SSSD logs would really be helpful to diagnose the issue. Also https://fedorahosted.org/sssd/ticket/1807 might be what you are looking for. It is being worked on for the next release. > On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal wrote: >> On 04/13/2015 10:41 PM, Thomas Lau wrote: >>> Hi, >>> >>> It's an in-house program which runs on one kerberos user. >> You need to look what this program is doing. >> I suspect it is doing some sort of kinit itself and does not rely on the PAM >> stack, i.e it bypasses SSSD in the given scenario. >> Can this be the case? >> >> >>> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote: >>>> On 04/13/2015 08:23 AM, Thomas Lau wrote: >>>> >>>> Hi, >>>> >>>> These problem appear randomly, sometime it still work even under heavy >>>> packet loss, some times would be like this. So its hard to catch. >>>> >>>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote: >>>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: >>>>>> Hi all, >>>>>> >>>>>> We have cronjob which running on a FreeIPA LDAP user; When connection >>>>>> between IPA server and client having heavy packet loss, following >>>>>> error would occur: >>>>>> >>>>>> CRON[20637]: Authentication service cannot retrieve authentication info >>>>>> >>>>>> I have cache credentials and store password if offline enabled on >>>>>> sssd, how these problem would still happening? >>>> >>>> It might be that the cause of the problem is actually the packet loss or >>>> some kind of delay. >>>> SSSD might not think that it is offline but cron job itself times out and >>>> reports failure. >>>> Do you know what operation in the job fails? 
>>>> >>>> >>>>>> sssd.conf: >>>>>> >>>>>> cache_credentials = True >>>>>> krb5_store_password_if_offline = True >>>>> Did the use log in at least once offline? You can verify if the password >>>>> has been cached using the ldbsearch utility. It would be best to catch >>>>> the occurence of the problem in logs. >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>> >>>> >>>> >>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager IdM portfolio >>>> Red Hat, Inc. >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From rcritten at redhat.com Thu Apr 16 03:36:44 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 15 Apr 2015 23:36:44 -0400 Subject: [Freeipa-users] indirect automount offsets In-Reply-To: References: Message-ID: <552F2E4C.1070103@redhat.com> Rob Verduijn wrote: > Hello, > > I'm trying to figure out how to use automounts in freeipa with offsets. 
> > currently I have this: > the default location containing 3 maps > auto.direct > auto.home > auto.master > > auto.direct is empty > auto.home contains: > key : * mount information : -rw nfs.example.com:/homes/& > auto.master contains > key : /- mount-information : auto.direct > key: /home mount information : auto.home > > in autofs file this would be : > auto.master : > /- /etc/auto.direct > /home /etc/auto.home > > and auto.home would contain: > test -rw nfs.example.com:/homes/& > > now I would like to do the automount indirect offset like this : > test / -rw nfs.example.com:/homes/test \ > /newfolder nfs2.example.com:/newfolder \ > /anotherfolder nfs3.example.com:/anotherfolder \ > /anotherfolder/2deep nfs4.example.com:/2deep > > which would automount the newfolder like this : > /home/test/newfolder > and anotherfolder like this > /home/test/anotherfolder > and 2deep like this > /home/test/anotherfolder/2deep > > is this possible in freeipa ? > Rob > If it's possible with LDAP-stored autofs it should be possible with IPA. I've typically used much simpler configurations with automount. Theoretically it should work just the way you'd set it in a file, as you've posted. Did you try it? You'd set --key=test --info='/ -rw ...' rob From abokovoy at redhat.com Thu Apr 16 04:41:24 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Apr 2015 07:41:24 +0300 Subject: [Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence. 
In-Reply-To: <58c173492af1e3d40b13544bc5f39110@unicyber.co.uk> References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com> <63ef58000058fb06d4aea3b27a3877f8@unicyber.co.uk> <20150415050324.GC4797@redhat.com> <58c173492af1e3d40b13544bc5f39110@unicyber.co.uk> Message-ID: <20150416044124.GH4797@redhat.com> On Wed, 15 Apr 2015, g.fer.ordas at unicyber.co.uk wrote: >Hi Alexander > >I do trust the diagnostics and I thank you so much for that >explanation as I know now now a bit better what to expect or for the >less what is the sequence it follows. > > >This does not seem to be a port issue (below windows): >PORT STATE SERVICE >53/tcp open domain >80/tcp open http >88/tcp open kerberos-sec >111/tcp open rpcbind >135/tcp open msrpc >139/tcp open netbios-ssn >389/tcp open ldap >445/tcp open microsoft-ds >464/tcp open kpasswd5 >593/tcp open http-rpc-epmap >636/tcp open ldapssl >3268/tcp open globalcatLDAP >3269/tcp open globalcatLDAPssl >3389/tcp open ms-wbt-server > >And after executing the command: >ipa trust-add --type=ad ad_domain.company.com --admin ad_user --password > >I get : >=========== >s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 >s4_tevent: Added timed event "dcerpc_timeout_handler": 0x7fbb7c0a1910 >s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 >s4_tevent: Schedule immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 >num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, >data_total=112, this_data=112, max_data=4280, param_offset=84, >param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 >s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c434b10 >smb_signing_md5: sequence number 8 >smb_signing_sign_pdu: sent SMB signature of >[0000] 4E 30 9B AA AD 9D FA E9 N0...... 
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": >0x7fbb7c3179d0 >s4_tevent: Run immediate event "dcerpc_io_trigger": 0x7fbb7c00f170 >s4_tevent: Run immediate event "tevent_queue_immediate_trigger": >0x7fbb7c3179d0 >smb_signing_md5: sequence number 9 >smb_signing_check_pdu: seq 9: got good SMB signature of >[0000] 34 AA E5 B9 B4 BB AD 3D 4......= >s4_tevent: Destroying timer event 0x7fbb7c434b10 "tevent_req_timedout" >s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c532dd0 >s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c532dd0 >s4_tevent: Destroying timer event 0x7fbb7c0a1910 >"dcerpc_timeout_handler" >s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7fbb7c0a1660 >s4_tevent: Run immediate event "tevent_req_trigger": 0x7fbb7c0a1660 > netr_LogonControl2Ex: struct netr_LogonControl2Ex > out: struct netr_LogonControl2Ex > query : * > query : union >netr_CONTROL_QUERY_INFORMATION(case 2) > info2 : * > info2: struct netr_NETLOGON_INFO_2 > flags : 0x00000080 (128) > 0: NETLOGON_REPLICATION_NEEDED > 0: NETLOGON_REPLICATION_IN_PROGRESS > 0: NETLOGON_FULL_SYNC_REPLICATION > 0: NETLOGON_REDO_NEEDED > 0: NETLOGON_HAS_IP > 0: NETLOGON_HAS_TIMESERV > 0: NETLOGON_DNS_UPDATE_FAILURE > 1: NETLOGON_VERIFY_STATUS_RETURNED > pdc_connection_status : WERR_NO_LOGON_SERVERS > trusted_dc_name : * > trusted_dc_name : '' > tc_connection_status : WERR_NO_LOGON_SERVERS > result : WERR_OK >rpc reply data: >[0000] 02 00 00 00 00 00 02 00 80 00 00 00 1F 05 00 00 ........ >........ >[0010] 04 00 02 00 1F 05 00 00 01 00 00 00 00 00 00 00 ........ >........ >[0020] 01 00 00 00 00 00 00 00 00 00 00 00 ........ .... >s4_tevent: Added timed event "tevent_req_timedout": 0x7fbb7c23ced0 >smb_signing_md5: sequence number 10 >smb_signing_sign_pdu: sent SMB signature of >[0000] 91 10 6B 3B E8 98 AA B9 ..k;.... 
>s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": >0x7fbb7c3179d0 >s4_tevent: Destroying timer event 0x7fbb7c23ced0 "tevent_req_timedout" >s4_tevent: Cancel immediate event 0x7fbb7c3179d0 >"tevent_queue_immediate_trigger" >[Wed Apr 15 22:17:08.729930 2015] [:error] [pid 4810] ipa: INFO: >[jsonserver_session] admin at LDAP.COMPANY.COM: >trust_add(u'ad_domain.company.com', trust_type=u'ad', >realm_admin=u'ad_user', realm_passwd=u'********', all=False, >raw=False, version=u'2.114'): RemoteRetrieveError >============ > >So to me that seems to be samba related. No, it is not, at least so far all evidence is only telling that AD DC cannot talk to IPA DC. From the above netr_NETLOGON_INFO_2 structure it is pretty clear: "AD DC tried to verify trust and was unable to contact logon servers (DCs) of IPA". >If try to mount any of the remote AD shares into the IPA server >manually , it does perfectly well with the above user details.(this is >without kerberos so -k) If you mount something on IPA server, it means connection goes from IPA server to AD DC, not the other way around. You need to make sure the opposite direction (connection initiated by AD DC towards IPA server) would work. -- / Alexander Bokovoy From jreg2k at gmail.com Thu Apr 16 04:44:14 2015 From: jreg2k at gmail.com (James James) Date: Thu, 16 Apr 2015 06:44:14 +0200 Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ... In-Reply-To: <552F00E1.2020006@redhat.com> References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com> <552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com> Message-ID: The ipareplica-install.log file in attachment ... 2015-04-16 2:22 GMT+02:00 Rob Crittenden : > Rich Megginson wrote: > > On 04/15/2015 02:58 PM, James James wrote: > >> Nothing on the replica .. maybye a process on the master. How can I > >> check that ? > > > > I have no idea. 
But it seems highly unlikely that a process on the > > master is able to shutdown a process on the replica . . . > > > > I would say that there is some problem with the ipa-replica-install not > > properly checking the status - see below: > > > >> > >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >> >: > >> > >> On 04/15/2015 12:43 PM, James James wrote: > >>> Here the log > >>> > >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson >>> >: > >>> > >>> On 04/15/2015 09:46 AM, James James wrote: > >>>> Hello, > >>>> > >>>> I have been looking to solve my problem but I 'm asking for > >>>> some help. > >>>> > >>>> The replication begins but cannot be completed .... > >>>> > >>>> I want to install a new fresh replica but I've always got > >>>> this error : > >>>> > >>>> [21/35]: configure dirsrv ccache > >>>> [22/35]: enable SASL mapping fallback > >>>> [23/35]: restarting directory server > >>>> [24/35]: setting up initial replication > >>>> Starting replication, please wait until this has completed. > >>>> Update in progress, 127 seconds elapsed > >>>> Update in progress yet not in progress > >>>> > >>>> Update in progress yet not in progress > >>> > > > > in progress yet not in progress???? The error log below clearly shows > > that replica init succeeded after 127 seconds. > > > > IPA-ers - wasn't there some bug about checking replica status properly? > > > > The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress > and nsds5ReplicaLastInitStatus. > > It loops looking for nsds5BeginReplicaRefresh. If there is no value it > prints "Update in progress, %d seconds elapsed". Once it gets a status, > the update is done, and it looks at nsds5ReplicaLastInitStatus. If it > isn't empty, doesn't include 'replica busy' or 'Total update succeeded' > then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is, > ir prints Update in progress yet not in progress and tries the loop again. > > AFAICT this part of a replica install doesn't restart 389-ds. 
> > /var/log/ipareplica-install.log may hold some details. > > rob > > -------------- next part -------------- A non-text attachment was scrubbed... Name: ipareplica-install.log Type: text/x-log Size: 57867 bytes Desc: not available From Alexander.Frolushkin at megafon.ru Thu Apr 16 07:52:05 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Thu, 16 Apr 2015 07:52:05 +0000 Subject: [Freeipa-users] Errors in dirsrv logs Message-ID: Hello again. Now, in addition to connection - conn=xxxx fd=xxx Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. messages, we have on six of our 16 servers NSMMReplicationPlugin - changelog program - agmt="cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): CSN 552de186000b00110000 not found, we aren't as up to date, or we purged Maybe it begins to generate this error after one of our masters was re-initialized. Is there any way to fix it without complete replicas reinstallation? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. 
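The CSN quoted in the "not found" error above encodes the replica ID of the master that generated the change, which is the first thing to compare against the replica update vector before deciding whether a cleanruv is needed. The following is an added example, not part of the original message or of FreeIPA or 389-ds: it decodes a 389-ds CSN (8 hex digits of Unix time, 4 of sequence number, 4 of replica ID, 4 of sub-sequence) and matches the replica IDs found in error-log lines against a constructed `ipa-replica-manage list-ruv` listing; the `host:port: rid` line layout of that listing and the hostnames other than nw-rhidm01 are assumptions made for the sample.

```python
# Added example: decode 389-ds CSNs from replication error lines and compare
# the replica IDs they name with the RIDs present in the RUV. Not FreeIPA or
# 389-ds code. The list-ruv output format below is assumed, not verified
# against a specific version.
import datetime
import re

CSN_RE = re.compile(r"\bCSN ([0-9a-fA-F]{20})\b")
# Assumed shape of one list-ruv line: "<host>:<port>: <rid>"
RUV_LINE_RE = re.compile(r"^\s*(\S+):(\d+): (\d+)\s*$")


def parse_csn(csn):
    """Decode a 20-hex-digit 389-ds change sequence number.

    Layout: time (8 hex, seconds since the Unix epoch), sequence number
    within that second (4 hex), replica ID of the originating master
    (4 hex), sub-sequence number for multi-change operations (4 hex).
    """
    if len(csn) != 20 or any(c not in "0123456789abcdefABCDEF" for c in csn):
        raise ValueError("not a CSN: %r" % csn)
    ts = int(csn[0:8], 16)
    when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return {
        "time": ts,
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "seqnum": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def rids_in_ruv(list_ruv_output):
    """Set of replica IDs appearing in (assumed-format) list-ruv output."""
    rids = set()
    for line in list_ruv_output.splitlines():
        m = RUV_LINE_RE.match(line)
        if m:
            rids.add(int(m.group(3)))
    return rids


def stale_rids(error_log, list_ruv_output):
    """Replica IDs named by 'CSN ... not found' lines that are absent from
    the RUV: the candidates to investigate (e.g. a re-initialised or removed
    master) before any cleanruv is run."""
    referenced = {parse_csn(m.group(1))["rid"] for m in CSN_RE.finditer(error_log)}
    return sorted(referenced - rids_in_ruv(list_ruv_output))


# Error line as reported in the thread.
LOG_LINE = ('NSMMReplicationPlugin - changelog program - '
            'agmt="cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): '
            "CSN 552de186000b00110000 not found, we aren't as up to date, "
            "or we purged")

# Constructed list-ruv output; hostnames other than nw-rhidm01 are invented.
RUV_OUTPUT = """Replica Update Vectors:
\tnw-rhidm01.unix.ad.com:389: 11
\tnw-rhidm02.unix.ad.com:389: 12
\tnw-rhidm03.unix.ad.com:389: 16
"""

if __name__ == "__main__":
    print(parse_csn("552de186000b00110000"))
    print("RIDs in RUV:", sorted(rids_in_ruv(RUV_OUTPUT)))
    print("RIDs referenced but missing:", stale_rids(LOG_LINE, RUV_OUTPUT))
```

Decoding the CSN from the message gives replica ID 17 with a timestamp of 2015-04-15 03:56:54 UTC; if that ID is not in `list-ruv` output for any live master, the changelog is referring to a master that no longer exists in the topology, which is exactly the situation a cleanruv addresses.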
It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 From rob.verduijn at gmail.com Thu Apr 16 08:17:17 2015 From: rob.verduijn at gmail.com (Rob Verduijn) Date: Thu, 16 Apr 2015 10:17:17 +0200 Subject: [Freeipa-users] indirect automount offsets In-Reply-To: <552F2E4C.1070103@redhat.com> References: <552F2E4C.1070103@redhat.com> Message-ID: Hello, It indeed works --key=* --info='/ -rw nfs.example.com:/homes/& /subdir -rw nfs2.example.com:/subdir' however the directory is not mounted. I know it works because when running automount in debug mode I see mounted nfs.example.com:/homes/test on /home/test and then it tries to mount the subdir do_mount_autofs_offset: mount offset /home/test/subdir at /home/test however it fails with the error mount_autofs_offset: can't create mount directory: /home/test/subdir, Permission denied failed to mount offset as a test I set an acl on the /exports/homes dir on the fileserver. setfacl -R -m other:rwx /exports/homes setfacl -R -m d:other:rwx /exports/homes and created the mountpoint in the home directory (it failed when it does not exist due to root squash I guess) mkdir /exports/homes/test/subdir and the offset subdir mount is mounted by autofs on the client. any ideas on how to set the privileges in such a way that not everybody requires access to the exports ? 
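The multi-mount offset syntax used in this thread, and the reason the offset mount point ends up inside the NFS-mounted home directory, is easier to see when the map entry is expanded programmatically. The following is an added example written for this thread; it is not autofs or FreeIPA code. It parses an autofs multi-mount value into its offsets, expands a wildcard `*` / `&` entry for a given key, and lists which mount points automount has to create inside the root offset's filesystem, which is the mkdir that fails under root_squash in the report above. The map values are the ones posted in the thread; the `/home` mount base comes from the poster's auto.master.

```python
# Added example: expand autofs multi-mount (offset) map entries the way the
# thread uses them. Not autofs or FreeIPA code. Grammar handled: optional
# '-options', then repeated '<offset> [-options] <location>' groups where
# offsets start with '/' and the root of the multi-mount is the offset '/'.
import posixpath


def parse_multimount(info):
    """Split a map entry's mount information into (offset, options, location).

    A plain '[-options] <location>' value is returned as one tuple with
    offset ''. Backslash line continuations are tolerated. A trailing
    offset or option string with no location is a malformed entry.
    """
    entries = []
    cur_offset, cur_opts = "", ""
    for tok in info.replace("\\", " ").split():
        if tok.startswith("/"):
            cur_offset, cur_opts = tok, ""
        elif tok.startswith("-"):
            cur_opts = tok
        else:
            # Anything else is a location (host:/path); it closes the group.
            entries.append((cur_offset, cur_opts, tok))
            cur_offset, cur_opts = "", ""
    if cur_offset or cur_opts:
        raise ValueError("offset/options without a location: %r %r"
                         % (cur_offset, cur_opts))
    return entries


def resolve(mount_base, key, info):
    """Expand one lookup into concrete mounts.

    mount_base -- the auto.master mount point for this map (e.g. /home)
    key        -- the directory name looked up under it (e.g. test)
    info       -- the entry's mount information, possibly wildcard form
    '&' in a location is replaced by the key, as autofs does for '*' keys.
    Returns a list of (offset, mountpoint, options, location).
    """
    mounts = []
    for offset, opts, location in parse_multimount(info):
        location = location.replace("&", key)
        mountpoint = posixpath.normpath(
            posixpath.join(mount_base, key, offset.lstrip("/")))
        mounts.append((offset, mountpoint, opts, location))
    return mounts


def offset_dirs_inside_root(mounts):
    """Mount points that sit inside the root offset's filesystem.

    When the root offset '/' is itself an NFS mount, these directories live
    on the NFS server, so the client's automount (running as root) must be
    able to create them there; with root_squash on the export that mkdir is
    denied, matching the 'can't create mount directory' failure in the thread.
    """
    return [mp for offset, mp, _, _ in mounts if offset not in ("", "/")]


# Map values posted in the thread.
WILDCARD_INFO = "/ -rw nfs.example.com:/homes/& /subdir -rw nfs2.example.com:/subdir"
OFFSETS_INFO = ("/ -rw nfs.example.com:/homes/test \\ "
                "/newfolder nfs2.example.com:/newfolder \\ "
                "/anotherfolder nfs3.example.com:/anotherfolder \\ "
                "/anotherfolder/2deep nfs4.example.com:/2deep")

if __name__ == "__main__":
    for offset, mp, opts, loc in resolve("/home", "test", OFFSETS_INFO):
        print("%-20s -> %-32s %s %s" % (offset or "(plain)", mp, opts, loc))
    print("must be created on the NFS server:",
          offset_dirs_inside_root(resolve("/home", "test", OFFSETS_INFO)))
```

Run for the wildcard entry with key `test`, the expansion is `/home/test` from `nfs.example.com:/homes/test` and `/home/test/subdir` from `nfs2.example.com:/subdir`; the second mount point is a directory inside the first export, so it has to exist there (or be creatable by the client's root identity) before the offset can be mounted.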
Rob Verduijn 2015-04-16 5:36 GMT+02:00 Rob Crittenden : > Rob Verduijn wrote: >> Hello, >> >> I'm trying to figure out how to use automounts in freeipa with offsets. >> >> currently I have this: >> the default location containing 3 maps >> auto.direct >> auto.home >> auto.master >> >> auto.direct is empty >> auto.home contains: >> key : * mount information : -rw nfs.example.com:/homes/& >> auto.master contains >> key : /- mount-information : auto.direct >> key: /home mount information : auto.home >> >> in autofs file this would be : >> auto.master : >> /- /etc/auto.direct >> /home /etc/auto.home >> >> and auto.home would contain: >> test -rw nfs.example.com:/homes/& >> >> now I would like to do the automount indirect offset like this : >> test / -rw nfs.example.com:/homes/test \ >> /newfolder nfs2.example.com:/newfolder \ >> /anotherfolder nfs3.example.com:/anotherfolder \ >> /anotherfolder/2deep nfs4.example.com:/2deep >> >> which would automount the newfolder like this : >> /home/test/newfolder >> and anotherfolder like this >> /home/test/anotherfolder >> and 2deep like this >> /home/test/anotherfolder/2deep >> >> is this possible in freeipa ? >> Rob >> > > If it's possible with LDAP-stored autofs it should be possible with IPA. > I've typically used much simpler configurations with automount. > > Theoreticaly it should work just the way you'd set it in a file, as > you've posted. Did you try it? You'd set --key=test --info='/ -rw ...' > > rob From tbordaz at redhat.com Thu Apr 16 10:14:14 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 16 Apr 2015 12:14:14 +0200 Subject: [Freeipa-users] Errors in dirsrv logs In-Reply-To: References: Message-ID: <552F8B76.5010601@redhat.com> On 04/16/2015 09:52 AM, Alexander Frolushkin wrote: > > Hello again. > > Now, in addition to > > connection - conn=xxxx fd=xxx Incoming BER Element was too long, max > allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute > in cn=config to increase. 
>
> messages, we have on six of our 16 servers
>
> NSMMReplicationPlugin - changelog program -
> agmt="cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): CSN
> 552de186000b00110000 not found, we aren't as up to date, or we purged
>
> Maybe it begins to generate this error after one of our masters was
> re-initialized.
>
> Is there any way to fix it without complete replicas reinstallation?
>

Did you reinstall replicas? It could be that the replicaId=17 does not exist anymore and you may need to do cleanruv.
What is the output of ipa-replica-manage list-ruv?

thanks
thierry

> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
>
> ------------------------------------------------------------------------
>
> The information contained in this communication is intended solely for
> the use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally
> privileged information. The contents may not be disclosed or used by
> anyone other than the addressee. If you are not the intended
> recipient(s), any use, disclosure, copying, distribution or any action
> taken or omitted to be taken in reliance on it is prohibited and may
> be unlawful.
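The replicaId=17 in thierry's reply comes straight out of the CSN in the error message: a 389-ds CSN is 20 hex digits, 8 of timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence number, so the third field of 552de186000b00110000 is 0x0011 = 17. The block below is an example added by the editor, not code from FreeIPA, 389-ds or anyone in this thread: it decodes a CSN into its fields and checks it against a replica update vector, sorting the "not found" case into the three explanations the 389-ds message itself lists (the replica ID is no longer in the RUV, the change is older than what the changelog still holds, or it is newer than anything received). The nsds50ruv lines are constructed sample data in the format 389-ds uses for that attribute; nw-rhidm01.unix.ad.com is from the thread, old-master.example.com is invented, and the verdict labels are mine.

```python
"""Added example: decode 389-ds CSNs and check one against a replica
update vector (RUV).  Not FreeIPA or 389-ds code; the sample RUV below
is constructed for the example."""
import re
from datetime import datetime, timezone

# A CSN string is 20 hex digits: 8 of timestamp (seconds since the epoch),
# 4 of sequence number, 4 of replica ID, 4 of sub-sequence number.
CSN_RE = re.compile(r"[0-9a-fA-F]{20}")


def decode_csn(csn):
    if not CSN_RE.fullmatch(csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {
        "timestamp": int(csn[0:8], 16),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def csn_time(csn):
    """When the change was made, as an aware UTC datetime."""
    return datetime.fromtimestamp(decode_csn(csn)["timestamp"], tz=timezone.utc)


# One RUV element per replica, as stored in the nsds50ruv attribute:
#   nsds50ruv: {replica 17 ldap://host:389} <min CSN> <max CSN>
RUV_ELEMENT_RE = re.compile(
    r"\{replica (?P<rid>\d+) (?P<url>ldap://[^}]+)\}"
    r"(?:\s+(?P<min>[0-9a-f]{20}))?(?:\s+(?P<max>[0-9a-f]{20}))?"
)


def parse_ruv(lines):
    """Map replica ID -> {url, min, max} from nsds50ruv attribute values."""
    ruv = {}
    for line in lines:
        m = RUV_ELEMENT_RE.search(line)
        if m:
            ruv[int(m.group("rid"))] = {
                "url": m.group("url"), "min": m.group("min"), "max": m.group("max")}
    return ruv


def classify_csn(csn, ruv):
    """Why a CSN could be reported 'not found' against this server's RUV."""
    csn = csn.lower()
    rid = decode_csn(csn)["replica_id"]
    if rid not in ruv:
        # The RID is gone from this RUV: whoever still asks for its CSNs
        # carries a stale element, which is what cleanruv removes.
        return "unknown-replica"
    lo, hi = ruv[rid]["min"], ruv[rid]["max"]
    # CSNs from one replica increase monotonically and the encoding is
    # fixed-width hex, so plain string comparison is chronological.
    if lo and csn < lo:
        return "purged"            # older than the oldest change still held
    if hi and csn > hi:
        return "not-yet-received"  # newer than anything this server has seen
    return "in-range"


# Constructed sample: replica 4 is the host named in the thread, replica 17
# is an invented, since re-initialised master.
SAMPLE_RUV = [
    "nsds50ruv: {replicageneration} 54f5a1c0000000040000",
    "nsds50ruv: {replica 4 ldap://nw-rhidm01.unix.ad.com:389} 54f5a1f2000000040000 552fbd1a000100040000",
    "nsds50ruv: {replica 17 ldap://old-master.example.com:389} 552e0a00000000110000 552e9f00000000110000",
]

if __name__ == "__main__":
    csn = "552de186000b00110000"   # the CSN from the error message in the thread
    print(decode_csn(csn), csn_time(csn).isoformat())
    print(classify_csn(csn, parse_ruv(SAMPLE_RUV)))
```

Against the constructed RUV the CSN from the error classifies as "purged": replica 17 is still known, but the change is older than the earliest CSN the element keeps, which is the "or we purged" branch of the message. If `ipa-replica-manage list-ruv` shows an ID that no live server carries, the other branch applies and the stale element has to be cleaned.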
> If you have received this communication in error please
> notify us immediately by responding to this email and then delete the
> e-mail and all attachments and any copies thereof.
>
> (c)20mf50
>
-------------- next part -------------- An HTML attachment was scrubbed... URL:

From tlau at tetrioncapital.com Thu Apr 16 10:40:25 2015
From: tlau at tetrioncapital.com (Thomas Lau)
Date: Thu, 16 Apr 2015 18:40:25 +0800
Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info
In-Reply-To: <552F282F.80900@redhat.com>
References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> <552D1F25.4030200@redhat.com> <552F282F.80900@redhat.com>
Message-ID:

I think the semi-online status causes SSSD to be confused about what to do, causing it to time out.

So that means no fix for now.

On Thu, Apr 16, 2015 at 11:10 AM, Dmitri Pal wrote:
> On 04/15/2015 10:17 PM, Thomas Lau wrote:
>>
>> Hi,
>>
>> I just checked with the developer, there is no authentication related code
>> in the program, we could treat it as a normal cron job.
>>
>> Is it possible to make sssd contact FreeIPA less? For example,
>> refresh all user info every 5 minutes, else use cached info.
>
>
> OK, thanks for clarification.
> Then it is SSSD.
>
> It would be hard to understand where the problem is.
> For authentication SSSD does online if it knows that it is online. Packet
> loss can cause it to lose connection and time out.
> It might not be failing over to offline mode as it is "semi online" because of
> the packet loss and retries.
>
> The SSSD logs would really be helpful to diagnose the issue.
> Also https://fedorahosted.org/sssd/ticket/1807 might be what you are looking
> for. It is being worked on for the next release.
>
>
>> On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal wrote:
>>>
>>> On 04/13/2015 10:41 PM, Thomas Lau wrote:
>>>>
>>>> Hi,
>>>>
>>>> It's an in-house program which runs on one kerberos user.
>>> >>> You need to look what this program is doing. >>> I suspect it is doing some sort of kinit itself and does not rely on the >>> PAM >>> stack, i.e it bypasses SSSD in the given scenario. >>> Can this be the case? >>> >>> >>>> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote: >>>>> >>>>> On 04/13/2015 08:23 AM, Thomas Lau wrote: >>>>> >>>>> Hi, >>>>> >>>>> These problem appear randomly, sometime it still work even under heavy >>>>> packet loss, some times would be like this. So its hard to catch. >>>>> >>>>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote: >>>>>> >>>>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: >>>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> We have cronjob which running on a FreeIPA LDAP user; When connection >>>>>>> between IPA server and client having heavy packet loss, following >>>>>>> error would occur: >>>>>>> >>>>>>> CRON[20637]: Authentication service cannot retrieve authentication >>>>>>> info >>>>>>> >>>>>>> I have cache credentials and store password if offline enabled on >>>>>>> sssd, how these problem would still happening? >>>>> >>>>> >>>>> It might be that the cause of the problem is actually the packet loss >>>>> or >>>>> some kind of delay. >>>>> SSSD might not think that it is offline but cron job itself times out >>>>> and >>>>> reports failure. >>>>> Do you know what operation in the job fails? >>>>> >>>>> >>>>>>> sssd.conf: >>>>>>> >>>>>>> cache_credentials = True >>>>>>> krb5_store_password_if_offline = True >>>>>> >>>>>> Did the use log in at least once offline? You can verify if the >>>>>> password >>>>>> has been cached using the ldbsearch utility. It would be best to catch >>>>>> the occurence of the problem in logs. >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thank you, >>>>> Dmitri Pal >>>>> >>>>> Sr. 
Engineering Manager IdM portfolio >>>>> Red Hat, Inc. >>>>> >>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>> >>>> >>>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. >>> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > -- Thomas Lau Director of Infrastructure Tetrion Capital Limited Direct: +852-3976-8903 Mobile: +852-9323-9670 Address: 20/F, IFC 1, Central district, Hong Kong From dpal at redhat.com Thu Apr 16 13:01:23 2015 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 16 Apr 2015 09:01:23 -0400 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> <552D1F25.4030200@redhat.com> <552F282F.80900@redhat.com> Message-ID: <552FB2A3.3030507@redhat.com> On 04/16/2015 06:40 AM, Thomas Lau wrote: > I think the semi-online status cause SSSD confused about what to do > and causing it to timeout. > > So that means no fix for now. Not for right now. Please try to capture logs, If you mange to reproduce the issue and provide logs we would be able to see what causes it and address it. > > On Thu, Apr 16, 2015 at 11:10 AM, Dmitri Pal wrote: >> On 04/15/2015 10:17 PM, Thomas Lau wrote: >>> Hi, >>> >>> I just checked with developer, there is no authentication related code >>> in the program, we could treat it as normal cron job. >>> >>> is that possible to make sssd less contact with FreeIPA? for example, >>> refresh all user info every 5 minutes, else use cache info. >> >> OK, thanks for clarification. >> Then it is SSSD. >> >> It would be hard to understand where the problem is. >> For authentication SSSD does online if it knows that it is online. 
Packet >> loss can cause it to loose connection and time out. >> It might not failing over to offline mode as it is "semi online" because of >> the packet loss and retries. >> >> The SSSD logs would really be helpful to diagnose the issue. >> Also https://fedorahosted.org/sssd/ticket/1807 might be what you are looking >> for. It is being worked on for the next release. >> >> >>> On Tue, Apr 14, 2015 at 10:07 PM, Dmitri Pal wrote: >>>> On 04/13/2015 10:41 PM, Thomas Lau wrote: >>>>> Hi, >>>>> >>>>> It's an in-house program which runs on one kerberos user. >>>> You need to look what this program is doing. >>>> I suspect it is doing some sort of kinit itself and does not rely on the >>>> PAM >>>> stack, i.e it bypasses SSSD in the given scenario. >>>> Can this be the case? >>>> >>>> >>>>> On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal wrote: >>>>>> On 04/13/2015 08:23 AM, Thomas Lau wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> These problem appear randomly, sometime it still work even under heavy >>>>>> packet loss, some times would be like this. So its hard to catch. >>>>>> >>>>>> On Apr 13, 2015 3:22 PM, "Jakub Hrozek" wrote: >>>>>>> On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote: >>>>>>>> Hi all, >>>>>>>> >>>>>>>> We have cronjob which running on a FreeIPA LDAP user; When connection >>>>>>>> between IPA server and client having heavy packet loss, following >>>>>>>> error would occur: >>>>>>>> >>>>>>>> CRON[20637]: Authentication service cannot retrieve authentication >>>>>>>> info >>>>>>>> >>>>>>>> I have cache credentials and store password if offline enabled on >>>>>>>> sssd, how these problem would still happening? >>>>>> >>>>>> It might be that the cause of the problem is actually the packet loss >>>>>> or >>>>>> some kind of delay. >>>>>> SSSD might not think that it is offline but cron job itself times out >>>>>> and >>>>>> reports failure. >>>>>> Do you know what operation in the job fails? 
>>>>>> >>>>>> >>>>>>>> sssd.conf: >>>>>>>> >>>>>>>> cache_credentials = True >>>>>>>> krb5_store_password_if_offline = True >>>>>>> Did the use log in at least once offline? You can verify if the >>>>>>> password >>>>>>> has been cached using the ldbsearch utility. It would be best to catch >>>>>>> the occurence of the problem in logs. >>>>>>> >>>>>>> -- >>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> Go to http://freeipa.org for more info on the project >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thank you, >>>>>> Dmitri Pal >>>>>> >>>>>> Sr. Engineering Manager IdM portfolio >>>>>> Red Hat, Inc. >>>>>> >>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> Go to http://freeipa.org for more info on the project >>>>> >>>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager IdM portfolio >>>> Red Hat, Inc. >>>> >>> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From matthew.joseph at lmco.com Thu Apr 16 13:13:56 2015 From: matthew.joseph at lmco.com (Joseph, Matthew (EXP)) Date: Thu, 16 Apr 2015 13:13:56 +0000 Subject: [Freeipa-users] Usernames not being seen on IPA Master Message-ID: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com> Hello, I'm running into an issue where a new user account created on the master server is not being seen for changing file permissions and such. I can login using the newly created user account but when I try to change permissions on a file/directory it comes up with the following error; Chown: changing ownership of 'username' : Invalid argument Now if I go to my replica IPA server it works fine. 
I deleted the user and created it again with the same username, gave the account a different UID and when I tried to permission the directory again it states the same error as above. I changed the permissions on the replica server and went back to the master and looked at the permissions of the directory and it's showing the old UID. I can login as the new user and the permissions are fine, the user can create and modify files in that directory. When I run ipa user-find -all -raw username it brings up all of the correct information that I entered for the account. I searched for the old UID that was used with this account before but it doesn't seem to exist in IPA. I've tried restarting the IPA service and remounting the directory that contains the required folders but with no luck. I cleared the SSSD and the NSCD cache. Does IPA have another cache that needs to be cleared or anything like that? Thanks, Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Apr 16 13:20:17 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 16 Apr 2015 15:20:17 +0200 Subject: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info In-Reply-To: <552FB2A3.3030507@redhat.com> References: <20150413071459.GA28555@hendrix.arn.redhat.com> <552C3659.1060801@redhat.com> <552D1F25.4030200@redhat.com> <552F282F.80900@redhat.com> <552FB2A3.3030507@redhat.com> Message-ID: <20150416132017.GJ2859@hendrix> On Thu, Apr 16, 2015 at 09:01:23AM -0400, Dmitri Pal wrote: > On 04/16/2015 06:40 AM, Thomas Lau wrote: > >I think the semi-online status cause SSSD confused about what to do > >and causing it to timeout. > > > >So that means no fix for now. > Not for right now. > Please try to capture logs, If you mange to reproduce the issue and provide > logs we would be able to see what causes it and address it. Right. What we're looking for is a reason why SSSD went offline in the first place. 
I know SSSD logging can produce a big amount of data. But you can try to not increase the log level beyond what amount of data is OK for you and configure logrotate to gzip the logs more often. From jhrozek at redhat.com Thu Apr 16 13:24:39 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 16 Apr 2015 15:24:39 +0200 Subject: [Freeipa-users] Usernames not being seen on IPA Master In-Reply-To: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com> References: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com> Message-ID: <20150416132439.GK2859@hendrix> On Thu, Apr 16, 2015 at 01:13:56PM +0000, Joseph, Matthew (EXP) wrote: > Hello, > > I'm running into an issue where a new user account created on the master server is not being seen for changing file permissions and such. Is the new user visible on the master itself via the standard system interfaces (getent passwd $newuser, id $user) ? > I can login using the newly created user account but when I try to change permissions on a file/directory it comes up with the following error; > Chown: changing ownership of 'username' : Invalid argument Can you strace the chown invocation so that we're sure what part really fails? > > Now if I go to my replica IPA server it works fine. > > I deleted the user and created it again with the same username, gave the account a different UID and when I tried to permission the directory again it states the same error as above. Please note that file ownership is defined by IDs, not usernames, so if you recreate a user with different ID, you need to chown all his previously used files. > I changed the permissions on the replica server and went back to the master and looked at the permissions of the directory and it's showing the old UID. I can login as the new user and the permissions are fine, the user can create and modify files in that directory. 
>
> When I run ipa user-find -all -raw username it brings up all of the correct information that I entered for the account.
> I searched for the old UID that was used with this account before but it doesn't seem to exist in IPA.
>
> I've tried restarting the IPA service and remounting the directory that contains the required folders but with no luck.
> I cleared the SSSD and the NSCD cache.

Using nscd along with SSSD is discouraged. We recommend to disable nscd, at least for the maps that SSSD caches. SSSD provides its own fast in-memory cache, so you won't lose performance.

>
> Does IPA have another cache that needs to be cleared or anything like that?
>
>
> Thanks,
>
> Matt
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From matthew.joseph at lmco.com Thu Apr 16 13:42:52 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 16 Apr 2015 13:42:52 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Usernames not being seen on IPA Master
In-Reply-To: <20150416132439.GK2859@hendrix>
References: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com> <20150416132439.GK2859@hendrix>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F49A70@HCXDSPM1.ca.lmco.com>

Hey Jakub,

Getent passwd returns all of the IPA users when searching either the username or UID.
Yes I know that permissions are defined by UID/GID, used a new UID that has not been previously used for this new account for this test.

Good to know, I disabled the nscd service.

Here is the output of the strace for chown on a directory.
execve("/bin/chown", ["chown", "wpooh", "/home/wpooh"], [/* 32 vars */]) = 0 brk(0) = 0x1095000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b698000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\341\0044\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1918016, ...}) = 0 mmap(0x3404e00000, 3741864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3404e00000 mprotect(0x3404f89000, 2093056, PROT_NONE) = 0 mmap(0x3405188000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x188000) = 0x3405188000 mmap(0x340518d000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x340518d000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b674000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b673000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b672000 arch_prctl(ARCH_SET_FS, 0x7f5f4b673700) = 0 mprotect(0x3405188000, 16384, PROT_READ) = 0 mprotect(0x340481f000, 4096, PROT_READ) = 0 munmap(0x7f5f4b675000, 142486) = 0 brk(0) = 0x1095000 brk(0x10b6000) = 0x10b6000 open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0 mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f457e1000 close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 
-1 ENOENT (No such file or directory) close(3) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=1734, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1734 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f5f4b697000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 close(3) = 0 open("/lib64/libnss_files.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0 mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f455d3000 mprotect(0x7f5f455df000, 2097152, PROT_NONE) = 0 mmap(0x7f5f457df000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f5f457df000 close(3) = 0 mprotect(0x7f5f457df000, 4096, PROT_READ) = 0 munmap(0x7f5f4b675000, 142486) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) fstat(3, {st_mode=S_IFREG|0644, st_size=3404, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3404 read(3, "", 4096) = 0 close(3) = 0 munmap(0x7f5f4b697000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 close(3) = 0 open("/lib64/libnss_ldap.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=44328, ...}) = 0 mmap(NULL, 2139496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f453c8000 mprotect(0x7f5f453d3000, 2093056, PROT_NONE) = 0 mmap(0x7f5f455d2000, 4096, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f5f455d2000 close(3) = 0 munmap(0x7f5f4b675000, 142486) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 3 connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 close(3) = 0 open("/lib64/libnss_sss.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=23792, ...}) = 0 mmap(NULL, 2119312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f451c2000 mprotect(0x7f5f451c8000, 2093056, PROT_NONE) = 0 mmap(0x7f5f453c7000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f5f453c7000 close(3) = 0 munmap(0x7f5f4b675000, 142486) = 0 getpid() = 20913 fstat(-1, 0x7fff2d84dca0) = -1 EBADF (Bad file descriptor) socket(PF_FILE, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) write(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) write(3, "\1\0\0\0", 4) = 4 poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) read(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) read(3, "\1\0\0\0", 4) = 4 poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) write(3, "\26\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) 
write(3, "wpooh\0", 6) = 6 poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) read(3, "J\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) read(3, "\1\0\0\0\0\0\0\0(\n\0\0\320\7\0\0wpooh\0*\0Winnie P"..., 58) = 58 newfstatat(AT_FDCWD, "/home/wpooh", {st_mode=S_IFDIR|S_ISUID|S_ISGID|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 fchownat(AT_FDCWD, "/home/wpooh", 2600, 4294967295, 0) = -1 EINVAL (Invalid argument) open("/usr/share/locale/locale.alias", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 read(4, "# Locale name alias data base.\n#"..., 4096) = 2512 read(4, "", 4096) = 0 close(4) = 0 munmap(0x7f5f4b697000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=435, ...}) = 0 mmap(NULL, 435, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7f5f4b697000 close(4) = 0 write(2, "chown: ", 7) = 7 write(2, "changing ownership of `/home/wpo"..., 35) = 35 open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) 
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, ": Invalid argument", 18) = 18 write(2, "\n", 1) = 1 close(1) = 0 close(2) = 0 close(3) = 0 exit_group(1) = ? Thanks, Matt -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jakub Hrozek Sent: Thursday, April 16, 2015 10:25 AM To: freeipa-users at redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Usernames not being seen on IPA Master On Thu, Apr 16, 2015 at 01:13:56PM +0000, Joseph, Matthew (EXP) wrote: > Hello, > > I'm running into an issue where a new user account created on the master server is not being seen for changing file permissions and such. Is the new user visible on the master itself via the standard system interfaces (getent passwd $newuser, id $user) ? > I can login using the newly created user account but when I try to change permissions on a file/directory it comes up with the following error; > Chown: changing ownership of 'username' : Invalid argument Can you strace the chown invocation so that we're sure what part really fails? > > Now if I go to my replica IPA server it works fine. > > I deleted the user and created it again with the same username, gave the account a different UID and when I tried to permission the directory again it states the same error as above. Please note that file ownership is defined by IDs, not usernames, so if you recreate a user with different ID, you need to chown all his previously used files. > I changed the permissions on the replica server and went back to the master and looked at the permissions of the directory and it's showing the old UID. 
I can login as the new user and the permissions are fine, the user can create and modify files in that directory. > > When I run ipa user-find -all -raw username it brings up all of the correct information that I entered for the account. > I searched for the old UID that was used with this account before but it doesn't seem to exist in IPA. > > I've tried restarting the IPA service and remounting the directory that contains the required folders but with no luck. > I cleared the SSSD and the NSCD cache. Using nscd along with SSSD is discouraged. We recommend to disable nscd, at last for the maps that SSSD caches. SSSD provides its own fast in-memory cache, so you won't lose performance. > > Does IPA have another cache that needs to be cleared or anything like that? > > > Thanks, > > Matt > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From jhrozek at redhat.com Thu Apr 16 13:55:40 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 16 Apr 2015 15:55:40 +0200 Subject: [Freeipa-users] EXTERNAL: Re: Usernames not being seen on IPA Master In-Reply-To: <9621CE4454B9514B9E709C1719B2B943F49A70@HCXDSPM1.ca.lmco.com> References: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com> <20150416132439.GK2859@hendrix> <9621CE4454B9514B9E709C1719B2B943F49A70@HCXDSPM1.ca.lmco.com> Message-ID: <20150416135540.GL2859@hendrix> On Thu, Apr 16, 2015 at 01:42:52PM +0000, Joseph, Matthew (EXP) wrote: > Hey Jakub, > > Getent passwd returns all of the IPA users when searching either the username or UID. > Yes I know that permissions are defined by UID/GID, used a new UID that has not been previously used for this new account for this test. 
> > Good to know, I disabled the nscd service. > > Here is the output of the strace for chown on a directory. > > execve("/bin/chown", ["chown", "wpooh", "/home/wpooh"], [/* 32 vars */]) = 0 > brk(0) = 0x1095000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b698000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\341\0044\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=1918016, ...}) = 0 > mmap(0x3404e00000, 3741864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3404e00000 > mprotect(0x3404f89000, 2093056, PROT_NONE) = 0 > mmap(0x3405188000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x188000) = 0x3405188000 > mmap(0x340518d000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x340518d000 > close(3) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b674000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b673000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b672000 > arch_prctl(ARCH_SET_FS, 0x7f5f4b673700) = 0 > mprotect(0x3405188000, 16384, PROT_READ) = 0 > mprotect(0x340481f000, 4096, PROT_READ) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > brk(0) = 0x1095000 > brk(0x10b6000) = 0x10b6000 > open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0 > mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f457e1000 > close(3) = 0 > socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT 
(No such file or directory) > close(3) = 0 > socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/nsswitch.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=1734, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 > read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1734 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f5f4b697000, 4096) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_files.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0 > mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f455d3000 > mprotect(0x7f5f455df000, 2097152, PROT_NONE) = 0 > mmap(0x7f5f457df000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f5f457df000 > close(3) = 0 > mprotect(0x7f5f457df000, 4096, PROT_READ) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 > fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) > fstat(3, {st_mode=S_IFREG|0644, st_size=3404, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3404 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f5f4b697000, 4096) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_ldap.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 
832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=44328, ...}) = 0 > mmap(NULL, 2139496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f453c8000 > mprotect(0x7f5f453d3000, 2093056, PROT_NONE) = 0 > mmap(0x7f5f455d2000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f5f455d2000 > close(3) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > socket(PF_FILE, SOCK_STREAM, 0) = 3 > connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 110) = -1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_sss.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=23792, ...}) = 0 > mmap(NULL, 2119312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f451c2000 > mprotect(0x7f5f451c8000, 2093056, PROT_NONE) = 0 > mmap(0x7f5f453c7000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f5f453c7000 > close(3) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > getpid() = 20913 > fstat(-1, 0x7fff2d84dca0) = -1 EBADF (Bad file descriptor) > socket(PF_FILE, SOCK_STREAM, 0) = 3 > fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) > fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > fcntl(3, F_GETFD) = 0 > fcntl(3, F_SETFD, FD_CLOEXEC) = 0 > connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0 > fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 > poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) > write(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 > poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) > write(3, "\1\0\0\0", 4) = 4 > poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) > read(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 > 
> poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
> read(3, "\1\0\0\0", 4) = 4
> poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
> write(3, "\26\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
> poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
> write(3, "wpooh\0", 6) = 6
> poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
> read(3, "J\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
> poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
> read(3, "\1\0\0\0\0\0\0\0(\n\0\0\320\7\0\0wpooh\0*\0Winnie P"..., 58) = 58
> newfstatat(AT_FDCWD, "/home/wpooh", {st_mode=S_IFDIR|S_ISUID|S_ISGID|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
> fchownat(AT_FDCWD, "/home/wpooh", 2600, 4294967295, 0) = -1 EINVAL (Invalid argument)

So fchownat is called with UID 2600, GID 4294967295 and flags 0 and returns
EINVAL. The fchownat() manpage says that EINVAL is returned when "Invalid flag
specified in flags". 0 is certainly a valid flag, so I assume it must be
something else (the manpage also says that "Depending on the filesystem, errors
other than those listed below can be returned.")

What UID and GID does the user have? The GID seems suspicious to me, it's 2^32,
which shouldn't happen.

Does the same error happen with all files (ie touch /tmp/somefile, chown
/tmp/somefile) ?

From rmeggins at redhat.com Thu Apr 16 13:58:26 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Apr 2015 07:58:26 -0600
Subject: [Freeipa-users] Errors in dirsrv logs
In-Reply-To:
References:
Message-ID: <552FC002.7020600@redhat.com>

On 04/16/2015 01:52 AM, Alexander Frolushkin wrote:
>
> Hello again.
>
> Now, in addition to
>
> connection - conn=xxxx fd=xxx Incoming BER Element was too long, max
> allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute
> in cn=config to increase.
>
> messages, we have on six of our 16 servers
>
> NSMMReplicationPlugin - changelog program -
> agmt="cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): CSN
> 552de186000b00110000 not found, we aren't as up to date, or we purged
>
> Maybe it begins to generate this error after one of our masters was
> re-initialized.
>
> Is there any way to fix it without complete replicas reinstallation?
>

Not that I know of.

What version of 389-ds-base is this?

rpm -q 389-ds-base

> WBR,
>
> Alexander Frolushkin
>
> Cell +79232508764
>
> Work +79232507764
>
>
> ------------------------------------------------------------------------
>
> The information contained in this communication is intended solely for
> the use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally
> privileged information. The contents may not be disclosed or used by
> anyone other than the addressee. If you are not the intended
> recipient(s), any use, disclosure, copying, distribution or any action
> taken or omitted to be taken in reliance on it is prohibited and may
> be unlawful. If you have received this communication in error please
> notify us immediately by responding to this email and then delete the
> e-mail and all attachments and any copies thereof.
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From matthew.joseph at lmco.com Thu Apr 16 13:59:50 2015
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 16 Apr 2015 13:59:50 +0000
Subject: [Freeipa-users] EXTERNAL: Re: Usernames not being seen on IPA Master
In-Reply-To: <20150416135540.GL2859@hendrix>
References: <9621CE4454B9514B9E709C1719B2B943F49A4C@HCXDSPM1.ca.lmco.com>
	<20150416132439.GK2859@hendrix>
	<9621CE4454B9514B9E709C1719B2B943F49A70@HCXDSPM1.ca.lmco.com>
	<20150416135540.GL2859@hendrix>
Message-ID: <9621CE4454B9514B9E709C1719B2B943F49A8F@HCXDSPM1.ca.lmco.com>

The UID is 2600 and the GID is 2000. It's a common group which all of our users are in.

Yeah the error comes when trying to change ownership of files/directory (new or old).

Just seems a bit odd the replica server is able to change ownership of files/directories fine.

Matt

-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek at redhat.com]
Sent: Thursday, April 16, 2015 10:56 AM
To: Joseph, Matthew (EXP)
Cc: freeipa-users at redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Usernames not being seen on IPA Master

On Thu, Apr 16, 2015 at 01:42:52PM +0000, Joseph, Matthew (EXP) wrote:
> Hey Jakub,
>
> Getent passwd returns all of the IPA users when searching either the username or UID.
> Yes I know that permissions are defined by UID/GID, used a new UID that has not been previously used for this new account for this test.
>
> Good to know, I disabled the nscd service.
>
> Here is the output of the strace for chown on a directory.
> > execve("/bin/chown", ["chown", "wpooh", "/home/wpooh"], [/* 32 vars */]) = 0 > brk(0) = 0x1095000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b698000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\355\341\0044\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=1918016, ...}) = 0 > mmap(0x3404e00000, 3741864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3404e00000 > mprotect(0x3404f89000, 2093056, PROT_NONE) = 0 > mmap(0x3405188000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x188000) = 0x3405188000 > mmap(0x340518d000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x340518d000 > close(3) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b674000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b673000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b672000 > arch_prctl(ARCH_SET_FS, 0x7f5f4b673700) = 0 > mprotect(0x3405188000, 16384, PROT_READ) = 0 > mprotect(0x340481f000, 4096, PROT_READ) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > brk(0) = 0x1095000 > brk(0x10b6000) = 0x10b6000 > open("/usr/lib/locale/locale-archive", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0 > mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f457e1000 > close(3) = 0 > socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) > close(3) = 0 > socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > 
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/nsswitch.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=1734, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 > read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1734 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f5f4b697000, 4096) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_files.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0 > mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f455d3000 > mprotect(0x7f5f455df000, 2097152, PROT_NONE) = 0 > mmap(0x7f5f457df000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f5f457df000 > close(3) = 0 > mprotect(0x7f5f457df000, 4096, PROT_READ) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 > fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) > fstat(3, {st_mode=S_IFREG|0644, st_size=3404, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000 > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3404 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7f5f4b697000, 4096) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_ldap.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=44328, ...}) = 0 > mmap(NULL, 2139496, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f453c8000 > mprotect(0x7f5f453d3000, 2093056, PROT_NONE) = 0 > mmap(0x7f5f455d2000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f5f455d2000 > close(3) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > socket(PF_FILE, SOCK_STREAM, 0) = 3 > connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 110) = -1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0 > mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000 > close(3) = 0 > open("/lib64/libnss_sss.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=23792, ...}) = 0 > mmap(NULL, 2119312, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f451c2000 > mprotect(0x7f5f451c8000, 2093056, PROT_NONE) = 0 > mmap(0x7f5f453c7000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f5f453c7000 > close(3) = 0 > munmap(0x7f5f4b675000, 142486) = 0 > getpid() = 20913 > fstat(-1, 0x7fff2d84dca0) = -1 EBADF (Bad file descriptor) > socket(PF_FILE, SOCK_STREAM, 0) = 3 > fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) > fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > fcntl(3, F_GETFD) = 0 > fcntl(3, F_SETFD, FD_CLOEXEC) = 0 > connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0 > fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 > poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) > write(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 > poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}]) > write(3, "\1\0\0\0", 4) = 4 > poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) > read(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16) = 16 > poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}]) > read(3, "\1\0\0\0", 4) = 4 > 
> poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
> write(3, "\26\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
> poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
> write(3, "wpooh\0", 6) = 6
> poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
> read(3, "J\0\0\0\21\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
> poll([{fd=3, events=POLLIN}], 1, 300000) = 1 ([{fd=3, revents=POLLIN}])
> read(3, "\1\0\0\0\0\0\0\0(\n\0\0\320\7\0\0wpooh\0*\0Winnie P"..., 58) = 58
> newfstatat(AT_FDCWD, "/home/wpooh", {st_mode=S_IFDIR|S_ISUID|S_ISGID|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
> fchownat(AT_FDCWD, "/home/wpooh", 2600, 4294967295, 0) = -1 EINVAL (Invalid argument)

So fchownat is called with UID 2600, GID 4294967295 and flags 0 and returns
EINVAL. The fchownat() manpage says that EINVAL is returned when "Invalid flag
specified in flags". 0 is certainly a valid flag, so I assume it must be
something else (the manpage also says that "Depending on the filesystem, errors
other than those listed below can be returned.")

What UID and GID does the user have? The GID seems suspicious to me, it's 2^32,
which shouldn't happen.

Does the same error happen with all files (ie touch /tmp/somefile, chown
/tmp/somefile) ?

From wgraboyes at cenic.org Thu Apr 16 19:11:01 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Thu, 16 Apr 2015 12:11:01 -0700
Subject: [Freeipa-users] Transition old master server to new server.
Message-ID: <55300945.3080208@cenic.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi All,

I have been searching for a while and cannot seem to find an answer to
the question of how to promote a replica to a master, and use that as
the new master.

My original master is on ipa-server-3.0.0-37.el6.x86_64, and I am
upgrading to ipa-server-4.1.0-18.el7.centos.3.x86_64 (these are both
centos boxes, 6.6 and 7.1 respectively).

I found some older fedora documentation that doesn't seem to be
relevant any longer.
If there is documentation out there that would be a great help, if not
I could certainly use some pointers.

Thanks,
Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVMAlFAAoJEJFMz73A1+zrxWYQAIsllC0oBay8lGb/Y+7MbhYm
LjO2a6PRWipSee3toXnKQAkQH+aQqy58DyTfl0soC2BdHWTmLwCJEvtvireLKrox
tFaDyP4zhrr8fm/c1iOODmcwNRxbeG8qonCbqs2jPvvnKoMXcRx7aN47fY+Ssrw9
gD9O+s2ldeGrs+kwXvNhU5NDt3hy0ZZA36brD3sK50xYsMzI3k5JXIWP9wDmH/ZJ
J4XmisHvt+7+GqXJN0OSUJObVPBNstO+SocN+mdk3dJB408n+YD2RlNTu3nPq5GH
I+xN5NzcgGxPhKlubVLGzryxuBMy1W5sbVW1dZFfMqzGOI71l1vwK5eoLtag82mx
TepYfeKbbj1nem8WznEbYkd7pqjg34Qb5wAkwzT2gb8OLyf8/gy5Kh9TAWrzu98F
+PeCS+dXT75lwOAYhOrpYvbpgkBPZQ84kA58KTDTtfQLEMtKS3bIxcF5xC4AFpcn
arseNyLGJA2gImaD8Jl7/eeBpv9pQ9EH1rTiuYBtEXw0wQnhHk160ZLlc1gWINsj
yNuCOch6XKkolGg5jujNbZlna7VNv0DC2ubtGQm7SsccSFwvxgwdd5h7TU09f1H4
WebJ2/L4a4fwZ2DQDywI7u47Rzau39v3lUo84F36Sz4/ScgVRhzMArFPEzcCKfWI
mvhDIWsIEanKMrhNAIIp
=f6fp
-----END PGP SIGNATURE-----

From john.1209 at yahoo.com Thu Apr 16 19:18:10 2015
From: john.1209 at yahoo.com (John Williams)
Date: Thu, 16 Apr 2015 19:18:10 +0000 (UTC)
Subject: [Freeipa-users] Expired Certs
In-Reply-To: <552844CC.7040305@redhat.com>
References: <552844CC.7040305@redhat.com>
Message-ID: <415182303.5562058.1429211890131.JavaMail.yahoo@mail.yahoo.com>

[ snip ]
>
> [root at ipa ~]# date
> Thu Apr 10 00:13:51 EDT 2014
> [root at ipa ~]# /etc/init.d/certmonger restart
> Stopping certmonger:                                       [  OK  ]
> Starting certmonger:                                       [  OK  ]
> [root at ipa ~]#

You are going way too far back in time AFAICT. The certs expired on April 5 of
this year so you don't need to go back to 2014. Just go back to April 3 or 4.

You'll also need to restart IPA before kicking certmonger

ipactl restart

rob

Thanks Rob,

Following your advice, it looks like only one of the eight certificates is now
monitoring.
Check out the following:

[root at ipa ~]# getcert list | grep -A1 status
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
    status: MONITORING
    ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa').

How can I get the remaining certs fixed as well?  Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dpal at redhat.com Thu Apr 16 20:00:15 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 16 Apr 2015 16:00:15 -0400
Subject: [Freeipa-users] Transition old master server to new server.
In-Reply-To: <55300945.3080208@cenic.org>
References: <55300945.3080208@cenic.org>
Message-ID: <553014CF.7020500@redhat.com>

On 04/16/2015 03:11 PM, William Graboyes wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi All,
>
> I have been searching for a while and cannot seem to find an answer to
> the question of how to promote a replica to a master, and use that
> as the new master.
>
> My original master is on ipa-server-3.0.0-37.el6.x86_64, and I am
> upgrading to ipa-server-4.1.0-18.el7.centos.3.x86_64 (these are both
> centos boxes, 6.6 and 7.1 respectively).
>
> I found some older fedora documentation that doesn't seem to be
> relevant any longer. If there is documentation out there that would
> be a great help, if not I could certainly use some pointers.
>
> Thanks,
> Bill
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> Comment: GPGTools - https://gpgtools.org
>
> iQIcBAEBCgAGBQJVMAlFAAoJEJFMz73A1+zrxWYQAIsllC0oBay8lGb/Y+7MbhYm
> LjO2a6PRWipSee3toXnKQAkQH+aQqy58DyTfl0soC2BdHWTmLwCJEvtvireLKrox
> tFaDyP4zhrr8fm/c1iOODmcwNRxbeG8qonCbqs2jPvvnKoMXcRx7aN47fY+Ssrw9
> gD9O+s2ldeGrs+kwXvNhU5NDt3hy0ZZA36brD3sK50xYsMzI3k5JXIWP9wDmH/ZJ
> J4XmisHvt+7+GqXJN0OSUJObVPBNstO+SocN+mdk3dJB408n+YD2RlNTu3nPq5GH
> I+xN5NzcgGxPhKlubVLGzryxuBMy1W5sbVW1dZFfMqzGOI71l1vwK5eoLtag82mx
> TepYfeKbbj1nem8WznEbYkd7pqjg34Qb5wAkwzT2gb8OLyf8/gy5Kh9TAWrzu98F
> +PeCS+dXT75lwOAYhOrpYvbpgkBPZQ84kA58KTDTtfQLEMtKS3bIxcF5xC4AFpcn
> arseNyLGJA2gImaD8Jl7/eeBpv9pQ9EH1rTiuYBtEXw0wQnhHk160ZLlc1gWINsj
> yNuCOch6XKkolGg5jujNbZlna7VNv0DC2ubtGQm7SsccSFwvxgwdd5h7TU09f1H4
> WebJ2/L4a4fwZ2DQDywI7u47Rzau39v3lUo84F36Sz4/ScgVRhzMArFPEzcCKfWI
> mvhDIWsIEanKMrhNAIIp
> =f6fp
> -----END PGP SIGNATURE-----
>

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
and search for the substring "promot". There will be several sections you want
to become familiar with.
-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From bwp.pearson at gmail.com Thu Apr 16 23:46:55 2015
From: bwp.pearson at gmail.com (Bryan Pearson)
Date: Thu, 16 Apr 2015 19:46:55 -0400
Subject: [Freeipa-users] posix ids not propgating
Message-ID:

I ran this command on each of my IPA servers and one returned usable
response: ipa idrange-find

---------------
1 range matched
---------------
  Range name: HOSTNAME.LAN_id_range
  First Posix ID of the range: 1920200000
  Number of IDs in the range: 300000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

While trying to add a new user on one of the other servers I receive:
***
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
failed! Unable to proceed.
***

Should I go forward on other masters and do:

***
ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 1689700000
-
replace: dnaMaxValue
dnaMaxValue: 1689799999
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
***

From rmeggins at redhat.com Fri Apr 17 02:52:11 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Apr 2015 20:52:11 -0600
Subject: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
In-Reply-To:
References: <552E98C3.8020900@redhat.com> <552EBDEA.6040604@redhat.com>
	<552EDC2D.9070609@redhat.com> <552F00E1.2020006@redhat.com>
Message-ID: <5530755B.1030403@redhat.com>

On 04/15/2015 10:44 PM, James James wrote:
> The ipareplica-install.log file in attachment ...
Here are the pertinent bits:

2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache
2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.example.com:389 conn=
2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache
2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa1.example.com:636 conn=
2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2015-04-15T15:08:44Z DEBUG [error] RuntimeError: Failed to start replication

The times are a little off, but I believe this corresponds to

[15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
[15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication

I don't know why setup_replication is reporting an error if replication
completed successfully.

>
> 2015-04-16 2:22 GMT+02:00 Rob Crittenden >:
>
> Rich Megginson wrote:
> > On 04/15/2015 02:58 PM, James James wrote:
> >> Nothing on the replica .. maybe a process on the master. How can I
> >> check that ?
> >
> > I have no idea. But it seems highly unlikely that a process on the
> > master is able to shutdown a process on the replica . . .
> >
> > I would say that there is some problem with the ipa-replica-install not
> > properly checking the status - see below:
> >
> >>
> >> 2015-04-15 21:37 GMT+02:00 Rich Megginson >:
> >>
> >> On 04/15/2015 12:43 PM, James James wrote:
> >>> Here the log
> >>>
> >>> 2015-04-15 18:58 GMT+02:00 Rich Megginson >:
> >>>
> >>> On 04/15/2015 09:46 AM, James James wrote:
> >>>> Hello,
> >>>>
> >>>> I have been looking to solve my problem but I'm asking for
> >>>> some help.
> >>>>
> >>>> The replication begins but cannot be completed ....
> >>>>
> >>>> I want to install a new fresh replica but I've always got
> >>>> this error :
> >>>>
> >>>> [21/35]: configure dirsrv ccache
> >>>> [22/35]: enable SASL mapping fallback
> >>>> [23/35]: restarting directory server
> >>>> [24/35]: setting up initial replication
> >>>> Starting replication, please wait until this has completed.
> >>>> Update in progress, 127 seconds elapsed
> >>>> Update in progress yet not in progress
> >>>>
> >>>> Update in progress yet not in progress
> >>>
> >
> > in progress yet not in progress???? The error log below clearly shows
> > that replica init succeeded after 127 seconds.
> >
> > IPA-ers - wasn't there some bug about checking replica status properly?
> >
>
> The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress
> and nsds5ReplicaLastInitStatus.
>
> It loops looking for nsds5BeginReplicaRefresh. If there is no value it
> prints "Update in progress, %d seconds elapsed". Once it gets a status,
> the update is done, and it looks at nsds5ReplicaLastInitStatus. If it
> isn't empty, doesn't include 'replica busy' or 'Total update succeeded'
> then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is,
> it prints Update in progress yet not in progress and tries the loop again.
>
> AFAICT this part of a replica install doesn't restart 389-ds.
>
> /var/log/ipareplica-install.log may hold some details.
>
> rob
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Fri Apr 17 06:31:56 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Apr 2015 08:31:56 +0200
Subject: [Freeipa-users] posix ids not propgating
In-Reply-To:
References:
Message-ID: <5530A8DC.2010609@redhat.com>

On 17.4.2015 01:46, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable
> response: ipa idrange-find
>
> ---------------
> 1 range matched
> ---------------
>   Range name: HOSTNAME.LAN_id_range
>   First Posix ID of the range: 1920200000
>   Number of IDs in the range: 300000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> While trying to add a new user on one of the other servers I receive:
> ***
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> ***

Is your original master server running and reachable?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1211366 ID ranges are
distributed from original master to replicas only on first use (not
immediately after replica installation) so you need to add a user on replica
before you take the original master off-line.
Petr^2 Spacek

> Should I go forward on other masters and do:
>
> ***
> ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaNextValue
> dnaNextValue: 1689700000
> -
> replace: dnaMaxValue
> dnaMaxValue: 1689799999
> ^D
>
> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> ***

-- 
Petr^2 Spacek

From andrew.holway at gmail.com Fri Apr 17 07:14:33 2015
From: andrew.holway at gmail.com (Andrew Holway)
Date: Fri, 17 Apr 2015 09:14:33 +0200
Subject: [Freeipa-users] Critique
Message-ID:

In an obviously blatant promotion exercise and attempt to build page rank....

Please could I have some critique on this article?

http://otternetworks.de/tech/freeipa-technical-brief/

Your feedback would be really appreciated

Thanks,

Andrew

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Fri Apr 17 07:31:26 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 17 Apr 2015 10:31:26 +0300
Subject: [Freeipa-users] Critique
In-Reply-To:
References:
Message-ID: <20150417073126.GR4797@redhat.com>

On Fri, 17 Apr 2015, Andrew Holway wrote:
>In an obviously blatant promotion exercise and attempt to build page
>rank....
>
>Please could I have some critique on this article?
>
>http://otternetworks.de/tech/freeipa-technical-brief/
>
>Your feedback would be really appreciated
Thanks for the nice article showing how to enable OpenVPN with two-factor
authentication.

My notes:

- Title is misleading as article is about setting up OpenVPN with two-factor
  auth, not really about FreeIPA itself

- You mention "Using a completely standard client OpenVPN configuration with
  only one addition 'auth-user-pass' to prompt for a password we are able to
  use OpenVPN to log into a network using password+OTP." However, there is no
  config example that shows it.
  I would add that, along the lines of using PAM plugin.

- It would probably be good to mention that by using PAM authentication plugin
  you also get HBAC rules from FreeIPA to fine tune which users can actually
  use this VPN concentrator. As it is, any user from your system would be able
  to use VPN but most probably you'd want to limit them by group membership and
  it is better achieved by using HBAC rules.

-- 
/ Alexander Bokovoy

From jpazdziora at redhat.com Fri Apr 17 07:33:52 2015
From: jpazdziora at redhat.com (Jan Pazdziora)
Date: Fri, 17 Apr 2015 09:33:52 +0200
Subject: [Freeipa-users] Critique
In-Reply-To:
References:
Message-ID: <20150417073352.GP5056@redhat.com>

On Fri, Apr 17, 2015 at 09:14:33AM +0200, Andrew Holway wrote:
> In an obviously blatant promotion exercise and attempt to build page
> rank....
>
> Please could I have some critique on this article?
>
> http://otternetworks.de/tech/freeipa-technical-brief/
>
> Your feedback would be really appreciated

Nice. One detail -- Red Hat prefers its name to be spelled "Red Hat".
-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

From sbose at redhat.com Fri Apr 17 07:53:00 2015
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 17 Apr 2015 09:53:00 +0200
Subject: [Freeipa-users] posix ids not propgating
In-Reply-To:
References:
Message-ID: <20150417075300.GM1308@p.redhat.com>

On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable
> response: ipa idrange-find
>
> ---------------
> 1 range matched
> ---------------
>   Range name: HOSTNAME.LAN_id_range
>   First Posix ID of the range: 1920200000
>   Number of IDs in the range: 300000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> While trying to add a new user on one of the other servers I receive:
> ***
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> ***

This is expected, unfortunately the idranges used to manage different
idranges in environments with trust and the range used by the DNA plugin
to assign IDs to local users and groups are currently not connected.
There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this.
bye, Sumit > > Should I go forward on other masters and do: > > *** > ldapmodify -x -D 'cn=Directory Manager' -W > Enter LDAP Password: > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > changetype: modify > replace: dnaNextValue > dnaNextValue: 1689700000 > - > replace: dnaMaxValue > dnaMaxValue: 1689799999 > ^D > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config" > *** > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From bwp.pearson at gmail.com Fri Apr 17 10:36:24 2015 From: bwp.pearson at gmail.com (Bryan Pearson) Date: Fri, 17 Apr 2015 06:36:24 -0400 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: <20150417075300.GM1308@p.redhat.com> References: <20150417075300.GM1308@p.redhat.com> Message-ID: Should I add the same range to this machine or give each one it's own id range? On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote: > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote: > > I ran this comand on each of my IPA servers and one returned usable > > response: ipa idrange-find > > > > --------------- > > 1 range matched > > --------------- > > Range name: HOSTNAME.LAN_id_range > > First Posix ID of the range: 1920200000 > > Number of IDs in the range: 300000 > > Range type: local domain range > > ---------------------------- > > Number of entries returned 1 > > ---------------------------- > > > > While trying to add a new user on one of the other severs I recieve: > > *** > > Operations error: Allocation of a new value for range cn=posix > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config > > failed! Unable to proceed. 
> > *** > > This is expected, unfortunately the idranges used to manage different > idranges in environments with trust and the range used by the DNA plugin > to assign IDs to local users and groups are currently not connected. > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix > this. > > bye, > Sumit > > > > > Should I go forward on other masters and do: > > > > *** > > ldapmodify -x -D 'cn=Directory Manager' -W > > Enter LDAP Password: > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config > > changetype: modify > > replace: dnaNextValue > > dnaNextValue: 1689700000 > > - > > replace: dnaMaxValue > > dnaMaxValue: 1689799999 > > ^D > > > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment > > Plugin,cn=plugins,cn=config" > > *** > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbose at redhat.com Fri Apr 17 11:08:27 2015 From: sbose at redhat.com (Sumit Bose) Date: Fri, 17 Apr 2015 13:08:27 +0200 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: References: <20150417075300.GM1308@p.redhat.com> Message-ID: <20150417110827.GO1308@p.redhat.com> On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote: > Should I add the same range to this machine or give each one it's own id > range? The ranges are global for the whole IPA domain. The idranges manages with the ipa tool have their data in the replicated tree hence changes are available on all replicas. The DNA plugin has its own scheme to distribute the data, see e.g. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html for details. 
bye, Sumit > On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote: > > > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote: > > > I ran this comand on each of my IPA servers and one returned usable > > > response: ipa idrange-find > > > > > > --------------- > > > 1 range matched > > > --------------- > > > Range name: HOSTNAME.LAN_id_range > > > First Posix ID of the range: 1920200000 > > > Number of IDs in the range: 300000 > > > Range type: local domain range > > > ---------------------------- > > > Number of entries returned 1 > > > ---------------------------- > > > > > > While trying to add a new user on one of the other severs I recieve: > > > *** > > > Operations error: Allocation of a new value for range cn=posix > > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config > > > failed! Unable to proceed. > > > *** > > > > This is expected, unfortunately the idranges used to manage different > > idranges in environments with trust and the range used by the DNA plugin > > to assign IDs to local users and groups are currently not connected. > > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix > > this. 
> > > > bye, > > Sumit > > > > > > > > Should I go forward on other masters and do: > > > > > > *** > > > ldapmodify -x -D 'cn=Directory Manager' -W > > > Enter LDAP Password: > > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment > > Plugin,cn=plugins,cn=config > > > changetype: modify > > > replace: dnaNextValue > > > dnaNextValue: 1689700000 > > > - > > > replace: dnaMaxValue > > > dnaMaxValue: 1689799999 > > > ^D > > > > > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment > > > Plugin,cn=plugins,cn=config" > > > *** > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > From bwp.pearson at gmail.com Fri Apr 17 13:13:30 2015 From: bwp.pearson at gmail.com (Bryan Pearson) Date: Fri, 17 Apr 2015 09:13:30 -0400 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: <20150417110827.GO1308@p.redhat.com> References: <20150417075300.GM1308@p.redhat.com> <20150417110827.GO1308@p.redhat.com> Message-ID: I believe that my master dna server isnt currently being used, so I did this. 
ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: ALL # # posix-ids, dna, ipa, etc, EXAMPLE.lan dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan objectClass: nsContainer objectClass: top cn: posix-ids # ipa3.EXAMPLE.lan + 0, posix-ids, dna, ipa, etc, EXAMPLE.lan dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan dnaRemainingValues: 0 dnaSecurePortNum: 636 dnaPortNum: 0 dnaHostname: ipa3.EXAMPLE.lan objectClass: dnaSharedConfig objectClass: top # ipa3.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan dnaRemainingValues: 99997 dnaSecurePortNum: 636 dnaPortNum: 389 dnaHostname: ipa3.EXAMPLE.lan objectClass: dnaSharedConfig objectClass: top # ipa4.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip a,cn=etc,dc=EXAMPLE,dc=lan objectClass: dnaSharedConfig objectClass: top dnaHostname: ipa4.EXAMPLE.lan dnaPortNum: 389 dnaSecurePortNum: 636 dnaRemainingValues: 0 # ipa2.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan dn: dnaHostname=ipa2.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn =dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan objectClass: dnaSharedConfig objectClass: top dnaHostname: ipa2.EXAMPLE.lan dnaPortNum: 389 dnaSecurePortNum: 636 dnaRemainingValues: 0 # search result search: 2 result: 0 Success # numResponses: 6 # numEntries: 5 Bryan On Fri, Apr 17, 2015 at 7:08 AM, Sumit Bose wrote: > On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote: >> Should I add the same range to this machine or give each one it's own id >> range? > > The ranges are global for the whole IPA domain. 
The idranges manages > with the ipa tool have their data in the replicated tree hence changes > are available on all replicas. The DNA plugin has its own scheme to > distribute the data, see e.g. > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html > > for details. > > bye, > Sumit >> On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote: >> >> > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote: >> > > I ran this comand on each of my IPA servers and one returned usable >> > > response: ipa idrange-find >> > > >> > > --------------- >> > > 1 range matched >> > > --------------- >> > > Range name: HOSTNAME.LAN_id_range >> > > First Posix ID of the range: 1920200000 >> > > Number of IDs in the range: 300000 >> > > Range type: local domain range >> > > ---------------------------- >> > > Number of entries returned 1 >> > > ---------------------------- >> > > >> > > While trying to add a new user on one of the other severs I recieve: >> > > *** >> > > Operations error: Allocation of a new value for range cn=posix >> > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config >> > > failed! Unable to proceed. >> > > *** >> > >> > This is expected, unfortunately the idranges used to manage different >> > idranges in environments with trust and the range used by the DNA plugin >> > to assign IDs to local users and groups are currently not connected. >> > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix >> > this. 
>> > >> > bye, >> > Sumit >> > >> > > >> > > Should I go forward on other masters and do: >> > > >> > > *** >> > > ldapmodify -x -D 'cn=Directory Manager' -W >> > > Enter LDAP Password: >> > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment >> > Plugin,cn=plugins,cn=config >> > > changetype: modify >> > > replace: dnaNextValue >> > > dnaNextValue: 1689700000 >> > > - >> > > replace: dnaMaxValue >> > > dnaMaxValue: 1689799999 >> > > ^D >> > > >> > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment >> > > Plugin,cn=plugins,cn=config" >> > > *** >> > > >> > > -- >> > > Manage your subscription for the Freeipa-users mailing list: >> > > https://www.redhat.com/mailman/listinfo/freeipa-users >> > > Go to http://freeipa.org for more info on the project >> > From rcritten at redhat.com Fri Apr 17 13:19:25 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Apr 2015 09:19:25 -0400 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: References: <20150417075300.GM1308@p.redhat.com> <20150417110827.GO1308@p.redhat.com> Message-ID: <5531085D.4080505@redhat.com> Bryan Pearson wrote: > I believe that my master dna server isnt currently being used, so I did this. > > ldapsearch -x -D 'cn=Directory Manager' -W -b > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan > Enter LDAP Password: That's not the right location to search for the DNA configuration. See http://blog-rcritten.rhcloud.com/?p=50 rob From david.dejaeghere at gmail.com Fri Apr 17 13:23:51 2015 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Fri, 17 Apr 2015 15:23:51 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com> Message-ID: Hi, Any more things I can try out? How do we proceed? 
Kind Regards, D 2015-04-15 11:48 GMT+02:00 David Dejaeghere : > Hi Honza, > > That gave me the exact same output. Any ideas? > > Regards, > > D > > 2015-04-15 7:33 GMT+02:00 Jan Cholasta : > >> Hi, >> >> Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a): >> >>> David Dejaeghere wrote: >>> >>>> Hi Rob, >>>> >>>> So you want to output of the command using pk12 with server cert and >>>> key? or with the ca chain in there too? >>>> >>>> >>> Oddly enough it is failing in exactly the same place. Those GoDaddy CA >>> certs are still being loaded from somewhere, I'm not sure where, and I >>> suspect that is the source of the problem. >>> >> >> They are in the default CA certificate bundle (in the ca-certificate >> package). I guess NSS loads it automatically. >> >> >>> I'm going to forward the log to a colleague who has worked on this code >>> more recently than I have. Maybe he will have an idea. >>> >> >> Could you try if the following works? >> >> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt >> /root/ca-bundle.trust.crt >> >> # update-ca-trust >> >> # ipa-replica-prepare ... >> >> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust- >> source/ca-bundle.trust.crt >> >> # update-ca-trust >> >> >>> rob >>> >>> >> Honza >> >> -- >> Jan Cholasta >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Fri Apr 17 13:27:06 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 17 Apr 2015 15:27:06 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com> Message-ID: <55310A2A.9060701@redhat.com> Hi, I don't have any new information. I'm trying to reproduce the problem but had no luck so far. 
Honza Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a): > Hi, > > Any more things I can try out? How do we proceed? > > Kind Regards, > > D > > 2015-04-15 11:48 GMT+02:00 David Dejaeghere >: > > Hi Honza, > > That gave me the exact same output. Any ideas? > > Regards, > > D > > 2015-04-15 7:33 GMT+02:00 Jan Cholasta >: > > Hi, > > Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a): > > David Dejaeghere wrote: > > Hi Rob, > > So you want to output of the command using pk12 with > server cert and > key? or with the ca chain in there too? > > > Oddly enough it is failing in exactly the same place. Those > GoDaddy CA > certs are still being loaded from somewhere, I'm not sure > where, and I > suspect that is the source of the problem. > > > They are in the default CA certificate bundle (in the > ca-certificate package). I guess NSS loads it automatically. > > > I'm going to forward the log to a colleague who has worked > on this code > more recently than I have. Maybe he will have an idea. > > > Could you try if the following works? > > # mv /usr/share/pki/ca-trust-__source/ca-bundle.trust.crt > /root/ca-bundle.trust.crt > > # update-ca-trust > > # ipa-replica-prepare ... 
> > # mv /root/ca-bundle.trust.crt > /usr/share/pki/ca-trust-__source/ca-bundle.trust.crt > > # update-ca-trust > > > rob > > > Honza > > -- > Jan Cholasta > > > -- Jan Cholasta From bwp.pearson at gmail.com Fri Apr 17 13:30:21 2015 From: bwp.pearson at gmail.com (Bryan Pearson) Date: Fri, 17 Apr 2015 09:30:21 -0400 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: <5531085D.4080505@redhat.com> References: <20150417075300.GM1308@p.redhat.com> <20150417110827.GO1308@p.redhat.com> <5531085D.4080505@redhat.com> Message-ID: Am I mistaken in your example: "You can find the master it is trying to talk to here: $ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" Mine: $ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan Bryan On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden wrote: > Bryan Pearson wrote: >> I believe that my master dna server isnt currently being used, so I did this. >> >> ldapsearch -x -D 'cn=Directory Manager' -W -b >> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan >> Enter LDAP Password: > > That's not the right location to search for the DNA configuration. See > http://blog-rcritten.rhcloud.com/?p=50 > > rob > From john.1209 at yahoo.com Fri Apr 17 13:28:00 2015 From: john.1209 at yahoo.com (John Williams) Date: Fri, 17 Apr 2015 13:28:00 +0000 (UTC) Subject: [Freeipa-users] Expired Certs In-Reply-To: <552844CC.7040305@redhat.com> References: <552844CC.7040305@redhat.com> Message-ID: <1650969340.6157855.1429277280191.JavaMail.yahoo@mail.yahoo.com> > You are going way to far back in time AFAICT. The certs expired on April > 5 of this year so you don't need to go back to 2014. Just go back to > April 3 or 4. > You'll also need to restart IPA before kicking certmonger ipactl restart > rob ******* ?SNIP ******* Thanks!! Following your advice, it looks like only one of the eight certificates are now monitoring. 
Check out the following:

[root@ipa ~]# getcert list | grep -A1 status
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
--
status: CA_UNREACHABLE
ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
status: CA_UNREACHABLE
ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
--
status: MONITORING
ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa').

How can I get the remaining certs fixed as well? Thanks in advance.
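An added triage helper for the output quoted above (example code written for this archive page; it is not part of the original post and not certmonger or FreeIPA code). It parses the per-request blocks that `getcert list` prints, classifies each ca-error into the three failure modes seen in the thread (TLS trust failure against the CA agent port, "Invalid Credential" from the IPA RA, and the subject-vs-principal hostname mismatch) and extracts the two hostnames from the mismatch message, so the shortname-vs-FQDN problem stands out without reading every block. `SAMPLE` is constructed for the example: the error strings are the ones in the thread, while the request IDs, subjects, storage paths and dates are made up.

```python
"""Triage `getcert list` output into failure classes (added example)."""
import re
from collections import Counter

# Constructed sample: real certmonger field names, made-up IDs/paths/dates,
# ca-error strings taken from the thread.
SAMPLE = """\
Request ID '20150405120000':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
    stale: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=ipa.infra.idef,O=INFRA.IDEF
    expires: 2015-04-05 10:00:00 UTC
Request ID '20150405120001':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
    stale: no
    CA: IPA
    subject: CN=ipa.infra.idef,O=INFRA.IDEF
    expires: 2015-04-05 10:00:00 UTC
Request ID '20150405120002':
    status: MONITORING
    ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: hostname in subject of request 'ipa.infra.idef' does not match principal hostname 'ipa').
    stale: no
    CA: IPA
    subject: CN=ipa.infra.idef,O=INFRA.IDEF
    expires: 2015-04-05 10:00:00 UTC
Request ID '20150405120003':
    status: MONITORING
    stale: no
    CA: IPA
    subject: CN=ipa.infra.idef,O=INFRA.IDEF
    expires: 2017-04-05 10:00:00 UTC
"""

REQUEST_RX = re.compile(r"^Request ID '([^']+)':")
MISMATCH_RX = re.compile(r"hostname in subject of request '([^']+)' "
                         r"does not match principal hostname '([^']+)'")

# Checked in order; the first pattern that matches names the class.
ERROR_CLASSES = (
    ("hostname-mismatch", MISMATCH_RX),
    ("invalid-credential", re.compile(r"\(Invalid Credential\.?\)")),
    ("tls-trust", re.compile(r"Peer certificate cannot be authenticated")),
)


def parse_getcert_list(text):
    """Return one dict per request block ({'request_id', 'status', ...}).

    A block starts at a "Request ID '...':" line; every indented "key: value"
    line after it belongs to that block.  Values are split on the first ": "
    only, because ca-error messages contain colons themselves.
    """
    records, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RX.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        line = raw.strip()
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key] = value
    return records


def classify(ca_error):
    """Map a ca-error string to a failure class; no ca-error means healthy."""
    if not ca_error:
        return "ok"
    for name, rx in ERROR_CLASSES:
        if rx.search(ca_error):
            return name
    return "other"


def summarize(records):
    """Count requests by (status, failure class)."""
    return Counter((r.get("status", "?"), classify(r.get("ca-error")))
                   for r in records)


def hostname_mismatches(records):
    """(request_id, subject host, principal host) for each rejected request."""
    out = []
    for r in records:
        m = MISMATCH_RX.search(r.get("ca-error", ""))
        if m:
            out.append((r["request_id"], m.group(1), m.group(2)))
    return out


def report(text):
    """One line per request plus a hint for every hostname mismatch."""
    records = parse_getcert_list(text)
    lines = [f"{r['request_id']}: {r.get('status', '?')} "
             f"[{classify(r.get('ca-error'))}] {r.get('subject', '')}"
             for r in records]
    for req, subj, princ in hostname_mismatches(records):
        lines.append(f"hint: request {req} was made for '{subj}' but the host "
                     f"principal is '{princ}'; check `hostname -f` and the "
                     f"order of names in /etc/hosts")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the real output with `getcert list | python3 triage.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`; the class counts tell you whether you are looking at one root cause (an untrusted or expired CA chain on port 9443, an expired RA agent credential) repeated across requests, or at several independent ones.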
From rcritten at redhat.com Fri Apr 17 13:40:58 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Apr 2015 09:40:58 -0400 Subject: [Freeipa-users] posix ids not propgating In-Reply-To: References: <20150417075300.GM1308@p.redhat.com> <20150417110827.GO1308@p.redhat.com> <5531085D.4080505@redhat.com> Message-ID: <55310D6A.7050607@redhat.com> Bryan Pearson wrote: > Am I mistaken in your example: > > "You can find the master it is trying to talk to here: > $ ldapsearch -x -D 'cn=Directory Manager' -W -b > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" > > Mine: > $ ldapsearch -x -D 'cn=Directory Manager' -W -b > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan You're not sharing enough information. A list of DNA hosts tells us nothing when we don't know which host you're having a problem on, if a host is down or has been replaced, etc. I'd poke around the DNA plugin configuration in cn=config on each master to see what the actual DNA configuration is. You have one with the default max 1000, next 1001 expired configuration pointing at a host that is either down or has no ranges. Or easier, if you are running IPA 3.3+ then ipa-replica-manage has some DNA commands which makes this easier to figure out and fix. You don't want to set overlapping ranges. rob > Bryan > > > On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden wrote: >> Bryan Pearson wrote: >>> I believe that my master dna server isnt currently being used, so I did this. >>> >>> ldapsearch -x -D 'cn=Directory Manager' -W -b >>> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan >>> Enter LDAP Password: >> >> That's not the right location to search for the DNA configuration. 
See >> http://blog-rcritten.rhcloud.com/?p=50 >> >> rob >> From rcritten at redhat.com Fri Apr 17 13:42:53 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Fri, 17 Apr 2015 09:42:53 -0400 Subject: [Freeipa-users] Expired Certs In-Reply-To: <1650969340.6157855.1429277280191.JavaMail.yahoo@mail.yahoo.com> References: <552844CC.7040305@redhat.com> <1650969340.6157855.1429277280191.JavaMail.yahoo@mail.yahoo.com> Message-ID: <55310DDD.90003@redhat.com> John Williams wrote: > >> You are going way to far back in time AFAICT. The certs expired on April >> 5 of this year so you don't need to go back to 2014. Just go back to >> April 3 or 4. > >> You'll also need to restart IPA before kicking certmonger ipactl restart > >> rob > > > > > ******* SNIP ******* > > Thanks!! > > > Following your advice, it looks like only one of the eight certificates > are now monitoring. Check out the following: It's impossible to see what is going on with this output, other than the fact that your hostname seems to be using the shortname rather than FQDN (or order is bad in /etc/hosts), based on the error for the cert in MONITORING. rob > > > [root at ipa ~]# getcert list | grep -A1 status > status: CA_UNREACHABLE > ca-error: Error 60 connecting to > https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate > cannot be authenticated with known CA certificates. > -- > status: CA_UNREACHABLE > ca-error: Error 60 connecting to > https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate > cannot be authenticated with known CA certificates. > -- > status: CA_UNREACHABLE > ca-error: Error 60 connecting to > https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate > cannot be authenticated with known CA certificates. > -- > status: CA_UNREACHABLE > ca-error: Error 60 connecting to > https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate > cannot be authenticated with known CA certificates. 
> -- > status: CA_UNREACHABLE > ca-error: Error 60 connecting to > https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate > cannot be authenticated with known CA certificates. > -- > status: CA_UNREACHABLE > ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will > retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: EXCEPTION (Invalid Credential.)). > -- > status: CA_UNREACHABLE > ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will > retry: 4301 (RPC failed at server. Certificate operation cannot be > completed: EXCEPTION (Invalid Credential.)). > -- > status: MONITORING > ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request, > giving up: 2100 (RPC failed at server. Insufficient access: hostname in > subject of request 'ipa.infra.idef' does not match principal hostname > 'ipa'). > > How can I get the remaining certs fixed as well? Thanks in advance. > > > From Joshua.Gould at osumc.edu Fri Apr 17 14:29:31 2015 From: Joshua.Gould at osumc.edu (Gould, Joshua) Date: Fri, 17 Apr 2015 10:29:31 -0400 Subject: [Freeipa-users] LDAP bind failing on new IPA setup Message-ID: We setup our new IPA server (RHEL7) with a trust against our AD domain. 
The trust and ID range look right in IPA [root sssd]# ipa trust-show Realm name: example.com Realm name: EXAMPLE.COM Domain NetBIOS name: EXAMPLE Domain Security Identifier: S-1-5-21- Trust direction: Two-way trust Trust type: Active Directory domain [root sssd]# ipa idrange-find --all ---------------- 2 ranges matched ---------------- dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com Range name: EXAMPLE.COM_id_range First Posix ID of the range: 2000000 Number of IDs in the range: 900000 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21- Range type: Active Directory domain range iparangetyperaw: ipa-ad-trust objectclass: ipatrustedaddomainrange, ipaIDrange dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com Range name: UNIX.EXAMPLE.COM_id_range First Posix ID of the range: 369600000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range iparangetyperaw: ipa-local objectclass: top, ipaIDrange, ipaDomainIDRange ---------------------------- Number of entries returned 2 ---------------------------- [root sssd]# I see that the bind fails but I'm not sure why. Here are the errors. Could someone point me in the right direction please? 
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400) (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM' (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved' (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved' (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600 (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... 
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70 (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent! (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734]. (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully. 
(Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784 (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)] (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'domain_controller.EXAMPLE.COM' as 'not working' (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'domain_controller.EXAMPLE.COM' as 'not working' From abokovoy at redhat.com Fri Apr 17 14:49:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 17 Apr 2015 17:49:44 +0300 Subject: [Freeipa-users] LDAP bind failing on new IPA setup In-Reply-To: References: Message-ID: <20150417144944.GA4797@redhat.com> On Fri, 17 Apr 2015, Gould, Joshua wrote: >We setup our new IPA server (RHEL7) with a trust against our AD domain. 
>The trust and ID range look right in IPA > >[root sssd]# ipa trust-show >Realm name: example.com > Realm name: EXAMPLE.COM > Domain NetBIOS name: EXAMPLE > Domain Security Identifier: S-1-5-21- > Trust direction: Two-way trust > Trust type: Active Directory domain >[root sssd]# ipa idrange-find --all >---------------- >2 ranges matched >---------------- > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com > Range name: EXAMPLE.COM_id_range > First Posix ID of the range: 2000000 > Number of IDs in the range: 900000 > First RID of the corresponding RID range: 0 > Domain SID of the trusted domain: S-1-5-21- > Range type: Active Directory domain range > iparangetyperaw: ipa-ad-trust > objectclass: ipatrustedaddomainrange, ipaIDrange > > dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com > Range name: UNIX.EXAMPLE.COM_id_range > First Posix ID of the range: 369600000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 1000 > First RID of the secondary RID range: 100000000 > Range type: local domain range > iparangetyperaw: ipa-local > objectclass: top, ipaIDrange, ipaDomainIDRange >---------------------------- >Number of entries returned 2 >---------------------------- Either you obfuscated too much or your setup makes little sense as IPA local domain ID range is for unix.example.com while your realm is EXAMPLE.COM and AD realm is EXAMPLE.COM. This is not going to work -- IPA and AD have to have different realms. >[root sssd]# > >I see that the bind fails but I'm not sure why. Here are the errors. >Could someone point me in the right direction please? A single line you need to look at is this: (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. 
Minor code may provide more information (KDC policy rejects request)] KDC policy rejects request is Kerberos way of saying "My realm doesn't trust your realm, go away". In order to know what exactly is wrong, do following (it is all written in the troubleshooting section of the trust documentation on FreeIPA wiki): 1. add 'log level = 100' to [global] section of /usr/share/ipa/smb.conf.empty 2. Without restarting anything, re-establish trust with 'ipa trust-add ...'. 3. Look into /var/log/http/error_log to see a response for something like this: s4_tevent: Run immediate event "tevent_req_trigger": 0x7f5ccc084a40 netr_LogonControl2Ex: struct netr_LogonControl2Ex out: struct netr_LogonControl2Ex query : * query : union netr_CONTROL_QUERY_INFORMATION(case 2) info2 : * info2: struct netr_NETLOGON_INFO_2 flags : 0x000000b0 (176) 0: NETLOGON_REPLICATION_NEEDED 0: NETLOGON_REPLICATION_IN_PROGRESS 0: NETLOGON_FULL_SYNC_REPLICATION 0: NETLOGON_REDO_NEEDED 1: NETLOGON_HAS_IP 1: NETLOGON_HAS_TIMESERV 0: NETLOGON_DNS_UPDATE_FAILURE 1: NETLOGON_VERIFY_STATUS_RETURNED pdc_connection_status : WERR_OK trusted_dc_name : * trusted_dc_name : '\\rh7-1.ipacloud7.test' tc_connection_status : WERR_OK result : WERR_OK If instead of WERR_OK in pdc_connection_status you have something else, that is telling an error. Show us the output like above. -- / Alexander Bokovoy From sbose at redhat.com Fri Apr 17 14:58:40 2015 From: sbose at redhat.com (Sumit Bose) Date: Fri, 17 Apr 2015 16:58:40 +0200 Subject: [Freeipa-users] LDAP bind failing on new IPA setup In-Reply-To: References: Message-ID: <20150417145840.GQ1308@p.redhat.com> On Fri, Apr 17, 2015 at 10:29:31AM -0400, Gould, Joshua wrote: > We setup our new IPA server (RHEL7) with a trust against our AD domain. 
> The trust and ID range look right in IPA
>
> [root sssd]# ipa trust-show
> Realm name: example.com
> Realm name: EXAMPLE.COM
> Domain NetBIOS name: EXAMPLE
> Domain Security Identifier: S-1-5-21-
> Trust direction: Two-way trust
> Trust type: Active Directory domain
> [root sssd]# ipa idrange-find --all
> ----------------
> 2 ranges matched
> ----------------
> dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=examle,dc=com
> Range name: EXAMPLE.COM_id_range
> First Posix ID of the range: 2000000
> Number of IDs in the range: 900000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-
> Range type: Active Directory domain range
> iparangetyperaw: ipa-ad-trust
> objectclass: ipatrustedaddomainrange, ipaIDrange
>
> dn: cn=UNIX.EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
> Range name: UNIX.EXAMPLE.COM_id_range
> First Posix ID of the range: 369600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> iparangetyperaw: ipa-local
> objectclass: top, ipaIDrange, ipaDomainIDRange
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root sssd]#
>
> I see that the bind fails but I'm not sure why. Here are the errors. Could someone point me in the right direction please?
>
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/xxx, UNIX.EXAMPLE.COM, 86400)
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service EXAMPLE.COM
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'EXAMPLE.COM'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [get_server_status] (0x1000): Status of server 'domain_controller.EXAMPLE.COM' is 'name resolved'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [be_resolve_server_process] (0x0200): Found address for server domain_controller.EXAMPLE.COM: [1.2.3.4] TTL 3600
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 70
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8734]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f6ca7b71b70], connected[1], ops[(nil)], ldap[0x7f6ca7b89f20]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x1000): Waiting for child [8734].
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [child_sig_handler] (0x0100): child [8734] finished successfully.
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_UNIX.EXAMPLE.COM], expired on [1429366284]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1429280784
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: host/ipa_server.unix.EXAMPLE.COM
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC policy rejects request)]

This error typically indicates there were some issues during adding the trust, most probably the validation did not succeed completely. The most probable reasons here are firewalls between AD and IPA and DNS issues. Please check on the AD side that SRV records like _ldap._tcp.dc._msdcs.unix.example.com and _ldap._tcp.unix.example.com can be resolved on the AD side.
bye,
Sumit

> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'domain_controller.EXAMPLE.COM' as 'not working'
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
> (Fri Apr 17 10:11:24 2015) [sssd[be[unix.EXAMPLE.COM]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'domain_controller.EXAMPLE.COM' as 'not working'
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From janellenicole80 at gmail.com Fri Apr 17 15:16:41 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 17 Apr 2015 08:16:41 -0700
Subject: [Freeipa-users] 4.1.4 and OTP
Message-ID: <553123D9.5090800@gmail.com>

Hi,

Is anyone else having issues with OTP since upgrading? For the life of me I can't get it to accept "Sync" for the tokens. No matter what is put in, it just keeps saying the username, password or tokens entered are incorrect.

To make it simple - I am trying this on a brand new CentOS 7.1 system with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.

I create a user -- configure them. They work just fine with a password. Then add a token. Sync with FreeOTP and that all works. Then going back to the web UI and do Sync OTP and it simply refuses to accept any values. And yet the same user can login to the regular web UI with their password.

I have tried setting the user to both Password and OTP for auth methods. And also just OTP and nothing works.

Hints? Am I missing a step?

~J

From aalam at paperlesspost.com Fri Apr 17 16:11:24 2015
From: aalam at paperlesspost.com (Ash Alam)
Date: Fri, 17 Apr 2015 12:11:24 -0400
Subject: [Freeipa-users] Pro/Con on Admin accounts
Message-ID:

Hello

I wanted to get some input on what your approach is for admin accounts.
In the past I approached it where you have a user `John Doe`: he has a normal user account for everyday tasks (wifi, anything that talks ldap). He also has an admin account for when he needs to administer ipa, active directory etc.

There are a few groups of thought around this. Mine being that admin permissions should not be granted to accounts that are not specifically created to administer ipa/ad. I have worked at places where admin and user accounts were one and the same and others where they were separated.

Currently I have an opportunity to start fresh and wanted to get some input as to what the best approach would be. Freeipa and its developers are security conscious and it's built around security so getting your thoughts on this would be great.

Thank You

From dpal at redhat.com Fri Apr 17 16:44:47 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 12:44:47 -0400
Subject: [Freeipa-users] Critique
In-Reply-To: <20150417073352.GP5056@redhat.com>
References: <20150417073352.GP5056@redhat.com>
Message-ID: <5531387F.9020109@redhat.com>

On 04/17/2015 03:33 AM, Jan Pazdziora wrote:
> On Fri, Apr 17, 2015 at 09:14:33AM +0200, Andrew Holway wrote:
>> In an obviously blatant promotion exercise and attempt to build page
>> rank....
>>
>> Please could I have some critique on this article?
>>
>> http://otternetworks.de/tech/freeipa-technical-brief/
>>
>> Your feedback would be really appreciated
> Nice.
>
> One detail -- Red Hat prefers its name to be spelled "Red Hat".
>
Yes. Great article. I agree with other comments. It seems that you really have two parts: overview of the technologies and OpenVPN setup. Maybe it would make sense to have two parts of the article. Then the title can be "Overview of the modern Open Source Identity Management technologies and their use to provide 2FA with OpenVPN". A bit long but right to the point.

--
Thank you,
Dmitri Pal

Sr.
Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Fri Apr 17 16:53:47 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 12:53:47 -0400
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <553123D9.5090800@gmail.com>
References: <553123D9.5090800@gmail.com>
Message-ID: <55313A9B.2030408@redhat.com>

On 04/17/2015 11:16 AM, Janelle wrote:
> Hi,
>
> Is anyone else having issues with OTP since upgrading? For the life of
> me I can't get it to accept "Sync" for the tokens. No matter what is
> put in, it just keeps saying the username, password or tokens entered
> are incorrect.
>
> To make it simple - I am trying this on a brand new CentOS 7.1 system
> with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to
> work.
>
> I create a user -- configure them. They work just fine with a
> password. Then add a token. Sync with FreeOTP and that all works. Then
> going back to the web UI and do Sync OTP and it simply refuses to
> accept any values. And yet the same user can login to the regular web
> UI with their password.
>
> I have tried setting the user to both Password and OTP for auth
> methods. And also just OTP and nothing works.

Please look in the logs to see what is going on.
You would need to look at the KDC, http and DS logs on the server to sort out what is going on.

Do you change the password for the user first after creating him?

Can you reproduce the problem with the demo instance?
http://www.freeipa.org/page/Demo
If you can then we can take a look at the logs right away.

>
> Hints? Am I missing a step?
>
> ~J
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From dpal at redhat.com Fri Apr 17 17:01:19 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 13:01:19 -0400
Subject: [Freeipa-users] Pro/Con on Admin accounts
In-Reply-To:
References:
Message-ID: <55313C5F.5080600@redhat.com>

On 04/17/2015 12:11 PM, Ash Alam wrote:
> Hello
>
> I wanted to get some input on what your approach is for admin
> accounts. In the past I approached it where you have a user `John Doe`:
> he has a normal user account for everyday tasks (wifi, anything that
> talks ldap). He also has an admin account for when he needs to
> administer ipa, active directory etc.
>
> There are a few groups of thought around this. Mine being that admin
> permissions should not be granted to accounts that are not
> specifically created to administer ipa/ad. I have worked at places
> where admin and user accounts were one and the same and others where
> they were separated.
>
> Currently I have an opportunity to start fresh and wanted to get some
> input as to what the best approach would be. Freeipa and its
> developers are security conscious and it's built around security so
> getting your thoughts on this would be great.
>
> Thank You
>
>
I do not think there is a clear cut rule you can follow. This is why you have the experience with both approaches.

The question that I would ask is how significantly the administrative activity is logically segregated from end user activity in your environment. If there are a lot of areas that only special accounts can get to and no end user can routinely access then probably having a logical separation of the accounts would be better. If admins and users can access the same systems and applications and just have different privileges then you need to focus on access control anyway, so having separate accounts would be more overhead than gain.

But this is just my take on this. Others might disagree.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From janellenicole80 at gmail.com Fri Apr 17 17:20:26 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 17 Apr 2015 10:20:26 -0700
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <55313A9B.2030408@redhat.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com>
Message-ID: <553140DA.7020001@gmail.com>

On 4/17/15 9:53 AM, Dmitri Pal wrote:
> On 04/17/2015 11:16 AM, Janelle wrote:
>> Hi,
>>
>> Is anyone else having issues with OTP since upgrading? For the life
>> of me I can't get it to accept "Sync" for the tokens. No matter what
>> is put in, it just keeps saying the username, password or tokens
>> entered are incorrect.
>>
>> To make it simple - I am trying this on a brand new CentOS 7.1 system
>> with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses
>> to work.
>>
>> I create a user -- configure them. They work just fine with a
>> password. Then add a token. Sync with FreeOTP and that all works.
>> Then going back to the web UI and do Sync OTP and it simply refuses
>> to accept any values. And yet the same user can login to the regular
>> web UI with their password.
>>
>> I have tried setting the user to both Password and OTP for auth
>> methods. And also just OTP and nothing works.
>
> Please look in the logs to see what is going on.
> You would need to look at the KDC, http and DS logs on the server to
> sort out what is going on.
>
> Do you change the password for the user first after creating him?
>
> Can you reproduce the problem with the demo instance?
> http://www.freeipa.org/page/Demo
> If you can then we can take a look at the logs right away.
> Hints? Am I missing a step?
>
> ~J
>
It appears to be the UI. If I go through the steps and let it "fail", I can still login using OTP to servers. I made the assumption that the error itself was not an error..
:-)

~J

From asacamano at gmail.com Fri Apr 17 17:32:00 2015
From: asacamano at gmail.com (Andrew Sacamano)
Date: Fri, 17 Apr 2015 11:32:00 -0600
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
Message-ID:

Hi everyone,

I've spent a couple of days digging around the web, watching logs, and poking things, and I'm stuck getting sudo working with IPA on a new box I've just set up. I have had it working in the past on a test box, but something about this box is blocking me, and I can't for the life of me figure out what.

The basic symptom is that I can log into the Ubuntu box as an IPA user, but sudo is always denied:

[root at security-core-1 log]# ssh dru at jenkins
dru at jenkins's password:
...
Could not chdir to home directory /home/dru: No such file or directory
dru at jenkins:/$ sudo -l
[sudo] password for dru:
Sorry, user dru may not run sudo on jenkins.

I've appended version output, config files, sample logs, and ipa config - which I think is all of the relevant material, but I'll gladly share more if it's needed.

Thanks so much in advance for any debugging advice, hints, or help!

Cheers,

Andrew

===========
Version info
===========

Server:

# ipa --version
VERSION: 4.1.0, API_VERSION: 2.112
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)

Client:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
# sssd --version
1.11.5

===========
hostname, nisdomainname, config files, etc.
===========

On the client:

# hostname
jenkins.us-ca1.prod.mydomain.com
# nisdomainname
mydomain.com
# getent netgroup rdn | grep $HOSTNAME
rdn (jenkins.us-ca1.prod.mydomain.com,-,mydomain.com)

# cat /etc/sssd/sssd.conf
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = jenkins.us-ca1.prod.mydomain.com
chpass_provider = ipa
ipa_server = _srv_, security-core-1.prod.mydomain.com
dns_discovery_domain = mydomain.com
sudo_provider=ipa
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
debug_level = 9
[autofs]
[ssh]
[pac]

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss

===================
Host & group & user info in IPA
===================

# ipa host-show jenkins.us-ca1.prod.mydomain.com
Host name: jenkins.us-ca1.prod.mydomain.com
Certificate: ...
Principal name: host/jenkins.us-ca1.prod.mydomain.com at MYDOMAIN.COM
Password: False
Member of host-groups: rdn
Member of Sudo rule: priv_sudo_anywhere, dru_security
Keytab: True
Managed by: jenkins.us-ca1.prod.mydomain.com
Subject: CN=jenkins.us-ca1.prod.mydomain.com,O=MYDOMAIN.COM
Serial Number: 14
Serial Number (hex): 0xE
Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
Not Before: Fri Apr 10 17:43:10 2015 UTC
Not After: Mon Apr 10 17:43:10 2017 UTC
Fingerprint (MD5): ...
Fingerprint (SHA1): ...
SSH public key fingerprint: ...
# ipa sudorule-show priv_sudo_anywhere
Rule name: priv_sudo_anywhere
Description: Allow anyone with priv_sudo_anywhere to actually run sudo anywhere
Enabled: TRUE
Command category: all
RunAs User category: all
RunAs Group category: all
User Groups: priv_sudo_anywhere
Hosts: jenkins.us-ca1.prod.mydomain.com
Host Groups: security, dev-infrastructure, rdn, dev, prod

# ipa group-show priv_sudo_anywhere
Group name: priv_sudo_anywhere
Description: Give the privilege to SSH anywhere.
GID: 19000007
Member users: dru, ...
Member groups: role_prod_engineer
Member of Sudo rule: priv_sudo_anywhere, ...
Member of HBAC rule: sudo_anywhere_anywhere
Indirect Member users: ....

===================
Relevant (I think) log entries
===================

# tail -f /var/log/sssd/sssd_sudo.log
...
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 0x15b6520
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Apr 17 17:20:16 2015) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
....

(From a different attempt to run sudo)

# tail -f /var/log/auth.log
...
Apr 17 17:20:55 jenkins sshd[3335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:55 jenkins sshd[3335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= security-core-1.prod.mydomain.com user=dru
Apr 17 17:20:56 jenkins sshd[3335]: Accepted password for dru from 10.100.0.1 port 39910 ssh2
Apr 17 17:20:56 jenkins sshd[3335]: pam_unix(sshd:session): session opened for user dru by (uid=0)
Apr 17 17:20:56 jenkins sshd[3335]: pam_systemd(sshd:session): Failed to create session: No such file or directory
Apr 17 17:21:10 jenkins sudo: pam_unix(sudo:auth): authentication failure; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo: pam_sss(sudo:auth): authentication success; logname=dru uid=19000001 euid=0 tty=/dev/pts/3 ruser=dru rhost= user=dru
Apr 17 17:21:11 jenkins sudo: dru : command not allowed ; TTY=pts/3 ; PWD=/ ; USER=root ; COMMAND=list

From dpal at redhat.com Fri Apr 17 20:19:11 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 16:19:11 -0400
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <553140DA.7020001@gmail.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com>
Message-ID: <55316ABF.1000606@redhat.com>

On 04/17/2015 01:20 PM, Janelle wrote:
> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>> On 04/17/2015 11:16 AM, Janelle wrote:
>>> Hi,
>>>
>>> Is anyone else having issues with OTP since upgrading? For the life
>>> of me I can't get it to accept "Sync" for the tokens. No matter what
>>> is put in, it just keeps saying the username, password or tokens
>>> entered are incorrect.
>>>
>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>> refuses to work.
>>>
>>> I create a user -- configure them. They work just fine with a
>>> password. Then add a token. Sync with FreeOTP and that all works.
>>> Then going back to the web UI and do Sync OTP and it simply refuses
>>> to accept any values. And yet the same user can login to the regular
>>> web UI with their password.
>>>
>>> I have tried setting the user to both Password and OTP for auth
>>> methods. And also just OTP and nothing works.
>>
>> Please look in the logs to see what is going on.
>> You would need to look at the KDC, http and DS logs on the server to
>> sort out what is going on.
>>
>> Do you change the password for the user first after creating him?
>>
>> Can you reproduce the problem with the demo instance?
>> http://www.freeipa.org/page/Demo
>> If you can then we can take a look at the logs right away.
>> Hints? Am I missing a step?
>>
>> ~J
>>
> It appears to be the UI. If I go through the steps and let it "fail",
> I can still login using OTP to servers. I made the assumption that the
> error itself was not an error.. :-)
>
> ~J
>
I am not sure I get what you are saying. Do you still see the problem or did you misinterpret the UI and now the problem is gone? If you did, is there any recommendation on how to improve the UI so as not to confuse people?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
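Since the thread keeps circling around what "Sync OTP" is supposed to do and why a login can still succeed after the sync dialog reports a failure, here is an added, stand-alone illustration of the mechanics. This is my own example code, not FreeIPA's OTP implementation (which lives in its KDC and Directory Server plugins), and it uses only the Python standard library. The secret is the RFC 4226 / RFC 6238 test key; the look-ahead and resync window sizes are assumptions chosen for the example, not FreeIPA's values.

```python
# Added example, not FreeIPA's own OTP code. It shows what a token "sync"
# computes: the server searches a window of counters (HOTP) or clock
# offsets (TOTP) for the pair of consecutive codes the user typed, and
# why an ordinary login can still succeed without a sync (look-ahead).
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    if counter < 0:
        raise ValueError("HOTP counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def hotp_verify(secret, code, stored_counter, look_ahead=10, digits=6):
    """Normal login check for an HOTP token (look_ahead is an assumed
    value). The server accepts the code if it matches any counter in
    [stored, stored + look_ahead) and then advances past it. Returns the
    new counter to store, or None on failure. This look-ahead is why a
    token can keep logging in even when an explicit sync was refused:
    the token simply is not far enough ahead of the server."""
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def hotp_resync(secret, first, second, stored_counter, window=100, digits=6):
    """Token sync for HOTP: the user submits two consecutive codes and the
    server looks for a counter c with hotp(c) == first and hotp(c+1) ==
    second inside a larger window (assumed size). Two codes are required
    so that one guessed 6-digit value cannot move the stored counter.
    Returns the counter to store next (c + 2), or None if not found."""
    for c in range(stored_counter, stored_counter + window):
        if hotp(secret, c, digits) == first and hotp(secret, c + 1, digits) == second:
            return c + 2
    return None


def totp_resync(secret, first, second, now, step=30, max_drift_steps=50, digits=6):
    """Token sync for TOTP: find the clock drift in seconds (token minus
    server) such that the two submitted codes belong to consecutive time
    steps around the server's current step. Returns the drift, or None."""
    base = now // step
    for d in range(-max_drift_steps, max_drift_steps + 1):
        c = base + d
        if c < 0:
            continue  # before the Unix epoch; no such time step
        if hotp(secret, c, digits) == first and hotp(secret, c + 1, digits) == second:
            return d * step
    return None


if __name__ == "__main__":
    # Token is 4 counters ahead of the server: a plain login still works
    # (look-ahead), and a sync with codes for counters 4 and 5 lands on 6.
    print(hotp_verify(SECRET, hotp(SECRET, 4), stored_counter=0))
    print(hotp_resync(SECRET, hotp(SECRET, 4), hotp(SECRET, 5), 0))
    # Token clock 60 s behind the server: sync recovers the -60 s drift.
    print(totp_resync(SECRET, totp(SECRET, 59), totp(SECRET, 89), now=119))
```

The point for the thread: a sync that the server refuses does not invalidate the token, it just leaves the stored counter (or clock offset) where it was, so as long as the token stays inside the ordinary verification window a login keeps working, which matches what Janelle observes. A refused sync is only a real problem once the token drifts past that window.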
From lslebodn at redhat.com Fri Apr 17 20:28:23 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 17 Apr 2015 22:28:23 +0200
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To:
References:
Message-ID: <20150417202822.GA13306@mail.corp.redhat.com>

On (17/04/15 11:32), Andrew Sacamano wrote:
>Hi everyone,
>
>
>I've spent a couple of days digging around the web, watching logs, and
>poking things, and I'm stuck getting sudo working with IPA on a new box
>I've just set up. I have had it working in the past on a test box, but
>something about this box is blocking me, and I can't for the life of me
>figure out what.
>
>
>The basic symptom is that I can log into the Ubuntu box as an IPA user, but
>sudo is always denied:
>
>
>[root at security-core-1 log]# ssh dru at jenkins
>
>dru at jenkins's password:
>
>...
>
>Could not chdir to home directory /home/dru: No such file or directory
>
>dru at jenkins:/$ sudo -l
>
>[sudo] password for dru:
>
>Sorry, user dru may not run sudo on jenkins.
>
>
>I've appended version output, config files, sample logs, and ipa config -
>which I think is all of the relevant material, but I'll gladly share more
>if it's needed.
>
>
>Thanks so much in advance for any debugging advice, hints, or help!
>
>
I looked at the configuration files and they look good.

I have a few hints which might help you with troubleshooting:
* please ensure you have installed the package sudo and not sudo-ldap.
  The second one is not built with sssd support.
* please read about sudo caching in sssd:
  man sssd-sudo -> THE SUDO RULE CACHING MECHANISM
* please test simple sudo rules first
  (all hosts, one user instead of groups, ...)
* check whether sudo rules are cached by sssd (use ldb-tools)

If the previous hints do not help then you need to enable debugging in sudo and analyse the log file.
@see slide 18 in presentation[1]

LS

[1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

From janellenicole80 at gmail.com Fri Apr 17 20:52:09 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 17 Apr 2015 13:52:09 -0700
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <55316ABF.1000606@redhat.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com>
Message-ID: <55317279.3010107@gmail.com>

On 4/17/15 1:19 PM, Dmitri Pal wrote:
> On 04/17/2015 01:20 PM, Janelle wrote:
>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>> Hi,
>>>>
>>>> Is anyone else having issues with OTP since upgrading? For the life
>>>> of me I can't get it to accept "Sync" for the tokens. No matter
>>>> what is put in, it just keeps saying the username, password or
>>>> tokens entered are incorrect.
>>>>
>>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>>> refuses to work.
>>>>
>>>> I create a user -- configure them. They work just fine with a
>>>> password. Then add a token. Sync with FreeOTP and that all works.
>>>> Then going back to the web UI and do Sync OTP and it simply refuses
>>>> to accept any values. And yet the same user can login to the
>>>> regular web UI with their password.
>>>>
>>>> I have tried setting the user to both Password and OTP for auth
>>>> methods. And also just OTP and nothing works.
>>>
>>> Please look in the logs to see what is going on.
>>> You would need to look at the KDC, http and DS logs on the server to
>>> sort out what is going on.
>>>
>>> Do you change the password for the user first after creating him?
>>>
>>> Can you reproduce the problem with the demo instance?
>>> http://www.freeipa.org/page/Demo
>>> If you can then we can take a look at the logs right away.
>>> Hints? Am I missing a step?
>>>
>>> ~J
>>>
>> It appears to be the UI. If I go through the steps and let it "fail",
>> I can still login using OTP to servers. I made the assumption that
>> the error itself was not an error.. :-)
>>
>> ~J
>>
> I am not sure I get what you are saying. Do you still see the problem
> or did you misinterpret the UI and now the problem is gone? If you did,
> is there any recommendation on how to improve the UI so as not to confuse people?
>
The problem exists -- this is what it shows:

HOWEVER, it is still WORKING. Meaning, even if you get this error, if you attempt to login with your FreeOTP token, it WORKS.

~J

From asacamano at gmail.com Fri Apr 17 21:14:34 2015
From: asacamano at gmail.com (Andrew Sacamano)
Date: Fri, 17 Apr 2015 15:14:34 -0600
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To: <20150417202822.GA13306@mail.corp.redhat.com>
References: <20150417202822.GA13306@mail.corp.redhat.com>
Message-ID:

Thanks Lukas, I'm very glad to have concrete debugging suggestions. I'll investigate as you suggest and report back.

Thanks again,

Andrew

On Fri, Apr 17, 2015 at 2:28 PM, Lukas Slebodnik wrote:

> On (17/04/15 11:32), Andrew Sacamano wrote:
> >Hi everyone,
> >
> >
> >I've spent a couple of days digging around the web, watching logs, and
> >poking things, and I'm stuck getting sudo working with IPA on a new box
> >I've just set up. I have had it working in the past on a test box, but
> >something about this box is blocking me, and I can't for the life of me
> >figure out what.
> >
> >
> >The basic symptom is that I can log into the Ubuntu box as an IPA user,
> but
> >sudo is always denied:
> >
> >
> >[root at security-core-1 log]# ssh dru at jenkins
> >
> >dru at jenkins's password:
> >
> >...
> >
> >Could not chdir to home directory /home/dru: No such file or directory
> >
> >dru at jenkins:/$ sudo -l
> >
> >[sudo] password for dru:
> >
> >Sorry, user dru may not run sudo on jenkins.
> >
> >
> >I've appended version output, config files, sample logs, and ipa config -
> >which I think is all of the relevant material, but I'll gladly share more
> >if it's needed.
> >
> >
> >Thanks so much in advance for any debugging advice, hints, or help!
> >
> >
> I looked at the configuration files and they look good.
>
> I have a few hints which might help you with troubleshooting:
> * please ensure you have installed the package sudo and not sudo-ldap.
>   The second one is not built with sssd support.
> * please read about sudo caching in sssd:
>   man sssd-sudo -> THE SUDO RULE CACHING MECHANISM
> * please test simple sudo rules first
>   (all hosts, one user instead of groups, ...)
> * check whether sudo rules are cached by sssd (use ldb-tools)
>
> If the previous hints do not help then you need to enable
> debugging in sudo and analyse the log file.
> @see slide 18 in presentation[1]
>
> LS
>
> [1] http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>

From dpal at redhat.com Fri Apr 17 23:36:40 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 19:36:40 -0400
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <55317279.3010107@gmail.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com>
Message-ID: <55319908.60109@redhat.com>

On 04/17/2015 04:52 PM, Janelle wrote:
> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>> On 04/17/2015 01:20 PM, Janelle wrote:
>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>> Hi,
>>>>>
>>>>> Is anyone else having issues with OTP since upgrading?
>>>>> For the
>>>>> life of me I can't get it to accept "Sync" for the tokens. No
>>>>> matter what is put in, it just keeps saying the username, password
>>>>> or tokens entered are incorrect.
>>>>>
>>>>> To make it simple - I am trying this on a brand new CentOS 7.1
>>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it just
>>>>> refuses to work.
>>>>>
>>>>> I create a user -- configure them. They work just fine with a
>>>>> password. Then add a token. Sync with FreeOTP and that all works.
>>>>> Then going back to the web UI and do Sync OTP and it simply
>>>>> refuses to accept any values. And yet the same user can login to
>>>>> the regular web UI with their password.
>>>>>
>>>>> I have tried setting the user to both Password and OTP for auth
>>>>> methods. And also just OTP and nothing works.
>>>>
>>>> Please look in the logs to see what is going on.
>>>> You would need to look at the KDC, http and DS logs on the server
>>>> to sort out what is going on.
>>>>
>>>> Do you change the password for the user first after creating him?
>>>>
>>>> Can you reproduce the problem with the demo instance?
>>>> http://www.freeipa.org/page/Demo
>>>> If you can then we can take a look at the logs right away.
>>>> Hints? Am I missing a step?
>>>>
>>>> ~J
>>>>
>>> It appears to be the UI. If I go through the steps and let it
>>> "fail", I can still login using OTP to servers. I made the
>>> assumption that the error itself was not an error.. :-)
>>>
>>> ~J
>>>
>> I am not sure I get what you are saying. Do you still see the problem
>> or did you misinterpret the UI and now the problem is gone? If you did,
>> is there any recommendation on how to improve the UI so as not to confuse people?
>>
> The problem exists -- this is what it shows:
> HOWEVER, it is still WORKING. Meaning, even if you get this error, if
> you attempt to login with your FreeOTP token, it WORKS.
>
> ~J
>
>
>
>
Does it give you this error when you use the password or the password and token?
Can you please describe the flow of steps in more details?
I start browser, go here, click here, enter this, etc.

Are you using SSSD to login to servers? Is SSSD configured with IPA provider or you configured it for LDAP manually. There is a difference between LDAP and Kerberos authentication.

Maybe the following article will help you to understand the expectations:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp

I suspect it is some combination of flags and protocols that is confusing.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

[image/png attachment, 33523 bytes, scrubbed from the archive]

From janellenicole80 at gmail.com Sat Apr 18 00:07:04 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 17 Apr 2015 17:07:04 -0700
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <55319908.60109@redhat.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com>
Message-ID: <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com>

> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>
>> On 04/17/2015 04:52 PM, Janelle wrote:
>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Is anyone else having issues with OTP since upgrading? For the life of me I can't get it to accept "Sync" for the tokens. No matter what is put in, it just keeps saying the username, password or tokens entered are incorrect.
>>>>>>
>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 system with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.
>>>>>>
>>>>>> I create a user -- configure them. They work just fine with a password. Then add a token. Sync with FreeOTP and that all works. Then going back to the web UI and do Sync OTP and it simply refuses to accept any values. And yet the same user can login to the regular web UI with their password.
>>>>>>
>>>>>> I have tried setting the user to both Password and OTP for auth methods. And also just OTP and nothing works.
>>>>>
>>>>> Please look in the logs to see what is going on.
>>>>> You would need to look at the KDC, http and DS logs on the server to sort out what is going on.
>>>>>
>>>>> Do you change the password for the user first after creating him?
>>>>>
>>>>> Can you reproduce the problem with demo instance?
>>>>> http://www.freeipa.org/page/Demo
>>>>> If you can then we can take a look at the logs right away.
>>>>> Hints? Am I missing a step?
>>>>>
>>>>> ~J
>>>>>
>>>> It appears to be the UI. If I go through the steps and let it "fail", I can still login using OTP to servers. I made the assumption that the error itself was not an error.. :-)
>>>>
>>>> ~J
>>>>
>>> I am not sure I get what you are saying. Do you still see the problem or you misinterpreted the UI and now the problem is gone? If you did is there any recommendation how to improve the UI not to confuse people?
>>>
>> The problem exists -- this is what it shows:
>> HOWEVER, it is still WORKING. Meaning, even if you get this error, if you attempt to login with your FreeOTP token, it WORKS.
>>
>> ~J
>>
>>
>>
>>
>
> Does it give you this error when you use password or password and token?
> Can you please describe the flow of steps in more details?
> I start browser, go here, click here, enter this, etc.
>
> Are you using SSSD to login to servers? Is SSSD configured with IPA provider or you configured it for LDAP manually.
> There is a difference between LDAP and Kerberos authentication.
>
> Maybe the following article will help you to understand the expectations:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>
>
>
> I suspect it is some combination of flags and protocols that is confusing

Simple. And my test made it simple.
Stand up new vm running fc21/freeipa.
Configure user.
Add password.
Add token.

Login to the vm with the user created using password. Kerberos ticket assigned, all is well.

Login to web interface with admin. Change user to OTP only.
Go to web UI and click sync OTP.
Enter username, password and 2 OTP sequences. Click sync. Error appears.

Now, ssh to same vm using OTP username. Enter password + OTP value.
Login successful.
Logout.
Repeat, but try JUST the password, and it fails.

???
~J
[image/png attachment mime-attachment.png, 33523 bytes, scrubbed from the archive]

From dpal at redhat.com Sat Apr 18 00:59:57 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 17 Apr 2015 20:59:57 -0400
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com> <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com>
Message-ID: <5531AC8D.3070900@redhat.com>

On 04/17/2015 08:07 PM, Janelle wrote:
>
>
>
>
> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>
>> On 04/17/2015 04:52 PM, Janelle wrote:
>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Is anyone else having issues with OTP since upgrading? For the life of me I can't get it to accept "Sync" for the tokens. No matter what is put in, it just keeps saying the username, password or tokens entered are incorrect.
>>>>>>>
>>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 system with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.
>>>>>>>
>>>>>>> I create a user -- configure them. They work just fine with a password. Then add a token. Sync with FreeOTP and that all works. Then going back to the web UI and do Sync OTP and it simply refuses to accept any values. And yet the same user can login to the regular web UI with their password.
>>>>>>>
>>>>>>> I have tried setting the user to both Password and OTP for auth methods. And also just OTP and nothing works.
>>>>>>
>>>>>> Please look in the logs to see what is going on.
>>>>>> You would need to look at the KDC, http and DS logs on the server to sort out what is going on.
>>>>>>
>>>>>> Do you change the password for the user first after creating him?
>>>>>>
>>>>>> Can you reproduce the problem with demo instance?
>>>>>> http://www.freeipa.org/page/Demo
>>>>>> If you can then we can take a look at the logs right away.
>>>>>> Hints? Am I missing a step?
>>>>>>
>>>>>> ~J
>>>>>>
>>>>> It appears to be the UI. If I go through the steps and let it "fail", I can still login using OTP to servers. I made the assumption that the error itself was not an error.. :-)
>>>>>
>>>>> ~J
>>>>>
>>>> I am not sure I get what you are saying. Do you still see the problem or you misinterpreted the UI and now the problem is gone? If you did is there any recommendation how to improve the UI not to confuse people?
>>>>
>>> The problem exists -- this is what it shows:
>>> HOWEVER, it is still WORKING. Meaning, even if you get this error, if you attempt to login with your FreeOTP token, it WORKS.
>>>
>>> ~J
>>>
>>>
>>>
>>>
>>
>> Does it give you this error when you use password or password and token?
>> Can you please describe the flow of steps in more details?
>> I start browser, go here, click here, enter this, etc.
>>
>> Are you using SSSD to login to servers? Is SSSD configured with IPA provider or you configured it for LDAP manually. There is a difference between LDAP and Kerberos authentication.
>>
>> Maybe the following article will help you to understand the expectations:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>>
>>
>>
>> I suspect it is some combination of flags and protocols that is confusing
>
> Simple. And my test made it simple.
> Stand up new vm running fc21/freeipa.
> Configure user.
> Add password.
> Add token.
>
> Login to the vm with the user created using password.
> Kerberos ticket assigned, all is well.
>
> Login to web interface with admin. Change user to OTP only.
> Go to web UI and click sync OTP.
> Enter username, password and 2 OTP sequences. Click sync. Error appears.
>
> Now, ssh to same vm using OTP username. Enter password + OTP value.
> Login successful.

I can reproduce this issue with demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use time based or event based?

>
> Logout.
> Repeat, but try JUST the password, and it fails.
>
> ???
> ~J

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From benjamen at dollarshaveclub.com Sat Apr 18 01:12:03 2015
From: benjamen at dollarshaveclub.com (Benjamen Keroack)
Date: Fri, 17 Apr 2015 18:12:03 -0700
Subject: [Freeipa-users] External group membership
Message-ID:

Hi,

We have a number of local groups on our IPA-managed servers that we add LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:

$ usermod -a -G local-group test.user

However I'm trying to do this as part of user provisioning in IPA via user groups. I've created external user groups in IPA, then added those external groups to the user groups that new users are added to via automember rules. For example:

local-group [external] -> [is a member of] -> developers [IPA group]

Then I SSH into one of the servers as a user who is a member of developers:

test.user at qa$ groups
test.user developers qa_users

I do not see 'local-group' membership, even after restarting sssd/rebooting. Is it possible to achieve this kind of automatic local group membership? The only alternative I can see would be to write a SUID binary that .bash_profile runs on login to add them to the applicable groups, which seems like a bad hack.

This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.
Thanks for any help,

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com

From janellenicole80 at gmail.com Sat Apr 18 03:21:19 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Fri, 17 Apr 2015 20:21:19 -0700
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <5531AC8D.3070900@redhat.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com> <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com> <5531AC8D.3070900@redhat.com>
Message-ID: <5531CDAF.1080506@gmail.com>

On 4/17/15 5:59 PM, Dmitri Pal wrote:
> On 04/17/2015 08:07 PM, Janelle wrote:
>>
>>
>>
>>
>> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>>
>>> On 04/17/2015 04:52 PM, Janelle wrote:
>>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Is anyone else having issues with OTP since upgrading? For the life of me I can't get it to accept "Sync" for the tokens. No matter what is put in, it just keeps saying the username, password or tokens entered are incorrect.
>>>>>>>>
>>>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 system with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.
>>>>>>>>
>>>>>>>> I create a user -- configure them. They work just fine with a password. Then add a token. Sync with FreeOTP and that all works. Then going back to the web UI and do Sync OTP and it simply refuses to accept any values. And yet the same user can login to the regular web UI with their password.
>>>>>>>>
>>>>>>>> I have tried setting the user to both Password and OTP for auth methods.
>>>>>>>> And also just OTP and nothing works.
>>>>>>>
>>>>>>> Please look in the logs to see what is going on.
>>>>>>> You would need to look at the KDC, http and DS logs on the server to sort out what is going on.
>>>>>>>
>>>>>>> Do you change the password for the user first after creating him?
>>>>>>>
>>>>>>> Can you reproduce the problem with demo instance?
>>>>>>> http://www.freeipa.org/page/Demo
>>>>>>> If you can then we can take a look at the logs right away.
>>>>>>> Hints? Am I missing a step?
>>>>>>>
>>>>>>> ~J
>>>>>>>
>>>>>> It appears to be the UI. If I go through the steps and let it "fail", I can still login using OTP to servers. I made the assumption that the error itself was not an error.. :-)
>>>>>>
>>>>>> ~J
>>>>>>
>>>>> I am not sure I get what you are saying. Do you still see the problem or you misinterpreted the UI and now the problem is gone? If you did is there any recommendation how to improve the UI not to confuse people?
>>>>>
>>>> The problem exists -- this is what it shows:
>>>> HOWEVER, it is still WORKING. Meaning, even if you get this error, if you attempt to login with your FreeOTP token, it WORKS.
>>>>
>>>> ~J
>>>>
>>>>
>>>>
>>>>
>>>
>>> Does it give you this error when you use password or password and token?
>>> Can you please describe the flow of steps in more details?
>>> I start browser, go here, click here, enter this, etc.
>>>
>>> Are you using SSSD to login to servers? Is SSSD configured with IPA provider or you configured it for LDAP manually. There is a difference between LDAP and Kerberos authentication.
>>>
>>> Maybe the following article will help you to understand the expectations:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>>>
>>>
>>>
>>> I suspect it is some combination of flags and protocols that is confusing
>>
>> Simple. And my test made it simple.
>> Stand up new vm running fc21/freeipa.
>> Configure user.
>> Add password.
>> Add token.
>>
>> Login to the vm with the user created using password. Kerberos ticket assigned, all is well.
>>
>> Login to web interface with admin. Change user to OTP only.
>> Go to web UI and click sync OTP.
>> Enter username, password and 2 OTP sequences. Click sync. Error appears.
>>
>> Now, ssh to same vm using OTP username. Enter password + OTP value.
>> Login successful.
>
> I can reproduce this issue with demo instance.
> I will file a bug later today.
> I think it is a bug with sync.
> Which token do you use time based or event based?

TOTP...

Hmm, makes me wonder - with HOTP fail the same? Off to try it.

~J

PS - is there a way to sync a token from command line? I can't think of a way, but maybe...

From dpal at redhat.com Sat Apr 18 04:03:11 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 18 Apr 2015 00:03:11 -0400
Subject: [Freeipa-users] 4.1.4 and OTP
In-Reply-To: <5531CDAF.1080506@gmail.com>
References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com> <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com> <5531AC8D.3070900@redhat.com> <5531CDAF.1080506@gmail.com>
Message-ID: <5531D77F.9010105@redhat.com>

On 04/17/2015 11:21 PM, Janelle wrote:
> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>
>>>
>>>
>>>
>>> On Apr 17, 2015, at 16:36, Dmitri Pal wrote:
>>>
>>>> On 04/17/2015 04:52 PM, Janelle wrote:
>>>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Is anyone else having issues with OTP since upgrading?
>>>>>>>>> For the life of me I can't get it to accept "Sync" for the tokens. No matter what is put in, it just keeps saying the username, password or tokens entered are incorrect.
>>>>>>>>>
>>>>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 system with a clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.
>>>>>>>>>
>>>>>>>>> I create a user -- configure them. They work just fine with a password. Then add a token. Sync with FreeOTP and that all works. Then going back to the web UI and do Sync OTP and it simply refuses to accept any values. And yet the same user can login to the regular web UI with their password.
>>>>>>>>>
>>>>>>>>> I have tried setting the user to both Password and OTP for auth methods. And also just OTP and nothing works.
>>>>>>>>
>>>>>>>> Please look in the logs to see what is going on.
>>>>>>>> You would need to look at the KDC, http and DS logs on the server to sort out what is going on.
>>>>>>>>
>>>>>>>> Do you change the password for the user first after creating him?
>>>>>>>>
>>>>>>>> Can you reproduce the problem with demo instance?
>>>>>>>> http://www.freeipa.org/page/Demo
>>>>>>>> If you can then we can take a look at the logs right away.
>>>>>>>> Hints? Am I missing a step?
>>>>>>>>
>>>>>>>> ~J
>>>>>>>>
>>>>>>> It appears to be the UI. If I go through the steps and let it "fail", I can still login using OTP to servers. I made the assumption that the error itself was not an error.. :-)
>>>>>>>
>>>>>>> ~J
>>>>>>>
>>>>>> I am not sure I get what you are saying. Do you still see the problem or you misinterpreted the UI and now the problem is gone? If you did is there any recommendation how to improve the UI not to confuse people?
>>>>>>
>>>>> The problem exists -- this is what it shows:
>>>>> HOWEVER, it is still WORKING.
>>>>> Meaning, even if you get this error, if you attempt to login with your FreeOTP token, it WORKS.
>>>>>
>>>>> ~J
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> Does it give you this error when you use password or password and token?
>>>> Can you please describe the flow of steps in more details?
>>>> I start browser, go here, click here, enter this, etc.
>>>>
>>>> Are you using SSSD to login to servers? Is SSSD configured with IPA provider or you configured it for LDAP manually. There is a difference between LDAP and Kerberos authentication.
>>>>
>>>> Maybe the following article will help you to understand the expectations:
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>>>>
>>>>
>>>>
>>>> I suspect it is some combination of flags and protocols that is confusing
>>>
>>> Simple. And my test made it simple.
>>> Stand up new vm running fc21/freeipa.
>>> Configure user.
>>> Add password.
>>> Add token.
>>>
>>> Login to the vm with the user created using password. Kerberos ticket assigned, all is well.
>>>
>>> Login to web interface with admin. Change user to OTP only.
>>> Go to web UI and click sync OTP.
>>> Enter username, password and 2 OTP sequences. Click sync. Error appears.
>>>
>>> Now, ssh to same vm using OTP username. Enter password + OTP value.
>>> Login successful.
>>
>> I can reproduce this issue with demo instance.
>> I will file a bug later today.
>> I think it is a bug with sync.
>> Which token do you use time based or event based?
> TOTP...
>
> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
>
> ~J
>
> PS - is there a way to sync a token from command line? I can't think of a way, but maybe...

Yes, there is a command line. But you do not really need to sync it. So far it works without syncing as you have noticed.
It seems that the bug is with TOTP token. With HOTP token it seems to work fine.
I filed a ticket https://fedorahosted.org/freeipa/ticket/4990
I also filed another ticket https://fedorahosted.org/freeipa/ticket/4991
And another one https://fedorahosted.org/freeipa/ticket/4992

>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Sat Apr 18 04:07:24 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 18 Apr 2015 00:07:24 -0400
Subject: [Freeipa-users] External group membership
In-Reply-To:
References:
Message-ID: <5531D87C.7010907@redhat.com>

On 04/17/2015 09:12 PM, Benjamen Keroack wrote:
> Hi,
>
> We have a number of local groups on our IPA-managed servers that we add LDAP/IPA users to. This works fine locally on the server on an ad hoc basis:
>
> $ usermod -a -G local-group test.user
>
> However I'm trying to do this as part of user provisioning in IPA via user groups. I've created external user groups in IPA, then added those external groups to the user groups that new users are added to via automember rules. For example:
>
> local-group [external] -> [is a member of] -> developers [IPA group]
>
> Then I SSH into one of the servers as a user who is a member of developers:
>
> test.user at qa$ groups
> test.user developers qa_users
>
> I do not see 'local-group' membership, even after restarting sssd/rebooting. Is it possible to achieve this kind of automatic local group membership? The only alternative I can see would be to write a SUID binary that .bash_profile runs on login to add them to the applicable groups, which seems like a bad hack.
>
> This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty.
>
> Thanks for any help,
>
> --
> Benjamen Keroack
> /Infrastructure/DevOps Engineer/
> benjamen at dollarshaveclub.com
>
>

It looks like you are looking for this: https://fedorahosted.org/sssd/ticket/1591
It is on the roadmap for 1.13 alpha which should be out in couple months.
Would you be interested to test?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From asacamano at gmail.com Sun Apr 19 18:51:30 2015
From: asacamano at gmail.com (Andrew Sacamano)
Date: Sun, 19 Apr 2015 12:51:30 -0600
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To:
References: <20150417202822.GA13306@mail.corp.redhat.com>
Message-ID:

Thanks again Lukas,

These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!

With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the "id" command. Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option "enumerate" defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.

Many thanks again!

-Andrew
From dpal at redhat.com Sun Apr 19 23:07:43 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 19 Apr 2015 19:07:43 -0400
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To:
References: <20150417202822.GA13306@mail.corp.redhat.com>
Message-ID: <5534353F.4040208@redhat.com>

On 04/19/2015 02:51 PM, Andrew Sacamano wrote:
> Thanks again Lukas,
>
> These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
>
> With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the "id" command. Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option "enumerate" defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.

Enumerate is generally discouraged. The fact that enumeration helped means that something was not correct in the cache. It seems it just masked the issue not solved it.

>
> Many thanks again!
>
> -Andrew
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From lslebodn at redhat.com Mon Apr 20 07:29:58 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 20 Apr 2015 09:29:58 +0200
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To:
References: <20150417202822.GA13306@mail.corp.redhat.com>
Message-ID: <20150420072957.GC30713@mail.corp.redhat.com>

On (19/04/15 12:51), Andrew Sacamano wrote:
>Thanks again Lukas,
>
>These turned out to be very helpful debugging suggestions, and were the critical part of getting the problem solved - the pointer to ldb-tools was extremely helpful in identifying where the issue was happening!
>
>With them, I was able to see the right sudo rules were being cached, and that the change from sudo working to sudo not working happened not because of the host, but because of the user, and in particular, the user being listed explicitly, or only as part of a group. The user's groups were being listed in the user's entry in the cache, but not when running the "id" command. Some quick googling, and I discovered that in Ubuntu 14.04, the sssd option "enumerate" defaults to false, which meant that the group memberships were not taking effect, which meant that sudo rules based on membership in a group weren't working. Setting enumerate to true got everything working.
>
If you have a problem with "id" might be caused by https://fedorahosted.org/sssd/ticket/2471
You can fix the bug with amending configuration.
put
    ldap_group_object_class = ipaUserGroup
into domain section of sssd.conf

It should work even with disabled enumeration.
LS

From john.obaterspok at gmail.com Mon Apr 20 09:41:51 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Mon, 20 Apr 2015 11:41:51 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <20150415130853.GC893@mail.corp.redhat.com>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <20150415065313.GI2859@hendrix> <20150415130853.GC893@mail.corp.redhat.com>
Message-ID:

2015-04-15 15:08 GMT+02:00 Lukas Slebodnik :

> On (15/04/15 08:53), Jakub Hrozek wrote:
> >I pushed the selinux performance patches upstream yesterday. They will make their way to 7.2, 6.7 and I guess Lukas might also cherry-pick them for Fedora.
> >
> Packages for fedora 21,22 are built.
> You just need to wait until they are available in updates testing or you can download packages from koji.
>
> https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
> https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21
>
> Please test and provide karma.

Karma provided.

For my setup I'm finally back to the 3-4 seconds login time for a user with only a handful of groups.

Thanks!

-- john

From Alexander.Frolushkin at megafon.ru Mon Apr 20 10:00:57 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Mon, 20 Apr 2015 10:00:57 +0000
Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update
Message-ID: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru>

Hello!
We found our host enrollment role does not work after ipa server update.
Now user having this role get this error:
Joining realm failed: No permission to join this host to the IPA domain.

Maybe now we need to add some addition permissions to this role, can someone to point out which permissions is required to add new host to domain?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From dkupka at redhat.com Mon Apr 20 10:23:13 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 20 Apr 2015 12:23:13 +0200
Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update
In-Reply-To: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru>
References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru>
Message-ID: <5534D391.2030306@redhat.com>

On 04/20/2015 12:00 PM, Alexander Frolushkin wrote:
> Hello!
> We found our host enrollment role does not work after ipa server update.
> Now user having this role get this error:
> Joining realm failed: No permission to join this host to the IPA domain.
>
> Maybe now we need to add some addition permissions to this role, can someone to point out which permissions is required to add new host to domain?
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>

Hello!
This thread seems to solve a similar issue: https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html -- David Kupka From Alexander.Frolushkin at megafon.ru Mon Apr 20 11:06:18 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Mon, 20 Apr 2015 11:06:18 +0000 Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update In-Reply-To: <5534D391.2030306@redhat.com> References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> Message-ID: >Hello! >This thread seems to solve a similar issue: >https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html Thank You, but... On 3.3 I used this thread to make it work. But on 4.1: User, able to enroll:
memberofindirect: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Replication Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
User, not able to enroll:
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: ipaUniqueID=05b0d3f4-d2e1-11e4-b40b-00505698162f,cn=sudorules,cn=sudo,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
I tried to make it look as close as possible in terms of permissions (replication agreements do not look like a required permission). But the first one works (enrolling a new host to IPA), the second one does not. -- David Kupka From Alexander.Frolushkin at megafon.ru Mon Apr 20 11:21:02 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Mon, 20 Apr 2015 11:21:02 +0000 Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update In-Reply-To: References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> Message-ID: Very strange. If this user acts as a member of the admins group, it can enroll a host. If not, it can't. The only difference this group brings in permissions is a number of replication agreement permissions... 
-----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Alexander Frolushkin Sent: Monday, April 20, 2015 5:06 PM To: 'David Kupka'; freeipa-users at redhat.com Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update >Hello! >This thread seems to solve a similar issue: >https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html Thank You, but... On 3.3 I used this thread to make it work. But on 4.1: User, able to enroll:
memberofindirect: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Replication Administrators,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
User, not able to enroll:
memberofindirect: cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Modify Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Modify DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Read DNA Range,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add Hosts,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: ipaUniqueID=05b0d3f4-d2e1-11e4-b40b-00505698162f,cn=sudorules,cn=sudo,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=Host Enrollment,cn=privileges,cn=pbac,dc=unix,dc=megafon,dc=ru
memberofindirect: cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
I tried to make it look as close as possible in terms of permissions (replication agreements do not look like a required permission). But the first one works (enrolling a new host to IPA), the second one does not. -- David Kupka From david.dejaeghere at gmail.com Mon Apr 20 12:17:07 2015 From: david.dejaeghere at gmail.com (David Dejaeghere) Date: Mon, 20 Apr 2015 14:17:07 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: <55310A2A.9060701@redhat.com> References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com> <55310A2A.9060701@redhat.com> Message-ID: Hi, Let me know how I can assist. In the meantime could I set up a replica using a different certificate? Self signed or anything like that? Regards, D 2015-04-17 15:27 GMT+02:00 Jan Cholasta : > Hi, > > I don't have any new information. I'm trying to reproduce the problem but > had no luck so far. > > Honza > > On 17.4.2015 at 15:23 David Dejaeghere wrote: > >> Hi, >> >> Any more things I can try out? 
How do we proceed? >> >> Kind Regards, >> >> D >> >> 2015-04-15 11:48 GMT+02:00 David Dejaeghere > >: >> >> Hi Honza, >> >> That gave me the exact same output. Any ideas? >> >> Regards, >> >> D >> >> 2015-04-15 7:33 GMT+02:00 Jan Cholasta > >: >> >> Hi, >> >> On 14.4.2015 at 19:47 Rob Crittenden wrote: >> >> David Dejaeghere wrote: >> >> Hi Rob, >> >> So you want the output of the command using pk12 with >> server cert and >> key? or with the ca chain in there too? >> >> >> Oddly enough it is failing in exactly the same place. Those >> GoDaddy CA >> certs are still being loaded from somewhere, I'm not sure >> where, and I >> suspect that is the source of the problem. >> >> >> They are in the default CA certificate bundle (in the >> ca-certificate package). I guess NSS loads it automatically. >> >> >> I'm going to forward the log to a colleague who has worked >> on this code >> more recently than I have. Maybe he will have an idea. >> >> >> Could you try if the following works?
>>
>> # mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt /root/ca-bundle.trust.crt
>> # update-ca-trust
>> # ipa-replica-prepare ...
>> # mv /root/ca-bundle.trust.crt /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
>> # update-ca-trust
>>
>> rob >> >> >> Honza >> >> -- >> Jan Cholasta >> >> >> >> > > -- > Jan Cholasta > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sdutina at gmail.com Mon Apr 20 14:13:03 2015 From: sdutina at gmail.com (Srdjan Dutina) Date: Mon, 20 Apr 2015 14:13:03 +0000 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients Message-ID: Hi, Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust. For Centos 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If yes, does this apply to AD users also? Thank you! -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From abokovoy at redhat.com Mon Apr 20 14:30:19 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Apr 2015 17:30:19 +0300 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: References: Message-ID: <20150420143019.GF4797@redhat.com> On Mon, 20 Apr 2015, Srdjan Dutina wrote: >Hi, > >Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust. > >For Centos 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If >yes, does this apply to AD users also? SSSD 1.5.1 does not have SUDO support. HBAC support in 1.5.1 will most likely not work with the compat tree that is required for legacy clients to support AD users. I don't think this was even tested. -- / Alexander Bokovoy From rcritten at redhat.com Mon Apr 20 14:41:00 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 20 Apr 2015 10:41:00 -0400 Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update In-Reply-To: References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> Message-ID: <55350FFC.7030308@redhat.com> Alexander Frolushkin wrote: > Very strange. If this user acts as a member of the admins group, it can enroll a host. If not, it can't. > The only difference this group brings in permissions is a number of replication agreement permissions... admins can do nearly anything so that's not surprising. For host enrollment these permissions are quite broad IMHO, particularly the replication bits. Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all of this so you shouldn't need to try capturing stdout. At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed. At a glance these permissions look sufficient, and then some. 
rob From sdutina at gmail.com Mon Apr 20 14:47:43 2015 From: sdutina at gmail.com (Srdjan Dutina) Date: Mon, 20 Apr 2015 14:47:43 +0000 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: <20150420143019.GF4797@redhat.com> References: <20150420143019.GF4797@redhat.com> Message-ID: Thanks for the quick answer! If I disable the HBAC rule, I can still log in to the Centos 5 client using an IPA user, but not using an AD user. Is there a workaround? I need "allow_all" disabled because of newer IPA clients. On Mon, Apr 20, 2015 at 4:30 PM Alexander Bokovoy wrote: > On Mon, 20 Apr 2015, Srdjan Dutina wrote: > >Hi, > > > >Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust. > > > >For Centos 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If > >yes, does this apply to AD users also? > SSSD 1.5.1 does not have SUDO support. > > HBAC support in 1.5.1 will most likely not work with the compat tree that is > required for legacy clients to support AD users. I don't think this > was even tested. > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Mon Apr 20 14:51:44 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Apr 2015 17:51:44 +0300 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: References: <20150420143019.GF4797@redhat.com> Message-ID: <20150420145144.GH4797@redhat.com> On Mon, 20 Apr 2015, Srdjan Dutina wrote: >Thanks for the quick answer! > >If I disable the HBAC rule, I can still log in to the Centos 5 client using an IPA >user, but not using an AD user. Is there a workaround? >I need "allow_all" disabled because of newer IPA clients. There is no workaround so far. 
-- / Alexander Bokovoy From sdutina at gmail.com Mon Apr 20 14:59:43 2015 From: sdutina at gmail.com (Srdjan Dutina) Date: Mon, 20 Apr 2015 14:59:43 +0000 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: <20150420145144.GH4797@redhat.com> References: <20150420143019.GF4797@redhat.com> <20150420145144.GH4797@redhat.com> Message-ID: Just found in http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following sentence: "If you have HBAC's allow_all rule disabled, you will need to allow system-auth service on the FreeIPA master, so that authentication of the AD users can be performed." Is this true for FreeIPA 4.1.0 also and how could I do this? On Mon, Apr 20, 2015 at 4:51 PM Alexander Bokovoy wrote: > On Mon, 20 Apr 2015, Srdjan Dutina wrote: > >Thanks for the quick answer! > > > >If I disable the HBAC rule, I can still log in to the Centos 5 client using an IPA > >user, but not using an AD user. Is there a workaround? > >I need "allow_all" disabled because of newer IPA clients. > There is no workaround so far. > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Mon Apr 20 15:03:08 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Apr 2015 18:03:08 +0300 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: References: <20150420143019.GF4797@redhat.com> <20150420145144.GH4797@redhat.com> Message-ID: <20150420150308.GI4797@redhat.com> On Mon, 20 Apr 2015, Srdjan Dutina wrote: >Just found in >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following >sentence: "If you have HBAC's allow_all rule disabled, you will need to >allow system-auth service on the FreeIPA master, so that authentication of >the AD users can be performed." >Is this true for FreeIPA 4.1.0 also and how could I do this? 
Either you are reading it wrong or I don't get where you want to apply HBAC rules, because this is for IPA masters, not legacy clients per se. Yes, you need to create an HBAC service named 'system-auth' and grant access to it to AD users on IPA masters, but all it will allow you is to authenticate AD users via the compat tree. If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users cannot be checked by those rules. -- / Alexander Bokovoy From sdutina at gmail.com Mon Apr 20 16:08:08 2015 From: sdutina at gmail.com (Srdjan Dutina) Date: Mon, 20 Apr 2015 16:08:08 +0000 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: <20150420150308.GI4797@redhat.com> References: <20150420143019.GF4797@redhat.com> <20150420145144.GH4797@redhat.com> <20150420150308.GI4797@redhat.com> Message-ID: Sorry for the misunderstanding. I understand HBAC rules will not work for Centos 5. I just wanted to make sure disabling the "allow all" rule and adding new HBAC rules won't interfere with AD users logging on to Centos 5. On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy wrote: > On Mon, 20 Apr 2015, Srdjan Dutina wrote: > >Just found in > >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following > >sentence: "If you have HBAC's allow_all rule disabled, you will need to > >allow system-auth service on the FreeIPA master, so that authentication > of > >the AD users can be performed." > >Is this true for FreeIPA 4.1.0 also and how could I do this? > Either you are reading it wrong or I don't get where you want to apply > HBAC rules, because this is for IPA masters, not legacy clients per se. > Yes, you need to create an HBAC service named 'system-auth' and grant > access to it to AD users on IPA masters, but all it will allow you is to > authenticate AD users via the compat tree. > > If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users > cannot be checked by those rules. 
> > > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Mon Apr 20 21:26:18 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 20 Apr 2015 17:26:18 -0400 Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients In-Reply-To: References: <20150420143019.GF4797@redhat.com> <20150420145144.GH4797@redhat.com> <20150420150308.GI4797@redhat.com> Message-ID: <55356EFA.5080106@redhat.com> On 04/20/2015 12:08 PM, Srdjan Dutina wrote: > Sorry for the misunderstanding. > > I understand HBAC rules will not work for Centos 5. I just wanted to > make sure disabling the "allow all" rule and adding new HBAC rules won't > interfere with AD users logging on to Centos 5. To clarify: CentOS 5 needs to point to the compat tree for AD users to authenticate. You need to use the LDAP SSSD back end for that, not the IPA SSSD back end (identity_provider setting in sssd.conf). Once you use the LDAP back end you need to use some other access control configuration, not HBAC, as HBAC comes only when you use the IPA SSSD back end. You can use an ldap filter or the simple access provider or some other option that is supported in SSSD 1.5 against LDAP. Does this make sense? > > On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy > wrote: > > On Mon, 20 Apr 2015, Srdjan Dutina wrote: > >Just found in > >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf > the following > >sentence: "If you have HBAC's allow_all rule disabled, you will > need to > >allow system-auth service on the FreeIPA master, so that > authentication of > >the AD users can be performed." > >Is this true for FreeIPA 4.1.0 also and how could I do this? > Either you are reading it wrong or I don't get where you want to apply > HBAC rules, because this is for IPA masters, not legacy clients per se. 
> Yes, you need to create an HBAC service named 'system-auth' and grant > access to it to AD users on IPA masters, but all it will allow you > is to > authenticate AD users via the compat tree. > > If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD > users > cannot be checked by those rules. > > > > -- > / Alexander Bokovoy > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From g.fer.ordas at unicyber.co.uk Mon Apr 20 23:12:59 2015 From: g.fer.ordas at unicyber.co.uk (g.fer.ordas at unicyber.co.uk) Date: Tue, 21 Apr 2015 00:12:59 +0100 Subject: [Freeipa-users] ipa: ERROR: non-public: TypeError -- ipa trust-add crash In-Reply-To: References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> Message-ID: <0d6b89ce12f9447244571cc7d6975b14@unicyber.co.uk> Hi This is for freeipa-server-4.1.4-1.el7.centos.x86_64 When Running: ipa trust-add --type=ad ad.domain.com --admin --password ipa: ERROR: an internal error has occurred Some more info at : /var/log/httpd/error_log ---- num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=116, this_data=116, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0 smb_signing_md5: sequence number 14 smb_signing_sign_pdu: sent SMB signature of [0000] FD A6 9F 6B 2F 72 8D 4F ...k/r.O smb_signing_md5: sequence number 15 smb_signing_check_pdu: seq 15: got good SMB signature of [0000] B3 5C 71 C9 1F E4 21 35 .q...!5 rpc reply data: [0000] 00 00 02 00 08 00 00 00 32 00 34 00 04 00 02 00 ........ 2.4..... [0010] 32 00 34 00 08 00 02 00 00 00 00 00 03 00 00 00 2.4..... ........ [0020] 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0040] 00 00 00 00 1A 00 00 00 00 00 00 00 19 00 00 00 ........ ........ 
[00C0] 6D 00 00 00 00 00 00 00 m....... [Mon Apr 20 22:59:48.849462 2015] [:error] [pid 32475] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType' [Mon Apr 20 22:59:48.849484 2015] [:error] [pid 32475] Traceback (most recent call last): [Mon Apr 20 22:59:48.849486 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 349, in wsgi_execute [Mon Apr 20 22:59:48.849489 2015] [:error] [pid 32475] result = self.Command[name](*args, **options) [Mon Apr 20 22:59:48.849491 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__ [Mon Apr 20 22:59:48.849492 2015] [:error] [pid 32475] ret = self.run(*args, **options) [Mon Apr 20 22:59:48.849494 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run [Mon Apr 20 22:59:48.849496 2015] [:error] [pid 32475] return self.execute(*args, **options) [Mon Apr 20 22:59:48.849498 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute [Mon Apr 20 22:59:48.849500 2015] [:error] [pid 32475] result = self.execute_ad(full_join, *keys, **options) [Mon Apr 20 22:59:48.849502 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad [Mon Apr 20 22:59:48.849504 2015] [:error] [pid 32475] self.realm_passwd [Mon Apr 20 22:59:48.849506 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials [Mon Apr 20 22:59:48.849507 2015] [:error] [pid 32475] self.remote_domain.establish_trust(self.local_domain, trustdom_pass) [Mon Apr 20 22:59:48.849509 2015] [:error] [pid 32475] File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust [Mon Apr 20 22:59:48.849511 2015] [:error] [pid 32475] 
self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid) [Mon Apr 20 22:59:48.849513 2015] [:error] [pid 32475] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType' [Mon Apr 20 22:59:48.849782 2015] [:error] [pid 32475] ipa: INFO: [jsonserver_kerb] admin at ldap.domain.com: trust_add(u'ad.domain.com', trust_type=u'ad', realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): TypeError ---- Have you seen any of this before? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: From janellenicole80 at gmail.com Mon Apr 20 23:26:27 2015 From: janellenicole80 at gmail.com (Janelle) Date: Mon, 20 Apr 2015 16:26:27 -0700 Subject: [Freeipa-users] understanding RUVs? Message-ID: <55358B23.7060804@gmail.com> Hello, When I was working with OpenLDAP and AD, I did not deal with "RUV"s the way I am with 389-ds and IPA. I am trying to understand what is "normal" for values. If I am looking at this (and seem to have no replication problems):
ipa-replica-manage list-ruv
ipa001.example.com:389: 13
ipa002.example.com:389: 12
ipa003.example.com:389: 11
ipa004.example.com:389: 10
ipa005.example.com:389: 7
ipa006.example.com:389: 6
ipa007.example.com:389: 5
ipa008.example.com:389: 3
ipa009.example.com:389: 16
ipa00a.example.com:389: 17
ipa00b.example.com:389: 15
ipa00c.example.com:389: 14
ipa00d.example.com:389: 9
ipa00e.example.com:389: 8
ipa00f.example.com:389: 4
I guess I was wondering, should I be seeing all the same values or should they all be unique based on being "replicated" and the order they were added? Or is it telling me something else? Sorry, I guess I am still trying to wrap my head around replication metadata. 
Thank you ~J From asacamano at gmail.com Mon Apr 20 23:54:41 2015 From: asacamano at gmail.com (Andrew Sacamano) Date: Mon, 20 Apr 2015 17:54:41 -0600 Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client In-Reply-To: <20150420072957.GC30713@mail.corp.redhat.com> References: <20150417202822.GA13306@mail.corp.redhat.com> <20150420072957.GC30713@mail.corp.redhat.com> Message-ID: Thanks again, Lukas! I was wondering if the overlap of names was a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket! Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest. Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice! Thanks again, Andrew On Mon, Apr 20, 2015 at 1:29 AM, Lukas Slebodnik wrote: > On (19/04/15 12:51), Andrew Sacamano wrote: > >Thanks again Lukas, > > > >These turned out to be very helpful debugging suggestions, and were the > >critical part of getting the problem solved - the pointer to ldb-tools was > >extremely helpful in identifying where the issue was happening! > > > >With them, I was able to see the right sudo rules were being cached, and > >that the change from sudo working to sudo not working happened not because > >of the host, but because of the user, and in particular, the user being > >listed explicitly, or only as part of a group. The user's groups were > >being listed in the user's entry in the cache, but not when running the > >"id" command. Some quick googling, and I discovered that in Ubuntu 14.04, > >the sssd option "enumerate" defaults to false, which meant that the group > >memberships were not taking effect, which meant that sudo rules based on > >membership in a group weren't working. Setting enumerate to true got > >everything working. 
> > > If you have a problem with "id" it might be caused by > https://fedorahosted.org/sssd/ticket/2471 > > You can fix the bug by amending the configuration. > put ldap_group_object_class = ipaUserGroup > into the domain section of sssd.conf > > It should work even with disabled enumeration. > > LS > -------------- next part -------------- An HTML attachment was scrubbed... URL: From chamambom at afri-com.net Tue Apr 21 02:19:52 2015 From: chamambom at afri-com.net (Chamambo Martin) Date: Tue, 21 Apr 2015 04:19:52 +0200 Subject: [Freeipa-users] web interface for FREEIPA runtime error Message-ID: <00a101d07bd9$a6918a20$f3b49e60$@afri-com.net> Sometimes when I access the web URL where FreeIPA is installed for general administration, I encounter the error below. Runtime error Web UI got in unrecoverable state during "metadata" phase I can only restore access after I have restarted the server. Is there a service I can restart or something that can prevent it from happening? -------------- next part -------------- An HTML attachment was scrubbed... URL: From Alexander.Frolushkin at megafon.ru Tue Apr 21 03:28:29 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 21 Apr 2015 03:28:29 +0000 Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update In-Reply-To: <55350FFC.7030308@redhat.com> References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> <55350FFC.7030308@redhat.com> Message-ID: Thank You, I'm stupid enough to have forgotten about debug mode. Here is the problem: Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'. This host is not new, it was removed from the domain to test the privileges... 
WBR,
Alexander Frolushkin

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, April 20, 2015 8:41 PM
To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; 'David Kupka'
Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

Alexander Frolushkin wrote:
> Very strange. If this user acts as a member of admins group - it can enroll host. If not - it can't.
> Only difference this group brings in permissions - a number of replication agreement permissions...

admins can do nearly anything so that's not surprising.

For host enrollment these permissions are quite broad IMHO, particularly the replication bits.

Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all of this so you shouldn't need to try capturing stdout.

At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed.

At a glance these permissions look sufficient, and then some.

rob

________________________________

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.

From abokovoy at redhat.com Tue Apr 21 03:44:03 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 21 Apr 2015 06:44:03 +0300
Subject: [Freeipa-users] ipa: ERROR: non-public: TypeError -- ipa trust-add crash
In-Reply-To: <0d6b89ce12f9447244571cc7d6975b14@unicyber.co.uk>
References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> <0d6b89ce12f9447244571cc7d6975b14@unicyber.co.uk>
Message-ID: <20150421034403.GK4797@redhat.com>

On Tue, 21 Apr 2015, g.fer.ordas at unicyber.co.uk wrote:
>Hi
>
>This is for freeipa-server-4.1.4-1.el7.centos.x86_64
>
>When Running: ipa trust-add --type=ad ad.domain.com --admin --password
>ipa: ERROR: an internal error has occurred
>
>Some more info at : /var/log/httpd/error_log
>
>----
>[Mon Apr 20 22:59:48.849462 2015] [:error] [pid 32475] ipa: ERROR: non-public: TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>[Mon Apr 20 22:59:48.849484 2015] [:error] [pid 32475] Traceback (most recent call last):
>[Mon Apr 20 22:59:48.849486 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 349, in wsgi_execute
>[Mon Apr 20 22:59:48.849489 2015] [:error] [pid 32475]     result = self.Command[name](*args, **options)
>[Mon Apr 20 22:59:48.849491 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
>[Mon Apr 20 22:59:48.849492 2015] [:error] [pid 32475]     ret = self.run(*args, **options)
>[Mon Apr 20 22:59:48.849494 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
>[Mon Apr 20 22:59:48.849496 2015] [:error] [pid 32475]     return self.execute(*args, **options)
>[Mon Apr 20 22:59:48.849498 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 474, in execute
>[Mon Apr 20 22:59:48.849500 2015] [:error] [pid 32475]     result = self.execute_ad(full_join, *keys, **options)
>[Mon Apr 20 22:59:48.849502 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 709, in execute_ad
>[Mon Apr 20 22:59:48.849504 2015] [:error] [pid 32475]     self.realm_passwd
>[Mon Apr 20 22:59:48.849506 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1222, in join_ad_full_credentials
>[Mon Apr 20 22:59:48.849507 2015] [:error] [pid 32475]     self.remote_domain.establish_trust(self.local_domain, trustdom_pass)
>[Mon Apr 20 22:59:48.849509 2015] [:error] [pid 32475]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 963, in establish_trust
>[Mon Apr 20 22:59:48.849511 2015] [:error] [pid 32475]     self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
>[Mon Apr 20 22:59:48.849513 2015] [:error] [pid 32475] TypeError: default/librpc/gen_ndr/py_lsa.c:9436: Expected type 'security.dom_sid' for 'py_dom_sid' of type 'NoneType'
>[Mon Apr 20 22:59:48.849782 2015] [:error] [pid 32475] ipa: INFO: [jsonserver_kerb] admin at ldap.domain.com: trust_add(u'ad.domain.com', trust_type=u'ad', realm_admin=u'ad_user', realm_passwd=u'********', all=False, raw=False, version=u'2.114'): TypeError
>
>----
>
>Have you seen any of this before?
No. Can you file a bug or ticket and attach full httpd's error_log there?
--
/ Alexander Bokovoy

From rcritten at redhat.com Tue Apr 21 04:05:48 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Apr 2015 00:05:48 -0400
Subject: [Freeipa-users] Found new problem after 3.3 - 4.1 update
In-Reply-To:
References: <50d81109f22c4fd0b8f0bd80c8e0bbb2@sib-ums01.Megafon.ru> <5534D391.2030306@redhat.com> <55350FFC.7030308@redhat.com>
Message-ID: <5535CC9C.6080404@redhat.com>

Alexander Frolushkin wrote:
> Thank You, I'm stupid enough to forget about debug mode.
> Here is the problem:
> Insufficient access: Insufficient 'write' privilege to the 'krbLastPwdChange' attribute of entry 'fqdn=sib-rhel07.unix.ad.com,cn=computers,cn=accounts,dc=unix,dc=ad,dc=com'.
>
> This host is not new, it was removed from domain to test the privileges...

Try adding 'Manage host keytab' to your privilege. I'd use the privilege 'Host Enrollment' as a model of the minimum of what you need. This covers only the enrollment bit. Add creating hosts and others as needed.
rob

> WBR,
> Alexander Frolushkin
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Monday, April 20, 2015 8:41 PM
> To: Alexander Frolushkin (SIB); freeipa-users at redhat.com; 'David Kupka'
> Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
>
> Alexander Frolushkin wrote:
>> Very strange. If this user acts as a member of admins group - it can enroll host. If not - it can't.
>> Only difference this group brings in permissions - a number of replication agreement permissions...
>
> admins can do nearly anything so that's not surprising.
>
> For host enrollment these permissions are quite broad IMHO, particularly the replication bits.
>
> Run ipa-client-install with the debug flag and you should get more information out of ipa-join. /var/log/ipaclient-install.log will log all of this so you shouldn't need to try capturing stdout.
>
> At the same time see if /var/log/httpd/error_log on the IPA master provides any information on why the request was rejected, or at least which operation failed.
>
> At a glance these permissions look sufficient, and then some.
>
> rob

From rcritten at redhat.com Tue Apr 21 04:09:16 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Apr 2015 00:09:16 -0400
Subject: [Freeipa-users] web interface for FREEIPA runtime error
In-Reply-To: <00a101d07bd9$a6918a20$f3b49e60$@afri-com.net>
References: <00a101d07bd9$a6918a20$f3b49e60$@afri-com.net>
Message-ID: <5535CD6C.1060208@redhat.com>

Chamambo Martin wrote:
> Sometimes when I access the web URL where FreeIPA is installed for general administration, I encounter this error below.
>
> Runtime error
>
> Web UI got in unrecoverable state during "metadata" phase
>
> I can only restore access after I have restarted the server. Is there a service I can restart or something that can prevent it from happening?

I'd check /var/log/httpd/error_log for more information when you see this problem. It may have more details.
rob

From mkosek at redhat.com Tue Apr 21 07:11:34 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 21 Apr 2015 09:11:34 +0200
Subject: [Freeipa-users] understanding RUVs?
In-Reply-To: <55358B23.7060804@gmail.com>
References: <55358B23.7060804@gmail.com>
Message-ID: <5535F826.7030006@redhat.com>

On 04/21/2015 01:26 AM, Janelle wrote:
> Hello,
>
> When I was working with OpenLDAP and AD, I did not deal with "RUV"s the way I am with 389-ds and IPA.
>
> I am trying to understand what is "normal" for values. If I am looking at this (and seem to have no replication problems):
>
> ipa-replica-manage list-ruv
>
> ipa001.example.com:389: 13
> ipa002.example.com:389: 12
> ipa003.example.com:389: 11
> ipa004.example.com:389: 10
> ipa005.example.com:389: 7
> ipa006.example.com:389: 6
> ipa007.example.com:389: 5
> ipa008.example.com:389: 3
> ipa009.example.com:389: 16
> ipa00a.example.com:389: 17
> ipa00b.example.com:389: 15
> ipa00c.example.com:389: 14
> ipa00d.example.com:389: 9
> ipa00e.example.com:389: 8
> ipa00f.example.com:389: 4
>
> I guess I was wondering, should I be seeing all the same values or should they all be unique based on being "replicated" and the order they were added?

They should be unique, that's for sure. There is some info on them in Red Hat DS docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html#cleanruv

I am just not sure if they are replicated or per-server. But given they live in SUFFIX, I assume they are. The list above looks OK to me, so it should not cause the replication problems.

But I am rather CCing Thierry to advise here.

> Or is it telling me something else? Sorry, I guess I am still trying to wrap my head around replication metadata.
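As an added example (not from this thread, nor FreeIPA or 389-ds code), the Python below checks list-ruv output for the uniqueness Martin asks about and, for the full nsds50ruv attribute of the cn=replica entry (the format shown further down in this thread), decodes the CSNs and reports which replica ids a consumer is behind on, in the same way a replication session compares the supplier's and consumer's RUVs. All RUV lines in it are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True, order=True)
class CSN:
    """389-ds CSN, 20 hex digits: 8 timestamp, 4 seq, 4 replica id, 4 subseq."""
    timestamp: int
    seq: int
    rid: int
    subseq: int

    @classmethod
    def parse(cls, text: str) -> "CSN":
        if not re.fullmatch(r"[0-9a-fA-F]{20}", text):
            raise ValueError(f"malformed CSN: {text!r}")
        return cls(int(text[0:8], 16), int(text[8:12], 16),
                   int(text[12:16], 16), int(text[16:20], 16))


# one RUV element: (url, first CSN seen from that replica id, last CSN seen)
RuvElement = Tuple[str, Optional[CSN], Optional[CSN]]
LIST_RUV_RE = re.compile(r"^(?P<url>\S+):\s*(?P<rid>\d+)$")
GENERATION_RE = re.compile(r"^\{replicageneration\}\s+(?P<gen>[0-9a-fA-F]{20})$")
ELEMENT_RE = re.compile(r"^\{replica (?P<rid>\d+) (?P<url>ldap://\S+)\}"
                        r"(?:\s+(?P<min>[0-9a-fA-F]{20}))?(?:\s+(?P<max>[0-9a-fA-F]{20}))?$")


def check_list_ruv(text: str) -> Dict[str, list]:
    """Replica ids and URLs that list-ruv shows more than once; a healthy topology
    has each exactly once (a URL under two ids usually means a server was removed
    and re-added without cleaning its old RUV)."""
    pairs = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LIST_RUV_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised list-ruv line: {line!r}")
        pairs.append((m.group("url"), int(m.group("rid"))))
    rids = Counter(rid for _, rid in pairs)
    urls = Counter(url for url, _ in pairs)
    return {"duplicate_rids": sorted(r for r, n in rids.items() if n > 1),
            "duplicate_urls": sorted(u for u, n in urls.items() if n > 1)}


def parse_nsds50ruv(values: Iterable[str]) -> Tuple[str, Dict[int, RuvElement]]:
    """Replica generation and one element per replica id from nsds50ruv values."""
    generation, elements = None, {}
    for value in (v.strip() for v in values):
        g = GENERATION_RE.match(value)
        if g:
            generation = g.group("gen")
            continue
        m = ELEMENT_RE.match(value)
        if not m:
            raise ValueError(f"unrecognised RUV element: {value!r}")
        rid = int(m.group("rid"))
        if rid in elements:
            raise ValueError(f"replica id {rid} listed twice in one RUV")
        elements[rid] = (m.group("url"),
                         CSN.parse(m.group("min")) if m.group("min") else None,
                         CSN.parse(m.group("max")) if m.group("max") else None)
    if generation is None:
        raise ValueError("RUV has no {replicageneration} element")
    return generation, elements


def missing_updates(supplier: Iterable[str],
                    consumer: Iterable[str]) -> Dict[int, Tuple[Optional[CSN], CSN]]:
    """Per replica id the supplier is ahead on: (consumer's last seen CSN or None,
    supplier's last seen CSN), the comparison a replication session makes first."""
    s_gen, s_elems = parse_nsds50ruv(supplier)
    c_gen, c_elems = parse_nsds50ruv(consumer)
    if s_gen != c_gen:
        # different lineage: the consumer needs a full re-initialisation
        raise ValueError(f"replica generation mismatch: {s_gen} vs {c_gen}")
    behind = {}
    for rid, (_, _, s_max) in s_elems.items():
        if s_max is None:
            continue  # supplier has no changes from this id yet
        c_max = c_elems[rid][2] if rid in c_elems else None
        if c_max is None or c_max < s_max:
            behind[rid] = (c_max, s_max)
    return behind


# Constructed list-ruv sample: ipa003 appears under two replica ids.
SAMPLE_LIST_RUV = ("ipa001.example.com:389: 13\nipa002.example.com:389: 12\n"
                   "ipa003.example.com:389: 11\nipa003.example.com:389: 4\n")

# Constructed nsds50ruv values: a supplier (rid 100) and a consumer (rid 200)
# that has not yet seen the supplier's latest change.
SUPPLIER_RUV = [
    "{replicageneration} 51dc3bac000000640000",
    "{replica 100 ldap://localhost:30522} 5506ce51000000640000 55254d91000000640000",
    "{replica 200 ldap://localhost:4945} 5506cf8e000000c80000 5506cf8e000000c80000",
]
CONSUMER_RUV = [
    "{replicageneration} 51dc3bac000000640000",
    "{replica 200 ldap://localhost:4945} 5506cf8e000000c80000 5506cf8e000000c80000",
    "{replica 100 ldap://localhost:30522} 5506ce51000000640000 5506ce51000000640000",
]
```

Feed `missing_updates` the nsds50ruv values read from two servers with ldapsearch and it names the replica ids whose changes have not reached the consumer.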
From tbordaz at redhat.com Tue Apr 21 07:22:47 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 21 Apr 2015 09:22:47 +0200
Subject: [Freeipa-users] understanding RUVs?
In-Reply-To: <5535F826.7030006@redhat.com>
References: <55358B23.7060804@gmail.com> <5535F826.7030006@redhat.com>
Message-ID: <5535FAC7.7030309@redhat.com>

On 04/21/2015 09:11 AM, Martin Kosek wrote:
> On 04/21/2015 01:26 AM, Janelle wrote:
>> Hello,
>>
>> When I was working with OpenLDAP and AD, I did not deal with "RUV"s the way I am with 389-ds and IPA.
>>
>> I am trying to understand what is "normal" for values. If I am looking at this (and seem to have no replication problems):
>>
>> ipa-replica-manage list-ruv
>>
>> ipa001.example.com:389: 13
>> ipa002.example.com:389: 12
>> ipa003.example.com:389: 11
>> ipa004.example.com:389: 10
>> ipa005.example.com:389: 7
>> ipa006.example.com:389: 6
>> ipa007.example.com:389: 5
>> ipa008.example.com:389: 3
>> ipa009.example.com:389: 16
>> ipa00a.example.com:389: 17
>> ipa00b.example.com:389: 15
>> ipa00c.example.com:389: 14
>> ipa00d.example.com:389: 9
>> ipa00e.example.com:389: 8
>> ipa00f.example.com:389: 4
>>
>> I guess I was wondering, should I be seeing all the same values or should they all be unique based on being "replicated" and the order they were added?
> They should be unique, that's for sure. There is some info on them in Red Hat DS docs:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html#cleanruv
>
> I am just not sure if they are replicated or per-server. But given they live in SUFFIX, I assume they are. The list above looks OK to me, so it should not cause the replication problems.

Hello,

Yes this RUV is normal. The RUV is a special 389-ds entry that is per server.
This entry allows the replication protocol (run by the replica agreements) to detect what updates are missing and then send the missing ones. The command list-ruv displays a subset of the attribute values of that entry. It displays the url and the replicaId. A normal RUV in a replication topology contains unique replicaIds, and a url must be listed only once.

thanks
thierry

>
> But I am rather CCing Thierry to advise here.
>
>> Or is it telling me something else? Sorry, I guess I am still trying to wrap my head around replication metadata.

From lkrispen at redhat.com Tue Apr 21 07:38:32 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Tue, 21 Apr 2015 09:38:32 +0200
Subject: [Freeipa-users] understanding RUVs?
In-Reply-To: <55358B23.7060804@gmail.com>
References: <55358B23.7060804@gmail.com>
Message-ID: <5535FE78.7030509@redhat.com>

On 04/21/2015 01:26 AM, Janelle wrote:
> Hello,
>
> When I was working with OpenLDAP and AD, I did not deal with "RUV"s the way I am with 389-ds and IPA.
>
> I am trying to understand what is "normal" for values. If I am looking at this (and seem to have no replication problems):
>
> ipa-replica-manage list-ruv
>
> ipa001.example.com:389: 13
> ipa002.example.com:389: 12
> ipa003.example.com:389: 11
> ipa004.example.com:389: 10
> ipa005.example.com:389: 7
> ipa006.example.com:389: 6
> ipa007.example.com:389: 5
> ipa008.example.com:389: 3
> ipa009.example.com:389: 16
> ipa00a.example.com:389: 17
> ipa00b.example.com:389: 15
> ipa00c.example.com:389: 14
> ipa00d.example.com:389: 9
> ipa00e.example.com:389: 8
> ipa00f.example.com:389: 4
>
> I guess I was wondering, should I be seeing all the same values or should they all be unique based on being "replicated" and the order they were added? Or is it telling me something else? Sorry, I guess I am still trying to wrap my head around replication metadata.

the output of list-ruv lists the replicaids and the corresponding servers the replica knows about.
It should be unique and exactly match the servers (with their replicaid) deployed in your topology. If there are more ruvs, you probably have removed a server and should clean the ruv; if you have less, then replication from the missing replica in the list did not get propagated to this server.

But the output of list-ruv only shows part of the RUV, the "real" ruv looks like this:

ldapsearch -LLL -o ldif-wrap=no -h localhost -p 30522 -x -D "cn=directory manager" -w ..... -b "cn=config" "objectclass=nsds5replica" nsds50ruv
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsds50ruv: {replicageneration} 51dc3bac000000640000
nsds50ruv: {replica 100 ldap://localhost:30522} 5506ce51000000640000 55254d91000000640000
nsds50ruv: {replica 200 ldap://localhost:4945} 5506cf8e000000c80000 5506cf8e000000c80000

The most important part is the last field, eg 55254d91000000640000; it is the csn of the last change this server has seen for replicaid 100 (0x64). In a replication session the ruvs of the supplier and consumer are compared to detect if the supplier has changes the consumer has not yet seen. So the ruvs have to be managed per server.

Ludwig

>
> Thank you
> ~J
>

From sdutina at gmail.com Tue Apr 21 08:07:58 2015
From: sdutina at gmail.com (Srdjan Dutina)
Date: Tue, 21 Apr 2015 08:07:58 +0000
Subject: [Freeipa-users] HBAC and SUDO rules for legacy clients
In-Reply-To:
References: <20150420143019.GF4797@redhat.com> <20150420145144.GH4797@redhat.com> <20150420150308.GI4797@redhat.com>
Message-ID:

Yes, it does. Thank you.

On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina wrote:
> Sorry for misunderstanding.
>
> I understand HBAC rules will not work for Centos 5. I just wanted to make sure disabling "allow all" rule and adding new HBAC rules won't interfere with AD users logging on Centos 5.
>
> On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy wrote:
>> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> >Just found in http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next sentence: "If you have HBAC's allow_all rule disabled, you will need to allow system-auth service on the FreeIPA master, so that authentication of the AD users can be performed."
>> >Is this true for FreeIPA 4.1.0 also and how could I do this?
>> Either you are reading it wrong or I don't get where you want to apply HBAC rules because this is for IPA masters, not legacy clients per se. Yes, you need to create HBAC service named 'system-auth' and grant access to it to AD users on IPA masters, but all it will allow you is to authenticate AD users via compat tree.
>>
>> If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD users cannot be checked by those rules.
>>
>> --
>> / Alexander Bokovoy
>>

From pvoborni at redhat.com Tue Apr 21 11:37:08 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Apr 2015 13:37:08 +0200
Subject: [Freeipa-users] web interface for FREEIPA runtime error
In-Reply-To: <5535CD6C.1060208@redhat.com>
References: <00a101d07bd9$a6918a20$f3b49e60$@afri-com.net> <5535CD6C.1060208@redhat.com>
Message-ID: <55363664.2020903@redhat.com>

On 04/21/2015 06:09 AM, Rob Crittenden wrote:
> Chamambo Martin wrote:
>> Sometimes when I access the web URL where FreeIPA is installed for general administration, I encounter this error below.
>>
>> Runtime error
>>
>> Web UI got in unrecoverable state during "metadata" phase
>>
>> I can only restore access after I have restarted the server. Is there a service I can restart or something that can prevent it from happening?
>
> I'd check /var/log/httpd/error_log for more information when you see this problem. It may have more details.
>
> rob
>

The service which you can try to restart is httpd.

Does the UI produce any other error notification, e.g. an error dialog with some message?

If you open the browser developer tools/console tab, do you see any errors there?

Does it work if you hard-reload the web page (usually ctrl+F5)?
--
Petr Vobornik

From rmj at ast.cam.ac.uk Tue Apr 21 17:13:46 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Tue, 21 Apr 2015 18:13:46 +0100
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
Message-ID: <5536854A.4090209@ast.cam.ac.uk>

Hi

I also need to integrate Solaris 10 clients with freeipa servers.

I've been round many resources, eg freeipa wiki, Fedora and Red Hat manuals, various bug trackers and the freeipa-users mailing list.

It looks to me as if this:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
might be the best guide available, although I'm not sure what changes I might need to make because I'm actually on Solaris 10 rather than 11.

Can anyone advise please?

There is a comment in the above post: "Make sure that the automount maps in ipaserver is named auto_* and NOT auto.* so they are compatible with Solaris name standards."

My automount maps are already called eg auto.master, auto.home on my ipa server and I'm sure I've seen a post somewhere suggesting an attributeMap can fix this issue, but I can't find it now, so maybe I am mistaken.

Am I on the right track? Is anyone familiar with that fix?

Thanks

Roderick Johnstone

From lslebodn at redhat.com Tue Apr 21 19:45:57 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 21 Apr 2015 21:45:57 +0200
Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client
In-Reply-To:
References: <20150417202822.GA13306@mail.corp.redhat.com> <20150420072957.GC30713@mail.corp.redhat.com>
Message-ID: <20150421194556.GA6409@mail.corp.redhat.com>

On (20/04/15 17:54), Andrew Sacamano wrote:
>Thanks again, Lukas!
>
>I was wondering if the overlaps of names was a problem, so I redid parts of my IPA setup to rename them - thanks for pointing out the ticket!
>
>Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked - which saves me the trouble of tracking that down in six months when my IPA domain grows and the performance issues associated with enumerate begin to manifest.
>
>Many thanks - you are extraordinarily helpful. My colleagues and I are quite grateful for all your advice!
>
You are welcome, I'm glad I could help.

You can file a ticket to backport patch for ticket #2471 in your distribution.

LS

From wgraboyes at cenic.org Tue Apr 21 21:28:49 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Tue, 21 Apr 2015 14:28:49 -0700
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
Message-ID: <5536C111.1000706@cenic.org>

Hi List,

I am having yet another issue, when I run the following command:
ipa-cacert-manage renew --external-ca

It does output the CSR, however the CN is not a valid name (Certificate Authority). Is it possible to change the output of this command to use an external CA that requires a proper common name to be in the CSR?

What I am trying to do is change from the internal self signed certs to an external CA signing system.
Thanks,
Bill

From janellenicole80 at gmail.com Tue Apr 21 21:51:54 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Tue, 21 Apr 2015 14:51:54 -0700
Subject: [Freeipa-users] group membership listing?
Message-ID: <5536C67A.2090208@gmail.com>

Hello - and happy day before Earth Day,

Perhaps this is an easy one and related to replication, BUT:

$ id some-user-name

If I run that on every IPA master, should the listing not be identical? In other words, the listing of the uid, gid and groups, should show up in exactly the same order?

uid=12345(some-user) gid=101(agroup) groups=101(agroup), 102(another), 103(another2)

What if one replica listed it as:

uid=12345(some-user) gid=101(agroup) groups=101(agroup), 103(another2), 102(another)

But all the others listed as the first line? Is that indication of a problem?
Janelle

From rcritten at redhat.com Tue Apr 21 21:55:45 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Apr 2015 17:55:45 -0400
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <5536C111.1000706@cenic.org>
References: <5536C111.1000706@cenic.org>
Message-ID: <5536C761.7090704@redhat.com>

William Graboyes wrote:
> Hi List,
>
> I am having yet another issue, when I run the following command:
> ipa-cacert-manage renew --external-ca
>
> It does output the CSR, however the CN is not a valid name (Certificate Authority). Is it possible to change the output of this command to use an external CA that requires a proper common name to be in the CSR?
>
> What I am trying to do is change from the internal self signed certs to an external CA signing system.
>

What isn't valid about the name?

This would make the IPA CA a subordinate of the external CA. Is that what you want?

rob

From rcritten at redhat.com Tue Apr 21 22:25:45 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Apr 2015 18:25:45 -0400
Subject: [Freeipa-users] group membership listing?
In-Reply-To: <5536C67A.2090208@gmail.com>
References: <5536C67A.2090208@gmail.com>
Message-ID: <5536CE69.4010507@redhat.com>

Janelle wrote:
> Hello - and happy day before Earth Day,
>
> Perhaps this is an easy one and related to replication, BUT:
>
> $ id some-user-name
>
> If I run that on every IPA master, should the listing not be identical? In other words, the listing of the uid, gid and groups, should show up in exactly the same order?
>
> uid=12345(some-user) gid=101(agroup) groups=101(agroup), 102(another), 103(another2)
>
> What if one replica listed it as:
>
> uid=12345(some-user) gid=101(agroup) groups=101(agroup), 103(another2), 102(another)
>
> But all the others listed as the first line? Is that indication of a problem?

It may be related to the fact that LDAP doesn't guarantee order and no sorting is done.
It is probably not a big deal as long as all the data is there. The SSSD guys may have an opinion on it too.

rob

From mmalek at iisg.agh.edu.pl Tue Apr 21 22:43:47 2015
From: mmalek at iisg.agh.edu.pl (Mateusz Malek)
Date: Wed, 22 Apr 2015 00:43:47 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <20150415130853.GC893@mail.corp.redhat.com>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <20150415065313.GI2859@hendrix> <20150415130853.GC893@mail.corp.redhat.com>
Message-ID: <5536D2A3.2010100@iisg.agh.edu.pl>

On 15.04.2015 at 15:08, Lukas Slebodnik wrote:
> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however I've hit some weird performance problems. When I'm using IPA, it takes about 5-7 (or even more) seconds to get shell prompt after entering user password (...)
> Packages for fedora 21,22 are built.
> You just need to wait until they are available in updates testing or you can download packages from koji.
>
> https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22
> https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21
>
> Please test and provide karma.

Well, it took me a long time, but I can confirm that with these packages logon times seem fine. Thank you all for quick help!

Now I'm only waiting for updated packages to appear in CentOS/RHEL repositories; in my test environment I'm perfectly fine with backporting them on my own.
Best regards
Mateusz Małek

From mmalek at iisg.agh.edu.pl Tue Apr 21 23:02:02 2015
From: mmalek at iisg.agh.edu.pl (Mateusz Malek)
Date: Wed, 22 Apr 2015 01:02:02 +0200
Subject: [Freeipa-users] Slow user logon with IPA
In-Reply-To: <552D6ADE.1040309@redhat.com>
References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <552D5DFB.8050602@redhat.com> <552D6ADE.1040309@redhat.com>
Message-ID: <5536D6EA.4020801@iisg.agh.edu.pl>

On 14.04.2015 at 21:30, Rich Megginson wrote:
> On 04/14/2015 12:35 PM, thierry bordaz wrote:
>>>>> On 04/10/2015 08:13 AM, Mateusz Malek wrote:
>>>>>> I'm about to migrate my OpenLDAP-based environment to FreeIPA, however I've hit some weird performance problems. When I'm using IPA, it takes about 5-7 (or even more) seconds to get shell prompt after entering user password (...)
>> When such long requests happened, you may take several pstack of the 389-ds process. Ideally you can timestamp the pstack output so that it is easier to correlate with DS access logs.
>> Providing pstacks+access/errors logs would really help to know if there is a bottleneck.
>
> See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> You'll need to do "debuginfo-install ipa-server slapi-nis"
>

I've tried looking into captured information, but I think that there's nothing suspicious. With selinux_provider patched speed is pretty good - FreeIPA has more to do during user logon than our existing setup had (obtaining Kerberos ticket and processing HBAC rules is definitely more complex than single lookup with pam_ldap/nss_ldap) and I'll probably blame those longer LDAP search times (that happen from time to time) on our datastore performance.

Thank you all, again.
Best regards
Mateusz Małek

From Alexander.Frolushkin at megafon.ru Wed Apr 22 04:47:00 2015
From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin)
Date: Wed, 22 Apr 2015 04:47:00 +0000
Subject: [Freeipa-users] Problems with users from AD trusted domain after update to IPA 4.1
Message-ID:

Hello.

Not sure it happened after update, but now we are on 4.1 and on some servers we have only AD groups if it is primary for user, and have no IPA groups with AD external group in members. For example, on the IPA server we have

# id afrolushkin at ad.com
uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com) groups=236658172(afrolushkin at ad.com),236658193(sib-dwh-sa-admins at ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-admins at ad.com)

here group 236658193(sib-dwh-sa-admins at ad.com) has an IPA group 810800020(sib-dwh-sa-admins), and it is not primary for user. Group, primary for this user - 236667642(rhidm-sa-admins at ad.com) also has an IPA group, but it is not displayed in id command.

On some other servers (IPA clients) it displays ONLY AD groups:

# id afrolushkin at megafon.ru
uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com) groups=236658172(afrolushkin at ad.com),236667642(rhidm-sa-admins at ad.com),236658193(sib-dwh-sa-admins at ad.com)

This is a big problem for us, because on those servers we cannot use HBAC & sudo; also we don't think the primary AD group is an exception and cannot be used in IPA authorization.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From abokovoy at redhat.com Wed Apr 22 05:23:25 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 22 Apr 2015 08:23:25 +0300
Subject: [Freeipa-users] group membership listing?
In-Reply-To: <5536CE69.4010507@redhat.com>
References: <5536C67A.2090208@gmail.com> <5536CE69.4010507@redhat.com>
Message-ID: <20150422052325.GA26437@redhat.com>

On Tue, 21 Apr 2015, Rob Crittenden wrote:
>Janelle wrote:
>> Hello - and happy day before Earth Day,
>>
>> Perhaps this is an easy one and related to replication, BUT:
>>
>> $ id some-user-name
>>
>> If I run that on every IPA master, should the listing not be identical? In other words, the listing of the uid, gid and groups, should show up in exactly the same order?
>>
>> uid=12345(some-user) gid=101(agroup) groups=101(agroup), 102(another), 103(another2)
>>
>> What if one replica listed it as:
>>
>> uid=12345(some-user) gid=101(agroup) groups=101(agroup), 103(another2), 102(another)
>>
>> But all the others listed as the first line? Is that indication of a problem?
> >It may be related to the fact that LDAP doesn't guarantee order and no >sorting is done. It is probably not a big deal as long as all the data >is there. Not even LDAP but POSIX in general does not give you an ordered guarantee for groups you are a member of. There is a primary group always and the rest of groups are 'supplementary', without any ordering. -- / Alexander Bokovoy

From abokovoy at redhat.com Wed Apr 22 05:26:53 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 22 Apr 2015 08:26:53 +0300 Subject: [Freeipa-users] Problems with users from AD trusted domain after update to IPA 4.1 In-Reply-To: References: Message-ID: <20150422052653.GB26437@redhat.com>

On Wed, 22 Apr 2015, Alexander Frolushkin wrote: >Hello. >Not sure it happened after update, but now we are on 4.1 and on some >servers we have only AD groups if it is primary for user, and have no >IPA groups with AD external group in members. For example, on the IPA >server we have ># id afrolushkin at ad.com >uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com) >groups=236658172(afrolushkin at ad.com),236658193(sib-dwh-sa-admins at ad.com),810800020(sib-dwh-sa-admins),236667642(rhidm-sa-admins at ad.com) >here group >236658193(sib-dwh-sa-admins at ad.com) >has an IPA group 810800020(sib-dwh-sa-admins), and it is not primary >for user. Group, primary for this user - >236667642(rhidm-sa-admins at ad.com) also >has an IPA group, but it is not displayed in id command. >On some other servers (IPA clients) it displays ONLY AD groups: ># id afrolushkin at megafon.ru >uid=236658172(afrolushkin at ad.com) gid=236658172(afrolushkin at ad.com) >groups=236658172(afrolushkin at ad.com),236667642(rhidm-sa-admins at ad.com),236658193(sib-dwh-sa-admins at ad.com) > >This is a big problem for us, because on those servers we cannot use >HBAC & sudo, also we don't think primary AD group is an exception and >cannot be used in IPA authorization.
If it is a big problem, make sure you are gathering all the logs and deployment information first to pinpoint what exactly you are running. See https://fedorahosted.org/sssd/wiki/Troubleshooting for general SSSD troubleshooting. -- / Alexander Bokovoy

From tjaalton at ubuntu.com Wed Apr 22 07:16:16 2015 From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Wed, 22 Apr 2015 10:16:16 +0300 Subject: [Freeipa-users] Stuck getting sudo working with Ubuntu client In-Reply-To: <20150421194556.GA6409@mail.corp.redhat.com> References: <20150417202822.GA13306@mail.corp.redhat.com> <20150420072957.GC30713@mail.corp.redhat.com> <20150421194556.GA6409@mail.corp.redhat.com> Message-ID: <55374AC0.4030608@ubuntu.com>

On 21.04.2015 22:45, Lukas Slebodnik wrote: > On (20/04/15 17:54), Andrew Sacamano wrote: >> Thanks again, Lukas! >> >> I was wondering if the overlaps of names was a problem, so I redid parts of >> my IPA setup to rename them - thanks for pointing out the ticket! >> >> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked >> - which saves me the trouble of tracking that down in six months when my >> IPA domain grows and the performance issues associated with enumerate begin >> to manifest. >> >> Many thanks - you are extraordinarily helpful. My colleagues and I are >> quite grateful for all your advice! >> > You are welcome, > I'm glad I could help. > > You can file a ticket to backport patch for ticket #2471 in your distribution.
Please do, I've pulled the patch in git but need a bug# for SRU: https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug -- t

From jhrozek at redhat.com Wed Apr 22 08:19:45 2015 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 22 Apr 2015 10:19:45 +0200 Subject: [Freeipa-users] Slow user logon with IPA In-Reply-To: <5536D2A3.2010100@iisg.agh.edu.pl> References: <5527BE61.8000001@iisg.agh.edu.pl> <5527FCB8.3030602@redhat.com> <20150410184815.GU2718@hendrix> <552D33F0.4010207@iisg.agh.edu.pl> <20150415065313.GI2859@hendrix> <20150415130853.GC893@mail.corp.redhat.com> <5536D2A3.2010100@iisg.agh.edu.pl> Message-ID: <20150422081945.GC11595@hendrix.brq.redhat.com>

On Wed, Apr 22, 2015 at 12:43:47AM +0200, Mateusz Malek wrote: > > > On 15.04.2015 at 15:08, Lukas Slebodnik wrote: > >On 04/10/2015 08:13 AM, Mateusz Malek wrote: > >>>>>>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however > >>>>>>I've hit some weird performance problems. When I'm using IPA, it takes > >>>>>>about 5-7 (or even more) seconds to get shell prompt after entering user > >>>>>>password (...) > >Packages for fedora 21,22 are built. > >You just need to wait until they are available in updates testing > >or you can download packages from koji. > > > >https://admin.fedoraproject.org/updates/sssd-1.12.4-4.fc22 > >https://admin.fedoraproject.org/updates/sssd-1.12.4-3.fc21 > > > >Please test and provide karma. > > Well, it took me a long time, but I can confirm that with these packages > logon times seem fine. Thank you all for quick help! > > Now I'm only waiting for updated packages to appear in CentOS/RHEL > repositories; in my test environment I'm perfectly fine with backporting > them on my own. Currently the fix is scheduled to appear in 7.2 only. If you need the fix sooner, then we need a support case open.
The fix is also present in 6.7 to avoid regressing compared to 6.6

From sanju.a at tcs.com Wed Apr 22 11:32:49 2015 From: sanju.a at tcs.com (Sanju A) Date: Wed, 22 Apr 2015 17:02:49 +0530 Subject: [Freeipa-users] Users home directory with 755 permission instead of 700 Message-ID:

Dear All, Permission of all users in our 300+ machines are created with 755 instead of 700. I have checked the same in forums and got this one. http://stackoverflow.com/questions/23040225/incorrect-permissions-when-home-directory-is-automatically-created-in-freeipa Let me know whether I have to change the settings in the IPA server configuration or anything has to be changed through IPA console. Regards Sanju Abraham =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

From dpal at redhat.com Wed Apr 22 13:30:42 2015 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 22 Apr 2015 09:30:42 -0400 Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa In-Reply-To: <5536854A.4090209@ast.cam.ac.uk> References: <5536854A.4090209@ast.cam.ac.uk> Message-ID: <5537A282.8060700@redhat.com>

On 04/21/2015 01:13 PM, Roderick Johnstone wrote: > Hi > > I also need to integrate Solaris 10 clients with freeipa servers. > > I've been round many resources, eg freeipa wiki, Fedora and Red Hat > manuals, various bug trackers and the freeipa-users mailing list.
> > It looks to me as if this: > https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html > > might be the best guide available, although I'm not sure what changes > I might need to make because I'm actually on Solaris 10 rather than 11. > > Can anyone advise please? > > There is a comment in the above post: > "Make sure that the automount maps in ipaserver is named auto_* and > NOT auto.* so they are compatible with Solaris name standards." > > My automount maps are already called eg auto.master, auto.home on my > ipa server and I'm sure I've seen a post somewhere suggesting an > attributeMap can fix this issue, but I can't find it now, so maybe I > am mistaken. > > Am I on the right track? Is anyone familiar with that fix. > > Thanks > > Roderick Johnstone > We are not strong in Solaris so you really need to search user archives or wait for someone who accomplished Solaris integration to chime in here on the list. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From jesse.johnson at redhat.com Wed Apr 22 14:57:07 2015 From: jesse.johnson at redhat.com (Jesse Johnson) Date: Wed, 22 Apr 2015 10:57:07 -0400 (EDT) Subject: [Freeipa-users] IdM Replica Install SSH failure. In-Reply-To: <1270867307.3143220.1429714390220.JavaMail.zimbra@redhat.com> Message-ID: <1410063867.3146067.1429714627495.JavaMail.zimbra@redhat.com> ALL, I'm attempting to complete a replica install and the system is bombing out on the gssapi portion of the SSH key configuration. I can ssh and selinux is permissive. Could not SSH into remote host. Error output: OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 56: Applying options for * debug1: Connecting to [] port 22. debug1: Connection established. 
debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type -1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA Warning: Permanently added ',' (ECDSA) to the list of known hosts. debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic Connection closed by Could not SSH to remote host. Any help would be appreciated. Jesse P. 
Johnson CISSP RHC{A,DS,E,SA} ISC^2: 384989 RH: 120-117-320 C: 757-232-3110

From cory at pithoslabs.com Wed Apr 22 16:40:32 2015 From: cory at pithoslabs.com (Cory Carlton) Date: Wed, 22 Apr 2015 11:40:32 -0500 Subject: [Freeipa-users] DNS lookups after replica(master) added Message-ID:

Hey all, I for some reason do not ever get responses from doing DNS lookups to my new servers that have been stood up and replicated as Masters with CA, and DNS options entered at command line. Is there any trick or configuration to allow anonymous for my servers without IPA Client installed to talk to these? it does not allow lookups, iptables has even been turned off for testing. telnet to server via 53 Works Stand alone IPA server LDAP DNS Kerberos usages

[root at DOMAIN ~]# ipa dnsconfig-show --rights --all --raw
---------------------------------
Global DNS configuration is empty
---------------------------------
dn: cn=dns,dc=int,dc=DOMAIN,dc=com
aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com" or userattr = "parent[0,1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
aci: (target = "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname ||
idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
attributelevelrights: {'cn': u'rscwo', 'idnsforwardpolicy': u'rscwo', 'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo', 'idnsforwarders': u'rscwo', 'idnspersistentsearch': u'rscwo', 'idnszonerefresh': u'rscwo', 'aci': u'rscwo', 'nsaccountlock': u'rscwo'}
cn: dns
objectclass: idnsConfigObject
objectclass: nsContainer
objectclass: top

From rmj at ast.cam.ac.uk Wed Apr 22 17:03:27 2015 From: rmj at ast.cam.ac.uk (Roderick Johnstone) Date: Wed, 22 Apr 2015 18:03:27 +0100 Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa In-Reply-To: <5537A282.8060700@redhat.com> References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> Message-ID: <5537D45F.9010108@ast.cam.ac.uk>

On 22/04/15 14:30, Dmitri Pal wrote: > On 04/21/2015 01:13 PM, Roderick Johnstone wrote: >> Hi >> >> I also need to integrate Solaris 10 clients with freeipa servers. >> >> I've been round many resources, eg freeipa wiki, Fedora and Red Hat >> manuals, various bug trackers and the freeipa-users mailing list. >> >> It looks to me as if this: >> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html >> >> might be the best guide available, although I'm not sure what changes >> I might need to make because I'm actually on Solaris 10 rather than 11. >> >> Can anyone advise please? >> >> There is a comment in the above post: >> "Make sure that the automount maps in ipaserver is named auto_* and >> NOT auto.* so they are compatible with Solaris name standards."
>> >> My automount maps are already called eg auto.master, auto.home on my >> ipa server and I'm sure I've seen a post somewhere suggesting an >> attributeMap can fix this issue, but I can't find it now, so maybe I >> am mistaken. >> >> Am I on the right track? Is anyone familiar with that fix. >> >> Thanks >> >> Roderick Johnstone >> > We are not strong in Solaris so you really need to search user archives > or wait for someone who accomplished Solaris integration to chime in > here on the list. > Dmitri I had gathered that from previous postings to the list and was indeed hoping that one of the Solaris experts might comment. By the way, there are various suggestions on the list of putting the best Solaris instructions on the wiki. Is that still a possibility? I'd be happy to help, but I'm not experienced with connecting Solaris to ipa yet! Roderick

From benjamen at dollarshaveclub.com Wed Apr 22 17:21:40 2015 From: benjamen at dollarshaveclub.com (Benjamen Keroack) Date: Wed, 22 Apr 2015 10:21:40 -0700 Subject: [Freeipa-users] External group membership In-Reply-To: <5531D87C.7010907@redhat.com> References: <5531D87C.7010907@redhat.com> Message-ID:

Hi Dmitri, I'd be happy to test sssd 1.13 alpha. Is there any easy way to install on Ubuntu, or do I need to pull and compile from source? Thanks, On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal wrote: > On 04/17/2015 09:12 PM, Benjamen Keroack wrote: > > Hi, > > We have a number of local groups on our IPA-managed servers that we add > LDAP/IPA users to. This works fine locally on the server on an ad hoc basis: > > $ usermod -a -G local-group test.user > > However I'm trying to do this as part of user provisioning in IPA via > user groups. I've created external user groups in IPA, then added those > external groups to the user groups that new users are added to via > automember rules.
For example: > > local-group [external] -> [is a member of] -> developers [IPA group] > > Then I SSH into one of the servers as a user who is a member of > developers: > > test.user at qa$ groups > test.user developers qa_users > > I do not see 'local-group' membership, even after restarting > sssd/rebooting. Is it possible to achieve this kind of automatic local > group membership? The only alternative I can see would be to write a SUID > binary that .bash_profile runs on login to add them to the applicable > groups, which seems like a bad hack. > > This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu Trusty. > > Thanks for any help, > > -- > Benjamen Keroack > *Infrastructure/DevOps Engineer* > benjamen at dollarshaveclub.com > > > > > It looks like you are looking for this: > https://fedorahosted.org/sssd/ticket/1591 > It is on the roadmap for 1.13 alpha which should be out in couple months. > Would you be interested to test? > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Benjamen Keroack *Infrastructure/DevOps Engineer* benjamen at dollarshaveclub.com

From mbasti at redhat.com Wed Apr 22 18:52:06 2015 From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Apr 2015 20:52:06 +0200 Subject: [Freeipa-users] DNS lookups after replica(master) added In-Reply-To: References: Message-ID: <5537EDD6.4030804@redhat.com>

On 22/04/15 18:40, Cory Carlton wrote: > Hey all, > > I for some reason do not ever get responses from doing DNS lookups to > my new servers that have been stood up and replicated as Masters with > CA, and DNS options entered at command line.
> > Is there any trick or configuration to allow anonymous for my servers > without IPA Client installed to talk to these? > > it does not allow lookups, > iptables has even been turned off for testing. > telnet to server via 53 Works > Stand alone IPA server LDAP DNS Kerberos usages > > > [root at DOMAIN ~]# ipa dnsconfig-show --rights --all --raw > --------------------------------- > Global DNS configuration is empty > --------------------------------- > dn: cn=dns,dc=int,dc=DOMAIN,dc=com > aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow > (read,search,compare) groupdn = "ldap:///cn=Read DNS > Entries,cn=permissions,cn=pbac,dc=int,dc=DOMAIN,dc=com" or userattr = > "parent[0,1].managedby#GROUPDN";) > aci: (target = > "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl > "Add DNS entries in a zone";allow (add) userattr = > "parent[1].managedby#GROUPDN";) > aci: (target = > "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl > "Remove DNS entries from a zone";allow (delete) userattr = > "parent[1].managedby#GROUPDN";) > aci: (targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl > || dnsclass || arecord || aaaarecord || a6record || nsrecord || > cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || > mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || > keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || > certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || > nsecrecord || idnsname || idnszoneactive || idnssoamname || > idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || > idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery > || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || > idnsforwarders")(target = > "ldap:///idnsname=*,cn=dns,dc=int,dc=DOMAIN,dc=com")(version 3.0;acl > "Update DNS entries in a zone";allow (write) userattr = > "parent[0,1].managedby#GROUPDN";) > attributelevelrights: {'cn':
u'rscwo', 'idnsforwardpolicy': > u'rscwo', 'objectclass': u'rscwo', 'idnsallowsyncptr': u'rscwo', > 'idnsforwarders': u'rscwo', 'idnspersistentsearch': u'rscwo', > 'idnszonerefresh': u'rscwo', 'aci': u'rscwo', 'nsaccountlock': u'rscwo'} > cn: dns > objectclass: idnsConfigObject > objectclass: nsContainer > objectclass: top > > Hello, Can you share more details please? What is your IPA version? What is your zone, how do you test it (dig/host command?), output from these commands. Do you have any errors in named log on replicas? journalctl -u named or journalctl -u named-pkcs11 (depends on IPA version) Is /etc/resolv.conf configured properly on client? What kind of anonymous connections do you mean to the DNS server? Standard DNS queries? nsupdate? Martin -- Martin Basti

From rcritten at redhat.com Thu Apr 23 03:25:23 2015 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 22 Apr 2015 23:25:23 -0400 Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa In-Reply-To: <5537D45F.9010108@ast.cam.ac.uk> References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> Message-ID: <55386623.6000900@redhat.com>

Roderick Johnstone wrote: > On 22/04/15 14:30, Dmitri Pal wrote: >> On 04/21/2015 01:13 PM, Roderick Johnstone wrote: >>> Hi >>> >>> I also need to integrate Solaris 10 clients with freeipa servers. >>> >>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat >>> manuals, various bug trackers and the freeipa-users mailing list. >>> >>> It looks to me as if this: >>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html >>> >>> might be the best guide available, although I'm not sure what changes >>> I might need to make because I'm actually on Solaris 10 rather than 11. >>> >>> Can anyone advise please?
>>> >>> There is a comment in the above post: >>> "Make sure that the automount maps in ipaserver is named auto_* and >>> NOT auto.* so they are compatible with Solaris name standards." >>> >>> My automount maps are already called eg auto.master, auto.home on my >>> ipa server and I'm sure I've seen a post somewhere suggesting an >>> attributeMap can fix this issue, but I can't find it now, so maybe I >>> am mistaken. >>> >>> Am I on the right track? Is anyone familiar with that fix. >>> >>> Thanks >>> >>> Roderick Johnstone >>> >> We are not strong in Solaris so you really need to search user archives >> or wait for someone who accomplished Solaris integration to chime in >> here on the list. >> > > Dmitri > > I had gathered that from previous postings to the list and was indeed > hoping that one of the Solaris experts might comment. > > By the way, there are various suggestions on the list of putting the > best Solaris instructions on the wiki. Is that still a possibility? I'd > be happy to help, but I'm not experienced with connecting Solaris to ipa > yet! > > Roderick > A few weeks back I added what I thought were the most relevant threads and pointers. The mailing list thread you refer to was converted into some documentation bugs and tickets. I referenced those at http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources If there is anything I can improve here just let me know. rob

From munna.hadoop at gmail.com Thu Apr 23 03:42:59 2015 From: munna.hadoop at gmail.com (Shaik M) Date: Thu, 23 Apr 2015 11:42:59 +0800 Subject: [Freeipa-users] kadmin.local to manage FreeIPA Kerberos Message-ID:

Hi, We have recently deployed FreeIPA for our Hadoop environment. Recently, Ambari community released 2.0, where this version supports MIT kerberos. Which means Ambari creates all the service principals using "kadmin.local". As I know, "kadmin.local" won't work for FreeIPA kerberos to create the principals.
:( Please let me know, is there any alternative way to create the principals using "kadmin.local". It will be greatly helpful for us if we can do it with "kadmin.local", or else we have to move back to MIT Kerberos. Regards, Shaik

From jcholast at redhat.com Thu Apr 23 05:40:27 2015 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Apr 2015 07:40:27 +0200 Subject: [Freeipa-users] ipa-replica-prepare failing In-Reply-To: References: <552689C5.40405@redhat.com> <5526D585.6050606@redhat.com> <5527E65F.2090102@redhat.com> <55284D7A.2030801@redhat.com> <552BD271.5010608@redhat.com> <552D5298.6040608@redhat.com> <552DF829.4060209@redhat.com> <55310A2A.9060701@redhat.com> Message-ID: <553885CB.3090505@redhat.com>

Hi, yes, you can definitely use a different certificate in the meantime, although it can't be self-signed. Honza Dne 20.4.2015 v 14:17 David Dejaeghere napsal(a): > Hi, > > Let me know how I can assist. > In the meantime could I setup a replica using a different certificate? > Self signed or anything like that? > > Regards, > > D > > 2015-04-17 15:27 GMT+02:00 Jan Cholasta >: > > Hi, > > I don't have any new information. I'm trying to reproduce the > problem but had no luck so far. > > Honza > > Dne 17.4.2015 v 15:23 David Dejaeghere napsal(a): > > Hi, > > Any more things I can try out? How do we proceed? > > Kind Regards, > > D > > 2015-04-15 11:48 GMT+02:00 David Dejaeghere > > >>: > > Hi Honza, > > That gave me the exact same output. Any ideas? > > Regards, > > D > > 2015-04-15 7:33 GMT+02:00 Jan Cholasta > >>: > > Hi, > > Dne 14.4.2015 v 19:47 Rob Crittenden napsal(a): > > David Dejaeghere wrote: > > Hi Rob, > > So you want to output of the command using pk12 > with > server cert and > key? or with the ca chain in there too? > > > Oddly enough it is failing in exactly the same > place.
Those > GoDaddy CA > certs are still being loaded from somewhere, I'm > not sure > where, and I > suspect that is the source of the problem. > > > They are in the default CA certificate bundle (in the > ca-certificate package). I guess NSS loads it > automatically. > > > I'm going to forward the log to a colleague who has > worked > on this code > more recently than I have. Maybe he will have an idea. > > > Could you try if the following works? > > # mv > /usr/share/pki/ca-trust-source/ca-bundle.trust.crt > /root/ca-bundle.trust.crt > > # update-ca-trust > > # ipa-replica-prepare ... > > # mv /root/ca-bundle.trust.crt > /usr/share/pki/ca-trust-source/ca-bundle.trust.crt > > # update-ca-trust > > > rob > > > Honza > > -- > Jan Cholasta > > > > > > -- > Jan Cholasta > > -- Jan Cholasta

From abokovoy at redhat.com Thu Apr 23 05:51:43 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 23 Apr 2015 08:51:43 +0300 Subject: [Freeipa-users] kadmin.local to manage FreeIPA Kerberos In-Reply-To: References: Message-ID: <20150423055142.GK26437@redhat.com>

On Thu, 23 Apr 2015, Shaik M wrote: >Hi, > >We have recently deployed FreeIPA for our Hadoop environment. > >Recently, Ambari community released 2.0, where this version supports MIT >kerberos. Which means Ambari creates all the service principals using > "kadmin.local". > >As I know, "kadmin.local" won't work for FreeIPA kerberos to create the >principals. :( > >Please let me know, is there any alternative way to create the principals >using "kadmin.local". > >It will be greatly helpful for us if we can do it with "kadmin.local", or else we have >to move back to MIT Kerberos. No, at this time it is not possible to use. I've looked at the Ambari code and it shouldn't be hard to implement a FreeIPA-specific KerberosOperationHandler that does the proper thing by calling out to IPA tools.
Part of the problem with MITKerberosOperationHandler.java is that you have no way to pass any arguments and options to kadmin/kadmin.local at all, so even to make it work will require patching that code. At this point it is easier to rewrite it to use 'ipa' and ipa-getkeytab utilities altogether because the code is trivial. https://github.com/apache/ambari/blob/ed231beaddaf6347d4defb2fb26d75849c0cafc9/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java -- / Alexander Bokovoy

From munna.hadoop at gmail.com Thu Apr 23 06:32:16 2015 From: munna.hadoop at gmail.com (Shaik M) Date: Thu, 23 Apr 2015 14:32:16 +0800 Subject: [Freeipa-users] kadmin.local to manage FreeIPA Kerberos In-Reply-To: <20150423055142.GK26437@redhat.com> References: <20150423055142.GK26437@redhat.com> Message-ID:

Hi Alex, Thank you for your prompt reply. Ambari community is going to release new version 2.1, where they are providing user specific Kerberos like 1.7. For now I'll go ahead with MIT Kerberos. Regards, Shaik On 23 April 2015 at 13:51, Alexander Bokovoy wrote: > On Thu, 23 Apr 2015, Shaik M wrote: > >> Hi, >> >> We have recently deployed FreeIPA for our Hadoop environment. >> >> Recently, Ambari community released 2.0, where this version supports MIT >> kerberos. Which means Ambari creates all the service principals using >> "kadmin.local". >> >> As I know, "kadmin.local" won't work for FreeIPA kerberos to create the >> principals. :( >> >> Please let me know, is there any alternative way to create the principals >> using "kadmin.local". >> >> It will be greatly helpful for us if we can do it with "kadmin.local", or else we >> have >> to move back to MIT Kerberos. >> > No, at this time it is not possible to use. I've looked at the Ambari > code and it shouldn't be hard to implement a FreeIPA-specific > KerberosOperationHandler that does the proper thing by calling out to IPA > tools.
>
> Part of the problem with MITKerberosOperationHandler.java is that you have
> no way to pass any arguments and options to kadmin/kadmin.local at all,
> so even making it work would require patching that code. At this
> point it is easier to rewrite it to use the 'ipa' and ipa-getkeytab
> utilities altogether because the code is trivial.
>
> https://github.com/apache/ambari/blob/ed231beaddaf6347d4defb2fb26d75849c0cafc9/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
> --
> / Alexander Bokovoy

From mkosek at redhat.com Thu Apr 23 10:32:18 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 23 Apr 2015 12:32:18 +0200
Subject: [Freeipa-users] IdM Replica Install SSH failure.
In-Reply-To: <1410063867.3146067.1429714627495.JavaMail.zimbra@redhat.com>
References: <1410063867.3146067.1429714627495.JavaMail.zimbra@redhat.com>
Message-ID: <5538CA32.10903@redhat.com>

On 04/22/2015 04:57 PM, Jesse Johnson wrote:
> ALL,
>
> I'm attempting to complete a replica install and the system is bombing out on the gssapi portion of the SSH key configuration. I can ssh and selinux is permissive.

You mean right before the beginning of the installation, in the connection check?

>
> Could not SSH into remote host. Error output:
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 56: Applying options for *
> debug1: Connecting to [] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha256@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA
> Warning: Permanently added ',' (ECDSA) to the list of known hosts.
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-keyex
> debug1: No valid Key exchange context
> debug1: Next authentication method: gssapi-with-mic
> Connection closed by
> Could not SSH to remote host.
>
> Any help would be appreciated.
>
> Jesse P. Johnson CISSP RHC{A,DS,E,SA}
> ISC^2: 384989
> RH: 120-117-320
> C: 757-232-3110

There is most likely some problem, the conncheck is already quite proven. You can skip it with --skip-conncheck, but the installation will probably blow up in later stages anyway. So it is good you are investigating the root cause. I would try:

- checking that DNS records from your client to the server are OK (both the forward DNS record and the reverse DNS record for its IP address). Also check the other side, from master to client, there was a bug in the past.
- checking that you can ssh as the "admin" user and via Kerberos (you can copy a functional krb5.conf from another replica)
- ssh via another account and different means (SSH key) may not be sufficient

Also, what is the FreeIPA and platform version you are testing this on?

From rmj at ast.cam.ac.uk Thu Apr 23 10:59:11 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Thu, 23 Apr 2015 11:59:11 +0100
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <55386623.6000900@redhat.com>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com>
Message-ID: <5538D07F.9030902@ast.cam.ac.uk>

On 23/04/15 04:25, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> On 22/04/15 14:30, Dmitri Pal wrote:
>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>
>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>
>>>> It looks to me as if this:
>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>
>>>> might be the best guide available, although I'm not sure what changes
>>>> I might need to make because I'm actually on Solaris 10 rather than 11.
>>>>
>>>> Can anyone advise please?
>>>>
>>>> There is a comment in the above post:
>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>
>>>> My automount maps are already called eg auto.master, auto.home on my
>>>> ipa server and I'm sure I've seen a post somewhere suggesting an
>>>> attributeMap can fix this issue, but I can't find it now, so maybe I
>>>> am mistaken.
>>>>
>>>> Am I on the right track? Is anyone familiar with that fix.
>>>>
>>>> Thanks
>>>>
>>>> Roderick Johnstone
>>>>
>>> We are not strong in Solaris so you really need to search user archives
>>> or wait for someone who accomplished Solaris integration to chime in
>>> here on the list.
>>>
>>
>> Dmitri
>>
>> I had gathered that from previous postings to the list and was indeed
>> hoping that one of the Solaris experts might comment.
>>
>> By the way, there are various suggestions on the list of putting the
>> best Solaris instructions on the wiki. Is that still a possibility? I'd
>> be happy to help, but I'm not experienced with connecting Solaris to ipa
>> yet!
>>
>> Roderick
>>
>
> A few weeks back I added what I thought were the most relevant threads
> and pointers. The mailing list thread you refer to was converted into
> some documentation bugs and tickets. I referenced those at
> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>
> If there is anything I can improve here just let me know.

Rob

This page has expanded since I was searching a few weeks ago. Thanks for that. I understand that the project has no direct Solaris expertise.

There are some things that could be made easier to follow and others that seem inconsistent with the mailing list thread that I found. Maybe some are just different ways of doing the same thing.
I started to point out some differences in this email, but it's probably best if I go through the mailing list link that I found and the web page you referenced, systematically, and list what the differences are. I'll be in touch when I have done that.

In the meantime I noticed a few small html link issues on the web page you referenced...

1) Under the section Solaris 8/9/10 / Configuring Client Authentication the link to the reference files in /var/ldap (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), for me, resolves to the top level "Open Source Community page" http://community.redhat.com/software/. I do however see the files correctly linked from the section "Client Configuration Files" at the bottom of the page.

2) There is the same issue for the links to the nsswitch.conf and pam.conf files linked in items 2 and 4 below the above - sorry, it's hard to describe well where these links are.

And it would be good if the patch ("Patch to update Solaris documentation") that is referred to in Solaris 8/9/10 / Additional resources could be applied to the original document and the patched document made available, or at least the information in it.

Thanks

Roderick

>
> rob
>

From rcritten at redhat.com Thu Apr 23 13:14:28 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Apr 2015 09:14:28 -0400
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <5538D07F.9030902@ast.cam.ac.uk>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk>
Message-ID: <5538F034.3050902@redhat.com>

Roderick Johnstone wrote:
> On 23/04/15 04:25, Rob Crittenden wrote:
>> Roderick Johnstone wrote:
>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>> Hi
>>>>>
>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>> >>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat >>>>> manuals, various bug trackers and the freeipa-users mailing list. >>>>> >>>>> It looks to me as if this: >>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html >>>>> >>>>> >>>>> might be the best guide available, although I'm not sure what changes >>>>> I might need to make because I'm actually on Solaris 10 rather than >>>>> 11. >>>>> >>>>> Can anyone advise please? >>>>> >>>>> There is a comment in the above post: >>>>> "Make sure that the automount maps in ipaserver is named auto_* and >>>>> NOT auto.* so they are compatible with Solaris name standards." >>>>> >>>>> My automount maps are already called eg auto.master, auto.home on my >>>>> ipa server and I'm sure I've seen a post somewhere suggesting an >>>>> attributeMap can fix this issue, but I can't find it now, so maybe I >>>>> am mistaken. >>>>> >>>>> Am I on the right track? Is anyone familiar with that fix. >>>>> >>>>> Thanks >>>>> >>>>> Roderick Johnstone >>>>> >>>> We are not strong in Solaris so you really need to search user archives >>>> or wait for someone who accomplished Solaris integration to chime in >>>> here on the list. >>>> >>> >>> Dmitri >>> >>> I had gathered that from previous postings to the list and was indeed >>> hoping that one of the Solaris experts might comment. >>> >>> By the way, there are various suggestions on the list of putting the >>> best Solaris instructions on the wiki. Is that still a possibility? I'd >>> be happy to help, but I'm not experienced with connecting Solaris to ipa >>> yet! >>> >>> Roderick >>> >> >> A few weeks back I added what I thought were the most relevant threads >> and pointers. The mailing list thread you refer to was converted into >> some documentation bugs and tickets. I referenced those at >> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources >> >> If there is anything I can improve here just let me know. 
>
> Rob
>
> This page has expanded since I was searching a few weeks ago. Thanks for
> that. I understand that the project has no direct Solaris expertise.
>
> There are some things that could be made easier to follow and others
> that seem inconsistent with the mailing list thread that I found. Maybe
> some are just different ways of doing the same thing.
>
> I started to point some some differences in this email, but its probably
> best if I go through the mailing list link that I found and the web page
> you referenced, systematically, and list what the differences are. I'll
> be in touch when I have done that.
>
> In the meantime I noticed a few of small html link issues on the web
> page you referenced...
>
> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
> the link to the reference files in /var/ldap
> (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files),
> for me, resolves to the top level "Open Source Community page"
> http://community.redhat.com/software/. I do however see the files
> correctly linked from the section "Client Configuration Files" at bottom
> of the page.

Fixed.

>
> 2) There is the same issue for the links to the nsswitch.conf and
> pam.conf files linked in items 2 and 4 below the above - sorry, its hard
> to describe well where these links are.

Fixed, and fixed a couple of similar issues in other OS's.

> And it would be good if the patch ("Patch to update Solaris
> documentation") that is referred to in Solaris 8/9/10 / Additional
> resources could be applied to the original document and the patched
> document made available, or at least the information in it.

Unfortunately the upstream doc project that this is patched against was discontinued. The patch is mostly interesting for the two tickets it links to.

rob

From jesse.johnson at redhat.com Thu Apr 23 13:08:04 2015
From: jesse.johnson at redhat.com (Jesse Johnson)
Date: Thu, 23 Apr 2015 09:08:04 -0400 (EDT)
Subject: [Freeipa-users] IdM Replica Install SSH failure.
In-Reply-To: <5538CA32.10903@redhat.com>
References: <1410063867.3146067.1429714627495.JavaMail.zimbra@redhat.com> <5538CA32.10903@redhat.com>
Message-ID: <1236633143.3554459.1429794484595.JavaMail.zimbra@redhat.com>

Martin,

I found out the cause. It was just one of the reverse lookups.

Thanks,

Jesse P. Johnson CISSP RHC{A,DS,E,SA}
ISC^2: 384989
RH: 120-117-320
C: 757-232-3110

----- Original Message -----
From: "Martin Kosek"
To: "Jesse Johnson" , freeipa-users at redhat.com
Sent: Thursday, April 23, 2015 6:32:18 AM
Subject: Re: [Freeipa-users] IdM Replica Install SSH failure.

On 04/22/2015 04:57 PM, Jesse Johnson wrote:
> ALL,
>
> I'm attempting to complete a replica install and the system is bombing out on the gssapi portion of the SSH key configuration. I can ssh and selinux is permissive.

You mean right before beginning of the installation in the connection check?

>
> Could not SSH into remote host. Error output:
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 56: Applying options for *
> debug1: Connecting to [] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0 > debug1: identity file /root/.ssh/id_rsa type -1 > debug1: identity file /root/.ssh/id_rsa-cert type -1 > debug1: identity file /root/.ssh/id_dsa type -1 > debug1: identity file /root/.ssh/id_dsa-cert type -1 > debug1: identity file /root/.ssh/id_ecdsa type -1 > debug1: identity file /root/.ssh/id_ecdsa-cert type -1 > debug1: identity file /root/.ssh/id_ed25519 type -1 > debug1: identity file /root/.ssh/id_ed25519-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.6.1 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 > debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none > debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none > debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 > debug1: kex: curve25519-sha256 at libssh.org need=16 dh_need=16 > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: Server host key: ECDSA > Warning: Permanently added ',' (ECDSA) to the list of known hosts. > debug1: ssh_ecdsa_verify: signature correct > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password > debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug1: Next authentication method: gssapi-with-mic > Connection closed by > Could not SSH to remote host. > > Any help would be appreciated. > > Jesse P. 
Johnson CISSP RHC{A,DS,E,SA}
> ISC^2: 384989
> RH: 120-117-320
> C: 757-232-3110

There is most likely some problem, the conncheck is already quite proven. You can skip it with --skip-conncheck, but the installation will probably blow up in later stages anyway. So it is good you are investigating the root cause. I would try:

- checking that DNS records from your client to the server are OK (both the forward DNS record and the reverse DNS record for its IP address). Also check the other side, from master to client, there was a bug in the past.
- checking that you can ssh as the "admin" user and via Kerberos (you can copy a functional krb5.conf from another replica)
- ssh via another account and different means (SSH key) may not be sufficient

Also, what is the FreeIPA and platform version you are testing this on?

From harald.dunkel at aixigo.de Thu Apr 23 14:04:21 2015
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Thu, 23 Apr 2015 16:04:21 +0200
Subject: [Freeipa-users] setting up a subdomain
Message-ID: <20150423160421.70b4a014@dpcl082.ac.aixigo.de>

Hi folks,

I am very new to freeipa, so hopefully it's allowed to ask: I need a single realm EXAMPLE.COM and DNS zones for example.com, develop.example.com, sales.example.com, etc. freeipa makes it easy to create a subdomain using

    ipa dnszone-add a.example.com
    ipa dnszone-mod a.example.com --dynamic-update=TRUE

but it appears that all these fancy _ldap._tcp, _kerberos._tcp etc. records are not generated. Is this on purpose? Is a client foo.a.example.com supposed to look for _ldap._tcp.example.com, if _ldap._tcp.a.example.com cannot be found?

The code for creating these basic entries must be somewhere in freeipa, so I wonder if I missed some command line options here?

Is this setup something that freeipa (4.0.5) can handle at all?

Every helpful comment is highly appreciated.

Regards
Harri

From esdras.laroque at gmail.com Thu Apr 23 14:33:35 2015
From: esdras.laroque at gmail.com (Esdras La-Roque)
Date: Thu, 23 Apr 2015 11:33:35 -0300
Subject: [Freeipa-users] DNS Problem
Message-ID:

Hi guys.

I'm having a DNS issue in a fresh installation. I've tried reinstalling the IPA several times.

My environment:

- CentOS 7.0
- IPA 3.3.3 (distro

Installation cmd: ipa-server-install --mkhomedir --setup-dns --forwarder=1.2.3.4

The installation finished successfully, but the log shows a dns error with ldap:

    named[3315]: ldap_syncrepl will reconnect in 60 seconds
    named[3315]: connection to the LDAP server was lost
    named[3315]: successfully reconnected to LDAP server
    named[3315]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
    LDAP error: Critical extension is unavailable: unable to start SyncRepl session: is RFC 4533 supported by LDAP server?
    named[3315]: ldap_syncrepl will reconnect in 60 seconds

And DNS doesn't work:

    ~# host ipaserver.mydomain.ipa 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    Host ipaserver.mydomain.ipa not found: 3(NXDOMAIN)

    ~# ipa dnsrecord-show mydomin.ipa ipaserver
    Record name: ipaserver
    A record: 10.10.10.1

What should I test? I already formatted the server and the problem continues.

Thanks.

From pspacek at redhat.com Thu Apr 23 14:46:11 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Apr 2015 16:46:11 +0200
Subject: [Freeipa-users] setting up a subdomain
In-Reply-To: <20150423160421.70b4a014@dpcl082.ac.aixigo.de>
References: <20150423160421.70b4a014@dpcl082.ac.aixigo.de>
Message-ID: <553905B3.7070406@redhat.com>

On 23.4.2015 16:04, Harald Dunkel wrote:
> Hi folks,
>
> I am very new to freeipa, so hopefully its allowed to ask:
> I need a single realm EXAMPLE.COM and DNS zones for example.com ,
> develop.example.com, sales.example.com, etc.
> freeipa makes it easy to create a subdomain using
>
> ipa dnszone-add a.example.com
> ipa dnszone-mod a.example.com --dynamic-update=TRUE
>
> but it appears that all these fancy _ldap._tcp, _kerberos ._tcp
> etc. records are not generated. Is this on purpose? Is a client
> foo.a.example.com supposed to look for _ldap._tcp.example.com,
> if _ldap._tcp.a.example.com cannot be found?
>
> The code for creating these basic entries must be somewhere in
> freeipa, so I wonder if I missed to recognize some command line
> options here?
>
> Is this setup something that freeipa (4.0.5) can handle at
> all?

Hello!

FreeIPA should automatically create a _kerberos TXT record for you and clients should use this record to find the main FreeIPA DNS domain. That should be enough for standard-compliant clients, you do not need to worry about it.

Have a nice day!

--
Petr^2 Spacek

From pspacek at redhat.com Thu Apr 23 14:48:07 2015
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Apr 2015 16:48:07 +0200
Subject: [Freeipa-users] DNS Problem
In-Reply-To:
References:
Message-ID: <55390627.6000506@redhat.com>

On 23.4.2015 16:33, Esdras La-Roque wrote:
> Hi guys.
>
> I'm DNS issue in a fresh installation. I've tried reinstalling the IPA
> several times.
>
> My environment:
>
> - CentOS 7.0
> - IPA 3.3.3 (distro
>
> Installation cmd: ipa-server-install --mkhomedir --setup-dns
> --forwarder=1.2.3.4
>
> The installation finished successfully, but the log shows dns error with
> ldap:
>
> named[3315]: ldap_syncrepl will reconnect in 60 seconds
> named[3315]: connection to the LDAP server was lost
> named[3315]: successfully reconnected to LDAP server
> named[3315]: LDAP instance 'ipa' is being synchronized, please ignore
> message 'all zones loaded'
> LDAP error: Critical extension is unavailable: unable to start SyncRepl
> session: is RFC 4533 supported by LDAP server?
> named[3315]: ldap_syncrepl will reconnect in 60 seconds

It seems that you are mixing CentOS 7.0 and 7.1 packages, which is really weird, package dependencies should prevent that.

What versions of the 389-ds-base and bind-dyndb-ldap packages do you have?

    $ rpm -q 389-ds-base bind-dyndb-ldap

I would recommend you to jump straight to a clean CentOS 7.1 installation and be done with it :-)

--
Petr^2 Spacek

From esdras.laroque at gmail.com Thu Apr 23 15:01:37 2015
From: esdras.laroque at gmail.com (Esdras La-Roque)
Date: Thu, 23 Apr 2015 12:01:37 -0300
Subject: [Freeipa-users] DNS Problem
In-Reply-To: <55390627.6000506@redhat.com>
References: <55390627.6000506@redhat.com>
Message-ID:

Hmm.. now it makes sense. I have a test environment, which was theoretically installed in the same way, but the version of bind-dyndb-ldap is different.

Test environment: bind-dyndb-ldap-3.5-4.el7.x86_64
New installation: bind-dyndb-ldap-6.0-2.el7.x86_64

389-ds are the same: 389-ds-base-1.3.1.6-25.el7.x86_64

Thanks for your help!

2015-04-23 11:48 GMT-03:00 Petr Spacek :
> On 23.4.2015 16:33, Esdras La-Roque wrote:
> > Hi guys.
> >
> > I'm DNS issue in a fresh installation. I've tried reinstalling the IPA
> > several times.
> >
> > My environment:
> >
> > - CentOS 7.0
> > - IPA 3.3.3 (distro
> >
> > Installation cmd: ipa-server-install --mkhomedir --setup-dns
> > --forwarder=1.2.3.4
> >
> > The installation finished successfully, but the log shows dns error with
> > ldap:
> >
> > named[3315]: ldap_syncrepl will reconnect in 60 seconds
> > named[3315]: connection to the LDAP server was lost
> > named[3315]: successfully reconnected to LDAP server
> > named[3315]: LDAP instance 'ipa' is being synchronized, please ignore
> > message 'all zones loaded'
> > LDAP error: Critical extension is unavailable: unable to start SyncRepl
> > session: is RFC 4533 supported by LDAP server?
> > named[3315]: ldap_syncrepl will reconnect in 60 seconds
>
> It seems that you are mixing CentOS 7.0 and 7.1 packages which is really
> weird, package dependencies should prevent that.
>
> What versions of 389-ds-base and bind-dyndb-ldap packages do you have?
> $ rpm -q 389-ds-base bind-dyndb-ldap
>
> I would recommend you to jump straight to a clean CentOS 7.1 installation
> and
> be done with it :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

From dpal at redhat.com Thu Apr 23 17:38:13 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 23 Apr 2015 13:38:13 -0400
Subject: [Freeipa-users] External group membership
In-Reply-To:
References: <5531D87C.7010907@redhat.com>
Message-ID: <55392E05.10903@redhat.com>

On 04/22/2015 01:21 PM, Benjamen Keroack wrote:
> Hi Dmitri,
>
> I'd be happy to test sssd 1.13 alpha. Is there any easy way to install
> on Ubuntu, or do I need to pull and compile from source?

For the alpha you probably would need to go from source, but once 1.13 is released the distro owners do a great job of keeping up with the upstream. Please watch for the announcements on the list.

>
> Thanks,
>
> On Fri, Apr 17, 2015 at 9:07 PM, Dmitri Pal wrote:
>
> On 04/17/2015 09:12 PM, Benjamen Keroack wrote:
>> Hi,
>>
>> We have a number of local groups on our IPA-managed servers that
>> we add LDAP/IPA users to. This works fine locally on the server
>> on an ad hoc basis:
>>
>> $ usermod -a -G local-group test.user
>>
>> However I'm trying to do this as part of user provisioning in IPA
>> via user groups. I've created external user groups in IPA, then
>> added those external groups to the user groups that new users are
>> added to via automember rules.
>> For example:
>>
>> local-group [external] -> [is a member of] -> developers [IPA group]
>>
>> Then I SSH into one of the servers as a user who is a member of
>> developers:
>>
>> test.user@qa$ groups
>> test.user developers qa_users
>>
>> I do not see 'local-group' membership, even after restarting
>> sssd/rebooting. Is it possible to achieve this kind of automatic
>> local group membership? The only alternative I can see would be
>> to write a SUID binary that .bash_profile runs on login to add
>> them to the applicable groups, which seems like a bad hack.
>>
>> This is IPA 4.1.0 running on RHEL 7.1. Client servers are Ubuntu
>> Trusty.
>>
>> Thanks for any help,
>>
>> --
>> Benjamen Keroack
>> /Infrastructure/DevOps Engineer/
>> benjamen at dollarshaveclub.com
>>
>
> It looks like you are looking for this:
> https://fedorahosted.org/sssd/ticket/1591
> It is on the roadmap for 1.13 alpha which should be out in a couple of
> months.
> Would you be interested to test?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
> --
> Benjamen Keroack
> /Infrastructure/DevOps Engineer/
> benjamen at dollarshaveclub.com

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From D.Korittki at mittwald.de Fri Apr 24 07:26:31 2015
From: D.Korittki at mittwald.de (Dominik Korittki)
Date: Fri, 24 Apr 2015 07:26:31 +0000
Subject: [Freeipa-users] ipa-replica-manage re-initialize and database size
Message-ID: <707187C11154EC4EB2421F94818D6CDE0102967A77@MW-EXCHANGE.mw-ks.local>

Hello all,

I am running two ipa3.3.3 instances in a replication on Centos 7 servers. Last day the root partition went full (where the dirsrv databases are stored), because of a big changelog-db. dirsrv managed to do a graceful shutdown. Luckily, the second master was still working properly, so I could recover the first one from it.

I resized the partition, booted up again and ran 'ipa-replica-manage re-initialize --from ipa02.internal'

Everything seemed to run fine except for one warning regarding an issue with the changelog db, here's the portion of the log /var/log/dirsrv/slapd-INTERNAL/errors on the receiving (first) IPA master:

    [...]
    [23/Apr/2015:10:41:46 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is going offline; disabling replication
    [23/Apr/2015:10:41:47 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers finished; cleaning up...
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers cleaned up.
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Indexing complete. Post-processing...
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Generating numSubordinates complete.
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Flushing caches...
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Closing files...
    [23/Apr/2015:10:41:55 +0200] - import userRoot: Import complete. Processed 9983 entries in 8 seconds. (1247.88 entries/sec)
    [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is coming online; enabling replication
    [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
    [...]

I am no expert in LDAP or Directory Server, but I noticed a significant size difference of files in /var/lib/dirsrv/slapd-INTERNAL/cldb/:

    root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
    0     /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578.sema
    24M   /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578_546f4515000000040000.db
    0     /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578.sema
    6,8M  /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578_54748540000000600000.db
    4,0K  /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
    30M   total

    root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
    0     /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc.sema
    4,7G  /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc_546f4515000000040000.db
    0     /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc.sema
    3,7M  /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc_54748540000000600000.db
    4,0K  /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
    4,7G  total

Also, I noticed a difference in the actual database size on both servers:

    root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
    4,0K  /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
    1,3M  /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
    544K  /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
    9,6M  /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
    1,4M  /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
    2,2M  /var/lib/dirsrv/slapd-INTERNAL/db/log.0000124384
    101M  /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
    115M  total

    root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
    4,0K  /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
    1,7M  /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
    544K  /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
    9,6M  /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
    1,3M  /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
    4,3M  /var/lib/dirsrv/slapd-INTERNAL/db/log.0000074356
    175M  /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
    193M  total

Besides that, everything seems to be working fine again, including the replication. No errors or warnings regarding this issue are stated in the dirsrv logs. So I'm a bit confused right now whether to believe everything worked fine or not.

Is this behaviour of IPA/Directory Server normal?

Many thanks in advance!

Greetings and a nice day,
Dominik Korittki

From lkrispen at redhat.com Fri Apr 24 08:20:59 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 24 Apr 2015 10:20:59 +0200
Subject: [Freeipa-users] ipa-replica-manage re-initialize and database size
In-Reply-To: <707187C11154EC4EB2421F94818D6CDE0102967A77@MW-EXCHANGE.mw-ks.local>
References: <707187C11154EC4EB2421F94818D6CDE0102967A77@MW-EXCHANGE.mw-ks.local>
Message-ID: <5539FCEB.3000602@redhat.com>

On 04/24/2015 09:26 AM, Dominik Korittki wrote:
> Hello all,
>
> I am running two ipa3.3.3 instances in a replication on Centos 7 servers.
> Last day the rootpartition went full (where the dirsrv databases are
> stored), because of a big changelog-db.
> dirsrv managed to do a graceful shutdown. Luckily, the second master
> was still working properly, so i could recover the first one from it.
>
> I resized the partition, booted up again and ran
> 'ipa-replica-manage re-initialize --from ipa02.internal'
>
> Everything seemed to ran fine except for one warnig regarding an issue
> with the changelog db, heres the log portion of the log
> /var/log/dirsrv/slapd-INTERNAL/errors on recieving (first) IPA master:
> [...]
> [23/Apr/2015:10:41:46 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is going offline; disabling replication
> [23/Apr/2015:10:41:47 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers finished; cleaning up...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers cleaned up.
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Indexing complete. Post-processing...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Generating numSubordinates complete.
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Flushing caches...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Closing files...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Import complete. Processed 9983 entries in 8 seconds. (1247.88 entries/sec)
> [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is coming online; enabling replication
> [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog.
> Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
> [...]

This should be normal. At the moment of initialization, a server has a database and a changelog. The database is recreated by initialization, and when the replication plugin starts it detects that changelog and db no longer match and recreates the changelog.

>
> I am no expert in LDAP or Directory Server, but I noticed a significant size difference of files in /var/lib/dirsrv/slapd-INTERNAL/cldb/:
>
> root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578.sema
> 24M     /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578_546f4515000000040000.db
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578.sema
> 6,8M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578_54748540000000600000.db
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
> 30M     total
>
> root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc.sema
> 4,7G    /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc_546f4515000000040000.db
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc.sema
> 3,7M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc_54748540000000600000.db
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
> 4,7G    total
>
>
> Also, I noticed a difference in the actual database size on both servers:
>
> root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
> 1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
> 544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
> 9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
> 1,4M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
> 2,2M    /var/lib/dirsrv/slapd-INTERNAL/db/log.0000124384
> 101M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
> 115M    total
>
> root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
> 1,7M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
> 544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
> 9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
> 1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
> 4,3M    /var/lib/dirsrv/slapd-INTERNAL/db/log.0000074356
> 175M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
> 193M    total
>
> Besides that, everything seems to be working fine again, including the replication. No errors or warnings regarding this issue are stated in the dirsrv logs. So I'm a bit confused right now whether to believe everything worked fine or not.
> Is this behaviour of IPA/Directory Server normal? Many thanks in advance!
>
>
> Greetings and a nice day,
> Dominik Korittki
>

From notify.sina at gmail.com Fri Apr 24 09:11:29 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Fri, 24 Apr 2015 10:11:29 +0100
Subject: [Freeipa-users] Unable to Rebuild Replica
Message-ID:

Hi!

I noticed that my IPA domain masters were out of sync, with users having to login with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with "ipa-server-install --uninstall -U", deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again. It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine.
Installation logs:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'services.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@EXAMPL.COM password:

Execute check on remote master
Check connection from master to remote replica 'services01.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From the ipa-replica-install.log:

2015-04-24T09:01:57Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-services01.qrios.com.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True, 'setup_ca': True, 'forwarders': [CheckedIPAddress('8.8.8.8'), CheckedIPAddress('8.8.4.4')], 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-04-24T09:01:57Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         services01.qrios.com (/etc/httpd/conf.d/nss.conf:84)

2015-04-24T09:01:57Z DEBUG stderr=Syntax OK

2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpo2Cx3jipa/files.tar -d /var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C /tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
2015-04-24T09:02:04Z DEBUG Installing replica file with version 300 (0 means no version in prepared file).
2015-04-24T09:02:04Z DEBUG Check if services01.qrios.com is a primary hostname for localhost
2015-04-24T09:02:04Z DEBUG Primary hostname for localhost: services01.qrios.com
2015-04-24T09:02:04Z DEBUG Search DNS for services01.qrios.com
2015-04-24T09:02:04Z DEBUG Check if services01.qrios.com. is not a CNAME
2015-04-24T09:02:04Z DEBUG Check reverse address of 192.168.2.40
2015-04-24T09:02:04Z DEBUG Found reverse name: services01.qrios.com
2015-04-24T09:02:18Z DEBUG args=/usr/sbin/ipa-replica-conncheck --master services.qrios.com --auto-master-check --realm QRIOS.COM --principal admin --hostname services01.qrios.com --check-ca
2015-04-24T09:02:18Z DEBUG args=/sbin/ip -family inet -oneline address show
...skipping...
         -unsecure_port=7988 \
         -user=pkiuser \
         -group=pkiuser \
         -redirect conf=/etc/pki-tps1 \
         -redirect logs=/var/log/pki-tps1 \
         -verbose

IMPORTANT:  Must be run as root!

2015-04-24T09:02:54Z DEBUG stderr=[error] An instance named pki-ca already exists; please try again.

2015-04-24T09:02:54Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 476, in main
    (CA, cs) = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1626, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 626, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()

  File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 770, in create_instance
    ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 316, in run
    raise CalledProcessError(p.returncode, args)

2015-04-24T09:02:54Z INFO The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From dbischof at hrz.uni-kassel.de Fri Apr 24 09:44:34 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Fri, 24 Apr 2015 11:44:34 +0200 (CEST)
Subject: [Freeipa-users] Unable to Rebuild Replica
In-Reply-To:
References:
Message-ID:

Sina,

On Fri, 24 Apr 2015, Sina Owolabi wrote:

> I noticed that my IPA domain masters were out of sync, with users having
> to login with different passwords depending on the IPA client they were
> connected to. I noticed it was the replica that was the problem, and I
> took it down, uninstalled IPA with "ipa-server-install --uninstall
> -U", deleted all the folders based on Adam Young's blog
> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and
> tried to create the replica again. It repeatedly fails, and I am hoping for
> some insight on how to fix this. Please can anyone help? I'm running
> this on RHEL6.6 and I just updated the entire machine.
>
> Installation logs:
> [...]

you may have run into this issue:

https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html

In short: You may be missing some Apache modules on the IPA master. This problem occurs only if you attempt to install your replica with "--setup-ca", otherwise installation will work.

Mit freundlichen Gruessen/With best regards,

--Daniel.

From notify.sina at gmail.com Fri Apr 24 11:00:35 2015
From: notify.sina at gmail.com (Sina Owolabi)
Date: Fri, 24 Apr 2015 12:00:35 +0100
Subject: [Freeipa-users] Unable to Rebuild Replica
In-Reply-To:
References:
Message-ID:

Thanks Daniel!

Please, what are the downsides of installing without --setup-ca? And how do I make certain both servers have the same number of modules?

On Fri, Apr 24, 2015 at 10:44 AM, wrote:
> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users having
>> to login with different passwords depending on the IPA client they were
>> connected to. I noticed it was the replica that was the problem, and I took
>> it down, uninstalled IPA with "ipa-server-install --uninstall -U", deleted
>> all the folders based on Adam Young's blog
>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and
>> tried to create the replica again. It repeatedly fails, and I am hoping for some
>> insight on how to fix this. Please can anyone help? I'm running this on
>> RHEL6.6 and I just updated the entire machine.
>>
>> Installation logs:
>> [...]
>
>
> you may have run into this issue:
>
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This
> problem occurs only if you attempt to install your replica with
> "--setup-ca", otherwise installation will work.
>
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From dbischof at hrz.uni-kassel.de Fri Apr 24 14:05:48 2015
From: dbischof at hrz.uni-kassel.de (dbischof at hrz.uni-kassel.de)
Date: Fri, 24 Apr 2015 16:05:48 +0200 (CEST)
Subject: [Freeipa-users] Unable to Rebuild Replica
In-Reply-To:
References:
Message-ID:

Sina,

On Fri, 24 Apr 2015, Sina Owolabi wrote:

> Please, what are the downsides of installing without --setup-ca?

I don't know exactly, sorry. If you install with "--setup-ca" an IPA replica and master only differ in two details:

https://www.redhat.com/archives/freeipa-users/2014-July/msg00115.html

> And how do I make certain both servers have the same number of modules?

You have most likely installed all required modules on both machines. You may not have, however, activated the required Apache modules on the master - at least that was my mistake in the past. Check

https://www.redhat.com/archives/freeipa-users/2015-February/msg00041.html

for details.

---
apachectl -t -D DUMP_MODULES
---

shows the active modules of your running Apache on the IPA master. Apache modules are usually enabled/disabled in the Apache configuration file in /etc/httpd.

Please be aware that this _may_ be the cause of your problem. There may be a different cause as well.
> On Fri, Apr 24, 2015 at 10:44 AM, wrote:
>> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>>
>>> I noticed that my IPA domain masters were out of sync, with users
>>> having to login with different passwords depending on the IPA client
>>> they were connected to. I noticed it was the replica that was the
>>> problem, and I took it down, uninstalled IPA with
>>> "ipa-server-install --uninstall -U", deleted all the folders based on
>>> Adam Young's blog
>>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/)
>>> and tried to create the replica again. It repeatedly fails, and I am
>>> hoping for some insight on how to fix this. Please can anyone help?
>>> I'm running this on RHEL6.6 and I just updated the entire machine.
>>>
>>> Installation logs:
>>> [...]
>>
>>
>> you may have run into this issue:
>>
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>>
>> In short: You may be missing some Apache modules on the IPA master.
>> This problem occurs only if you attempt to install your replica with
>> "--setup-ca", otherwise installation will work.

Mit freundlichen Gruessen/With best regards,

--Daniel.

From rcritten at redhat.com Fri Apr 24 14:40:06 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2015 10:40:06 -0400
Subject: [Freeipa-users] Unable to Rebuild Replica
In-Reply-To:
References:
Message-ID: <553A55C6.7080005@redhat.com>

dbischof at hrz.uni-kassel.de wrote:
> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users
>> having to login with different passwords depending on the IPA client
>> they were connected to. I noticed it was the replica that was the
>> problem, and I took it down, uninstalled IPA with
>> "ipa-server-install --uninstall -U", deleted all the folders based on
>> Adam Young's blog
>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/)
>> and tried to create the replica again. It repeatedly fails, and I am
>> hoping for some insight on how to fix this. Please can anyone help?
>> I'm running this on RHEL6.6 and I just updated the entire machine.
>>
>> Installation logs:
>> [...]
>
> you may have run into this issue:
>
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This
> problem occurs only if you attempt to install your replica with
> "--setup-ca", otherwise installation will work.

Well, he said he had it working at one point so I'm not sure this applies, assuming of course the previous install had a CA.

The current problem you're seeing is related to the fact that sometimes when the CA fails to install it isn't marked as having tried in the IPA state tracker, so when you uninstall it does nothing with this half-installed CA instance, which causes all future install attempts to fail because of this left-over stuff.

To remove this pki instance:

# /usr/sbin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

Then re-run ipa-server-install --uninstall just to be sure.

Then try the install again.

And before you do any of this, when you deleted this master did you remove the replication agreements first using ipa-replica-manage? If not I'd check to be sure there isn't an existing agreement, and the same with ipa-csreplica-manage.

rob

From john.obaterspok at gmail.com Fri Apr 24 15:31:46 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Fri, 24 Apr 2015 17:31:46 +0200
Subject: [Freeipa-users] Ticket delegation
Message-ID:

Hello,

I'm on F21 and if I login to my workstation I can then sso using ssh to host X. But then I'm also able to sso from x -> y.

If I'm on x and issue klist I see this:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5

Should I really be able to do this?

--- john
From wanderley.mayhe at ibp.org.br Fri Apr 24 15:33:30 2015
From: wanderley.mayhe at ibp.org.br (Wanderley Mayhé)
Date: Fri, 24 Apr 2015 12:33:30 -0300 (BRT)
Subject: [Freeipa-users] FreeIPA 4 JSON API documentation
Message-ID: <005201d07ea4$03966a70$0ac33f50$@ibp.org.br>

Where can I find clear documentation on the JSON RPC API to the latest FreeIPA version (4.x.x)?

http://www.freeipa.org/page/Documentation has nothing such as code samples for authenticating, adding or updating users in Linux.

I think this cannot be the only documentation available on the internet:
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

Can anyone share a document or draft containing methods and arguments of the FreeIPA API?

regards

From rcritten at redhat.com Fri Apr 24 15:47:49 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2015 11:47:49 -0400
Subject: [Freeipa-users] Ticket delegation
In-Reply-To:
References:
Message-ID: <553A65A5.6000809@redhat.com>

John Obaterspok wrote:
> Hello,
>
> I'm on F21 and if I login to my workstation I can then sso using ssh to
> host X. But then I'm also able to sso from x -> y.
>
> If I'm on x and issue klist I see this:
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5
>
> Should I really be able to do this?
>
> --- john
>

Did you add your ssh pubkey? ssh -vv will show you the auth method that it is using.

FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it should be using KEYRING:persistent::

rob

From rcritten at redhat.com Fri Apr 24 15:51:09 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 24 Apr 2015 11:51:09 -0400
Subject: [Freeipa-users] FreeIPA 4 JSON API documentation
In-Reply-To: <005201d07ea4$03966a70$0ac33f50$@ibp.org.br>
References: <005201d07ea4$03966a70$0ac33f50$@ibp.org.br>
Message-ID: <553A666D.2070006@redhat.com>

Wanderley Mayhé wrote:
> Where can I find clear documentation on the JSON RPC API to the latest
> FreeIPA version (4.x.x)?
>
> http://www.freeipa.org/page/Documentation has nothing such as code
> samples for authenticating, adding or updating users in Linux.
>
> I think this cannot be the only documentation available on the internet:
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>
> Can anyone share a document or *draft* containing methods and arguments
> of the FreeIPA API?

It is being worked on: https://fedorahosted.org/freeipa/ticket/3129

The API is fairly easy to deduce from the cli using -vv:

$ ipa -vv user-show admin
ipa: INFO: trying https://gyre.example.com/ipa/json
ipa: INFO: Forwarding 'user_show' to json server 'https://gyre.example.com/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "user_show",
    "params": [
        [
            "admin"
        ],
        {
            "all": false,
            "no_members": false,
            "raw": false,
            "rights": false,
            "version": "2.114"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
... snip

rob

From christopher.lamb at ch.ibm.com Fri Apr 24 16:58:30 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 24 Apr 2015 18:58:30 +0200
Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons
Message-ID:

Hi

I am in the process of setting up and configuring a FreeIPA Server 4.1.0.

I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command:

ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://:389

When I log into the 4.1.0 Web UI with the default "admin" user, on the Identity/Users overview page I have buttons for Delete, Add, Enable, Disable etc.

If I log in with an imported admin user, these buttons are missing.

If I log into the old 3.0.0 Web UI, these buttons are available with both users.

thanks

Chris Lamb

p.s. it would be great if the syntax for an IPA "old" to IPA "new" migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format .....

From benjamen at dollarshaveclub.com Fri Apr 24 18:45:23 2015
From: benjamen at dollarshaveclub.com (Benjamen Keroack)
Date: Fri, 24 Apr 2015 11:45:23 -0700
Subject: [Freeipa-users] IPA Web UI behind proxy
Message-ID:

Hi,

Does anybody have any experience putting the IPA web UI behind a reverse proxy?

In an attempt to allow our users to access the UI without browser warnings and without having to add the root CA certificate to their trusted store (there was some resistance to that idea), I set up an nginx server as a simple reverse proxy. Every request returns an "Unable to verify your Kerberos credentials" error page.

The headers returned:

$ http -h GET https://proxy/ipa
HTTP/1.1 401 Unauthorized
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 1474
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Apr 2015 18:43:06 GMT
Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
Server: nginx/1.4.6 (Ubuntu)
WWW-Authenticate: Negotiate

I saw this thread from 2013: https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065

I'm sending the proper Host and Referer headers by the proxy as specified, and I modified the Apache rewriting rules to not redirect to the hostname of the backend IPA server.

Any ideas how this can be done?

Thanks,

--
Benjamen Keroack
*Infrastructure/DevOps Engineer*
benjamen at dollarshaveclub.com
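Rob's `ipa -vv` transcript in the JSON API thread above shows the request shape the CLI sends; the following is an added example, not FreeIPA project code, of a minimal client that builds such requests, posts them with the Referer header the server expects, and turns a non-null "error" member into an exception. The /ipa/session/login_password form login, the ipa_session cookie and the result/value/summary wrapper in replies are assumptions from outside this thread, and the network is stubbed with a constructed transport so the code runs offline.

```python
"""Minimal FreeIPA JSON-RPC client (added example, not FreeIPA project code).
Request bodies follow the `ipa -vv user-show admin` output quoted in the thread.
Assumed, not shown there: the /ipa/session/login_password form login, the
Referer header the server requires, and the result/value/summary wrapper."""
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2.114"  # version string the CLI sent in the quoted request

class IPAError(Exception):
    """Transport failure or a non-null "error" member in a reply."""

def build_request(method, args=(), options=None, req_id=0):
    """Build one JSON-RPC body: params is [positional args, keyword options]."""
    opts = {"version": API_VERSION}
    opts.update(options or {})
    return {"id": req_id, "method": method, "params": [list(args), opts]}

def parse_response(text, expected_id):
    """Check the id and error members of a reply and return its "result" object."""
    reply = json.loads(text)
    if reply.get("id") != expected_id:
        raise IPAError(f"reply id {reply.get('id')!r} does not match {expected_id!r}")
    err = reply.get("error")
    if err is not None:  # server-side errors arrive as {"code", "message", "name"}
        raise IPAError(f"{err.get('name')} ({err.get('code')}): {err.get('message')}")
    return reply["result"]

class IPAClient:
    def __init__(self, server, transport=None):
        self.base = f"https://{server}/ipa"
        self._next_id = 0
        jar = http.cookiejar.CookieJar()  # keeps the ipa_session cookie between calls
        self._opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        # transport(url, body_bytes, headers) -> (status, text); injectable for offline use
        self._transport = transport or self._http_post

    def _http_post(self, url, body, headers):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with self._opener.open(req) as resp:
                return resp.status, resp.read().decode("utf-8")
        except urllib.error.HTTPError as e:  # e.g. 401 with WWW-Authenticate: Negotiate
            return e.code, e.read().decode("utf-8", "replace")

    def login_password(self, user, password):
        """Assumed form login; anything but 200 means the credentials were rejected."""
        body = urllib.parse.urlencode({"user": user, "password": password}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "text/plain", "Referer": self.base}
        status, _ = self._transport(f"{self.base}/session/login_password", body, headers)
        if status != 200:
            raise IPAError(f"login rejected with HTTP {status}")

    def call(self, method, args=(), options=None):
        """Send one request on the authenticated session and return its result."""
        request = build_request(method, args, options, req_id=self._next_id)
        self._next_id += 1
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json", "Referer": self.base}
        status, text = self._transport(f"{self.base}/session/json",
                                       json.dumps(request).encode(), headers)
        if status != 200:
            raise IPAError(f"HTTP {status} from {self.base}/session/json")
        return parse_response(text, request["id"])

class FakeTransport:
    """Constructed stand-in for the network: records requests, replays canned replies."""
    def __init__(self, replies):
        self.replies = list(replies)  # (status, text) per call, in order
        self.sent = []                # (url, body, headers) per call

    def __call__(self, url, body, headers):
        self.sent.append((url, body, headers))
        return self.replies.pop(0)

# Constructed sample replies in the shape the server uses.
USER_SHOW_OK = json.dumps({"error": None, "id": 0, "result": {
    "result": {"uid": ["admin"], "memberof_group": ["admins", "trust admins"]},
    "value": "admin", "summary": None}})
USER_SHOW_MISSING = json.dumps({"id": 1, "result": None, "error": {
    "code": 4001, "message": "nosuch: user not found", "name": "NotFound"}})

def demo(user="admin"):
    """Log in, read the user's groups, then show how a server-side error surfaces."""
    transport = FakeTransport([(200, ""), (200, USER_SHOW_OK), (200, USER_SHOW_MISSING)])
    client = IPAClient("ipa.example.com", transport=transport)
    client.login_password("admin", "constructed-password")
    groups = client.call("user_show", [user], {"all": False})["result"]["memberof_group"]
    try:
        client.call("user_show", ["nosuch"])
        error = None
    except IPAError as e:
        error = str(e)
    return groups, error, transport.sent
```

Against a real server, construct IPAClient without a transport and the same two calls go over HTTPS with the session cookie; a missing Referer or an expired session comes back as the 401 with WWW-Authenticate: Negotiate seen in the proxy thread.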
From john.obaterspok at gmail.com Fri Apr 24 20:10:25 2015
From: john.obaterspok at gmail.com (John Obaterspok)
Date: Fri, 24 Apr 2015 22:10:25 +0200
Subject: [Freeipa-users] Ticket delegation
In-Reply-To: <553A65A5.6000809@redhat.com>
References: <553A65A5.6000809@redhat.com>
Message-ID:

2015-04-24 17:47 GMT+02:00 Rob Crittenden :

> John Obaterspok wrote:
> > Hello,
> >
> > I'm on F21 and if I login to my workstation I can then sso using ssh to
> > host X. But then I'm also able to sso from x -> y.
> >
> > If I'm on x and issue klist I see this:
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5
> >
> > Should I really be able to do this?
> >
> > --- john
> >
> >
>
> Did you add your ssh pubkey? ssh -vv will show you the auth method that
> it is using.
>

Of course, I just forgot about it :) For the record, gssapi-with-mic was the auth method.

> FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it
> should be using KEYRING:persistent::

The host that I ssh'ed into had F20.

Thanks Rob!

-- john

From dpal at redhat.com Sat Apr 25 05:00:43 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Sat, 25 Apr 2015 01:00:43 -0400
Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons
In-Reply-To:
References:
Message-ID: <553B1F7B.7090502@redhat.com>

On 04/24/2015 12:58 PM, Christopher Lamb wrote:
> Hi
>
> I am in the process of setting up and configuring a FreeIPA Server 4.1.0.
>
> I have successfully migrated all the users from an existing FreeIPA Server
> 3.0.0 with the following command:
>
> ipa migrate-ds --group-overwrite-gid
> --user-container='cn=users,cn=accounts'
> --group-container='cn=groups,cn=accounts' ldap://:389
>
> When I log into the 4.1.0 Web UI with the default "admin" user, on the
> Identity/Users overview page I have buttons for Delete, Add, Enable,
> Disable etc.
>
> If I log in with an imported admin user, these buttons are missing.
>
> If I log into the old 3.0.0 Web UI, these buttons are available with both
> users.

This is most likely because the permissions changed in 4.0 and the old admin does not have the privileges that are now default in 4.1.

> thanks
>
> Chris Lamb
>
> p.s. it would be great if the syntax for an IPA "old" to IPA "new"
> migration using ipa migrate-ds was included in the IPA documentation. I had
> to dig deep in the migration.py script to find the accepted format .....
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Sat Apr 25 05:04:21 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 25 Apr 2015 01:04:21 -0400
Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons
In-Reply-To: <553B1F7B.7090502@redhat.com>
References: <553B1F7B.7090502@redhat.com>
Message-ID: <553B2055.1090000@redhat.com>

Dmitri Pal wrote:
> On 04/24/2015 12:58 PM, Christopher Lamb wrote:
>> Hi
>>
>> I am in the process of setting up and configuring a FreeIPA Server 4.1.0.
>>
>> I have successfully migrated all the users from an existing FreeIPA
>> Server
>> 3.0.0 with the following command:
>>
>> ipa migrate-ds --group-overwrite-gid
>> --user-container='cn=users,cn=accounts'
>> --group-container='cn=groups,cn=accounts' ldap://:389
>>
>> When I log into the 4.1.0 Web UI with the default "admin" user, on the
>> Identity/Users overview page I have buttons for Delete, Add, Enable,
>> Disable etc.
>>
>> If I log in with an imported admin user, these buttons are missing.
>>
>> If I log into the old 3.0.0 Web UI, these buttons are available with both
>> users.
>
> This is most likely because the permissions changed in 4.0 and the old admin
> does not have the privileges that are now default in 4.1.

He migrated rather than upgrading so this doesn't apply.
So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. >> p.s. it would be great if the syntax for an IPA "old" to IPA "new" >> migration using ipa migrate-ds was included in the IPA documentation. >> I had >> to dig deep in the migration.py script to find the accepted format ..... There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. rob From baghery.jone at gmail.com Sat Apr 25 05:27:24 2015 From: baghery.jone at gmail.com (alireza baghery) Date: Sat, 25 Apr 2015 08:27:24 +0300 Subject: [Freeipa-users] problem with reinstall ipa client Message-ID: hi i REMOVE server ipa-server (3.0.0 centos 6.5) with HOSTNAME (ipasrv.linux) and REINSTALL server ipa with same hostname and OS (centos 6.5) server IPA integrate with AD windows (2008) and on Clients first Uninstall IPa-Client with Command ipa-client-install --uninstall but when i want INSTALL ipa-client -install --mkhomedir get ERROR #### LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert. #### thnks every body -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sat Apr 25 13:08:07 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 25 Apr 2015 09:08:07 -0400 Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons In-Reply-To: References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> Message-ID: <553B91B7.5080800@redhat.com> On 04/25/2015 03:12 AM, Christopher Lamb wrote: > Hi Rob and Dimitri > > Migrating via Replica is the obvious way that I would have gone, had the > FreeIPA /RedHat documentation not suggested the replicas must have the same > version. 
> > I think the link that put me off from replicating was: > > http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html > > Looking at the link more closely I now see this applies to version > 1.2 ....., but from the page itself that was not obvious. it would be great > if the version to which the IPA documentation applies was more obvious.... > I am sure I am not the only user who enters the documentation via a search > engine. > > The missing buttons turns out to be down to the fact that the admin group > was not migrated, as it is present on both old and new, so while the "old" > admin users were migrated (together with membership of all other groups), > they were not added to the admin group on the new instance. I should have > realised this sooner! > > # ipa user-show xxxx > User login: xxxx > ..... > Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, > smb-software, smb-all, smb-implementation, dba, users > # ipa user-show admin > ..... > Member of groups: ipausers, trust admins, adminonly, admins > > Adding "old" admin user xxxx via cli: > > # ipa group-add-member admins --users=xxxx > > # ipa user-show xxxx > .... > Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, > smb-software, admins, smb-all, smb-implementation, dba, users > > I guess that when the Web UI decides to cooperate, and let me in without > "your session has expired" error (see other ticket), I will have the > missing buttons.... 
> > Thanks for the help > > Chris > > > > > From: Rob Crittenden > To: dpal at redhat.com, freeipa-users at redhat.com > Date: 25.04.2015 07:05 > Subject: Re: [Freeipa-users] Web UI: Migrated Admins missing action > buttons > Sent by: freeipa-users-bounces at redhat.com > > > > Dmitri Pal wrote: >> On 04/24/2015 12:58 PM, Christopher Lamb wrote: >>> Hi >>> >>> I am in the process of setting up and configuring a FreeIPA Server > 4.1.0. >>> I have successfully migrated all the users from an existing FreeIPA >>> Server >>> 3.0.0 with the following command: >>> >>> ipa migrate-ds --group-overwrite-gid >>> --user-container='cn=users,cn=accounts' >>> --group-container='cn=groups,cn=accounts' ldap://>> server>:389 >>> >>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the >>> Identity/Users overview page, I have buttons for Delete, Add, Enable, >>> Disable etc. >>> >>> If I log in with an imported admin user, these buttons are missing. >>> >>> If I log into the old 3.0.0 Web UI, these buttons are available with > both >>> users. >> This is most likely because the permissions changed in 4.0 and old admin >> does not have the privileges that are now default in 4.1. > He migrated rather than upgrading so this doesn't apply. > > So the question is: why did you migrate and not create a replica with > 4.x and migrate that way? > > One needs to be a member of the admins group to be an admin, I'd start > there. > >>> p.s. it would be great if the syntax for an IPA "old" to IPA "new" >>> migration using ipa migrate-ds was included in the IPA documentation. >>> I had >>> to dig deep in the migration.py script to find the accepted format ..... > There is a ticket for this but the expected upgrade path is to install a > replica on the new version and once things are confirmed to be working, > decommission the older ones. 
> > rob > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > I do not know what we can do about the old documentation. It is there but we can't prevent users from finding it. We communicated several times on the list and wiki that the most up to date documentation to use is on the Red Hat documentation portal [1], as we do not have resources to maintain upstream and downstream versions of the documentation at the same time. It is better to have one up to date set of documentation than to have two incomplete ones. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ (see bottom of the page) -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From dpal at redhat.com Sat Apr 25 13:16:12 2015 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 25 Apr 2015 09:16:12 -0400 Subject: [Freeipa-users] problem with reinstall ipa client In-Reply-To: References: Message-ID: <553B939C.7030809@redhat.com> On 04/25/2015 01:27 AM, alireza baghery wrote: > hi > i REMOVE server ipa-server (3.0.0 centos 6.5) with HOSTNAME (ipasrv.linux) > and REINSTALL server ipa with same hostname and OS (centos 6.5) > server IPA integrate with AD windows (2008) > and on Clients first Uninstall IPa-Client with Command > ipa-client-install --uninstall > but when i want INSTALL ipa-client-install --mkhomedir get ERROR > #### > LDAP Error: Connect error: TLS error -8054:You are attempting to > import a cert with the same issuer/serial as an existing cert, but > that is not the same cert. > #### > thanks everybody > > When you install the client IPA issues a cert that is tracked by certmonger on the client. If you uninstall the client the cert might still be there.
When you then reinstall the client it tries to get the cert again and since it is a different server but client with the same name you get a mismatch of the cert. The error is about that. Please try this: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/manually-unconfig-machines.html However I thought that this was fixed quite some time ago but maybe it did not make 6.5. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From baghery.jone at gmail.com Sat Apr 25 13:27:17 2015 From: baghery.jone at gmail.com (alireza baghery) Date: Sat, 25 Apr 2015 16:27:17 +0300 Subject: [Freeipa-users] problem with reinstall ipa client In-Reply-To: References: <553B939C.7030809@redhat.com> Message-ID: thanks i remove /etc/ipa/ca.cert and problem solved On Sat, Apr 25, 2015 at 4:26 PM, alireza baghery wrote: > thanks > i remove /etc/ipa/ca.cert and problem solved > > On Sat, Apr 25, 2015 at 4:16 PM, Dmitri Pal wrote: > >> On 04/25/2015 01:27 AM, alireza baghery wrote: >> >> hi >> i REMOVE server ipa-server (3.0.0 centos 6.5) with HOSTNAME >> (ipasrv.linux) >> and REINSTALL server ipa with same hostname and OS (centos 6.5) >> server IPA integrate with AD windows (2008) >> and on Clients first Uninstall IPa-Client with Command >> ipa-client-install --uninstall >> but when i want INSTALL ipa-client-install --mkhomedir get ERROR >> #### >> LDAP Error: Connect error: TLS error -8054:You are attempting to import a >> cert with the same issuer/serial as an existing cert, but that is not the >> same cert. >> #### >> thanks everybody >> >> >> When you install the client IPA issues a cert that is tracked by >> certmonger on the client. >> If you uninstall the client the cert might still be there.
>> When you then reinstall the client it tries to get the cert again and >> since it is a different server but client with the same name you get a >> mismatch of the cert. The error is about that. >> >> Please try this: >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/manually-unconfig-machines.html >> >> However I thought that this was fixed quite some time ago but maybe it >> did not make 6.5. >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > >

From christopher.lamb at ch.ibm.com Sat Apr 25 14:28:33 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Sat, 25 Apr 2015 16:28:33 +0200 Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons In-Reply-To: <553B91B7.5080800@redhat.com> References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> <553B91B7.5080800@redhat.com> Message-ID: Hi Dmitri I understand, maintaining documentation over multiple versions is hard work. You certainly don't want to prevent users from finding old documentation - as it is important for those of us still running old versions in production, but it would be great if it was immediately clear which version it applies to. Had that been the case, I might have "clicked" earlier, and sought out the equivalent pages in the current docs. Ideally each page would be clearly marked with the version(s) it applies to. As a side note, I tend to search via google (e.g. FreeIPA replicate), and have been using a mixture of Red-hat, Fedora and FreeIPA branded documentation.
thanks for your help Chris From: Dmitri Pal To: Christopher Lamb/Switzerland/IBM at IBMCH, Rob Crittenden Cc: freeipa-users at redhat.com Date: 25.04.2015 15:08 Subject: Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons On 04/25/2015 03:12 AM, Christopher Lamb wrote: > Hi Rob and Dimitri > > Migrating via Replica is the obvious way that I would have gone, had the > FreeIPA /RedHat documentation not suggested the replicas must have the same > version. > > I think the link that put me off from replicating was: > > http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html > > Looking at the link more closely I now see this applies to version > 1.2 ....., but from the page itself that was not obvious. it would be great > if the version to which the IPA documentation applies was more obvious.... > I am sure I am not the only user who enters the documentation via a search > engine. > > The missing buttons turns out to be down to the fact that the admin group > was not migrated, as it is present on both old and new, so while the "old" > admin users were migrated (together with membership of all other groups), > they were not added to the admin group on the new instance. I should have > realised this sooner! > > # ipa user-show xxxx > User login: xxxx > ..... > Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, > smb-software, smb-all, smb-implementation, dba, users > # ipa user-show admin > ..... > Member of groups: ipausers, trust admins, adminonly, admins > > Adding "old" admin user xxxx via cli: > > # ipa group-add-member admins --users=xxxx > > # ipa user-show xxxx > .... 
> Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, > smb-software, admins, smb-all, smb-implementation, dba, users > > I guess that when the Web UI decides to cooperate, and let me in without > "your session has expired" error (see other ticket), I will have the > missing buttons.... > > Thanks for the help > > Chris > > > > > From: Rob Crittenden > To: dpal at redhat.com, freeipa-users at redhat.com > Date: 25.04.2015 07:05 > Subject: Re: [Freeipa-users] Web UI: Migrated Admins missing action > buttons > Sent by: freeipa-users-bounces at redhat.com > > > > Dmitri Pal wrote: >> On 04/24/2015 12:58 PM, Christopher Lamb wrote: >>> Hi >>> >>> I am in the process of setting up and configuring a FreeIPA Server > 4.1.0. >>> I have successfully migrated all the users from an existing FreeIPA >>> Server >>> 3.0.0 with the following command: >>> >>> ipa migrate-ds --group-overwrite-gid >>> --user-container='cn=users,cn=accounts' >>> --group-container='cn=groups,cn=accounts' ldap://>> server>:389 >>> >>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the >>> Identity/Users overview page, I have buttons for Delete, Add, Enable, >>> Disable etc. >>> >>> If I log in with an imported admin user, these buttons are missing. >>> >>> If I log into the old 3.0.0 Web UI, these buttons are available with > both >>> users. >> This is most likely because the permissions changed in 4.0 and old admin >> does not have the privileges that are now default in 4.1. > He migrated rather than upgrading so this doesn't apply. > > So the question is: why did you migrate and not create a replica with > 4.x and migrate that way? > > One needs to be a member of the admins group to be an admin, I'd start > there. > >>> p.s. it would be great if the syntax for an IPA "old" to IPA "new" >>> migration using ipa migrate-ds was included in the IPA documentation. >>> I had >>> to dig deep in the migration.py script to find the accepted format ..... 
> There is a ticket for this but the expected upgrade path is to install a > replica on the new version and once things are confirmed to be working, > decommission the older ones. > > rob > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > > I do not know what we can do about the old documentation. It is there but we can't prevent users from finding it. We communicated several times on the list and wiki that the most up to date documentation to use is on the Red Hat documentation portal [1], as we do not have resources to maintain upstream and downstream versions of the documentation at the same time. It is better to have one up to date set of documentation than to have two incomplete ones. [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/ (see bottom of the page) -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.

From christopher.lamb at ch.ibm.com Sat Apr 25 00:58:24 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Sat, 25 Apr 2015 02:58:24 +0200 Subject: [Freeipa-users] Web ui error "Your session has expired. Please re-login." from a browser on a remote client. Message-ID: Hi All I too am suffering from the infamous Web ui error "Your session has expired. Please re-login." using from browser(s) on remote client(s), similar to the existing tickets: https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html We have 2 FreeIPA installations: An "Old", soon to be decommissioned v3.0.0, on OEL 6.5 The "new" instance, v4.1.0, on a fresh install of OEL 7.0 The error occurs on both instances.
I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc) Very sporadically one of the above browsers will "let me in" - If I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work. kinit in a ssh session works. SELinux is disabled. All IPA Services are running. I can find no error(s) in /var/log/httpd/error_log In /var/log/krb5kdc.log I get entries like: Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12 If I enter a wrong password, I correctly get "The password or username you entered is incorrect.", + errors in /var/log/httpd/error_log None of the browsers have a krb5 ticket installed. I get the error with both my user, and the default admin user. From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

From christopher.lamb at ch.ibm.com Sat Apr 25 07:12:38 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Sat, 25 Apr 2015 09:12:38 +0200 Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons In-Reply-To: <553B2055.1090000@redhat.com> References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> Message-ID: Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat documentation not suggested the replicas must have the same version.
I think the link that put me off from replicating was: http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html Looking at the link more closely I now see this applies to version 1.2 ....., but from the page itself that was not obvious. it would be great if the version to which the IPA documentation applies was more obvious.... I am sure I am not the only user who enters the documentation via a search engine. The missing buttons turns out to be down to the fact that the admin group was not migrated, as it is present on both old and new, so while the "old" admin users were migrated (together with membership of all other groups), they were not added to the admin group on the new instance. I should have realised this sooner! # ipa user-show xxxx User login: xxxx ..... Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, smb-all, smb-implementation, dba, users # ipa user-show admin ..... Member of groups: ipausers, trust admins, adminonly, admins Adding "old" admin user xxxx via cli: # ipa group-add-member admins --users=xxxx # ipa user-show xxxx .... Member of groups: smb-delivery, smb-fssadmin, ipausers, smb-development, smb-software, admins, smb-all, smb-implementation, dba, users I guess that when the Web UI decides to cooperate, and let me in without "your session has expired" error (see other ticket), I will have the missing buttons.... Thanks for the help Chris From: Rob Crittenden To: dpal at redhat.com, freeipa-users at redhat.com Date: 25.04.2015 07:05 Subject: Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons Sent by: freeipa-users-bounces at redhat.com Dmitri Pal wrote: > On 04/24/2015 12:58 PM, Christopher Lamb wrote: >> Hi >> >> I am in the process of setting up and configuring a FreeIPA Server 4.1.0. 
>> >> I have successfully migrated all the users from an existing FreeIPA >> Server >> 3.0.0 with the following command: >> >> ipa migrate-ds --group-overwrite-gid >> --user-container='cn=users,cn=accounts' >> --group-container='cn=groups,cn=accounts' ldap://> server>:389 >> >> When I log into the 4.1.0 Web UI, with the default "admin" user, on the >> Identity/Users overview page, I have buttons for Delete, Add, Enable, >> Disable etc. >> >> If I log in with an imported admin user, these buttons are missing. >> >> If I log into the old 3.0.0 Web UI, these buttons are available with both >> users. > > This is most likely because the permissions changed in 4.0 and old admin > does not have the privileges that are now default in 4.1. He migrated rather than upgrading so this doesn't apply. So the question is: why did you migrate and not create a replica with 4.x and migrate that way? One needs to be a member of the admins group to be an admin, I'd start there. >> p.s. it would be great if the syntax for an IPA "old" to IPA "new" >> migration using ipa migrate-ds was included in the IPA documentation. >> I had >> to dig deep in the migration.py script to find the accepted format ..... There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones. 
rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project From abokovoy at redhat.com Sun Apr 26 06:23:53 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Sun, 26 Apr 2015 02:23:53 -0400 (EDT) Subject: [Freeipa-users] Web UI: Migrated Admins missing action buttons In-Reply-To: References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> Message-ID: <1559142229.7534860.1430029433988.JavaMail.zimbra@redhat.com> ----- Original Message ----- > Hi Rob and Dimitri > > Migrating via Replica is the obvious way that I would have gone, had the > FreeIPA /RedHat documentation not suggested the replicas must have the same > version. > > I think the link that put me off from replicating was: > > http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html > > Looking at the link more closely I now see this applies to version > 1.2 ....., but from the page itself that was not obvious. it would be great > if the version to which the IPA documentation applies was more obvious.... > I am sure I am not the only user who enters the documentation via a search > engine. We really need to remove this version 1.x documentation, it is giving too much confusion. 
Use documentation at the Red Hat Customer Portal: - versions 3.3 and onwards: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html - version 3.0: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html We have all proper links gathered at http://www.freeipa.org/page/Documentation, it has these links and even more, including HOWTOs for integration with other software. -- / Alexander Bokovoy

From lists at fahrendorf.de Sun Apr 26 08:49:12 2015 From: lists at fahrendorf.de (Martin (Lists)) Date: Sun, 26 Apr 2015 10:49:12 +0200 Subject: [Freeipa-users] thousands DSRetroclPlugin messages Message-ID: <553CA688.9040009@fahrendorf.de> Hallo after a reboot I get almost a thousand of the following messages: DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32) The record number changes from 127600 up to 148400. What does this mean? I have searched the web but did not find any hint on this. I use Fedora 21 Server with current IPA packages (Version 4.1.4). Kindly Martin

From ftweedal at redhat.com Mon Apr 27 00:32:06 2015 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 27 Apr 2015 10:32:06 +1000 Subject: [Freeipa-users] IPA Web UI behind proxy In-Reply-To: References: Message-ID: <20150427003206.GH4702@dhcp-40-8.bne.redhat.com> On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote: > Hi, > > Does anybody have any experience putting the IPA web UI behind a reverse > proxy? In an attempt to allow our users to access the UI without browser > warnings and without having to add the root CA certificate to their trusted > store (there was some resistance to that idea), I set up an nginx server as > a simple reverse proxy.
> > Every request returns an "Unable to verify your Kerberos credentials" error > page. The headers returned: > > $ http -h GET https://proxy/ipa > HTTP/1.1 401 Unauthorized > Accept-Ranges: bytes > Connection: keep-alive > Content-Length: 1474 > Content-Type: text/html; charset=UTF-8 > Date: Fri, 24 Apr 2015 18:43:06 GMT > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT > Server: nginx/1.4.6 (Ubuntu) > WWW-Authenticate: Negotiate > > I saw this thread from 2013: > https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065 > > I'm sending the proper Host and Referer headers by the proxy as specified, > and I modified the Apache rewriting rules to not redirect to the hostname > of the backend IPA server. > > Any ideas how this can be done? > Hi Benjamen, You could use a 3rd-party certificate (signed by trusted, public CA) for the Web UI; see the guide: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP If you decide to continue with the Web UI behind a reverse proxy, Simo recently blogged about Kerberos authentication issues with this sort of setup; you may find inspiration here: https://ssimo.org/blog/id_019.html Cheers, Fraser > Thanks, > > -- > Benjamen Keroack > *Infrastructure/DevOps Engineer* > benjamen at dollarshaveclub.com > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project

From lkrispen at redhat.com Mon Apr 27 07:45:09 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 27 Apr 2015 09:45:09 +0200 Subject: [Freeipa-users] thousands DSRetroclPlugin messages In-Reply-To: <553CA688.9040009@fahrendorf.de> References: <553CA688.9040009@fahrendorf.de> Message-ID: <553DE905.3080108@redhat.com> On 04/26/2015 10:49 AM, Martin (Lists) wrote: > Hallo > > after a reboot I get almost a thousand of the following messages: > > DSRetroclPlugin - delete_changerecord: could not delete change record > 128755
(rc: 32) this message comes from changelog trimming and means that an entry, which should be purged, does not exist (any more). the retrocl maintains a first/lastchange and trimming starts at firstchange. if for some reason (race ?) there is an attempt to try to delete the same entry a second time this message should be logged. since the changenumbers in the error message increase, I think changelog trimming moves forward. you could do searches on "cn=changelog" to verify that trimming works. > > The record number changes from 127600 up to 148400. What does this mean? > I have searched the web but did not find any hint on this. > > I use Fedora 21 Server with current IPA packages (Version 4.1.4). > > Kindly > Martin >

From mkosek at redhat.com Mon Apr 27 10:51:45 2015 From: mkosek at redhat.com (Martin Kosek) Date: Mon, 27 Apr 2015 12:51:45 +0200 Subject: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons) In-Reply-To: <1559142229.7534860.1430029433988.JavaMail.zimbra@redhat.com> References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> <1559142229.7534860.1430029433988.JavaMail.zimbra@redhat.com> Message-ID: <553E14C1.5060709@redhat.com> On 04/26/2015 08:23 AM, Alexander Bokovoy wrote: > > > ----- Original Message ----- >> Hi Rob and Dimitri >> >> Migrating via Replica is the obvious way that I would have gone, had the >> FreeIPA /RedHat documentation not suggested the replicas must have the same >> version. >> >> I think the link that put me off from replicating was: >> >> http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html >> >> Looking at the link more closely I now see this applies to version >> 1.2 ....., but from the page itself that was not obvious. it would be great >> if the version to which the IPA documentation applies was more obvious....
>> I am sure I am not the only user who enters the documentation via a search >> engine. > We really need to remove this version 1.x documentation, it is giving too much confusion. I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 and 2.0.0 guides with a redirection to: http://www.freeipa.org/page/Upstream_User_Guide which contains the reasoning and updated list of deprecated guides and a link to the current documentations. HTH. If anyone needs the old guides, I can zip them and add as a download to Documentation section. Martin > Use documentation at the Red Hat Customer Portal: > - versions 3.3 and onwards: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html > > - version 3.0: > https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html > > We have all proper links gathered at http://www.freeipa.org/page/Documentation, it has these links and even more, including HOWTOs for integration with other software. From christopher.lamb at ch.ibm.com Mon Apr 27 12:11:57 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Mon, 27 Apr 2015 14:11:57 +0200 Subject: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons) In-Reply-To: <553E14C1.5060709@redhat.com> References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> <1559142229.7534860.1430029433988.JavaMail.zimbra@redhat.com> <553E14C1.5060709@redhat.com> Message-ID: Hi Martin Thanks: I am glad others can benefit from my mistakes. 
Cheers Chris From: Martin Kosek To: Alexander Bokovoy , Christopher Lamb/Switzerland/IBM at IBMCH Cc: freeipa-users at redhat.com, Robert Crittenden , Simo Sorce , Dmitri Pal Date: 27.04.2015 12:51 Subject: Old FreeIPA upstream guides removed (WAS: Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons) > We really need to remove this version 1.x documentation, it is giving too much confusion. I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 and 2.0.0 guides with a redirection to: http://www.freeipa.org/page/Upstream_User_Guide which contains the reasoning and updated list of deprecated guides and a link to the current documentations. HTH. If anyone needs the old guides, I can zip them and add as a download to Documentation section. Martin

From abokovoy at redhat.com Mon Apr 27 12:57:26 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 27 Apr 2015 15:57:26 +0300 Subject: [Freeipa-users] FYI: Fedora 22 and trusts Message-ID: <20150427125726.GR26437@redhat.com> Hi, if you are playing with Fedora 22 beta, your experience with FreeIPA may be rough. When installing freeipa-server-trust-ad make sure to also install samba-common-tools package. Samba packaging was split to allow samba-common to be an architecture-independent package but samba package didn't get dependency to samba-common-tools subpackage which contains /usr/bin/net utility. This utility is used by FreeIPA when you run ipa-adtrust-install. I've submitted update which fixes this issue [1] but until it reaches stable updates of Fedora 22, simply install samba-common-tools in addition to freeipa-server-trust-ad. As with any pre-release software, it is recommended to always run up-to-date system as bugs get fixed almost every day before release.
[1] https://admin.fedoraproject.org/updates/samba-4.2.1-5.fc22 -- / Alexander Bokovoy

From Ivars.Strazdins at sets.lv Mon Apr 27 13:49:05 2015 From: Ivars.Strazdins at sets.lv (Ivars Strazdiņš) Date: Mon, 27 Apr 2015 16:49:05 +0300 Subject: [Freeipa-users] default e-mail address and aliases from LDAP Message-ID: <41FE99FD-11D7-49B7-9C5A-94363CF1FFFF@sets.lv> Hi there, I am preparing to move our site e-mail authentication backend to FreeIPA. That is, integrate Postfix with FreeIPA. Let's suppose user has two or more e-mail addresses, joe at site.com joe.user at site.com Currently we use smtp_generic_maps on Postfix side to ensure that mail always leaves site as joe.user at site.com Is there a way to ensure in FreeIPA that user's default address is joe.user at site.com so that Postfix could do a smtp_generic_maps lookup in LDAP server and get the default address? And another question - is it possible to maintain e-mail aliases in FreeIPA? Say, to expand address list at site.com to users joe at site.com , john at site.com and mary at site.com ? Any suggestions are welcome, I am just beginning to work with LDAP. Thanks for you time and kind regards, Ivars
From ssorce at redhat.com Mon Apr 27 14:15:25 2015 From: ssorce at redhat.com (Simo Sorce) Date: Mon, 27 Apr 2015 10:15:25 -0400 Subject: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons) In-Reply-To: <553E14C1.5060709@redhat.com> References: <553B1F7B.7090502@redhat.com> <553B2055.1090000@redhat.com> <1559142229.7534860.1430029433988.JavaMail.zimbra@redhat.com> <553E14C1.5060709@redhat.com> Message-ID: <1430144125.13607.74.camel@willson.usersys.redhat.com> On Mon, 2015-04-27 at 12:51 +0200, Martin Kosek wrote: > On 04/26/2015 08:23 AM, Alexander Bokovoy wrote: > > > > > > ----- Original Message ----- > >> Hi Rob and Dimitri > >> > >> Migrating via Replica is the obvious way that I would have gone, had the > >> FreeIPA /RedHat documentation not suggested the replicas must have the same > >> version. > >> > >> I think the link that put me off from replicating was: > >> > >> http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication-Creating_the_Replica_Information_File.html > >> > >> Looking at the link more closely I now see this applies to version > >> 1.2 ....., but from the page itself that was not obvious. it would be great > >> if the version to which the IPA documentation applies was more obvious.... > >> I am sure I am not the only user who enters the documentation via a search > >> engine. > > We really need to remove this version 1.x documentation, it is giving too much confusion. > > I agree, this was the last straw. I just did an update to FreeIPA.org mediawiki > and (besides upgrading to new Mediawiki) replaced the deprecated FreeIPA 1.2.1 > and 2.0.0 guides with a redirection to: > > http://www.freeipa.org/page/Upstream_User_Guide > > which contains the reasoning and updated list of deprecated guides and a link > to the current documentations. > > HTH.
> If anyone needs the old guides, I can zip them and add as a download to
> Documentation section.

Yes please, leave the guides available for download.
People may need them for historical reasons.

Simo.

From david.dimovski at biotronik.com Mon Apr 27 16:06:04 2015
From: david.dimovski at biotronik.com (David Dimovski)
Date: Mon, 27 Apr 2015 18:06:04 +0200
Subject: [Freeipa-users] Access to IPA Web-UI with different domain names
Message-ID:

Hi Folks,

does somebody have a best practice for how to access the IPA Web-UI with different domain names?

Example:
Our IPA 4.1 has two different IPs (extern and intern) with two domain names. The web gui is only accessible from the domain name which IPA was registered with (intern domain name). When trying to access with the extern domain name, IPA is rewriting to the intern domain name.

After disabling the rewriting, the web ui is accessible from the two domain names, but the login is not possible from the extern domain name (only intern domain name), getting the following error:
Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David

From christopher.lamb at ch.ibm.com Mon Apr 27 16:09:19 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Mon, 27 Apr 2015 18:09:19 +0200
Subject: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Message-ID:

Hi All

I may have found a possible cause of our instance of the "Your session has expired" Web UI error on our new FreeIPA 4.1.0 Server.

By chance I checked the date on the server hosting FreeIPA 4.1.0. To my surprise, despite running ntpd it was 2 hours in the future!

Some moons ago we were suffering from clock-skew problems, and had spent a lot of time understanding ntp, and setting up an optimal ntp architecture/config.
We were able to completely eliminate clock-skew across all our servers.

Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 NTPD servers with 4 RedHat NTPD servers.

Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, and time was correct again.

Subsequent to this (at least at various points today) I have been able to successfully log into the Web UI from Firefox and Safari on OSX, and Firefox on Windows. On both platforms Chrome (not supported) does not work.

I confess I have not had the time to return to the FreeIPA ntp config to see if the 2 hour offset + Web UI session problem can be reproduced, so at the moment this remains a credible, but not proven, hypothesis.

However I guess that 2 hour offset probably comes from the 2 hour difference between UTC and European Summertime.

I think it would be great if the changes made by FreeIPA setup to ntp.conf were optional - we care strongly about the content of that file!

Cheers

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: freeipa-users at redhat.com
Date: 26.04.2015 01:29
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Sent by: freeipa-users-bounces at redhat.com

Hi All

I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:
An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances.
I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc)
Very sporadically one of the above browsers will “let me in” - If I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:
Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12

If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

From mbasti at redhat.com Mon Apr 27 16:23:47 2015
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Apr 2015 18:23:47 +0200
Subject: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
In-Reply-To:
References:
Message-ID: <553E6293.7020701@redhat.com>

Hello, comments inline

Martin

On 27/04/15 18:09, Christopher Lamb wrote:
> Hi All
>
> I may have found a possible cause of our instance of the "Your session has
> expired" Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0.
> To my
> surprise, despite running ntpd it was 2 hours in the future!

Yes, time is important for successful kerberos login.

> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.

We plan to fix this in a new version.

> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven, hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!

ipa-server-install -N, --no-ntp (do not configure ntp)

> Cheers
>
> Chris
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36
> -----
>
> From: Christopher Lamb/Switzerland/IBM at IBMCH
> To: freeipa-users at redhat.com
> Date: 26.04.2015 01:29
> Subject: [Freeipa-users] Web ui error “Your session has expired. Please
> re-login.” from a browser on a remote client.
> Sent by: freeipa-users-bounces at redhat.com
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” from browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
> > >From the same browsers I can successfully access the Web UI of the public > demo on https://ipa.demo1.freeipa.org/ipa/ui/ > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Martin Basti From christopher.lamb at ch.ibm.com Mon Apr 27 16:39:58 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Mon, 27 Apr 2015 18:39:58 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in Message-ID: Hi All When I use the logout dropdown the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen. This prevents me from logging in with a different user. The FreeIPA Server is 4.1.0 on OEL 7.5. I am using Web UI from an OSX workstation (Firefox and Safari). We did not have this behaviour with FreeIPA 3.0.0 Thanks for your help Chris From benjamen at dollarshaveclub.com Mon Apr 27 16:45:20 2015 From: benjamen at dollarshaveclub.com (Benjamen Keroack) Date: Mon, 27 Apr 2015 09:45:20 -0700 Subject: [Freeipa-users] IPA Web UI behind proxy In-Reply-To: <20150427003206.GH4702@dhcp-40-8.bne.redhat.com> References: <20150427003206.GH4702@dhcp-40-8.bne.redhat.com> Message-ID: Hi Fraser, I actually attempted that procedure ( https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP) but it completely broke my IPA install. I could no longer log in with any users including admin, enrollment/client auth broke, etc. Unfortunately I couldn't find any way to roll back to the self-signed CA cert so I ended up having to do a full re-provision and reinstall. Needless to say, I'm a bit reticent to try that again. On Sun, Apr 26, 2015 at 5:32 PM, Fraser Tweedale wrote: > On Fri, Apr 24, 2015 at 11:45:23AM -0700, Benjamen Keroack wrote: > > Hi, > > > > Does anybody have any experience putting the IPA web UI behind a reverse > > proxy? 
In an attempt to allow our users to access the UI without browser > > warnings and without having to add the root CA certificate to their > trusted > > store (there was some resistance to that idea), I set up an nginx server > as > > a simple reverse proxy. > > > > Every request returns an "Unable to verify your Kerberos credentials" > error > > page. The headers returned: > > > > $ http -h GET https://proxy/ipa > > HTTP/1.1 401 Unauthorized > > Accept-Ranges: bytes > > Connection: keep-alive > > Content-Length: 1474 > > Content-Type: text/html; charset=UTF-8 > > Date: Fri, 24 Apr 2015 18:43:06 GMT > > Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT > > Server: nginx/1.4.6 (Ubuntu) > > WWW-Authenticate: Negotiate > > > > I saw this thread from 2013: > > > https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065 > > > > I'm sending the proper Host and Referer headers by the proxy as > specified, > > and I modified the Apache rewriting rules to not redirect to the hostname > > of the backend IPA server. > > > > Any ideas how this can be done? > > > Hi Benjamen, > > You could use a 3rd-party certificate (signed by trusted, public CA) > for the Web UI; see the guide: > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP > > If you decide to continue with the Web UI behind a reverse proxy, > Simo recent blogged about Kerberos authentication issues with this > sort of setup; you may find inspiration here: > https://ssimo.org/blog/id_019.html > > Cheers, > Fraser > > > Thanks, > > > > -- > > Benjamen Keroack > > *Infrastructure/DevOps Engineer* > > benjamen at dollarshaveclub.com > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- Benjamen Keroack *Infrastructure/DevOps Engineer* benjamen at dollarshaveclub.com -------------- next part -------------- An HTML attachment was scrubbed... 
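Two things in this thread show up in the krb5kdc.log lines Christopher quoted: the service principal a browser actually asks for (behind a differently named reverse proxy it is not the IPA server's own HTTP/ principal, which is the mismatch Simo's post is about) and the enctypes the client negotiates. The following is an added example, not code from the list or from FreeIPA, that parses TGS_REQ ISSUE lines in that format and reports both. The log lines, hostnames, realm and principals are constructed placeholders modelled on the excerpt above; the `ipa_host` argument is an assumption of the example.

```python
"""Audit krb5kdc.log TGS_REQ lines for HTTP/ service-principal host mismatch
and weak session-key enctypes.  Added example, not code from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the shape of the krb5kdc.log excerpt quoted in
# this thread.  Hostnames, realm, IPs and principals are placeholders.
SAMPLE_LOG = """\
Apr 25 02:17:44 ipa1.example.test krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for HTTP/ipa1.example.test@EXAMPLE.TEST
Apr 25 02:17:44 ipa1.example.test krb5kdc[1933](info): closing down fd 12
Apr 25 02:18:02 ipa1.example.test krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1429921080, etypes {rep=18 tkt=23 ses=23}, bob@EXAMPLE.TEST for HTTP/proxy.example.test@EXAMPLE.TEST
"""

# Enctype numbers as assigned in RFC 3961/3962 and MIT krb5: 1-3 are single
# DES, 23/24 are arcfour-hmac / arcfour-hmac-exp (RC4).  All of them are weak.
WEAK_ETYPES = {1, 2, 3, 23, 24}

TGS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<client_ip>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)\s*$"
)


@dataclass
class TgsReq:
    timestamp: str
    client_ip: str
    authtime: int
    offered_etypes: List[int]
    ticket_etype: int
    session_etype: int
    client: str
    service: str

    def service_host(self) -> Optional[str]:
        """Host part of a host-based principal such as HTTP/host@REALM."""
        name = self.service.split("@", 1)[0]
        if "/" not in name:
            return None
        return name.split("/", 1)[1]


def parse_tgs_req(line: str) -> Optional[TgsReq]:
    """Return a TgsReq for a TGS_REQ ISSUE line, None for any other line."""
    m = TGS_REQ_RE.match(line)
    if not m:
        return None
    return TgsReq(
        timestamp=m.group("ts"),
        client_ip=m.group("client_ip"),
        authtime=int(m.group("authtime")),
        offered_etypes=[int(e) for e in m.group("offered").split()],
        ticket_etype=int(m.group("tkt")),
        session_etype=int(m.group("ses")),
        client=m.group("client"),
        service=m.group("service"),
    )


def parse_log(text: str) -> List[TgsReq]:
    return [r for r in map(parse_tgs_req, text.splitlines()) if r is not None]


def audit(records: List[TgsReq], ipa_host: str) -> List[Tuple[str, str]]:
    """Findings as (client principal, kind).

    ipa_host (assumed argument) is the FQDN in the IPA server's own HTTP/
    principal.  An HTTP/ request for any other host is the name mismatch a
    browser produces when it reaches the Web UI through a proxy with a
    different name; a weak ses= enctype means the session key negotiated
    for that exchange should not be in use."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.service.startswith("HTTP/") and r.service_host() != ipa_host:
            findings.append((r.client, "service-host-mismatch"))
        if r.session_etype in WEAK_ETYPES:
            findings.append((r.client, "weak-session-etype"))
    return findings


if __name__ == "__main__":
    for client, kind in audit(parse_log(SAMPLE_LOG), "ipa1.example.test"):
        print(f"{client}: {kind}")
```

For the excerpt quoted in the thread itself neither finding fires: the session key is enctype 18 (AES-256) and the request is for the server's own HTTP/ principal, which is consistent with the time skew, not the ticket, being the cause Christopher found.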
From dkupka at redhat.com Mon Apr 27 16:55:14 2015
From: dkupka at redhat.com (David Kupka)
Date: Mon, 27 Apr 2015 18:55:14 +0200
Subject: [Freeipa-users] Access to IPA Web-UI with different domain names
In-Reply-To:
References:
Message-ID: <553E69F2.8080400@redhat.com>

On 04/27/2015 06:06 PM, David Dimovski wrote:
> Hi Folks,
> does somebody have a best practice for how to access the IPA Web-UI with
> different domain names?
>
> Example:
> Our IPA 4.1 has two different IPs (extern and intern) with two domain
> names. The web gui is only accessible from the domain name which IPA was
> registered with (intern domain name). When trying to access with the
> extern domain name, IPA is rewriting to the intern domain name.
>
> After disabling the rewriting, the web ui is accessible from the two
> domain names, but the login is not possible from the extern domain name
> (only intern domain name), getting the following error:
> Logout session expired.
>
> Does somebody have an idea or a clue?
>
> Many thanks in advance!
>
> Best regards
> David

Hello!

IIUC this is not something FreeIPA supports. When you deploy a FreeIPA server it is tied to the domain specified during installation. I think you need to decide whether your FreeIPA domain is internal or external. If it's internal it is inaccessible from outside and you need to first connect to the internal network (e.g. use VPN) and then connect to the FreeIPA server. If it's external then everything works as expected.

--
David Kupka

From zmcneilly at elys.com Mon Apr 27 16:21:27 2015
From: zmcneilly at elys.com (Zach McNeilly)
Date: Mon, 27 Apr 2015 12:21:27 -0400
Subject: [Freeipa-users] FreeIPA 4.1.4 and Windows Groups
Message-ID: <553E6207.60109@elys.com>

Hi all,

First I'd like to say thank you for the fantastic product. We've been using FreeIPA since v 1 and it's been fantastic.

Recently we've hit a slight snag, however.
We used this document (https://www.freeipa.org/page/Windows_authentication_against_FreeIPA) to setup Windows to use FreeIPA for it's back end authentication. This works really well and we are really happy with it. To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install' on our FreeIPA servers, this added several attributes to every user as expected. However, now when users try to log on to a Windows machine with their FreeIPA credentials they can log on but they are no longer in any Windows groups (Administrators or Remote Desktop Users in this case). This was working before running ipa-adtrust-install. If you remove the following attributes from the user Windows works again but samba no longer does: objectclass=ipantuserattrs ipantsecurityidentifier= I've been banging my head against the wall on this for a while, and can't seem to get everything to mesh. Can anyone make any recommendations? Best, Zach From tizzo at computer.org Mon Apr 27 17:08:21 2015 From: tizzo at computer.org (Tony Izzo) Date: Mon, 27 Apr 2015 13:08:21 -0400 Subject: [Freeipa-users] Password expiration not updated with password change Message-ID: I'm currently experimenting with Red Had Identity Management 6.0, and I've noticed that when I create a user, and have them change their password using the "passwd" command, the password is changed in IdM, but the password expiration date is not updated, so that their password remains expired. Furthermore, the "expired" state of the password only seems to apply to logging into the IdM Web UI (these users are members of the "admins" group); users are able to log into any RHEL machine configured as an IdM client, using their updated password, even though the password is supposedly expired. Any advice on what I'm doing wrong? Is the passwd command a valid way for a user to update their own password? Thanks. Tony -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dpal at redhat.com Mon Apr 27 19:26:51 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 27 Apr 2015 15:26:51 -0400 Subject: [Freeipa-users] Password expiration not updated with password change In-Reply-To: References: Message-ID: <553E8D7B.6050005@redhat.com> On 04/27/2015 01:08 PM, Tony Izzo wrote: > I'm currently experimenting with Red Had Identity Management 6.0, This version does not make sense. Did you mean 7.0? > and I've noticed that when I create a user, and have them change their > password using the "passwd" command, the password is changed in IdM, > but the password expiration date is not updated, so that their > password remains expired. Are you sure that the password is actually changed in the central server? How does your PAM stack look like? Do you use SSSD? > > Furthermore, the "expired" state of the password only seems to apply > to logging into the IdM Web UI (these users are members of the > "admins" group); users are able to log into any RHEL machine > configured as an IdM client, using their updated password, even though > the password is supposedly expired. Are you sure you do not have an overlapping local user? > > Any advice on what I'm doing wrong? Is the passwd command a valid way > for a user to update their own password? Thanks. If this is the consistent behavior then I suggest you look at the server logs and see what is going on on the KDC and LDAP side at the moment of the password change. See the troubleshooting guide on the IPA wiki for more hints. > > Tony > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
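One way to look at the symptom Tony describes, from the LDAP side Dmitri points to, is to compare the two Kerberos attributes FreeIPA stores on the user entry: krbLastPwdChange and krbPasswordExpiration. If a password change went through on the central server, the expiration should have moved forward past the change time; an expiration that still predates the last change is the "changed but still expired" state. The following is an added example, not FreeIPA's or the list's code: the entries are constructed LDIF-style output of the kind ldapsearch returns for a user, and the reference time is passed in explicitly so the result is reproducible.

```python
"""Report whether a FreeIPA user's password expiration was moved forward by
the last password change.  Added example, not FreeIPA code; the entries are
constructed and use FreeIPA's real krbLastPwdChange / krbPasswordExpiration
attribute names."""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample: alice's expiration moved with the change, bob's
# expiration still predates the change (the symptom described in the thread).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastPwdChange: 20150427170821Z
krbPasswordExpiration: 20150726170821Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastPwdChange: 20150427170900Z
krbPasswordExpiration: 20150427000000Z
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines only (no base64 '::' values, no continuation lines).  That is all
    these attributes need; a general reader would handle both."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as FreeIPA writes it: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_password_state(entry: Dict[str, List[str]], now: datetime) -> Dict[str, object]:
    """'expired' compares the expiration with the reference time; 'stale'
    is true when the expiration was not moved past the last change, which
    is what a password change that did not update the expiry looks like."""
    last_change = parse_generalized_time(entry["krbLastPwdChange"][0])
    expiration = parse_generalized_time(entry["krbPasswordExpiration"][0])
    return {
        "uid": entry["uid"][0],
        "expired": expiration <= now,
        "stale": expiration <= last_change,
    }


def report(text: str, now: datetime) -> List[Dict[str, object]]:
    return [check_password_state(e, now) for e in parse_ldif(text)]


if __name__ == "__main__":
    reference = datetime(2015, 4, 27, 18, 0, tzinfo=timezone.utc)
    for state in report(SAMPLE_LDIF, reference):
        print(state)
```

Run against a real entry, a "stale" result says the change never reached the server's Kerberos attributes (or reached only a local copy), which narrows the question to the PAM stack and SSSD configuration Dmitri asks about.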
URL: From dpal at redhat.com Mon Apr 27 19:30:27 2015 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 27 Apr 2015 15:30:27 -0400 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: References: Message-ID: <553E8E53.6080703@redhat.com> On 04/27/2015 12:39 PM, Christopher Lamb wrote: > Hi All > > When I use the logout dropdown the WebUI (top righthand corner of the > screen), it logs me out, then immediately reloads and logs me right back in > again to the Users screen. > > This prevents me from logging in with a different user. > > The FreeIPA Server is 4.1.0 on OEL 7.5. > > I am using Web UI from an OSX workstation (Firefox and Safari). > > We did not have this behaviour with FreeIPA 3.0.0 > > Thanks for your help > > Chris > Try kdestroy and then logout. I am not sure it worked differently in 3.0 may be you tried 3.0 when your Kerberis ticket already expired. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From abokovoy at redhat.com Mon Apr 27 19:38:53 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 27 Apr 2015 22:38:53 +0300 Subject: [Freeipa-users] FreeIPA 4.1.4 and Windows Groups In-Reply-To: <553E6207.60109@elys.com> References: <553E6207.60109@elys.com> Message-ID: <20150427193853.GA27649@redhat.com> On Mon, 27 Apr 2015, Zach McNeilly wrote: >Hi all, > >First I'd like to say thank you for the fantastic product. We've been >using FreeIPA since v 1 and it's been fantastic. > >Recently we've hit a slight snag, however. We used this document >(https://www.freeipa.org/page/Windows_authentication_against_FreeIPA) >to setup Windows to use FreeIPA for it's back end authentication. This >works really well and we are really happy with it. You know that it is not a supported configuration, right? >To integrate a CIFS server with FreeIPA we ran 'ipa-adtrust-install' >on our FreeIPA servers, this added several attributes to every user as >expected. 
> However, now when users try to log on to a Windows machine
> with their FreeIPA credentials they can log on but they are no longer
> in any Windows groups (Administrators or Remote Desktop Users in this
> case). This was working before running ipa-adtrust-install.
>
> If you remove the following attributes from the user Windows works
> again but samba no longer does:
>
> objectclass=ipantuserattrs
> ipantsecurityidentifier=
>
> I've been banging my head against the wall on this for a while, and
> can't seem to get everything to mesh. Can anyone make any
> recommendations?

I don't think we can do anything here. Windows takes the list of SIDs from the Kerberos ticket's MS-PAC, which is filled by the IPA KDC. The format of MS-PAC includes the group list in the form of RIDs, i.e. relative identifiers, relative to the domain SID.

--
/ Alexander Bokovoy

From rmeggins at redhat.com Mon Apr 27 20:51:12 2015
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Apr 2015 14:51:12 -0600
Subject: [Freeipa-users] default e-mail address and aliases from LDAP
In-Reply-To: <41FE99FD-11D7-49B7-9C5A-94363CF1FFFF@sets.lv>
References: <41FE99FD-11D7-49B7-9C5A-94363CF1FFFF@sets.lv>
Message-ID: <553EA140.3000209@redhat.com>

On 04/27/2015 07:49 AM, Ivars Strazdiņš wrote:
> Hi there,
> I am preparing to move our site e-mail authentication backend to
> FreeIPA. That is, integrate Postfix with FreeIPA.
> Let's suppose user has two or more e-mail addresses,
> joe at site.com
> joe.user at site.com
>
> Currently we use smtp_generic_maps on Postfix side to ensure that mail
> always leaves site as joe.user at site.com
>
> Is there a way to ensure in FreeIPA that user's default address is
> joe.user at site.com so that Postfix could do
> a smtp_generic_maps lookup in LDAP server and get the default address?
>
> And another question - is it possible to maintain e-mail aliases in
> FreeIPA? Say, to expand address list at site.com
> to users joe at site.com ,
> john at site.com and mary at site.com
> ?
> Any suggestions are welcome, I am just beginning to work with LDAP.

I myself don't know. However, there are some email howto's on the 389 site: http://www.port389.org/docs/389ds/tech-docs.html#mail

Hopefully someone with actual experience integrating Postfix and LDAP will chime in on this thread. If not, try the 389-users at lists.fedoraproject.org list - there are some email server operators there.

> Thanks for your time and kind regards,
> Ivars

From dpal at redhat.com Mon Apr 27 21:09:29 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 27 Apr 2015 17:09:29 -0400
Subject: [Freeipa-users] default e-mail address and aliases from LDAP
In-Reply-To: <553EA140.3000209@redhat.com>
References: <41FE99FD-11D7-49B7-9C5A-94363CF1FFFF@sets.lv> <553EA140.3000209@redhat.com>
Message-ID: <553EA589.3070801@redhat.com>

On 04/27/2015 04:51 PM, Rich Megginson wrote:
> On 04/27/2015 07:49 AM, Ivars Strazdiņš wrote:
>> Hi there,
>> I am preparing to move our site e-mail authentication backend to
>> FreeIPA. That is, integrate Postfix with FreeIPA.
>> Let's suppose user has two or more e-mail addresses,
>> joe at site.com
>> joe.user at site.com
>>
>> Currently we use smtp_generic_maps on Postfix side to ensure that
>> mail always leaves site as joe.user at site.com
>>
>> Is there a way to ensure in FreeIPA that user's default address is
>> joe.user at site.com so that Postfix could do
>> a smtp_generic_maps lookup in LDAP server and get the default address?
>>
>> And another question - is it possible to maintain e-mail aliases in
>> FreeIPA? Say, to expand address list at site.com
>> to users joe at site.com ,
>> john at site.com and mary at site.com
>> ?
>> Any suggestions are welcome, I am just beginning to work with LDAP.
>
> I myself don't know.
However, there are some email howto's on the 389 > site: http://www.port389.org/docs/389ds/tech-docs.html#mail > > Hopefully someone with actual experience integrating Postfix and LDAP > will chime in on this thread. If not, try the > 389-users at lists.fedoraproject.org list - there are some email server > operators there. > Here is one of the pointers: https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ >> >> Thanks for you time and kind regards, >> Ivars >> >> >> > > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From techpkiuser at gmail.com Tue Apr 28 05:50:20 2015 From: techpkiuser at gmail.com (Kamal Perera) Date: Tue, 28 Apr 2015 11:20:20 +0530 Subject: [Freeipa-users] How to renew an expired admin certificate Message-ID: Dear All, I'm in the process of regaining one of the old CA systems which was not being used for a long time. In the root CA, administrator certificate is expired and cannot access the agent interface. In order to renew it, i would need the access to the agent interface. Please help me to proceed with the login in to the agent interface. Regards, Kamal -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew.holway at gmail.com Tue Apr 28 06:53:59 2015 From: andrew.holway at gmail.com (Andrew Holway) Date: Tue, 28 Apr 2015 08:53:59 +0200 Subject: [Freeipa-users] FreeIPA SAML and Google Apps Message-ID: Hi, Is it yet possible to use FreeIPA as an identity provider to Google Apps via SAML. I understand there was some project afoot.... Thanks, Andrew -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From tiaan at netsys.aero Tue Apr 28 06:58:33 2015 From: tiaan at netsys.aero (Tiaan Wessels) Date: Tue, 28 Apr 2015 06:58:33 +0000 Subject: [Freeipa-users] FreeIPA restarts when changing run-levels Message-ID: <553F2F99.7010604@netsys.co.za> Hi, Is it correct behavior that FreeIPA restarts when changing run-levels between 3 and 5 ? I would have hoped that if it was already running, that changing the run-level between two run-levels for which IPA has both been configured to run, will have no effect if already running (using init-based system) Thanks -- Tiaan Wessels NetSys International Tel: +27 (0)12 349-2056 (Business) +27 (0)12 349-2757 (Facsimile) Web: http://www.netsys.aero From mbasti at redhat.com Tue Apr 28 06:59:27 2015 From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Apr 2015 08:59:27 +0200 Subject: [Freeipa-users] FreeIPA SAML and Google Apps In-Reply-To: References: Message-ID: <553F2FCF.8060403@redhat.com> On 28/04/15 08:53, Andrew Holway wrote: > Hi, > > Is it yet possible to use FreeIPA as an identity provider to Google > Apps via SAML. I understand there was some project afoot.... > > Thanks, > > Andrew > > Maybe this would help. https://fedorahosted.org/ipsilon/ -- Martin Basti -------------- next part -------------- An HTML attachment was scrubbed... URL: From a.v.chernyakov at gmail.com Tue Apr 28 10:01:33 2015 From: a.v.chernyakov at gmail.com (=?UTF-8?B?0JDRgNGB0LXQvdC40Lkg0KfQtdGA0L3Rj9C60L7Qsg==?=) Date: Tue, 28 Apr 2015 13:01:33 +0300 Subject: [Freeipa-users] freeIPA and AD in multi-homed environment Message-ID: - Hi all. I've got a rather big domain environment with 10 distributed locations, and I'm considering using FreeIPA as an id manager for linux users and servers, alongside with existing AD, using trusts. In every location, there are 2 DCs for windows environment, and I'm thinking about deployment of 2 freeIPA servers for each location, with replicas. 
This document states that I can't use more than 20 servers per IPA domain:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies

- "No more than 20 servers and replicas should be involved in a single Identity Management domain."
- How strict is this restriction? Is there any way I can deploy freeIPA in this situation, assuming that the number of locations would increase over time? Are there any other limitations to integrating freeIPA with AD?

Thank you.

(sorry for poor english :)

From abokovoy at redhat.com Tue Apr 28 10:26:23 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Apr 2015 13:26:23 +0300
Subject: [Freeipa-users] freeIPA and AD in multi-homed environment
In-Reply-To:
References:
Message-ID: <20150428102623.GU26437@redhat.com>

On Tue, 28 Apr 2015, Арсений Черняков wrote:
> Hi all.
> I've got a rather big domain environment with 10 distributed locations,
> and I'm considering using FreeIPA as an id manager for linux users and
> servers, alongside with existing AD, using trusts. In every location, there
> are 2 DCs for windows environment, and I'm thinking about deployment of 2
> freeIPA servers for each location, with replicas. This document states that
> I can't use more than 20 servers per IPA domain:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies
>
> - "No more than 20 servers and replicas should be involved in a single
> Identity Management domain."
> - How strict is this restriction? Is there any way I can deploy freeIPA
> in this situation, assuming that the number of locations would increase over
> time? Are there any other limitations to integrating freeIPA with AD?

The limitations described above are for supported configurations deployed on Red Hat Enterprise Linux. If you want a larger configuration to be supported, you need to contact your Red Hat representatives and work out with them the exact support statement.

--
/ Alexander Bokovoy

From a.v.chernyakov at gmail.com Tue Apr 28 11:05:01 2015
From: a.v.chernyakov at gmail.com (Арсений Черняков)
Date: Tue, 28 Apr 2015 14:05:01 +0300
Subject: [Freeipa-users] freeIPA and AD in multi-homed environment
In-Reply-To: <20150428102623.GU26437@redhat.com>
References: <20150428102623.GU26437@redhat.com>
Message-ID:

Thank you for the quick response. So, did I get it right, that this limitation is affecting only the RedHat support agreement, and not the technical side of the configuration? We're considering the CentOS 7 deployment, and we don't have a Red Hat support agreement.

Maybe it's a stupid question, but since we don't have a support agreement, can I still ask questions in the RedHat mailing list? (I haven't found any forums/KBs/mailing lists dedicated solely to freeIPA and CentOS).

2015-04-28 13:26 GMT+03:00 Alexander Bokovoy :
> On Tue, 28 Apr 2015, Арсений Черняков wrote:
>
>> Hi all.
>> I've got a rather big domain environment with 10 distributed locations,
>> and I'm considering using FreeIPA as an id manager for linux users and
>> servers, alongside with existing AD, using trusts. In every location,
>> there
>> are 2 DCs for windows environment, and I'm thinking about deployment of
>> 2
>> freeIPA servers for each location, with replicas. This document states
>> that
>> I can't use more than 20 servers per IPA domain:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies
>>
>> - "No more than 20 servers and replicas should be involved in a single
>> Identity Management domain."
>> - How strict is this restriction?
Is there any way I can deploy freeIPA >> in this situation, assuming that the number of locations would increase over >> time? Are there any other limitations to integrating freeIPA with AD? >> > The limitations described above are for supported configurations > deployed on Red Hat Enterprise Linux. If you want a larger configuration > to be supported, you need to contact your Red Hat representatives and > work out with them the exact support statement. > > > -- > / Alexander Bokovoy > From abokovoy at redhat.com Tue Apr 28 11:16:30 2015 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Apr 2015 14:16:30 +0300 Subject: [Freeipa-users] freeIPA and AD in multi-homed environment In-Reply-To: References: <20150428102623.GU26437@redhat.com> Message-ID: <20150428111630.GW26437@redhat.com> On Tue, 28 Apr 2015, Арсений Черняков wrote: >Thank you for the quick response. So, did I get it right that this limitation >affects only the Red Hat support agreement, and not the technical side of the >configuration? We're considering a CentOS 7 deployment, and we don't have a >Red Hat support agreement. Technically 389-ds can address up to 65535 replicas, but this says nothing about actual performance, which is always a function of your workload, environment, and a number of other factors. If you hit any issues, without a support contract they would be handled by the community -- where we all are -- and may take longer. I hope it is clear, as the people involved are giving their volunteer effort. >Maybe it's a stupid question, but since we don't have a support agreement, >can I still ask questions on the Red Hat mailing list? (I haven't found any >forums/KBs/mailing lists dedicated solely to freeIPA and CentOS). This mailing list is part of the FreeIPA community; we see here a lot of questions from different parties using different distributions. It is hosted by Red Hat but not really tied to Red Hat.
Still, if you have concerns about making your whole infrastructure depend on free software solutions, there are solution providers that would be happy to help you in deploying and supporting them. Just don't expect their contract obligations to necessarily extend to the community mailing list. :) -- / Alexander Bokovoy From a.v.chernyakov at gmail.com Tue Apr 28 11:27:01 2015 From: a.v.chernyakov at gmail.com (Арсений Черняков) Date: Tue, 28 Apr 2015 14:27:01 +0300 Subject: [Freeipa-users] freeIPA and AD in multi-homed environment In-Reply-To: <20150428111630.GW26437@redhat.com> References: <20150428102623.GU26437@redhat.com> <20150428111630.GW26437@redhat.com> Message-ID: OK, everything is clear now. Thank you again. :) 2015-04-28 14:16 GMT+03:00 Alexander Bokovoy : > On Tue, 28 Apr 2015, Арсений Черняков wrote: > >> Thank you for the quick response. So, did I get it right that this limitation >> affects only the Red Hat support agreement, and not the technical side of the >> configuration? We're considering a CentOS 7 deployment, and we don't >> have a >> Red Hat support agreement. >> > Technically 389-ds can address up to 65535 replicas, but this says > nothing about actual performance, which is always a function of your > workload, environment, and a number of other factors. > > If you hit any issues, without a support contract they would be handled by > the community -- where we all are -- and may take longer. I hope it > is clear, as the people involved are giving their volunteer effort. > > Maybe it's a stupid question, but since we don't have a support agreement, >> can I still ask questions on the Red Hat mailing list? (I haven't found any >> forums/KBs/mailing lists dedicated solely to freeIPA and CentOS). >> > This mailing list is part of the FreeIPA community; we see here a lot of > questions from different parties using different distributions. It is > hosted by Red Hat but not really tied to Red Hat.
> > Still, if you have concerns about making your whole infrastructure > depend on free software solutions, there are solution providers that > would be happy to help you in deploying and supporting them. Just don't > expect their contract obligations to necessarily extend to the community > mailing list. :) > > -- > / Alexander Bokovoy > -- Best regards, Черняков А.В. From Alexander.Frolushkin at megafon.ru Tue Apr 28 11:35:05 2015 From: Alexander.Frolushkin at megafon.ru (Alexander Frolushkin) Date: Tue, 28 Apr 2015 11:35:05 +0000 Subject: [Freeipa-users] freeIPA and AD in multi-homed environment In-Reply-To: References: <20150428102623.GU26437@redhat.com> Message-ID: <1488fa8d007b4edc8f6a8f0d20d1b607@sib-ums03.Megafon.ru> Hello. We were also planning a relatively large deployment (8 sites, 19 IPA servers), and so far our experience has told us that official Red Hat support is a must-have option for IPA in a mission-critical environment. IPA is still a very fresh solution and it has some issues you may face. WBR, Alexander Frolushkin From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Арсений Черняков Sent: Tuesday, April 28, 2015 5:05 PM To: Alexander Bokovoy Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] freeIPA and AD in multi-homed environment Thank you for the quick response. So, did I get it right that this limitation affects only the Red Hat support agreement, and not the technical side of the configuration? We're considering a CentOS 7 deployment, and we don't have a Red Hat support agreement. Maybe it's a stupid question, but since we don't have a support agreement, can I still ask questions on the Red Hat mailing list? (I haven't found any forums/KBs/mailing lists dedicated solely to freeIPA and CentOS). 2015-04-28 13:26 GMT+03:00 Alexander Bokovoy >: On Tue, 28 Apr 2015, Арсений Черняков wrote: - Hi all.
I've got a rather big domain environment with 10 distributed locations, and I'm considering using FreeIPA as an id manager for linux users and servers, alongside the existing AD, using trusts. In every location, there are 2 DCs for the windows environment, and I'm thinking about deployment of 2 freeIPA servers for each location, with replicas. This document states that I can't use more than 20 servers per IPA domain: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies - "No more than 20 servers and replicas should be involved in a single Identity Management domain." - How strict is this restriction? Is there any way I can deploy freeIPA in this situation, assuming that the number of locations would increase over time? Are there any other limitations to integrating freeIPA with AD? The limitations described above are for supported configurations deployed on Red Hat Enterprise Linux. If you want a larger configuration to be supported, you need to contact your Red Hat representatives and work out with them the exact support statement. -- / Alexander Bokovoy ________________________________ The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it.
It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. From mkosek at redhat.com Tue Apr 28 12:13:06 2015 From: mkosek at redhat.com (Martin Kosek) Date: Tue, 28 Apr 2015 14:13:06 +0200 Subject: [Freeipa-users] Fw: Web ui error "Your session has expired. Please re-login." from a browser on a remote client. In-Reply-To: References: Message-ID: <553F7952.7020908@redhat.com> On 04/27/2015 06:09 PM, Christopher Lamb wrote: > > Hi All > > I may have found a possible cause of our instance of the "Your session has > expired" Web UI error on our new FreeIPA 4.1.0 Server > > By chance I checked the date on the server hosting FreeIPA 4.1.0. To my > surprise, despite running ntpd it was 2 hours in the future! > > Some moons ago we were suffering from clock-skew problems, and had spent a lot > of time understanding ntp, and setting up an optimal ntp > architecture /config. We were able to completely eliminate clock-skew > across all our servers. > > Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 > NTPD servers with 4 RedHat NTPD servers. > > Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, > and time was correct again. > > Subsequent to this (at least at various points today) I have been able to > successfully log into the Web UI from Firefox and Safari on OSX, and > Firefox on Windows. On both platforms Chrome (not supported) does not work.
> > I confess I have not had the time to return to the FreeIPA ntp config to > see if the 2 hour offset + Web UI session problem can be reproduced, so at > the moment this remains a credible, but not proven hypothesis. > > However I guess that 2 hour offset probably comes from the 2 hour > difference between UTC and European Summertime. > > I think it would be great if the changes made by FreeIPA setup to ntp.conf > were optional - we care strongly about the content of that file! > > Cheers > > Chris Good to know. I updated the Troubleshooting page with this tip: https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI Thanks! Martin From mrniranjan at redhat.com Tue Apr 28 06:56:21 2015 From: mrniranjan at redhat.com (Niranjan M.R) Date: Tue, 28 Apr 2015 12:26:21 +0530 Subject: [Freeipa-users] How to renew an expired admin certificate In-Reply-To: References: Message-ID: <553F2F15.3080108@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2015 11:20 AM, Kamal Perera wrote: > Dear All, > > I'm in the process of regaining one of the old CA systems which was not being used for a long time. > > In the root CA, administrator certificate is expired and cannot access the agent interface. In order to renew it, i would need the access to the agent > interface. Could you roll back the system date and try ? > > Please help me to proceed with the login in to the agent interface. > > Regards, > Kamal > > - -- Niranjan irc: mrniranjan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iKYEARECAGYFAlU/LxVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8ef5wCfUP8ObZnJ6nO2gqqRnWU/VUWr u00AoMpIaGxdjEXm/7uAK0oUDsWq/Mn0 =2nS3 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0x6047C7C7.asc Type: application/pgp-keys Size: 1893 bytes Desc: not available URL: From dpal at redhat.com Tue Apr 28 13:41:52 2015 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 28 Apr 2015 09:41:52 -0400 Subject: [Freeipa-users] How to renew an expired admin certificate In-Reply-To: <553F2F15.3080108@redhat.com> References: <553F2F15.3080108@redhat.com> Message-ID: <553F8E20.1090706@redhat.com> On 04/28/2015 02:56 AM, Niranjan M.R wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 04/28/2015 11:20 AM, Kamal Perera wrote: >> Dear All, >> >> I'm in the process of regaining one of the old CA systems which was not being used for a long time. >> >> In the root CA, administrator certificate is expired and cannot access the agent interface. In order to renew it, i would need the access to the agent >> interface. > Could you roll back the system date and try ? http://www.freeipa.org/page/Howto/CA_Certificate_Renewal > >> Please help me to proceed with the login in to the agent interface. >> >> Regards, >> Kamal >> >> > > - -- > Niranjan > irc: mrniranjan > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iKYEARECAGYFAlU/LxVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl > bnBncC5maWZ0aGhvcnNlbWFuLm5ldEY3OTE3QTg3ODE0RkVCQ0YyNjgyOTRENjJF > RURDNTVGNjA0N0M3QzcACgkQLu3FX2BHx8ef5wCfUP8ObZnJ6nO2gqqRnWU/VUWr > u00AoMpIaGxdjEXm/7uAK0oUDsWq/Mn0 > =2nS3 > -----END PGP SIGNATURE----- > > -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
From npmccallum at redhat.com Tue Apr 28 13:44:39 2015 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 28 Apr 2015 09:44:39 -0400 Subject: [Freeipa-users] 4.1.4 and OTP In-Reply-To: <5531CDAF.1080506@gmail.com> References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com> <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com> <5531AC8D.3070900@redhat.com> <5531CDAF.1080506@gmail.com> Message-ID: <1430228679.4592.4.camel@redhat.com> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: > On 4/17/15 5:59 PM, Dmitri Pal wrote: > > On 04/17/2015 08:07 PM, Janelle wrote: > > > > > > > > > > > > > > > On Apr 17, 2015, at 16:36, Dmitri Pal wrote: > > > > > > > On 04/17/2015 04:52 PM, Janelle wrote: > > > > > On 4/17/15 1:19 PM, Dmitri Pal wrote: > > > > > > On 04/17/2015 01:20 PM, Janelle wrote: > > > > > > > On 4/17/15 9:53 AM, Dmitri Pal wrote: > > > > > > > > On 04/17/2015 11:16 AM, Janelle wrote: > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > Is anyone else having issues with OTP since > > > > > > > > > upgrading? For the life of me I can't get it to > > > > > > > > > accept "Sync" for the tokens. No matter what is put > > > > > > > > > in, it just keeps saying the username, password or > > > > > > > > > tokens entered are incorrect. > > > > > > > > > > > > > > > > > > To make it simple - I am trying this on a brand new > > > > > > > > > CentOS 7.1 system with a clean/fresh install of > > > > > > > > > FreeIPA 4.1.4 and yet it just refuses to work. > > > > > > > > > > > > > > > > > > I create a user -- configure them. They work just > > > > > > > > > fine with a password. Then add a token. Sync with > > > > > > > > > FreeOTP and that all works. Then going back to the > > > > > > > > > web UI and do Sync OTP and it simply refuses to > > > > > > > > > accept any values.
And yet the same user can login > > > > > > > > > to the regular web UI with their password. > > > > > > > > > > > > > > > > > > I have tried setting the user to both Password and > > > > > > > > > OTP for auth methods. And also just OTP and nothing > > > > > > > > > works. > > > > > > > > Please look in the logs to see what is going on. > > > > > > > > You would need to look at the KDC, http and DS logs on > > > > > > > > the server to sort out what is going on. > > > > > > > > > > > > > > > > Do you change the password for the user first after > > > > > > > > creating him? > > > > > > > > > > > > > > > > Can you reproduce the problem with demo instance? > > > > > > > > http://www.freeipa.org/page/Demo > > > > > > > > If you can then we can take a look at the logs right > > > > > > > > away. > > > > > > > > Hints? Am I missing a step? > > > > > > > > > > > > > > > > ~J > > > > > > > > > > > > > > > It appears to be the UI. If I go through the steps and > > > > > > > let it "fail", I can still login using OTP to servers. I > > > > > > > made the assumption that the error itself was not an > > > > > > > error.. :-) > > > > > > > > > > > > > > ~J > > > > > > > > > > > > > I am not sure I get what you are saying. Do you still see > > > > > > the problem or you misinterpreted the UI and now the > > > > > > problem is gone? If you did is there any recommendation > > > > > > how to improve the UI not to confuse people? > > > > > > > > > > > The problem exists -- this is what it shows: > > > > > HOWEVER, it is still WORKING. Meaning, even if you get this > > > > > error, if you attempt to login with your FreeOTP token, it > > > > > WORKS. > > > > > > > > > > ~J > > > > > > > > > > > > > > > > > > > > > > > > Does it give you this error when you use password or password > > > > and token? > > > > Can you please describe the flow of steps in more details? > > > > I start browser, go here, click here, enter this, etc. > > > > > > > > Are you using SSSD to login to servers? 
Is SSSD configured > > > > with the IPA provider, or did you configure it for LDAP manually? > > > > There is a difference between LDAP and Kerberos authentication. > > > > > > > > Maybe the following article will help you to understand the > > > > expectations: > > > > https://access.redhat.com/documentation/en > > > > -US/Red_Hat_Enterprise_Linux/7/html/System > > > > -Level_Authentication_Guide/authconfig-addl-auth.html#enable > > > > -otp > > > > > > > > > > > > > > > Simple. And my test made it simple. > > > Stand up new vm running fc21/freeipa. > > > Configure user. > > > Add password. > > > Add token. > > > > > > Login to the vm with the user created using password. Kerberos > > > ticket assigned, all is well. > > > > > > Login to web interface with admin. Change user to OTP only. > > > Go to web UI and click sync OTP. > > > Enter username, password and 2 OTP sequences. Click sync. Error > > > appears. > > > > > > Now, ssh to same vm using OTP username. Enter password + OTP > > > value. > > > Login successful. > > I can reproduce this issue with demo instance. > > I will file a bug later today. > > I think it is a bug with sync. > > Which token do you use, time based or event based? > TOTP... > > Hmm, makes me wonder - does HOTP fail the same? Off to try it. This should just affect TOTP. I have posted a patch that should fix this problem. Are you able to test it? https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html > ~J > > PS - is there a way to sync a token from command line? I can't think > of a way, but maybe...
ipa otptoken-sync Nathaniel From dpal at redhat.com Tue Apr 28 13:46:31 2015 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 28 Apr 2015 09:46:31 -0400 Subject: [Freeipa-users] freeIPA and AD in multi-homed environment In-Reply-To: <1488fa8d007b4edc8f6a8f0d20d1b607@sib-ums03.Megafon.ru> References: <20150428102623.GU26437@redhat.com> <1488fa8d007b4edc8f6a8f0d20d1b607@sib-ums03.Megafon.ru> Message-ID: <553F8F37.70605@redhat.com> On 04/28/2015 07:35 AM, Alexander Frolushkin wrote: > > Hello. We were also planning a relatively large deployment (8 sites, 19 > IPA servers), and so far our experience has told us that official Red Hat > support is a must-have option for IPA in a mission-critical environment. > > IPA is still a very fresh solution and it has some issues you may face. > I would say that it is not that fresh; however, it is being constantly enhanced and actively developed. That definitely has some impact, so having a supported version in production is strongly recommended. > WBR, > > Alexander Frolushkin > > *From:*freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Арсений Черняков > *Sent:* Tuesday, April 28, 2015 5:05 PM > *To:* Alexander Bokovoy > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] freeIPA and AD in multi-homed environment > > Thank you for the quick response. So, did I get it right that this > limitation affects only the Red Hat support agreement, and not the > technical side of the configuration? We're considering a CentOS 7 > deployment, and we don't have a Red Hat support agreement. > > Maybe it's a stupid question, but since we don't have a support > agreement, can I still ask questions on the Red Hat mailing list? (I > haven't found any forums/KBs/mailing lists dedicated solely to freeIPA > and CentOS). > > 2015-04-28 13:26 GMT+03:00 Alexander Bokovoy >: > > On Tue, 28 Apr 2015, Арсений Черняков wrote: > > - Hi all.
> I've got a rather big domain environment with 10 distributed locations, > and I'm considering using FreeIPA as an id manager for linux users and > servers, alongside the existing AD, using trusts. In every > location, there > are 2 DCs for the windows environment, and I'm thinking about deployment > of 2 > freeIPA servers for each location, with replicas. This document > states that > I can't use more than 20 servers per IPA domain: > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies > > - "No more than 20 servers and replicas should be involved in a single > Identity Management domain." > - How strict is this restriction? Is there any way I can deploy freeIPA > in this situation, assuming that the number of locations would increase over > time? Are there any other limitations to integrating freeIPA with AD? > > The limitations described above are for supported configurations > deployed on Red Hat Enterprise Linux. If you want a larger configuration > to be supported, you need to contact your Red Hat representatives and > work out with them the exact support statement. > > > -- > / Alexander Bokovoy > > > ------------------------------------------------------------------------ >
> -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From christopher.lamb at ch.ibm.com Tue Apr 28 14:10:15 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Tue, 28 Apr 2015 16:10:15 +0200 Subject: [Freeipa-users] Fw: Web ui error "Your session has expired. Please re-login." from a browser on a remote client. In-Reply-To: <553F7952.7020908@redhat.com> References: <553F7952.7020908@redhat.com> Message-ID: Hi Martin That is great. However you may wish to qualify what "significant" is. In the case of the original clock-skew problems (between the IPA LDAP Server and sssd clients on other servers), a skew in the order of 5 minutes was enough to prevent us sshing into our servers with an ldap user. You might also want to repeat the hint that if the FreeIPA Server is running in a VM, it must NEVER be an NTPD server for other servers, as VMs are notorious for bad time keeping. Cheers Chris From: Martin Kosek To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com Date: 28.04.2015 14:13 Subject: Re: [Freeipa-users] Fw: Web ui error "Your session has expired. Please re-login."
from a browser on a remote client. On 04/27/2015 06:09 PM, Christopher Lamb wrote: > > Hi All > > I may have found a possible cause of our instance of the "Your session has > expired" Web UI error on our new FreeIPA 4.1.0 Server > > By chance I checked the date on the server hosting FreeIPA 4.1.0. To my > surprise, despite running ntpd it was 2 hours in the future! > > Some moons ago we were suffering from clock-skew problems, and had spent a lot > of time understanding ntp, and setting up an optimal ntp > architecture /config. We were able to completely eliminate clock-skew > across all our servers. > > Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 > NTPD servers with 4 RedHat NTPD servers. > > Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, > and time was correct again. > > Subsequent to this (at least at various points today) I have been able to > successfully log into the Web UI from Firefox and Safari on OSX, and > Firefox on Windows. On both platforms Chrome (not supported) does not work. > > I confess I have not had the time to return to the FreeIPA ntp config to > see if the 2 hour offset + Web UI session problem can be reproduced, so at > the moment this remains a credible, but not proven hypothesis. > > However I guess that 2 hour offset probably comes from the 2 hour > difference between UTC and European Summertime. > > I think it would be great if the changes made by FreeIPA setup to ntp.conf > were optional - we care strongly about the content of that file! > > Cheers > > Chris Good to know. I updated the Troubleshooting page with this tip: https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI Thanks!
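An added example for the clock-skew exchange above; it is not code from FreeIPA, Red Hat or anyone in this thread. It scripts the three checks a practitioner would run after reading it: which servers /etc/ntp.conf really points at after an install (the "server N.rhel.pool.ntp.org" lines, the site hostnames and the offsets below are constructed samples, not captured output), how far the clock is from the selected ntpq peer, and whether that offset breaks Kerberos. The thresholds are the MIT Kerberos default clockskew of 300 s (the "5 minutes" Chris mentions, overridable in [libdefaults]) and ntpd's default panic threshold of 1000 s, above which ntpd refuses to step the clock at all, which is one way a host ends up hours off "despite running ntpd".

```python
"""Post-install time sanity checks for an IPA server: NTP servers actually
configured, offset from the selected NTP peer, and whether that offset
exceeds the Kerberos tolerance. Standard library only."""
import re

KRB5_DEFAULT_CLOCKSKEW = 300   # seconds; MIT krb5 [libdefaults] clockskew default
NTPD_PANIC_THRESHOLD = 1000    # seconds; ntpd will not step an offset larger than this

# Constructed sample of an /etc/ntp.conf as an installer might rewrite it,
# pointing at pool servers instead of the site's own. Hostnames are made up.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 0.rhel.pool.ntp.org   # written by the installer
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
server 3.rhel.pool.ntp.org
restrict default nomodify notrap nopeer noquery
"""

# Constructed sample of `ntpq -p`: '*' marks the selected peer, offset is in ms.
# 7200012.3 ms is roughly the "2 hours in the future" reported in the thread.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.com 10.10.0.1        2 u   37   64  377    0.512  7200012.3   0.019
+ntp2.example.com 10.10.0.2        2 u   41   64  377    0.604  7200010.8   0.021
"""

# Constructed sample of /etc/krb5.conf with the default tolerance spelled out.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
 clockskew = 300

[realms]
 EXAMPLE.COM = {
  kdc = ipa1.example.com:88
 }
"""


def ntp_servers(ntp_conf):
    """Hostnames on server/pool/peer lines; comments and options are ignored."""
    found = set()
    for raw in ntp_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            found.add(parts[1])
    return found


def unexpected_ntp_servers(ntp_conf, expected):
    """Servers in ntp.conf that are not in the site's expected set."""
    return ntp_servers(ntp_conf) - set(expected)


def krb5_clockskew(krb5_conf):
    """clockskew from [libdefaults] in seconds, or the MIT default when absent."""
    section = None
    for raw in krb5_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            m = re.match(r"clockskew\s*=\s*(\d+)$", line)
            if m:
                return int(m.group(1))
    return KRB5_DEFAULT_CLOCKSKEW


def selected_peer_offset(ntpq_output):
    """Offset of the '*' peer in seconds (ntpq prints ms); None if none is selected."""
    for raw in ntpq_output.splitlines():
        if raw.startswith("*"):
            fields = raw[1:].split()
            # remote refid st t when poll reach delay offset jitter
            if len(fields) >= 10:
                return float(fields[8]) / 1000.0
    return None


def assess_offset(offset_seconds, clockskew=KRB5_DEFAULT_CLOCKSKEW):
    """Classify the clock offset against the ntpd and Kerberos thresholds."""
    if offset_seconds is None:
        return "no_selected_peer"
    magnitude = abs(offset_seconds)
    if magnitude > NTPD_PANIC_THRESHOLD:
        return "exceeds_ntpd_panic_threshold"   # ntpd will not fix this by itself
    if magnitude > clockskew:
        return "exceeds_kerberos_clockskew"     # kinit / GSSAPI logins fail
    return "ok"


def time_report(ntp_conf, ntpq_output, krb5_conf, expected_servers):
    """Bundle the checks into one result a monitoring job can act on."""
    offset = selected_peer_offset(ntpq_output)
    skew = krb5_clockskew(krb5_conf)
    return {
        "unexpected_ntp_servers": sorted(unexpected_ntp_servers(ntp_conf, expected_servers)),
        "offset_seconds": offset,
        "clockskew": skew,
        "verdict": assess_offset(offset, skew),
    }


if __name__ == "__main__":
    site_servers = {"ntp1.example.com", "ntp2.example.com"}   # constructed
    print(time_report(SAMPLE_NTP_CONF, SAMPLE_NTPQ, SAMPLE_KRB5_CONF, site_servers))
```

On a live host, feed it the real files and the output of `ntpq -pn`; a verdict other than "ok" before the Web UI or SSH misbehaves is the early warning this thread was missing. Note that sssd on the clients has the same 300 s Kerberos tolerance, so the check belongs on the clients as well as on the IPA servers.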
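The Sync OTP dialog and the `ipa otptoken-sync` command mentioned in the "4.1.4 and OTP" thread both ask for two consecutive codes. An added example, written for this page and not taken from FreeIPA's implementation, of why two codes are needed and what a server does with them: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, searches a window of time steps for the offset at which both codes match, and then verifies later codes at that stored offset. The key is the RFC test-vector key, the timestamp and the 7-step drift are constructed, and the window sizes are assumptions, not FreeIPA's values.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and the two-code resynchronisation a
server performs when a user submits two consecutive codes. Standard
library only. The key is the RFC test-vector key, not a real token secret."""
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(unix_time, step=30, t0=0):
    """RFC 6238 time counter: whole steps elapsed since t0."""
    return (unix_time - t0) // step


def totp(key, unix_time, step=30, digits=6, offset_steps=0, algo=hashlib.sha1):
    """TOTP for the given time, shifted by a known token clock offset in steps."""
    return hotp(key, totp_counter(unix_time, step) + offset_steps, digits, algo)


def verify_totp(key, code, unix_time, offset_steps=0, window=1, step=30, digits=6):
    """Accept a code at the stored offset plus/minus `window` steps of drift.
    compare_digest keeps the comparison constant-time."""
    base = totp_counter(unix_time, step) + offset_steps
    return any(hmac.compare_digest(hotp(key, base + d, digits), code)
               for d in range(-window, window + 1))


def sync_totp(key, first, second, unix_time, window=100, step=30, digits=6):
    """Return the token's clock offset in steps: the delta within +/- window at
    which `first` and `second` are consecutive codes. None if nothing matches.
    Requiring two codes is what makes a resync request hard to abuse: one
    6-digit code would match a wrong delta somewhere in 201 positions with
    probability about 2e-4, two consecutive codes about 2e-10."""
    base = totp_counter(unix_time, step)
    for delta in range(-window, window + 1):
        if (hmac.compare_digest(hotp(key, base + delta, digits), first)
                and hmac.compare_digest(hotp(key, base + delta + 1, digits), second)):
            return delta
    return None


if __name__ == "__main__":
    # Constructed scenario: the token's clock runs 7 steps (3.5 minutes) ahead.
    now = 1111111109
    first, second = totp(RFC_TEST_KEY, now + 7 * 30), totp(RFC_TEST_KEY, now + 8 * 30)
    found = sync_totp(RFC_TEST_KEY, first, second, now)
    print("offset found:", found, "steps")
    print("next code accepted at stored offset:",
          verify_totp(RFC_TEST_KEY, totp(RFC_TEST_KEY, now + 9 * 30), now + 60, offset_steps=found))
```

The same search explains why the server's own clock matters for TOTP as much as for Kerberos: if the IPA server is hours off, every token looks out of sync at once, and a resync window of a few hundred steps will not find a match at all.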
Martin From janellenicole80 at gmail.com Tue Apr 28 15:26:23 2015 From: janellenicole80 at gmail.com (Janelle) Date: Tue, 28 Apr 2015 08:26:23 -0700 Subject: [Freeipa-users] 4.1.4 and OTP In-Reply-To: <1430228679.4592.4.camel@redhat.com> References: <553123D9.5090800@gmail.com> <55313A9B.2030408@redhat.com> <553140DA.7020001@gmail.com> <55316ABF.1000606@redhat.com> <55317279.3010107@gmail.com> <55319908.60109@redhat.com> <8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com> <5531AC8D.3070900@redhat.com> <5531CDAF.1080506@gmail.com> <1430228679.4592.4.camel@redhat.com> Message-ID: <553FA69F.3060009@gmail.com> On 4/28/15 6:44 AM, Nathaniel McCallum wrote: > On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: >> On 4/17/15 5:59 PM, Dmitri Pal wrote: >>> On 04/17/2015 08:07 PM, Janelle wrote: >>>> >>>> >>>> >>>> On Apr 17, 2015, at 16:36, Dmitri Pal wrote: >>>> >>>>> On 04/17/2015 04:52 PM, Janelle wrote: >>>>>> On 4/17/15 1:19 PM, Dmitri Pal wrote: >>>>>>> On 04/17/2015 01:20 PM, Janelle wrote: >>>>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote: >>>>>>>>> On 04/17/2015 11:16 AM, Janelle wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> Is anyone else having issues with OTP since >>>>>>>>>> upgrading? For the life of me I can't get it to >>>>>>>>>> accept "Sync" for the tokens. No matter what is put >>>>>>>>>> in, it just keeps saying the username, password or >>>>>>>>>> tokens entered are incorrect. >>>>>>>>>> >>>>>>>>>> To make it simple - I am trying this on a brand new >>>>>>>>>> CentOS 7.1 system with a clean/fresh install of >>>>>>>>>> FreeIPA 4.1.4 and yet it just refuses to work. >>>>>>>>>> >>>>>>>>>> I create a user -- configure them. They work just >>>>>>>>>> fine with a password. Then add a token. Sync with >>>>>>>>>> FreeOTP and that all works. Then going back to the >>>>>>>>>> web UI and do Sync OTP and it simply refuses to >>>>>>>>>> accept any values. And yet the same user can login >>>>>>>>>> to the regular web UI with their password.
>>>>>>>>>> >>>>>>>>>> I have tried setting the user to both Password and >>>>>>>>>> OTP for auth methods. And also just OTP and nothing >>>>>>>>>> works. >>>>>>>>> Please look in the logs to see what is going on. >>>>>>>>> You would need to look at the KDC, http and DS logs on >>>>>>>>> the server to sort out what is going on. >>>>>>>>> >>>>>>>>> Do you change the password for the user first after >>>>>>>>> creating him? >>>>>>>>> >>>>>>>>> Can you reproduce the problem with demo instance? >>>>>>>>> http://www.freeipa.org/page/Demo >>>>>>>>> If you can then we can take a look at the logs right >>>>>>>>> away. >>>>>>>>> Hints? Am I missing a step? >>>>>>>>> >>>>>>>>> ~J >>>>>>>>> >>>>>>>> It appears to be the UI. If I go through the steps and >>>>>>>> let it "fail", I can still login using OTP to servers. I >>>>>>>> made the assumption that the error itself was not an >>>>>>>> error.. :-) >>>>>>>> >>>>>>>> ~J >>>>>>>> >>>>>>> I am not sure I get what you are saying. Do you still see >>>>>>> the problem or you misinterpreted the UI and now the >>>>>>> problem is gone? If you did is there any recommendation >>>>>>> how to improve the UI not to confuse people? >>>>>>> >>>>>> The problem exists -- this is what it shows: >>>>>> HOWEVER, it is still WORKING. Meaning, even if you get this >>>>>> error, if you attempt to login with your FreeOTP token, it >>>>>> WORKS. >>>>>> >>>>>> ~J >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Does it give you this error when you use password or password >>>>> and token? >>>>> Can you please describe the flow of steps in more details? >>>>> I start browser, go here, click here, enter this, etc. >>>>> >>>>> Are you using SSSD to login to servers? Is SSSD configured >>>>> with IPA provider or you configured it for LDAP manually. >>>>> There is a difference between LDAP and Kerberos authentication. 
>>>>> >>>>> Maybe the following article will help you to understand the >>>>> expectations: >>>>> https://access.redhat.com/documentation/en >>>>> -US/Red_Hat_Enterprise_Linux/7/html/System >>>>> -Level_Authentication_Guide/authconfig-addl-auth.html#enable >>>>> -otp >>>>> >>>>> >>>>> >>>> Simple. And my test made it simple. >>>> Stand up new vm running fc21/freeipa. >>>> Configure user. >>>> Add password. >>>> Add token. >>>> >>>> Login to the vm with the user created using password. Kerberos >>>> ticket assigned, all is well. >>>> >>>> Login to web interface with admin. Change user to OTP only. >>>> Go to web UI and click sync OTP. >>>> Enter username, password and 2 OTP sequences. Click sync. Error >>>> appears. >>>> >>>> Now, ssh to same vm using OTP username. Enter password + OTP >>>> value. >>>> Login successful. >>> I can reproduce this issue with demo instance. >>> I will file a bug later today. >>> I think it is a bug with sync. >>> Which token do you use, time based or event based? >> TOTP... >> >> Hmm, makes me wonder - does HOTP fail the same? Off to try it. > This should just affect TOTP. I have posted a patch that should fix > this problem. Are you able to test it? > > https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html > > I shall give it a try and let you know. ~J From christopher.lamb at ch.ibm.com Tue Apr 28 16:17:13 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Tue, 28 Apr 2015 18:17:13 +0200 Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet Message-ID: Hi All I wish to pick your brains on the attribute sambaPwdLastSet We have a newly set up FreeIPA 4.1.0, with users and groups migrated from an old 3.0.0 instance. We are also running Samba to share files to Windows and OSX users. This means that all the FreeIPA user accounts have the attribute sambaPwdLastSet. If this has the value 0, our users cannot map Samba shares, so we need to make sure the value is a positive integer.
In an attempt to do this, I modified user.py, adding the attribute to the takes_params for the class user as follows:

class user(LDAPObject):
    . . .
    takes_params = (
        . . .
        Int('sambapwdlastset?',
            label=_('sambaPwdLastSet'),
            doc=_('Date as an integer when the samba password was last set'),
            default=1,
            autofill=True,
        ),
        . . .

This works fine if I create a user via the CLI.

However if I create a user via the Web UI, or use the Web UI to reset a user's password, then the attribute sambaPwdLastSet is set to zero.

So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet to a positive value? (I don't want to run ldapmodify scripts, or have to use Apache Directory Studio to hack the db..)

Or is there an altogether better approach to handling this field?

Thanks

Chris

From dpal at redhat.com Tue Apr 28 17:45:31 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 28 Apr 2015 13:45:31 -0400
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To:
References:
Message-ID: <553FC73B.3000302@redhat.com>

On 04/28/2015 12:17 PM, Christopher Lamb wrote:
> Hi All
>
> I wish to pick your brains on the attribute sambaPwdLastSet
>
> We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
> old 3.0.0 instance.
>
> We are also running Samba to share files to Windows and OSX users. This
> means that all the FreeIPA user accounts have the attribute
> sambaPwdLastSet.
>
> If this has the value 0, our users cannot map Samba shares, so we need to
> make sure the value is a positive integer.
>
> In an attempt to do this, I modified user.py, adding the attribute to the
> takes_params for the class user as follows:
>
> class user(LDAPObject):
>     . . .
>     takes_params = (
>         . . .
>         Int('sambapwdlastset?',
>             label=_('sambaPwdLastSet'),
>             doc=_('Date as an integer when the samba password was last set'),
>             default=1,
>             autofill=True,
>         ),
>         . . .
>
> This works fine if I create a user via the CLI.
>
> However if I create a user via the Web UI, or use the Web UI to reset a
> user's password, then the attribute sambaPwdLastSet is set to zero.
>
> So what scripts do I need to change to make sure the Web UI sets
> sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
> scripts, or have to use Apache Directory Studio to hack the db..)
>
> Or is there an altogether better approach to handling this field?
>
> Thanks
>
> Chris
>
Maybe you should consider managed entry plugin and make this attribute be updated at the same time the standard password expiration attribute is updated?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From abokovoy at redhat.com Tue Apr 28 18:02:38 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Apr 2015 21:02:38 +0300
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <553FC73B.3000302@redhat.com>
References: <553FC73B.3000302@redhat.com>
Message-ID: <20150428180238.GC26437@redhat.com>

On Tue, 28 Apr 2015, Dmitri Pal wrote:
>On 04/28/2015 12:17 PM, Christopher Lamb wrote:
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets
>>sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
>>scripts, or have to use Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>>
>>Thanks
>>
>>Chris
>>
>Maybe you should consider managed entry plugin and make this
>attribute be updated at the same time the standard password expiration
>attribute is updated?
Dmitri, it is already updated -- we set it to 0 when admin changes
user's password.

I've written an answer to Chris but forgot to CC: the list. I'll re-send my
answer.

-- 
/ Alexander Bokovoy

From abokovoy at redhat.com Tue Apr 28 18:11:00 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Apr 2015 21:11:00 +0300
Subject: [Freeipa-users] FreeIPA and sambaPwdLastSet
In-Reply-To: <20150428170157.GA26437@redhat.com>
References: <20150428170157.GA26437@redhat.com>
Message-ID: <20150428181100.GE26437@redhat.com>

Resending it to the right list. :) Not my evening.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets
>>sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
>>scripts, or have to use Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>Yes, there is.
>
>Given that you are running FreeIPA 4.1, you now can use SSSD as your
>libwbclient provider to be able to run Samba on IPA client against IPA
>database. There will be no dependency on sambaPwdLastSet anymore.
>
>See
>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
>client. It does not work though with non-Kerberos (NTLM) logins.
>
>However, if you insist on using sambaPwdLastSet attribute, then user
>password change rule is applying:
>
>- if admin changes user password, sambaPwdLastSet is cleared to 0 to
>  force users to change their passwords also via Samba
>
>If user changes the password him/herself, sambaPwdLastSet is set to the
>current time (i.e. not 0).
>
>This really goes into enforcing privacy of user passwords -- if admins
>change user passwords, the password is not really secret anymore and
>cannot be considered secure, so it is only used once.
>
>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>https://www.freeipa.org/page/New_Passwords_Expired
>
>--
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy

From rmj at ast.cam.ac.uk Tue Apr 28 18:12:34 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Tue, 28 Apr 2015 19:12:34 +0100
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <5538F034.3050902@redhat.com>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk> <5538F034.3050902@redhat.com>
Message-ID: <553FCD92.7030106@ast.cam.ac.uk>

On 23/04/15 14:14, Rob Crittenden wrote:
> Roderick Johnstone wrote:
>> On 23/04/15 04:25, Rob Crittenden wrote:
>>> Roderick Johnstone wrote:
>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>> Hi
>>>>>>
>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>
>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>
>>>>>> It looks to me as if this:
>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>
>>>>>> might be the best guide available, although I'm not sure what changes
>>>>>> I might need to make because I'm actually on Solaris 10 rather than
>>>>>> 11.
>>>>>>
>>>>>> Can anyone advise please?
>>>>>>
>>>>>> There is a comment in the above post:
>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>>>
>>>>>> My automount maps are already called eg auto.master, auto.home on my
>>>>>> ipa server and I'm sure I've seen a post somewhere suggesting an
>>>>>> attributeMap can fix this issue, but I can't find it now, so maybe I
>>>>>> am mistaken.
>>>>>>
>>>>>> Am I on the right track?
>>>>>> Is anyone familiar with that fix.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Roderick Johnstone
>>>>>>
>>>>> We are not strong in Solaris so you really need to search user archives
>>>>> or wait for someone who accomplished Solaris integration to chime in
>>>>> here on the list.
>>>>>
>>>>
>>>> Dmitri
>>>>
>>>> I had gathered that from previous postings to the list and was indeed
>>>> hoping that one of the Solaris experts might comment.
>>>>
>>>> By the way, there are various suggestions on the list of putting the
>>>> best Solaris instructions on the wiki. Is that still a possibility? I'd
>>>> be happy to help, but I'm not experienced with connecting Solaris to ipa
>>>> yet!
>>>>
>>>> Roderick
>>>>
>>>
>>> A few weeks back I added what I thought were the most relevant threads
>>> and pointers. The mailing list thread you refer to was converted into
>>> some documentation bugs and tickets. I referenced those at
>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>
>>> If there is anything I can improve here just let me know.
>>
>> Rob
>>
>> This page has expanded since I was searching a few weeks ago. Thanks for
>> that. I understand that the project has no direct Solaris expertise.
>>
>> There are some things that could be made easier to follow and others
>> that seem inconsistent with the mailing list thread that I found. Maybe
>> some are just different ways of doing the same thing.
>>
>> I started to point out some differences in this email, but it's probably
>> best if I go through the mailing list link that I found and the web page
>> you referenced, systematically, and list what the differences are. I'll
>> be in touch when I have done that.
>>
>> In the meantime I noticed a few small html link issues on the web
>> page you referenced...
>>
>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
>> the link to the reference files in /var/ldap
>> (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files),
>> for me, resolves to the top level "Open Source Community page"
>> http://community.redhat.com/software/. I do however see the files
>> correctly linked from the section "Client Configuration Files" at bottom
>> of the page.
>
> Fixed.
>
>>
>> 2) There is the same issue for the links to the nsswitch.conf and
>> pam.conf files linked in items 2 and 4 below the above - sorry, it's hard
>> to describe well where these links are.
>
> Fixed, and fixed a couple of similar issues in other OS's.
>
>> And it would be good if the patch ("Patch to update Solaris
>> documentation") that is referred to in Solaris 8/9/10 / Additional
>> resources could be applied to the original document and the patched
>> document made available, or at least the information in it.
>
> Unfortunately the upstream doc project that this is patched against was
> discontinued. The patch is mostly interesting for the two tickets it
> links to.
>
> rob
>

Rob

Sorry to be slow getting back on this.

Thanks for fixing those links in the existing web page.

It seems that the existing page and the mailing list thread that I found are doing slightly different things in rather different ways.

The mailing list thread is more focused on using the DUAprofile and tls encrypted connections to the ldap server as well as filling in some more details of other parts of the Solaris configuration that are necessary for other features.

I think it would be good to have the prescription from the mailing list also in the wiki to help others that come along. I'll not be in a position to try to join a Solaris host to my ipa server until next week at the earliest, but it is a priority for me, so when other things stop getting in the way I'll definitely be doing this.
I'll document what I do following the prescription in the mailing list, for myself, and maybe this can all be made into a new wiki page. I would be happy to lead on writing the page (and giving references where appropriate) if I had access, but realise that I might not be able to get that access.

Thanks

Roderick

From dpal at redhat.com Tue Apr 28 18:23:19 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 28 Apr 2015 14:23:19 -0400
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <553FCD92.7030106@ast.cam.ac.uk>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk> <5538F034.3050902@redhat.com> <553FCD92.7030106@ast.cam.ac.uk>
Message-ID: <553FD017.4050805@redhat.com>

On 04/28/2015 02:12 PM, Roderick Johnstone wrote:
> On 23/04/15 14:14, Rob Crittenden wrote:
>> Roderick Johnstone wrote:
>>> On 23/04/15 04:25, Rob Crittenden wrote:
>>>> Roderick Johnstone wrote:
>>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>>
>>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>>
>>>>>>> It looks to me as if this:
>>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>>
>>>>>>> might be the best guide available, although I'm not sure what changes
>>>>>>> I might need to make because I'm actually on Solaris 10 rather than
>>>>>>> 11.
>>>>>>>
>>>>>>> Can anyone advise please?
>>>>>>>
>>>>>>> There is a comment in the above post:
>>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>>>>
>>>>>>> My automount maps are already called eg auto.master, auto.home on my
>>>>>>> ipa server and I'm sure I've seen a post somewhere suggesting an
>>>>>>> attributeMap can fix this issue, but I can't find it now, so maybe I
>>>>>>> am mistaken.
>>>>>>>
>>>>>>> Am I on the right track? Is anyone familiar with that fix.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Roderick Johnstone
>>>>>>>
>>>>>> We are not strong in Solaris so you really need to search user archives
>>>>>> or wait for someone who accomplished Solaris integration to chime in
>>>>>> here on the list.
>>>>>>
>>>>>
>>>>> Dmitri
>>>>>
>>>>> I had gathered that from previous postings to the list and was indeed
>>>>> hoping that one of the Solaris experts might comment.
>>>>>
>>>>> By the way, there are various suggestions on the list of putting the
>>>>> best Solaris instructions on the wiki. Is that still a possibility? I'd
>>>>> be happy to help, but I'm not experienced with connecting Solaris to ipa
>>>>> yet!
>>>>>
>>>>> Roderick
>>>>>
>>>>
>>>> A few weeks back I added what I thought were the most relevant threads
>>>> and pointers. The mailing list thread you refer to was converted into
>>>> some documentation bugs and tickets. I referenced those at
>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>>
>>>> If there is anything I can improve here just let me know.
>>>
>>> Rob
>>>
>>> This page has expanded since I was searching a few weeks ago. Thanks for
>>> that. I understand that the project has no direct Solaris expertise.
>>>
>>> There are some things that could be made easier to follow and others
>>> that seem inconsistent with the mailing list thread that I found. Maybe
>>> some are just different ways of doing the same thing.
>>>
>>> I started to point out some differences in this email, but it's probably
>>> best if I go through the mailing list link that I found and the web page
>>> you referenced, systematically, and list what the differences are. I'll
>>> be in touch when I have done that.
>>>
>>> In the meantime I noticed a few small html link issues on the web
>>> page you referenced...
>>>
>>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
>>> the link to the reference files in /var/ldap
>>> (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files),
>>> for me, resolves to the top level "Open Source Community page"
>>> http://community.redhat.com/software/. I do however see the files
>>> correctly linked from the section "Client Configuration Files" at bottom
>>> of the page.
>>
>> Fixed.
>>
>>>
>>> 2) There is the same issue for the links to the nsswitch.conf and
>>> pam.conf files linked in items 2 and 4 below the above - sorry, it's hard
>>> to describe well where these links are.
>>
>> Fixed, and fixed a couple of similar issues in other OS's.
>>
>>> And it would be good if the patch ("Patch to update Solaris
>>> documentation") that is referred to in Solaris 8/9/10 / Additional
>>> resources could be applied to the original document and the patched
>>> document made available, or at least the information in it.
>>
>> Unfortunately the upstream doc project that this is patched against was
>> discontinued. The patch is mostly interesting for the two tickets it
>> links to.
>>
>> rob
>>
>
> Rob
>
> Sorry to be slow getting back on this.
>
> Thanks for fixing those links in the existing web page.
>
> It seems that the existing page and the mailing list thread that I
> found are doing slightly different things in rather different ways.
> The mailing list thread is more focused on using the DUAprofile and
> tls encrypted connections to the ldap server as well as filling in
> some more details of other parts of the Solaris configuration that are
> necessary for other features.
>
> I think it would be good to have the prescription from the mailing
> list also in the wiki to help others that come along. I'll not be in a
> position to try to join a Solaris host to my ipa server until next
> week at the earliest, but it is a priority for me, so when other
> things stop getting in the way I'll definitely be doing this.
>
> I'll document what I do following the prescription in the mailing
> list, for myself, and maybe this can all be made into a new wiki
> page. I would be happy to lead on writing the page (and giving
> references where appropriate) if I had access, but realise that I
> might not be able to get that access.

We can arrange that and give you permissions. Thank you for your desire to document this. It is really appreciated. Please send me an email off list to set things up when you are ready.

>
> Thanks
>
> Roderick
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From sigbjorn at nixtra.com Tue Apr 28 18:24:53 2015
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 28 Apr 2015 20:24:53 +0200
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <5538D07F.9030902@ast.cam.ac.uk>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk>
Message-ID: <08A8F66B-D112-4A34-8D92-BDA6A91F7C48@nixtra.com>

Hi,

I wrote these bugzilla entries based on my own Solaris 10 configuration for IPA a while back. Did you try these? They include a working DUA profile (need to change server names of course) and the steps I did for configuring Solaris 10 as an IPA client.
Config: https://bugzilla.redhat.com/show_bug.cgi?id=815533
Dua Profile: https://bugzilla.redhat.com/show_bug.cgi?id=815515

The attribute mapping I suggested was for auto.master only. The example dua profile above has this mapping. You may see here for a further explanation: https://www.redhat.com/archives/freeipa-users/2015-March/msg00317.html

Regards,
Siggi

> On 23 Apr 2015, at 12:59, Roderick Johnstone wrote:
>
> On 23/04/15 04:25, Rob Crittenden wrote:
>> Roderick Johnstone wrote:
>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>> Hi
>>>>>
>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>
>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>>
>>>>> It looks to me as if this:
>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>
>>>>> might be the best guide available, although I'm not sure what changes
>>>>> I might need to make because I'm actually on Solaris 10 rather than 11.
>>>>>
>>>>> Can anyone advise please?
>>>>>
>>>>> There is a comment in the above post:
>>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>>
>>>>> My automount maps are already called eg auto.master, auto.home on my
>>>>> ipa server and I'm sure I've seen a post somewhere suggesting an
>>>>> attributeMap can fix this issue, but I can't find it now, so maybe I
>>>>> am mistaken.
>>>>>
>>>>> Am I on the right track? Is anyone familiar with that fix.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Roderick Johnstone
>>>>>
>>>> We are not strong in Solaris so you really need to search user archives
>>>> or wait for someone who accomplished Solaris integration to chime in
>>>> here on the list.
>>>>
>>>
>>> Dmitri
>>>
>>> I had gathered that from previous postings to the list and was indeed
>>> hoping that one of the Solaris experts might comment.
>>>
>>> By the way, there are various suggestions on the list of putting the
>>> best Solaris instructions on the wiki. Is that still a possibility? I'd
>>> be happy to help, but I'm not experienced with connecting Solaris to ipa
>>> yet!
>>>
>>> Roderick
>>>
>>
>> A few weeks back I added what I thought were the most relevant threads
>> and pointers. The mailing list thread you refer to was converted into
>> some documentation bugs and tickets. I referenced those at
>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>
>> If there is anything I can improve here just let me know.
>
> Rob
>
> This page has expanded since I was searching a few weeks ago. Thanks for that. I understand that the project has no direct Solaris expertise.
>
> There are some things that could be made easier to follow and others that seem inconsistent with the mailing list thread that I found. Maybe some are just different ways of doing the same thing.
>
> I started to point out some differences in this email, but it's probably best if I go through the mailing list link that I found and the web page you referenced, systematically, and list what the differences are. I'll be in touch when I have done that.
>
> In the meantime I noticed a few small html link issues on the web page you referenced...
>
> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
> the link to the reference files in /var/ldap (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), for me, resolves to the top level "Open Source Community page" http://community.redhat.com/software/. I do however see the files correctly linked from the section "Client Configuration Files" at bottom of the page.
>
> 2) There is the same issue for the links to the nsswitch.conf and pam.conf files linked in items 2 and 4 below the above - sorry, it's hard to describe well where these links are.
>
> And it would be good if the patch ("Patch to update Solaris documentation") that is referred to in Solaris 8/9/10 / Additional resources could be applied to the original document and the patched document made available, or at least the information in it.
>
>
> Thanks
>
> Roderick
>
>
>>
>> rob
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From sigbjorn at nixtra.com Tue Apr 28 18:33:40 2015
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 28 Apr 2015 20:33:40 +0200
Subject: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
In-Reply-To:
References: <55008BF5.4070003@redhat.com>
Message-ID:

Hi,

You may download the profile from bugzilla, here's a direct link to the attachment: https://bugzilla.redhat.com/attachment.cgi?id=579657

Modify the server names and baseDN to match your environment. Use ldapadd to add the dua profile to your IPA LDAP server.

ldapadd -x -D 'cn=Directory Manager' -W

Please note: We do not use any AD trust, so the users logging into our Solaris servers are doing so from an IPA account.

Regards,
Siggi

> On 12 Mar 2015, at 19:30, Ben .T.George wrote:
>
> HI Siggi,
>
> thanks for the detailed information.
>
> how can i apply this DUA profile? can you please give me the steps to apply this.
>
> my current stage is, i can able to login to solaris 10 box with AD user. only thing from command like without "-" in su
>
> Regards,
> Ben
>
> On Thu, Mar 12, 2015 at 4:00 PM, Sigbjorn Lie > wrote:
> Hi,
>
> Yes the DUA profile needs manually editing and updating as IPA servers are added or removed.
> Ideally this would be managed by ipa-replica-manage, however as I was advised in the BZ, Red Hat does not have the knowledge or resources to focus on integration with Solaris, which is understandable. :)
>
> The DUA profile I've uploaded to the BZ is a copy (with server names edited), of the DUA profile I've used at several environments when configuring Solaris 10 to work with IPA, so unless there are typos I haven't discovered, it would work ok. :)
>
> As for the auto mount, Linux uses '.' between auto and the map name, such as auto.master, auto.home, etc. And Solaris uses '_' between the auto and the map name, such as auto_master, auto_home.
>
> This can be worked around in the DUA profile by adding a serviceSearchDescriptor for each auto mounter map, such as "serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=ix,dc=test,dc=com".
>
> What I found as the best middle ground here, was to keep the master name auto.master and have a serviceSearchDescriptor in the DUA profile for auto.master, and have the remaining maps in IPA with '_' as the separator. This works the best as Linux will look for auto.master by default, and be happy with the other maps being referred to with '_' as separator. Solaris seems to require that all the maps use '_' as separator, unless serviceSearchDescriptor entries are added for each map.
>
> I hope this was what you were looking for?
>
>
> Regards,
> Siggi
>
>
>> On 11 Mar 2015, at 19:39, Dmitri Pal > wrote:
>>
>> Hello,
>>
>> Is there any chance you can help this guy on the FreeIPA list?
>>
>> Thanks
>> Dmitri
>>
>>
>> -------- Original Message --------
>> Subject: Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
>> Date: Wed, 11 Mar 2015 21:22:02 +0300
>> From: Ben .T.George
>> Reply-To: bentech4you at gmail.com
>> To: dpal
>> CC: freeipa-users
>>
>>
>> from BZ
>>
>> "While
>> we value your interest in IPA Solaris support, the
>> implementation of the DUA profile is not on our nearest
>> schedule at the moment. We lack both knowledge and resources
>> to focus on integration with Solaris. This is where we need
>> a help (ideally patches) and contribution from the community
>> to help us push these features in.
>> I checked your example DUAConfigProfile and I think it cannot be just added to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you would need to expand installers and ipa-replica-manage to handle these lists and update them when replica is added or updated to prevent it being outdated. printers or aliases serviceSearchDescriptor refers to objects not being available and so on. It is not as straightforward as it seems.
>>
>> What I think that we can work on is to work together on
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>> ... and add all the steps needed to make IPA work on Solaris 10. I could for example prepare an updated page and you could review it. Would that work for you?"
>> this what i followed util now. but's not authenticate with AD, IPA user can login on solaris box
>>
>> On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal > wrote:
>> On 03/11/2015 01:56 PM, Ben .T.George wrote:
>>> HI
>>>
>>> yea , i saw that mail thread and he claims that he achieved somehow. but not clear.
>>>
>>> and the steps mentioned is too technical for me. :) as i am very new to IPA it's bit confusing.
>>>
>>> later that thread also closed without proper explanation.
>>>
>>> i think you guys can contact him to change existing wiki :) as there are many solaris related documents which is pretty old.
>>>
>>> anyway still waiting for rply
>>
>> Have you found the BZ? They are very detailed.
>> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>> The DUA profile is attached to the bug.
>>
>>
>>>
>>> Regards,
>>> Ben
>>>
>>> On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal > wrote:
>>> On 03/11/2015 01:18 PM, Ben .T.George wrote:
>>>> HI
>>>>
>>>> thanks for the rply.
>>>>
>>>> even i tried native auto_master file with directory checking script. if i feed the user manually to the script, the directory is creating and while login request comes, it didn't.
>>>>
>>>> i don't think no one did full solaris integration util now as i asked many questions related to that.
>>>>
>>>> now i am little bit confident up to this level. and if everything is working fine, i will try to create automated script for IPA join
>>>
>>> I really do not know Solaris that well. There are some threads from this and last week about Solaris. You can find them in the mail archive for March.
>>> There are pointers to wikis and bugzillas in those threads. The bugzilla bugs have some extended info on how to configure Solaris clients. They were pretty detailed. May be they have the automount info you are looking for.
>>>
>>>
>>>>
>>>> Regards,
>>>> Ben
>>>>
>>>>
>>>> On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal > wrote:
>>>> On 03/11/2015 09:50 AM, Ben .T.George wrote:
>>>>> HI
>>>>>
>>>>> i can able to reach upto level that IPA user can able to login on solaris box,
>>>>>
>>>>> but how can i create home directories automatically on solaris while IPA user login.
>>>>>
>>>>> even i change the shell in IPA web interface that is getting affected i saw some option in IPA 3.3 web interface like automount and that is not in IPA 4.1.2
>>>>
>>>> All the options are still there. The menus got re-arranged a bit.
>>>> Hopefully someone with Solaris knowledge will help you with the rest.
>>>>
>>>>> Please, can anyone tell me where it is and how I can achieve this?
>>>>>
>>>>> regards,
>>>>> Ben
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>

From christopher.lamb at ch.ibm.com Tue Apr 28 21:11:41 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Tue, 28 Apr 2015 23:11:41 +0200
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To: <553E8E53.6080703@redhat.com>
References: <553E8E53.6080703@redhat.com>
Message-ID:

HI All

I have just tested with the FreeIPA Web UI public demo
https://ipa.demo1.freeipa.org/ipa/ui/

Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.

With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.

Still confused ...
Chris

From: Dmitri Pal
To: freeipa-users at redhat.com
Date: 27.04.2015 21:31
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
Sent by: freeipa-users-bounces at redhat.com

On 04/27/2015 12:39 PM, Christopher Lamb wrote:
> Hi All
>
> When I use the logout dropdown of the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen.
>
> This prevents me from logging in with a different user.
>
> The FreeIPA Server is 4.1.0 on OEL 7.5.
>
> I am using the Web UI from an OSX workstation (Firefox and Safari).
>
> We did not have this behaviour with FreeIPA 3.0.0
>
> Thanks for your help
>
> Chris
>
Try kdestroy and then logout.
I am not sure it worked differently in 3.0; maybe you tried 3.0 when your Kerberos ticket had already expired.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Tue Apr 28 21:30:38 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 28 Apr 2015 17:30:38 -0400
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To:
References: <553E8E53.6080703@redhat.com>
Message-ID: <553FFBFE.1020208@redhat.com>

On 04/28/2015 05:11 PM, Christopher Lamb wrote:
> HI All
>
> I have just tested with the FreeIPA Web UI public demo
> https://ipa.demo1.freeipa.org/ipa/ui/
>
> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>
> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>
> still confused ...

Do you have a kerberos ticket on your local system?
Do klist.
See which tickets you have.
If you have tickets do kdestroy - this will remove the ability to SSO.
If you then try to use your IPA server you will have the same experience as with the public demo.

>
> Chris
>
> From: Dmitri Pal
> To: freeipa-users at redhat.com
> Date: 27.04.2015 21:31
> Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
> Sent by: freeipa-users-bounces at redhat.com
>
> On 04/27/2015 12:39 PM, Christopher Lamb wrote:
>> Hi All
>>
>> When I use the logout dropdown of the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen.
>>
>> This prevents me from logging in with a different user.
>>
>> The FreeIPA Server is 4.1.0 on OEL 7.5.
>>
>> I am using the Web UI from an OSX workstation (Firefox and Safari).
>>
>> We did not have this behaviour with FreeIPA 3.0.0
>>
>> Thanks for your help
>>
>> Chris
>>
> Try kdestroy and then logout.
> I am not sure it worked differently in 3.0; maybe you tried 3.0 when your Kerberos ticket had already expired.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From rmj at ast.cam.ac.uk Tue Apr 28 21:33:14 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Tue, 28 Apr 2015 22:33:14 +0100
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <553FD017.4050805@redhat.com>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk> <5538F034.3050902@redhat.com> <553FCD92.7030106@ast.cam.ac.uk> <553FD017.4050805@redhat.com>
Message-ID: <553FFC9A.6070709@ast.cam.ac.uk>

On 28/04/2015 19:23, Dmitri Pal wrote:
> On 04/28/2015 02:12 PM, Roderick Johnstone wrote:
>> On 23/04/15 14:14, Rob Crittenden wrote:
>>> Roderick Johnstone wrote:
>>>> On 23/04/15 04:25, Rob Crittenden wrote:
>>>>> Roderick Johnstone wrote:
>>>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>>>
>>>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>>>
>>>>>>>> It looks to me as if this:
>>>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>>>
>>>>>>>> might be the best guide available, although I'm not sure what changes I might need to make because I'm actually on Solaris 10 rather than 11.
>>>>>>>>
>>>>>>>> Can anyone advise please?
>>>>>>>>
>>>>>>>> There is a comment in the above post:
>>>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and NOT auto.* so they are compatible with Solaris name standards."
>>>>>>>>
>>>>>>>> My automount maps are already called eg auto.master, auto.home on my ipa server and I'm sure I've seen a post somewhere suggesting an attributeMap can fix this issue, but I can't find it now, so maybe I am mistaken.
>>>>>>>>
>>>>>>>> Am I on the right track? Is anyone familiar with that fix?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Roderick Johnstone
>>>>>>>>
>>>>>>> We are not strong in Solaris so you really need to search user archives or wait for someone who accomplished Solaris integration to chime in here on the list.
>>>>>>>
>>>>>>
>>>>>> Dmitri
>>>>>>
>>>>>> I had gathered that from previous postings to the list and was indeed hoping that one of the Solaris experts might comment.
>>>>>>
>>>>>> By the way, there are various suggestions on the list of putting the best Solaris instructions on the wiki. Is that still a possibility? I'd be happy to help, but I'm not experienced with connecting Solaris to ipa yet!
>>>>>>
>>>>>> Roderick
>>>>>>
>>>>>
>>>>> A few weeks back I added what I thought were the most relevant threads and pointers. The mailing list thread you refer to was converted into some documentation bugs and tickets. I referenced those at
>>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>>>
>>>>> If there is anything I can improve here just let me know.
>>>>
>>>> Rob
>>>>
>>>> This page has expanded since I was searching a few weeks ago. Thanks for that. I understand that the project has no direct Solaris expertise.
>>>>
>>>> There are some things that could be made easier to follow and others that seem inconsistent with the mailing list thread that I found. Maybe some are just different ways of doing the same thing.
>>>>
>>>> I started to point out some differences in this email, but it's probably best if I go through the mailing list link that I found and the web page you referenced, systematically, and list what the differences are. I'll be in touch when I have done that.
>>>>
>>>> In the meantime I noticed a few small html link issues on the web page you referenced...
>>>>
>>>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication, the link to the reference files in /var/ldap (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), for me, resolves to the top level "Open Source Community page" http://community.redhat.com/software/. I do however see the files correctly linked from the section "Client Configuration Files" at the bottom of the page.
>>>
>>> Fixed.
>>>
>>>>
>>>> 2) There is the same issue for the links to the nsswitch.conf and pam.conf files linked in items 2 and 4 below the above - sorry, it's hard to describe well where these links are.
>>>
>>> Fixed, and fixed a couple of similar issues in other OS's.
>>>
>>>> And it would be good if the patch ("Patch to update Solaris documentation") that is referred to in Solaris 8/9/10 / Additional resources could be applied to the original document and the patched document made available, or at least the information in it.
>>>
>>> Unfortunately the upstream doc project that this is patched against was discontinued. The patch is mostly interesting for the two tickets it links to.
>>>
>>> rob
>>>
>>
>> Rob
>>
>> Sorry to be slow getting back on this.
>>
>> Thanks for fixing those links in the existing web page.
>>
>> It seems that the existing page and the mailing list thread that I found are doing slightly different things in rather different ways.
>> The mailing list thread is more focused on using the DUAprofile and tls encrypted connections to the ldap server as well as filling in some more details of other parts of the Solaris configuration that are necessary for other features.
>>
>> I think it would be good to have the prescription from the mailing list also in the wiki to help others that come along. I'll not be in a position to try to join a Solaris host to my ipa server until next week at the earliest, but it is a priority for me, so when other things stop getting in the way I'll definitely be doing this.
>>
>> I'll document what I do following the prescription in the mailing list, for myself, and maybe this can all be made into a new wiki page. I would be happy to lead on writing the page (and giving references where appropriate) if I had access, but realise that I might not be able to get that access.
>
> We can arrange that and give you permissions. Thank you for your desire to document this. It is really appreciated.

Not at all. I can't contribute much on the tech side here, but if I can at least make it easier for someone later to follow I'm happy to do that.

> Please send me an email off list to set things up when you are ready.

Will do.
Thanks

Roderick

From rcritten at redhat.com Tue Apr 28 21:38:12 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2015 17:38:12 -0400
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <553FFC9A.6070709@ast.cam.ac.uk>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk> <5538F034.3050902@redhat.com> <553FCD92.7030106@ast.cam.ac.uk> <553FD017.4050805@redhat.com> <553FFC9A.6070709@ast.cam.ac.uk>
Message-ID: <553FFDC4.9060202@redhat.com>

Roderick Johnstone wrote:
> On 28/04/2015 19:23, Dmitri Pal wrote:
>> On 04/28/2015 02:12 PM, Roderick Johnstone wrote:
>>> On 23/04/15 14:14, Rob Crittenden wrote:
>>>> Roderick Johnstone wrote:
>>>>> On 23/04/15 04:25, Rob Crittenden wrote:
>>>>>> Roderick Johnstone wrote:
>>>>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>>>>
>>>>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>>>>
>>>>>>>>> It looks to me as if this:
>>>>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>>>>
>>>>>>>>> might be the best guide available, although I'm not sure what changes I might need to make because I'm actually on Solaris 10 rather than 11.
>>>>>>>>>
>>>>>>>>> Can anyone advise please?
>>>>>>>>>
>>>>>>>>> There is a comment in the above post:
>>>>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and NOT auto.* so they are compatible with Solaris name standards."
>>>>>>>>>
>>>>>>>>> My automount maps are already called eg auto.master, auto.home on my ipa server and I'm sure I've seen a post somewhere suggesting an attributeMap can fix this issue, but I can't find it now, so maybe I am mistaken.
>>>>>>>>>
>>>>>>>>> Am I on the right track? Is anyone familiar with that fix?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Roderick Johnstone
>>>>>>>>>
>>>>>>>> We are not strong in Solaris so you really need to search user archives or wait for someone who accomplished Solaris integration to chime in here on the list.
>>>>>>>>
>>>>>>>
>>>>>>> Dmitri
>>>>>>>
>>>>>>> I had gathered that from previous postings to the list and was indeed hoping that one of the Solaris experts might comment.
>>>>>>>
>>>>>>> By the way, there are various suggestions on the list of putting the best Solaris instructions on the wiki. Is that still a possibility? I'd be happy to help, but I'm not experienced with connecting Solaris to ipa yet!
>>>>>>>
>>>>>>> Roderick
>>>>>>>
>>>>>>
>>>>>> A few weeks back I added what I thought were the most relevant threads and pointers. The mailing list thread you refer to was converted into some documentation bugs and tickets. I referenced those at
>>>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>>>>
>>>>>> If there is anything I can improve here just let me know.
>>>>>
>>>>> Rob
>>>>>
>>>>> This page has expanded since I was searching a few weeks ago. Thanks for that. I understand that the project has no direct Solaris expertise.
>>>>>
>>>>> There are some things that could be made easier to follow and others that seem inconsistent with the mailing list thread that I found. Maybe some are just different ways of doing the same thing.
>>>>>
>>>>> I started to point out some differences in this email, but it's probably best if I go through the mailing list link that I found and the web page you referenced, systematically, and list what the differences are. I'll be in touch when I have done that.
>>>>>
>>>>> In the meantime I noticed a few small html link issues on the web page you referenced...
>>>>>
>>>>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication, the link to the reference files in /var/ldap (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), for me, resolves to the top level "Open Source Community page" http://community.redhat.com/software/. I do however see the files correctly linked from the section "Client Configuration Files" at the bottom of the page.
>>>>
>>>> Fixed.
>>>>
>>>>>
>>>>> 2) There is the same issue for the links to the nsswitch.conf and pam.conf files linked in items 2 and 4 below the above - sorry, it's hard to describe well where these links are.
>>>>
>>>> Fixed, and fixed a couple of similar issues in other OS's.
>>>>
>>>>> And it would be good if the patch ("Patch to update Solaris documentation") that is referred to in Solaris 8/9/10 / Additional resources could be applied to the original document and the patched document made available, or at least the information in it.
>>>>
>>>> Unfortunately the upstream doc project that this is patched against was discontinued. The patch is mostly interesting for the two tickets it links to.
>>>>
>>>> rob
>>>>
>>>
>>> Rob
>>>
>>> Sorry to be slow getting back on this.
>>>
>>> Thanks for fixing those links in the existing web page.
>>>
>>> It seems that the existing page and the mailing list thread that I found are doing slightly different things in rather different ways.
>>> The mailing list thread is more focused on using the DUAprofile and tls encrypted connections to the ldap server as well as filling in some more details of other parts of the Solaris configuration that are necessary for other features.
>>>
>>> I think it would be good to have the prescription from the mailing list also in the wiki to help others that come along. I'll not be in a position to try to join a Solaris host to my ipa server until next week at the earliest, but it is a priority for me, so when other things stop getting in the way I'll definitely be doing this.
>>>
>>> I'll document what I do following the prescription in the mailing list, for myself, and maybe this can all be made into a new wiki page. I would be happy to lead on writing the page (and giving references where appropriate) if I had access, but realise that I might not be able to get that access.
>>
>> We can arrange that and give you permissions. Thank you for your desire to document this. It is really appreciated.
>
> Not at all. I can't contribute much on the tech side here, but if I can at least make it easier for someone later to follow I'm happy to do that.
>
>> Please send me an email off list to set things up when you are ready.
>
> Will do.
I think to edit the wiki all you need is a Fedora Account System (FAS) account: https://admin.fedoraproject.org/accounts/

rob

From rcritten at redhat.com Tue Apr 28 21:39:50 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Apr 2015 17:39:50 -0400
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To: <553FFBFE.1020208@redhat.com>
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com>
Message-ID: <553FFE26.20006@redhat.com>

Dmitri Pal wrote:
> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>> HI All
>>
>> I have just tested with the FreeIPA Web UI public demo
>> https://ipa.demo1.freeipa.org/ipa/ui/
>>
>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>
>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>
>> still confused ...
>
> Do you have a kerberos ticket on your local system?
> Do klist.
> See which tickets you have.
> If you have tickets do kdestroy - this will remove the ability to SSO.
> If you then try to use your IPA server you will have the same experience as with the public demo.

I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.

rob

From rmj at ast.cam.ac.uk Tue Apr 28 21:40:55 2015
From: rmj at ast.cam.ac.uk (Roderick Johnstone)
Date: Tue, 28 Apr 2015 22:40:55 +0100
Subject: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa
In-Reply-To: <08A8F66B-D112-4A34-8D92-BDA6A91F7C48@nixtra.com>
References: <5536854A.4090209@ast.cam.ac.uk> <5537A282.8060700@redhat.com> <5537D45F.9010108@ast.cam.ac.uk> <55386623.6000900@redhat.com> <5538D07F.9030902@ast.cam.ac.uk> <08A8F66B-D112-4A34-8D92-BDA6A91F7C48@nixtra.com>
Message-ID: <553FFE67.2080607@ast.cam.ac.uk>

Siggi

Thanks for the reminder.
I did see these a while ago - I've seen so much in so many places and became rapidly confused, because I don't have much ldap or ipa experience.

I'll review your instructions and see how they fit with the Solaris 11 instructions from the mailing list that I found and try to distil a page with appropriate attributions when I've implemented something that works.

Roderick

On 28/04/2015 19:24, Sigbjorn Lie wrote:
> Hi,
>
> I wrote these bugzilla entries based on my own Solaris 10 configuration for IPA a while back. Did you try these? They include a working DUA profile (need to change server names of course) and the steps I did for configuring Solaris 10 as an IPA client.
>
> Config:
> https://bugzilla.redhat.com/show_bug.cgi?id=815533
>
> Dua Profile:
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
>
> The attribute mapping I suggested was for auto.master only. The example dua profile above has this mapping. You may see here for a further explanation:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00317.html
>
> Regards,
> Siggi
>
>> On 23 Apr 2015, at 12:59, Roderick Johnstone wrote:
>>
>> On 23/04/15 04:25, Rob Crittenden wrote:
>>> Roderick Johnstone wrote:
>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>> Hi
>>>>>>
>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>
>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat manuals, various bug trackers and the freeipa-users mailing list
>>>>>>
>>>>>> It looks to me as if this:
>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>
>>>>>> might be the best guide available, although I'm not sure what changes I might need to make because I'm actually on Solaris 10 rather than 11.
>>>>>>
>>>>>> Can anyone advise please?
>>>>>>
>>>>>> There is a comment in the above post:
>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and NOT auto.* so they are compatible with Solaris name standards."
>>>>>>
>>>>>> My automount maps are already called eg auto.master, auto.home on my ipa server and I'm sure I've seen a post somewhere suggesting an attributeMap can fix this issue, but I can't find it now, so maybe I am mistaken.
>>>>>>
>>>>>> Am I on the right track? Is anyone familiar with that fix?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Roderick Johnstone
>>>>>>
>>>>> We are not strong in Solaris so you really need to search user archives or wait for someone who accomplished Solaris integration to chime in here on the list.
>>>>>
>>>>
>>>> Dmitri
>>>>
>>>> I had gathered that from previous postings to the list and was indeed hoping that one of the Solaris experts might comment.
>>>>
>>>> By the way, there are various suggestions on the list of putting the best Solaris instructions on the wiki. Is that still a possibility? I'd be happy to help, but I'm not experienced with connecting Solaris to ipa yet!
>>>>
>>>> Roderick
>>>>
>>>
>>> A few weeks back I added what I thought were the most relevant threads and pointers. The mailing list thread you refer to was converted into some documentation bugs and tickets. I referenced those at
>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>
>>> If there is anything I can improve here just let me know.
>>
>> Rob
>>
>> This page has expanded since I was searching a few weeks ago. Thanks for that. I understand that the project has no direct Solaris expertise.
>>
>> There are some things that could be made easier to follow and others that seem inconsistent with the mailing list thread that I found. Maybe some are just different ways of doing the same thing.
>>
>> I started to point out some differences in this email, but it's probably best if I go through the mailing list link that I found and the web page you referenced, systematically, and list what the differences are. I'll be in touch when I have done that.
>>
>> In the meantime I noticed a few small html link issues on the web page you referenced...
>>
>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication, the link to the reference files in /var/ldap (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), for me, resolves to the top level "Open Source Community page" http://community.redhat.com/software/. I do however see the files correctly linked from the section "Client Configuration Files" at the bottom of the page.
>>
>> 2) There is the same issue for the links to the nsswitch.conf and pam.conf files linked in items 2 and 4 below the above - sorry, it's hard to describe well where these links are.
>>
>> And it would be good if the patch ("Patch to update Solaris documentation") that is referred to in Solaris 8/9/10 / Additional resources could be applied to the original document and the patched document made available, or at least the information in it.
>>
>> Thanks
>>
>> Roderick
>>
>>> rob
>>>
>>
>

From raubvogel at gmail.com Tue Apr 28 21:43:36 2015
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Tue, 28 Apr 2015 23:43:36 +0200
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To: <553FFBFE.1020208@redhat.com>
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com>
Message-ID:

On Apr 28, 2015 11:33 PM, "Dmitri Pal" wrote:
>
> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>
>> HI All
>>
>> I have just tested with the FreeIPA Web UI public demo
>> https://ipa.demo1.freeipa.org/ipa/ui/
>>
>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>
>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>
>> still confused ...
>
> Do you have a kerberos ticket on your local system?
> Do klist.
> See which tickets you have.
> If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with the public demo.
>

I think the use case Chris is alluding to is
1. Login to your desktop as you
2. Login then to the IPA server as an admin user that has nothing to do with your everyday user account.
3.
Rinse and repeat

>>
>> Chris
>>
>> From: Dmitri Pal
>> To: freeipa-users at redhat.com
>> Date: 27.04.2015 21:31
>> Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
>> Sent by: freeipa-users-bounces at redhat.com
>>
>> On 04/27/2015 12:39 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> When I use the logout dropdown of the WebUI (top righthand corner of the screen), it logs me out, then immediately reloads and logs me right back in again to the Users screen.
>>>
>>> This prevents me from logging in with a different user.
>>>
>>> The FreeIPA Server is 4.1.0 on OEL 7.5.
>>>
>>> I am using the Web UI from an OSX workstation (Firefox and Safari).
>>>
>>> We did not have this behaviour with FreeIPA 3.0.0
>>>
>>> Thanks for your help
>>>
>>> Chris
>>>
>> Try kdestroy and then logout.
>> I am not sure it worked differently in 3.0; maybe you tried 3.0 when your Kerberos ticket had already expired.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
From dpal at redhat.com Tue Apr 28 21:53:23 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 28 Apr 2015 17:53:23 -0400
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To: <553FFE26.20006@redhat.com>
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com>
Message-ID: <55400153.7020600@redhat.com>

On 04/28/2015 05:39 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>> HI All
>>>
>>> I have just tested with the FreeIPA Web UI public demo
>>> https://ipa.demo1.freeipa.org/ipa/ui/
>>>
>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>
>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>
>>> still confused ...
>> Do you have a kerberos ticket on your local system?
>> Do klist.
>> See which tickets you have.
>> If you have tickets do kdestroy - this will remove the ability to SSO.
>> If you then try to use your IPA server you will have the same experience as with the public demo.
> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>
> rob

Petr can you reproduce this?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From simo at redhat.com Wed Apr 29 01:31:29 2015
From: simo at redhat.com (Simo Sorce)
Date: Tue, 28 Apr 2015 21:31:29 -0400
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To: <55400153.7020600@redhat.com>
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com>
Message-ID: <1430271089.13607.167.camel@willson.usersys.redhat.com>

On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
> >>> HI All
> >>>
> >>> I have just tested with the FreeIPA Web UI public demo
> >>> https://ipa.demo1.freeipa.org/ipa/ui/
> >>>
> >>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
> >>>
> >>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
> >>>
> >>> still confused ...
> >> Do you have a kerberos ticket on your local system?
> >> Do klist.
> >> See which tickets you have.
> >> If you have tickets do kdestroy - this will remove the ability to SSO.
> >> If you then try to use your IPA server you will have the same experience as with the public demo.
> > I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
> >
> > rob
> Petr can you reproduce this?

I've seen this in the past on my own IPA domain at home.

Perhaps what we should do is to have a logout option that says "log in with a different user" and redirect to an anon kerberized page that allows you to do form based login.
This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying their ccache (as that may imply losing access to email, other company websites, etc...). Simo. -- Simo Sorce * Red Hat, Inc * New York From christopher.lamb at ch.ibm.com Wed Apr 29 05:57:48 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 29 Apr 2015 07:57:48 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: <1430271089.13607.167.camel@willson.usersys.redhat.com> References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com> Message-ID: HI Simo, Dmitri, Rob and co. Simo's "log in with a different user" suggestion is pretty much what I was intending. I want to be able to log out of the web ui, then log back in with a different user. e.g. to allow a newly added user to change their password to something secret. On this particular workstation I have no kerberos ticket (double checking with klist at the terminal confirms this). I have not saved the password in Firefox (checking in the settings confirms this). I often have ssh sessions open via terminal to the FreeIPA Server, and even Apache Directory Studio open to browse the LDAP structure and content. I don't see how that can play a role, but I mention it for completeness. 
thanks Chris From: Simo Sorce To: dpal at redhat.com Cc: Rob Crittenden , Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com Date: 29.04.2015 03:31 Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote: > On 04/28/2015 05:39 PM, Rob Crittenden wrote: > > Dmitri Pal wrote: > >> On 04/28/2015 05:11 PM, Christopher Lamb wrote: > >>> HI All > >>> > >>> I have just tested with the FreeIPA Web UI public demo > >>> https://ipa.demo1.freeipa.org/ipa/ui/ > >>> > >>> Using the public demo, when I log out, I get returned to the login > >>> screen, > >>> as expected. This allows me to log in with a different user. > >>> > >>> With our own installation FreeIPA, from exactly the same browser, I get > >>> logged straight back in to the Web UI - which makes logging out > >>> pointless. > >>> > >>> still confused ... > >> Do you have a kerberos ticket on your local system? > >> Do klist. > >> See which tickets you have. > >> If you have tickets do kdestroy - this will remove the ability to SSO. > >> If you then try to use your IPA server you will have the same experience > >> as with public demo. > > I think this is a question for Petr. On logout one should be directed to > > a page that doesn't require auth so it doesn't renegotiate the connection. > > > > rob > Petr can you reproduce this? I've seen this in the past on my own IPA domain at home. Perhaps what we should do is to have a logout option that says "log in with a different user" and redirect to anon kerberized page that allows you to do form based login. This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying their ccache (as that may imply losing access to email, other company websites, etc...). Simo. 
-- Simo Sorce * Red Hat, Inc * New York From mkosek at redhat.com Wed Apr 29 06:49:45 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 08:49:45 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: <55400153.7020600@redhat.com> References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> Message-ID: <55407F09.5000502@redhat.com> On 04/28/2015 11:53 PM, Dmitri Pal wrote: > On 04/28/2015 05:39 PM, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> On 04/28/2015 05:11 PM, Christopher Lamb wrote: >>>> HI All >>>> >>>> I have just tested with the FreeIPA Web UI public demo >>>> https://ipa.demo1.freeipa.org/ipa/ui/ >>>> >>>> Using the public demo, when I log out, I get returned to the login >>>> screen, >>>> as expected. This allows me to log in with a different user. >>>> >>>> With our own installation FreeIPA, from exactly the same browser, I get >>>> logged straight back in to the Web UI - which makes logging out >>>> pointless. >>>> >>>> still confused ... >>> Do you have a kerberos ticket on your local system? >>> Do klist. >>> See which tickets you have. >>> If you have tickets do kdestroy - this will remove the ability to SSO. >>> If you then try to use your IPA server you will have the same experience >>> as with public demo. >> I think this is a question for Petr. On logout one should be directed to >> a page that doesn't require auth so it doesn't renegotiate the connection. >> >> rob > Petr can you reproduce this? CCing Petr, just to be sure he gets the message. From Andy.Thompson at e-tcc.com Wed Apr 29 10:57:45 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 10:57:45 +0000 Subject: [Freeipa-users] allow trust users to login without domain Message-ID: In the environment I'm working on currently we have a single trusted AD domain and will never have any additional domain trusts in place. 
Is there a way to allow users to log in without using @ad_domain in their username? We use DB2 in the environment and it's from the dark ages and doesn't like usernames with more than 8 chars :/ Thanks -andy *** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. *** From mkosek at redhat.com Wed Apr 29 11:05:14 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 13:05:14 +0200 Subject: [Freeipa-users] allow trust users to login without domain In-Reply-To: References: Message-ID: <5540BAEA.1000000@redhat.com> On 04/29/2015 12:57 PM, Andy Thompson wrote: > In the environment I'm working on currently we have a single trusted AD > domain and will never have any additional domain trusts in place. Is there > a way to allow users to login without using @ad_domain in their username? > We use DB2 in the environment and it's from the dark ages and doesn't like > usernames with more than 8 chars :/ > > Thanks > > -andy This looks like a job for the default_domain_suffix option. See "man sssd.conf" for details. Note that after this fix, IPA users would need to log in with a fully qualified user name instead. CCing Jakub for reference. 
From Andy.Thompson at e-tcc.com Wed Apr 29 11:08:16 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 11:08:16 +0000 Subject: [Freeipa-users] allow trust users to login without domain In-Reply-To: <5540BAEA.1000000@redhat.com> References: <5540BAEA.1000000@redhat.com> Message-ID: <3c6835697ed348e79cf5fee93a89e474@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Martin Kosek [mailto:mkosek at redhat.com] > Sent: Wednesday, April 29, 2015 7:05 AM > To: Andy Thompson; freeipa-users at redhat.com; Jakub Hrozek > Subject: Re: [Freeipa-users] allow trust users to login without domain > > On 04/29/2015 12:57 PM, Andy Thompson wrote: > > In the environment I'm working on currently we have a single trusted > > AD domain and will never have any additional domain trusts in place. > > Is there a way to allow users to login without using @ad_domain in their > username? > > We use DB2 in the environment and it's from the dark ages and doesn't > > like usernames with more than 8 chars :/ > > > > Thanks > > > > -andy > > This looks as a job for default_domain_suffix option. See "man sssd.conf" for > details. > > Note that after this fix, IPA users would need to log in with fully qualified > user name instead. CCing Jakub for reference. Perfect. I grepped the man page.. apparently didn't search for the right thing. 
Thanks much -andy From pvoborni at redhat.com Wed Apr 29 11:26:52 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Apr 2015 13:26:52 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: <55400153.7020600@redhat.com> References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> Message-ID: <5540BFFC.9090004@redhat.com> On 04/28/2015 11:53 PM, Dmitri Pal wrote: > On 04/28/2015 05:39 PM, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> On 04/28/2015 05:11 PM, Christopher Lamb wrote: >>>> HI All >>>> >>>> I have just tested with the FreeIPA Web UI public demo >>>> https://ipa.demo1.freeipa.org/ipa/ui/ >>>> >>>> Using the public demo, when I log out, I get returned to the login >>>> screen, >>>> as expected. This allows me to log in with a different user. >>>> >>>> With our own installation FreeIPA, from exactly the same browser, I get >>>> logged straight back in to the Web UI - which makes logging out >>>> pointless. >>>> >>>> still confused ... >>> Do you have a kerberos ticket on your local system? >>> Do klist. >>> See which tickets you have. >>> If you have tickets do kdestroy - this will remove the ability to SSO. >>> If you then try to use your IPA server you will have the same experience >>> as with public demo. >> I think this is a question for Petr. On logout one should be directed to >> a page that doesn't require auth so it doesn't renegotiate the >> connection. >> >> rob > Petr can you reproduce this? > Yes. The user is automatically logged back in if he has a valid Kerberos ticket. The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in. IPA had a logout page but it was removed. One reason was that PatternFly says that when a session expires (which, in a way, is a logout), the user should be presented with a login page. 
As we see, with SSO, the behavior is a little bit different and unexpected. I've created a new ticket: https://fedorahosted.org/freeipa/ticket/5008 -- Petr Vobornik From Andy.Thompson at e-tcc.com Wed Apr 29 11:26:25 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 11:26:25 +0000 Subject: [Freeipa-users] deleting ipa user Message-ID: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt. [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! 
"nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1 [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) Thanks -andy From christopher.lamb at ch.ibm.com Wed Apr 29 11:42:07 2015 From: christopher.lamb at ch.ibm.com (Christopher Lamb) Date: Wed, 29 Apr 2015 13:42:07 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: <5540BFFC.9090004@redhat.com> References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <5540BFFC.9090004@redhat.com> Message-ID: HI Petr thanks. Can you qualify "has a valid Kerberos Ticket"? In my case, my user has a valid ticket on the LDAP server, but not on the OSX workstation from which I am using Firefox / Web UI. Cheers Chris From: Petr Vobornik To: dpal at redhat.com, Rob Crittenden , Christopher Lamb/Switzerland/IBM at IBMCH Cc: freeipa-users at redhat.com Date: 29.04.2015 13:27 Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in On 04/28/2015 11:53 PM, Dmitri Pal wrote: > On 04/28/2015 05:39 PM, Rob Crittenden wrote: >> Dmitri Pal wrote: >>> On 04/28/2015 05:11 PM, Christopher Lamb wrote: >>>> HI All >>>> >>>> I have just tested with the FreeIPA Web UI public demo >>>> https://ipa.demo1.freeipa.org/ipa/ui/ >>>> >>>> Using the public demo, when I log out, I get returned to the login >>>> screen, >>>> as expected. 
This allows me to log in with a different user. >>>> >>>> With our own installation FreeIPA, from exactly the same browser, I get >>>> logged straight back in to the Web UI - which makes logging out >>>> pointless. >>>> >>>> still confused ... >>> Do you have a kerberos ticket on your local system? >>> Do klist. >>> See which tickets you have. >>> If you have tickets do kdestroy - this will remove the ability to SSO. >>> If you then try to use your IPA server you will have the same experience >>> as with public demo. >> I think this is a question for Petr. On logout one should be directed to >> a page that doesn't require auth so it doesn't renegotiate the >> connection. >> >> rob > Petr can you reproduce this? > Yes. User is automatically logged-in back if he has a valid Kerberos ticket. The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in. IPA had a logout page but it was removed. One reason was that PatternFly says that when a session expires(which, in a way, is a logout), user should be presented with a login page. As we see, with SSO, the behavior is a little bit different and unexpected. I've created a new ticket: https://fedorahosted.org/freeipa/ticket/5008 -- Petr Vobornik From pvoborni at redhat.com Wed Apr 29 11:57:51 2015 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Apr 2015 13:57:51 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <5540BFFC.9090004@redhat.com> Message-ID: <5540C73F.3080603@redhat.com> On 04/29/2015 01:42 PM, Christopher Lamb wrote: > HI Petr > > thanks. > > Can you qualify "has a valid Kerberos Ticket"? > > In my case, my user has a valid ticket on the LDAP server, but not on the > OSX workstation from which I am using Firefox / Web UI. 
On the OSX workstation, if the user has a non-expired TGT ticket which could be then used to obtain ticket for principal HTTP/myipa.my.domain at MY.REALM (IPA server API - backend of webui). > > Cheers > > Chris > > > > From: Petr Vobornik > To: dpal at redhat.com, Rob Crittenden , > Christopher Lamb/Switzerland/IBM at IBMCH > Cc: freeipa-users at redhat.com > Date: 29.04.2015 13:27 > Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in > > > > On 04/28/2015 11:53 PM, Dmitri Pal wrote: >> On 04/28/2015 05:39 PM, Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote: >>>>> HI All >>>>> >>>>> I have just tested with the FreeIPA Web UI public demo >>>>> https://ipa.demo1.freeipa.org/ipa/ui/ >>>>> >>>>> Using the public demo, when I log out, I get returned to the login >>>>> screen, >>>>> as expected. This allows me to log in with a different user. >>>>> >>>>> With our own installation FreeIPA, from exactly the same browser, I > get >>>>> logged straight back in to the Web UI - which makes logging out >>>>> pointless. >>>>> >>>>> still confused ... >>>> Do you have a kerberos ticket on your local system? >>>> Do klist. >>>> See which tickets you have. >>>> If you have tickets do kdestroy - this will remove the ability to SSO. >>>> If you then try to use your IPA server you will have the same > experience >>>> as with public demo. >>> I think this is a question for Petr. On logout one should be directed to >>> a page that doesn't require auth so it doesn't renegotiate the >>> connection. >>> >>> rob >> Petr can you reproduce this? >> > > Yes. > > User is automatically logged-in back if he has a valid Kerberos ticket. > > The reason is that after showing the login form, the whole UI is > reloaded in order to forget everything in the app memory. It then > behaves as normal access and SSO kicks in. > > IPA had a logout page but it was removed. 
One reason was that PatternFly > says that when a session expires(which, in a way, is a logout), user > should be presented with a login page. As we see, with SSO, the behavior > is a little bit different and unexpected. > > I've created a new ticket: > > https://fedorahosted.org/freeipa/ticket/5008 > -- > Petr Vobornik > > > > -- Petr Vobornik From mkosek at redhat.com Wed Apr 29 12:31:00 2015 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 29 Apr 2015 14:31:00 +0200 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> Message-ID: <5540CF04.9010300@redhat.com> On 04/29/2015 01:26 PM, Andy Thompson wrote: > I'm trying to delete an IPA account and I get a generic "operations error" when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt. > > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! 
"nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) This is the first time I see this error. CCing Ludwig or Thierry to advise. Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at. Thanks, Martin From pspacek at redhat.com Wed Apr 29 12:36:26 2015 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 29 Apr 2015 14:36:26 +0200 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: <5540BFFC.9090004@redhat.com> References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <5540BFFC.9090004@redhat.com> Message-ID: <5540D04A.3040804@redhat.com> On 29.4.2015 13:26, Petr Vobornik wrote: > On 04/28/2015 11:53 PM, Dmitri Pal wrote: >> On 04/28/2015 05:39 PM, Rob Crittenden wrote: >>> Dmitri Pal wrote: >>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote: >>>>> HI All >>>>> >>>>> I have just tested with the FreeIPA Web UI public demo >>>>> https://ipa.demo1.freeipa.org/ipa/ui/ >>>>> >>>>> Using the public demo, when I log out, I get returned to the login >>>>> screen, >>>>> as expected. This allows me to log in with a different user. >>>>> >>>>> With our own installation FreeIPA, from exactly the same browser, I get >>>>> logged straight back in to the Web UI - which makes logging out >>>>> pointless. >>>>> >>>>> still confused ... >>>> Do you have a kerberos ticket on your local system? >>>> Do klist. >>>> See which tickets you have. >>>> If you have tickets do kdestroy - this will remove the ability to SSO. >>>> If you then try to use your IPA server you will have the same experience >>>> as with public demo. >>> I think this is a question for Petr. 
On logout one should be directed to >>> a page that doesn't require auth so it doesn't renegotiate the >>> connection. >>> >>> rob >> Petr can you reproduce this? >> > > Yes. > > User is automatically logged-in back if he has a valid Kerberos ticket. > > The reason is that after showing the login form, the whole UI is reloaded in > order to forget everything in the app memory. It then behaves as normal access > and SSO kicks in. > > IPA had a logout page but it was removed. One reason was that PatternFly says > that when a session expires(which, in a way, is a logout), user should be > presented with a login page. As we see, with SSO, the behavior is a little bit > different and unexpected. > > I've created a new ticket: > > https://fedorahosted.org/freeipa/ticket/5008 I guess that we could have a cookie with meaning 'auto-login disabled' for this purpose. Maybe it could have very short expiration (1 minute?) so it actually kicks in only for the one attempt. Or it could be automatically removed after each login ... -- Petr^2 Spacek From Andy.Thompson at e-tcc.com Wed Apr 29 12:43:17 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 12:43:17 +0000 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <5540CF04.9010300@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> Message-ID: <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Martin Kosek [mailto:mkosek at redhat.com] > Sent: Wednesday, April 29, 2015 8:31 AM > To: Andy Thompson; freeipa-users at redhat.com; Ludwig Krispenz; Thierry > Bordaz > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 01:26 PM, Andy Thompson wrote: > > I'm trying to delete an IPA account and I get a generic "operations error" > when trying to remove it. It looks like something is messed up with the > group object. 
The user doesn't show up in the ipausers group and there also > isn't a group object for the user in question. Here is the error from the > attempt. > > > > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: > > entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting > > "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" > failed > > (16) > > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: > > entry > > ipaUniqueID=3897c894-e764-11e4-b05b- > 005056a92af3,cn=hbac,dc=domain,dc= > > com: deleting "memberUser: > > uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) > > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a > > tombstone into a tombstone! > > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, > > refcnt: 1 > > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: > > failed to delete managed entry > > (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) > > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a > > tombstone into a tombstone! > > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, > > refcnt: 1 > > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: > > failed to delete managed entry > > (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) > > This is the first time I see this error. CCing Ludwig or Thierry to advise. > > Andy, please also include FreeIPA and 389-ds-base packages versions so that > Thierry and Ludwig know what to look at. 
> Here you go ipa-server-4.1.0-18.el7_1.3.x86_64 389-ds-base-1.3.3.1-15.el7_1.x86_64 Thanks much -andy From tbordaz at redhat.com Wed Apr 29 13:14:19 2015 From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 29 Apr 2015 15:14:19 +0200 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> Message-ID: <5540D92B.5080800@redhat.com> On 04/29/2015 02:43 PM, Andy Thompson wrote: >> -----Original Message----- >> From: Martin Kosek [mailto:mkosek at redhat.com] >> Sent: Wednesday, April 29, 2015 8:31 AM >> To: Andy Thompson; freeipa-users at redhat.com; Ludwig Krispenz; Thierry >> Bordaz >> Subject: Re: [Freeipa-users] deleting ipa user >> >> On 04/29/2015 01:26 PM, Andy Thompson wrote: >>> I'm trying to delete an IPA account and I get a generic "operations error" >> when trying to remove it. It looks like something is messed up with the >> group object. The user doesn't show up in the ipausers group and there also >> isn't a group object for the user in question. Here is the error from the >> attempt. >>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: >>> entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting >>> "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" >> failed >>> (16) >>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: >>> entry >>> ipaUniqueID=3897c894-e764-11e4-b05b- >> 005056a92af3,cn=hbac,dc=domain,dc= >>> com: deleting "memberUser: >>> uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) >>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a >>> tombstone into a tombstone! 
>>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> f0abc1a8,cn=,cn=group >>> s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, >>> refcnt: 1 >>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: >>> failed to delete managed entry >>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) >>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a >>> tombstone into a tombstone! >>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> f0abc1a8,cn=,cn=group >>> s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, >>> refcnt: 1 >>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: >>> failed to delete managed entry >>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) >> This is the first time I see this error. CCing Ludwig or Thierry to advise. >> >> Andy, please also include FreeIPA and 389-ds-base packages versions so that >> Thierry and Ludwig know what to look at. >> > Here you go > > ipa-server-4.1.0-18.el7_1.3.x86_64 > 389-ds-base-1.3.3.1-15.el7_1.x86_64 > > Thanks much > > -andy > > Hello, I wonder if it is not a similar issue to one I hit: https://fedorahosted.org/389/ticket/48165. What differs is the '_update_all_per_mod' logs, but that could be a consequence of the same bug. I have a non-systematic test case for 48165. Is it happening systematically in your case? thanks thierry 
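Returning to the WebUI logout thread above: Petr Vobornik explains that the UI reload after logout behaves like a fresh visit, so a valid TGT logs the user straight back in, and Petr Spacek proposes a short-lived "auto-login disabled" cookie. The following is an added example that is not part of the thread and not FreeIPA's code: a small Python model of a server that sets such a cookie on logout, serves the form login while the cookie is present, and clears it after a successful form login. The cookie names, the `/ipa` path, the 60-second lifetime, the principals, the credentials and the in-memory session table are all assumptions made for the example; real IPA session handling is different.

```python
import secrets

SKIP_SSO_COOKIE = "ipa_skip_sso"   # hypothetical name: "do not try Negotiate on the next load"
SESSION_COOKIE = "ipa_session"     # hypothetical; real IPA session handling differs
SKIP_LIFETIME = 60                 # seconds: enough for the reload, too short to linger
SESSIONS = {}                      # session id -> principal (stand-in for a server-side store)


def _set_cookie(name, value, max_age):
    """Set-Cookie header value with the attributes a login-related cookie should carry."""
    return f"{name}={value}; Max-Age={max_age}; Path=/ipa; Secure; HttpOnly; SameSite=Strict"


def _parse_cookies(header):
    """Request-side Cookie header -> dict of name -> value."""
    jar = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def _new_session(principal):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = principal
    return sid


def ui_entry(cookie_header, browser_has_tgt, tgt_principal=None):
    """Server decision for a load of /ipa/ui/: 'session' (valid session cookie),
    'sso' (Negotiate challenge answered with a ticket) or 'form' (show the login form).
    Returns (mode, principal, set_cookie_headers)."""
    cookies = _parse_cookies(cookie_header)
    sid = cookies.get(SESSION_COOKIE)
    if sid in SESSIONS:
        return "session", SESSIONS[sid], []
    if cookies.get(SKIP_SSO_COOKIE) == "1":
        # Just logged out: do not send the Negotiate challenge even if a TGT is available.
        return "form", None, []
    if browser_has_tgt:
        # The behaviour reported in the thread: reload + valid TGT = logged straight back in.
        return "sso", tgt_principal, [_set_cookie(SESSION_COOKIE, _new_session(tgt_principal), 1200)]
    return "form", None, []


def logout(cookie_header):
    """Destroy the session and arm the skip cookie for the reload that follows."""
    SESSIONS.pop(_parse_cookies(cookie_header).get(SESSION_COOKIE), None)
    return [_set_cookie(SESSION_COOKIE, "", 0), _set_cookie(SKIP_SSO_COOKIE, "1", SKIP_LIFETIME)]


def form_login(username, password, credentials):
    """Form login; on success issue a session and clear the skip cookie so SSO works again."""
    if credentials.get(username) != password:
        return "denied", None, []
    return "session", username, [_set_cookie(SESSION_COOKIE, _new_session(username), 1200),
                                 _set_cookie(SKIP_SSO_COOKIE, "", 0)]


def apply_set_cookie(jar, headers):
    """Browser-side cookie jar update; only name=value and Max-Age=0 deletion are modelled."""
    for h in headers:
        first, *attrs = [p.strip() for p in h.split(";")]
        name, _, value = first.partition("=")
        attrs = dict(a.partition("=")[::2] for a in attrs)
        if attrs.get("Max-Age") == "0":
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def cookie_header(jar):
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def scenario():
    """The situation from the thread: a domain user with a TGT logs out to log in as admin."""
    creds = {"admin": "Secret123"}          # constructed credentials for the example
    user = "cl@EXAMPLE.TEST"                # constructed principal
    jar, trace = {}, []
    mode, who, hdrs = ui_entry(cookie_header(jar), True, user)   # first visit: SSO
    apply_set_cookie(jar, hdrs)
    trace.append((mode, who))
    apply_set_cookie(jar, logout(cookie_header(jar)))            # logout
    mode, who, hdrs = ui_entry(cookie_header(jar), True, user)   # reload, TGT still in ccache
    apply_set_cookie(jar, hdrs)
    trace.append((mode, who))
    mode, who, hdrs = form_login("admin", "Secret123", creds)    # form login as admin
    apply_set_cookie(jar, hdrs)
    trace.append((mode, who))
    mode, who, hdrs = ui_entry(cookie_header(jar), True, user)   # next load: admin session
    trace.append((mode, who))
    apply_set_cookie(jar, logout(cookie_header(jar)))            # logout again ...
    jar.pop(SKIP_SSO_COOKIE)                                     # ... and let the skip cookie expire
    mode, who, hdrs = ui_entry(cookie_header(jar), True, user)   # plain reload: SSO is back
    trace.append((mode, who))
    return trace, jar


if __name__ == "__main__":
    for step in scenario()[0]:
        print(step)
```

The design point is that the cookie only suppresses the Negotiate challenge; it does not touch the user's ccache, which is what Simo's concern about losing access to mail and other SSO sites was about. Keeping the lifetime short means a stale cookie cannot silently disable SSO for long.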
From lists at fahrendorf.de Wed Apr 29 13:17:14 2015 From: lists at fahrendorf.de (Martin (Lists)) Date: Wed, 29 Apr 2015 15:17:14 +0200 Subject: [Freeipa-users] thousands DSRetroclPlugin messages In-Reply-To: <553DE905.3080108@redhat.com> References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> Message-ID: <5540D9DA.9040507@fahrendorf.de> On 27.04.2015 at 09:45, Ludwig Krispenz wrote: > > On 04/26/2015 10:49 AM, Martin (Lists) wrote: > > Hello > > > > after a reboot I get almost a thousand of the following messages: > > > > DSRetroclPlugin - delete_changerecord: could not delete change record > > 128755 (rc: 32) > this message comes from changelog trimming and means that an entry, > which should be purged does not exist (any more). > the retrocl maintains a first/lastchange and trimming starts at > firstchange. if for some reason (race ?) there is an attempt to try to > delete the same entry a second time this message should be logged. > since the changenumbers in the error message increase, I think > changelog trimming moves forward. you could do searches on > "cn=changelog" to verify that trimming works. changelog is part of the ldbm database plugin and contains several pieces of information I don't understand (or only partially understand). What kind of information should I look for? I only have one server running by the way. 
Regards Martin > > From lkrispen at redhat.com Wed Apr 29 13:22:00 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 29 Apr 2015 15:22:00 +0200 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <5540D92B.5080800@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> Message-ID: <5540DAF8.5050202@redhat.com> On 04/29/2015 03:14 PM, thierry bordaz wrote: > On 04/29/2015 02:43 PM, Andy Thompson wrote: >>> -----Original Message----- >>> From: Martin Kosek [mailto:mkosek at redhat.com] >>> Sent: Wednesday, April 29, 2015 8:31 AM >>> To: Andy Thompson;freeipa-users at redhat.com; Ludwig Krispenz; Thierry >>> Bordaz >>> Subject: Re: [Freeipa-users] deleting ipa user >>> >>> On 04/29/2015 01:26 PM, Andy Thompson wrote: >>>> I'm trying to delete an IPA account and I get a generic "operations error" >>> when trying to remove it. It looks like something is messed up with the >>> group object. The user doesn't show up in the ipausers group and there also >>> isn't a group object for the user in question. Here is the error from the >>> attempt. >>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: >>>> entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting >>>> "member: uid=,cn=users,cn=accounts,dc=domain,dc=com" >>> failed >>>> (16) >>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: >>>> entry >>>> ipaUniqueID=3897c894-e764-11e4-b05b- >>> 005056a92af3,cn=hbac,dc=domain,dc= >>>> com: deleting "memberUser: >>>> uid=,cn=users,cn=accounts,dc=domain,dc=com" failed (16) >>>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a >>>> tombstone into a tombstone! 
>>>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >>> f0abc1a8,cn=,cn=group >>>> s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, >>>> refcnt: 1 >>>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: >>>> failed to delete managed entry >>>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) >>>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a >>>> tombstone into a tombstone! >>>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >>> f0abc1a8,cn=,cn=group >>>> s,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, >>>> refcnt: 1 >>>> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: >>>> failed to delete managed entry >>>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - error (1) >>> This is the first time I see this error. CCing Ludwig or Thierry to advise. >>> >>> Andy, please also include FreeIPA and 389-ds-base packages versions so that >>> Thierry and Ludwig know what to look at. >>> >> Here you go >> >> ipa-server-4.1.0-18.el7_1.3.x86_64 >> 389-ds-base-1.3.3.1-15.el7_1.x86_64 >> >> Thanks much >> >> -andy >> >> > Hello, > > I wonder if it is not a similar issue to one I hit: > https://fedorahosted.org/389/ticket/48165. What differs is the > '_update_all_per_mod' logs, but that could be a consequence of the same bug. I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? But maybe only the mep plugin finds a tombstone and tries to delete it. What was the command executed, and is the result the same if repeated? > I have a non-systematic test case for 48165. > Is it happening systematically in your case? > > thanks > thierry 
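As an added example for the log lines in this thread (not 389-ds or FreeIPA code): a small Python parser that pulls the plugin name, the LDAP result code and the DNs out of 389-ds errors-log lines and attaches the reading Ludwig gives above. Result code 16 is noSuchAttribute, so the referint plugin found no member value to remove (consistent with the user already being absent from ipausers); the ldbm_back_delete line is a delete issued against a tombstone, that is, an entry that is already deleted. The sample lines are constructed to mirror the ones quoted here; the DNs, the ipaUniqueID and the nsuniqueid are made up, and the hints are triage heuristics, not a diagnosis.

```python
import re
from collections import Counter

# Constructed sample mirroring the errors-log lines quoted in this thread; not real server output.
SAMPLE_ERRORS_LOG = """\
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com: deleting "member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=11111111-2222-3333-4444-555555555555,cn=hbac,dc=example,dc=com: deleting "memberUser: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=0a0a0a0a-0b0b0b0b-0c0c0c0c-0d0d0d0d,cn=jdoe,cn=groups,cn=accounts,dc=example,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=jdoe,cn=groups,cn=accounts,dc=example,dc=com) - error (1)
"""

# LDAP result codes (RFC 4511) that show up in these messages.
LDAP_RESULT_CODES = {0: "success", 1: "operationsError", 16: "noSuchAttribute",
                     32: "noSuchObject", 50: "insufficientAccessRights", 68: "entryAlreadyExists"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<component>\S+) - (?P<msg>.*)$")
CODE_RE = re.compile(r"(?:failed|error) \((\d+)\)|rc: (\d+)")
# A DN as 389-ds prints it: one or more leading RDNs, then the dc= suffix.
DN_RE = re.compile(r'(?:(?:uid|cn|nsuniqueid|ipauniqueid)=[^,"()]+,)+dc=[^",()\s:]+(?:,dc=[^",()\s:]+)*',
                   re.IGNORECASE)


def explain(rec):
    """Heuristic reading of a message, following the reasoning in this thread."""
    comp, code = rec["component"], rec["code"]
    if rec["tombstone"]:
        return "delete issued against an entry that is already a tombstone (already deleted)"
    if comp == "referint-plugin" and code == 16:
        return "referential-integrity cleanup found no such member value; the user is already absent from this entry"
    if comp == "managed-entries-plugin" and code == 1:
        return "managed (private) group could not be deleted; check whether it is already a tombstone"
    return "no specific hint"


def parse_line(line):
    """Split one errors-log line into timestamp, component (plugin/backend) and message,
    then extract the result code, any DNs and whether a tombstone was the target."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    code = CODE_RE.search(rec["msg"])
    rec["code"] = int(next(g for g in code.groups() if g)) if code else None
    rec["code_name"] = LDAP_RESULT_CODES.get(rec["code"], "unknown") if code else None
    rec["dns"] = DN_RE.findall(rec["msg"])
    rec["tombstone"] = "tombstone into a tombstone" in rec["msg"]
    rec["hint"] = explain(rec)
    return rec


def triage(log_text):
    """Parse every line of an errors-log excerpt; returns records in log order."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def summarize(events):
    """Messages per component: the quickest way to see which plugin is complaining."""
    return Counter(e["component"] for e in events)


if __name__ == "__main__":
    for e in triage(SAMPLE_ERRORS_LOG):
        print(f'{e["component"]:24} code={e["code"]!s:5} {e["hint"]}')
```

Run against a real errors log, the per-component counts and the repeated DN answer Ludwig's question of whether the same delete is being re-issued: identical records on every attempt point at a leftover tombstone rather than a transient race.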
URL:

From lkrispen at redhat.com Wed Apr 29 13:43:03 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 15:43:03 +0200
Subject: [Freeipa-users] thousands DSRetroclPlugin mesages
In-Reply-To: <5540D9DA.9040507@fahrendorf.de>
References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> <5540D9DA.9040507@fahrendorf.de>
Message-ID: <5540DFE7.9030208@redhat.com>

On 04/29/2015 03:17 PM, Martin (Lists) wrote:
> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
>>> Hello
>>>
>>> after a reboot I get almost a thousand of the following messages:
>>>
>>> DSRetroclPlugin - delete_changerecord: could not delete change record
>>> 128755 (rc: 32)
>> this message comes from changelog trimming and means that an entry,
>> which should be purged does not exist (any more).
>> the retrocl maintains a first/lastchange and trimming starts at
>> firstchange. if for some reason (race ?) there is an attempt to try to
>> delete the same entry a second time this message should be logged.
>> since the changenumbers in the error message increases, I think
>> changelog trimming moves forward. you could do searches on
>> "cn=changelog" to verify that trimming works.
> changelog is part of the ldbm database plugin and contains several
> pieces of information I don't understand (or understand partially). What kind of
> information should I look for?

the changelog keeps track of the changes applied to the database, a typical entry looks like:

dn: changenumber=4,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 4
targetDn: cn=tuser,ou=people,dc=example,dc=com
changeTime: 20140411093444Z
changeType: delete

each entry gets a DN made up from the changenumber, so your entries will be named:

....
dn: changenumber=61,cn=changelog
dn: changenumber=62,cn=changelog
dn: changenumber=63,cn=changelog
dn: changenumber=64,cn=changelog
....
changenumbers start and are always incremented, changelog trimming removes old entries (depending on config). so if you do a search like:

ldapsearch .................. -b "cn=changelog"

the changenumber of the first entry returned should always increase, indicating that trimming works.

you said "thousands" of messages, how frequent are they really ?

>
> I only have one server running by the way.
>
> Regards
> Martin

From Andy.Thompson at e-tcc.com Wed Apr 29 13:40:42 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 13:40:42 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5540DAF8.5050202@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com>
Message-ID: <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 29, 2015 9:22 AM
> To: thierry bordaz
> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
>
> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>
>
> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Wednesday, April 29, 2015 8:31 AM
> To: Andy Thompson; freeipa-users at redhat.com
> ; Ludwig Krispenz; Thierry
> Bordaz
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>
> I'm trying to delete an IPA account and I get a
> generic "operations error"
>
> when trying to remove it. It looks like something is
> messed up with the
> group object. The user doesn't show up in the
> ipausers group and there also
> isn't a group object for the user in question. Here is
> the error from the
> attempt.
> > [29/Apr/2015:07:21:32 -0400] referint-plugin - > _update_all_per_mod: > entry > cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting > "member: > uid=,cn=users,cn=accounts,dc=domain,dc=com" > > failed > > (16) > [29/Apr/2015:07:21:32 -0400] referint-plugin - > _update_all_per_mod: > entry > ipaUniqueID=3897c894-e764-11e4-b05b- > > 005056a92af3,cn=hbac,dc=domain,dc= > > com: deleting "memberUser: > > uid=,cn=users,cn=accounts,dc=domain,dc=com" failed > (16) > [29/Apr/2015:07:21:32 -0400] > ldbm_back_delete - conn=0 op=0 Turning a > tombstone into a tombstone! > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: > 0x7fcc84226070, cache_state: 0x0, > refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - mep_del_post_op: > failed to delete managed entry > > (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > [29/Apr/2015:07:21:32 -0400] > ldbm_back_delete - conn=0 op=0 Turning a > tombstone into a tombstone! > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: > 0x7fcc84226070, cache_state: 0x0, > refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - mep_del_post_op: > failed to delete managed entry > > (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > > This is the first time I see this error. CCing Ludwig or > Thierry to advise. > > Andy, please also include FreeIPA and 389-ds-base > packages versions so that > Thierry and Ludwig know what to look at. > > > Here you go > > ipa-server-4.1.0-18.el7_1.3.x86_64 > 389-ds-base-1.3.3.1-15.el7_1.x86_64 > > Thanks much > > -andy > > > > Hello, > > I wonder it is not a similar issue I hit > https://fedorahosted.org/389/ticket/48165. What differs is > '_update_all_per_mod' logs but could be a consequence of the same bug. 
> > > I think what differs taht in the ticket there is an attempt to delete an existng > entry, but in the log snippet provided it attempts to delete a tombstone > entry (an entry which was already deleted). > So the errors logged by DS seem to be ok, but why does IPA want to delete > an already deleted user ? but mybe only the mep plugin finds a tombstone > and tries to delete it. > > What was the command executed, is the result the same if repeated ? > > I attempted using the web interface initially and then tried using ipa user-del to see if it gave any more detail. More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the logs there first. I see this in the logs on the replica [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later. -andy From simo at redhat.com Wed Apr 29 13:58:56 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 29 Apr 2015 09:58:56 -0400 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com> Message-ID: <1430315936.22966.0.camel@willson.usersys.redhat.com> On Wed, 2015-04-29 at 07:57 +0200, Christopher Lamb wrote: > HI Simo, Dmitiri, Rob and co. > > Simos "log in with a different user" suggestion is pretty much what I was > intending. I want to be able to log out of the web ui, then log back in > with a different user. e.g. to allow a newly added user to change their > password to something secret. Can you open a RFE ticket about this ? 
We should track it. Thanks, Simo. > On this particular workstation I have no kerberos ticket (double checking > with klist at the terminal confirms this). I have not saved the password in > Firefox (checking in the settings confirms this). > > I often have ssh sessons open via terminal to the FreeIPA Server, and even > Apache Directory Studio open to browse the LDAP structure and content. I > don't see how that can play a role, but I mention it for completeness. > > thanks > > Chris > > > > From: Simo Sorce > To: dpal at redhat.com > Cc: Rob Crittenden , Christopher > Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com > Date: 29.04.2015 03:31 > Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in > > > > On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote: > > On 04/28/2015 05:39 PM, Rob Crittenden wrote: > > > Dmitri Pal wrote: > > >> On 04/28/2015 05:11 PM, Christopher Lamb wrote: > > >>> HI All > > >>> > > >>> I have just tested with the FreeIPA Web UI public demo > > >>> https://ipa.demo1.freeipa.org/ipa/ui/ > > >>> > > >>> Using the public demo, when I log out, I get returned to the login > > >>> screen, > > >>> as expected. This allows me to log in with a different user. > > >>> > > >>> With our own installation FreeIPA, from exactly the same browser, I > get > > >>> logged straight back in to the Web UI - which makes logging out > > >>> pointless. > > >>> > > >>> still confused ... > > >> Do you have a kerberos ticket on your local system? > > >> Do klist. > > >> See which tickets you have. > > >> If you have tickets do kdestroy - this will remove the ability to SSO. > > >> If you then try to use your IPA server you will have the same > experience > > >> as with public demo. > > > I think this is a question for Petr. On logout one should be directed > to > > > a page that doesn't require auth so it doesn't renegotiate the > connection. > > > > > > rob > > Petr can you reproduce this? 
> > I've seen this in the past on my own IPA domain at home. > Perhaps what we should do is to have a logout option that says "log in > with a different user" and redirect to anon kerberized page that allows > you to do form based login. > > This would address the case where a domain user wants to log in as admin > w/o exiting their user session or destroying there ccache (as that may > imply loosing access to email, other company websites, etc...). > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > > > -- Simo Sorce * Red Hat, Inc * New York From lkrispen at redhat.com Wed Apr 29 14:07:20 2015 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 29 Apr 2015 16:07:20 +0200 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> Message-ID: <5540E598.8000902@redhat.com> On 04/29/2015 03:40 PM, Andy Thompson wrote: >> -----Original Message----- >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com] >> Sent: Wednesday, April 29, 2015 9:22 AM >> To: thierry bordaz >> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] deleting ipa user >> >> >> On 04/29/2015 03:14 PM, thierry bordaz wrote: >> >> >> On 04/29/2015 02:43 PM, Andy Thompson wrote: >> >> >> -----Original Message----- >> From: Martin Kosek [mailto:mkosek at redhat.com] >> Sent: Wednesday, April 29, 2015 8:31 AM >> To: Andy Thompson; freeipa-users at redhat.com >> ; Ludwig Krispenz; Thierry >> Bordaz >> Subject: Re: [Freeipa-users] deleting ipa user >> >> On 04/29/2015 01:26 PM, Andy Thompson wrote: >> >> I'm trying to delete an IPA account and I get a >> generic "operations error" >> >> when trying to remove it. 
It looks like something is >> messed up with the >> group object. The user doesn't show up in the >> ipausers group and there also >> isn't a group object for the user in question. Here is >> the error from the >> attempt. >> >> [29/Apr/2015:07:21:32 -0400] referint-plugin - >> _update_all_per_mod: >> entry >> cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting >> "member: >> uid=,cn=users,cn=accounts,dc=domain,dc=com" >> >> failed >> >> (16) >> [29/Apr/2015:07:21:32 -0400] referint-plugin - >> _update_all_per_mod: >> entry >> ipaUniqueID=3897c894-e764-11e4-b05b- >> >> 005056a92af3,cn=hbac,dc=domain,dc= >> >> com: deleting "memberUser: >> >> uid=,cn=users,cn=accounts,dc=domain,dc=com" failed >> (16) >> [29/Apr/2015:07:21:32 -0400] >> ldbm_back_delete - conn=0 op=0 Turning a >> tombstone into a tombstone! >> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> >> f0abc1a8,cn=,cn=group >> >> s,cn=accounts,dc=domain,dc=com"; e: >> 0x7fcc84226070, cache_state: 0x0, >> refcnt: 1 >> [29/Apr/2015:07:21:32 -0400] managed- >> entries-plugin - mep_del_post_op: >> failed to delete managed entry >> >> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - >> error (1) >> [29/Apr/2015:07:21:32 -0400] >> ldbm_back_delete - conn=0 op=0 Turning a >> tombstone into a tombstone! >> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> >> f0abc1a8,cn=,cn=group >> >> s,cn=accounts,dc=domain,dc=com"; e: >> 0x7fcc84226070, cache_state: 0x0, >> refcnt: 1 >> [29/Apr/2015:07:21:32 -0400] managed- >> entries-plugin - mep_del_post_op: >> failed to delete managed entry >> >> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - >> error (1) >> >> This is the first time I see this error. CCing Ludwig or >> Thierry to advise. >> >> Andy, please also include FreeIPA and 389-ds-base >> packages versions so that >> Thierry and Ludwig know what to look at. 
>> >> >> Here you go >> >> ipa-server-4.1.0-18.el7_1.3.x86_64 >> 389-ds-base-1.3.3.1-15.el7_1.x86_64 >> >> Thanks much >> >> -andy >> >> >> >> Hello, >> >> I wonder it is not a similar issue I hit >> https://fedorahosted.org/389/ticket/48165. What differs is >> '_update_all_per_mod' logs but could be a consequence of the same bug. >> >> >> I think what differs taht in the ticket there is an attempt to delete an existng >> entry, but in the log snippet provided it attempts to delete a tombstone >> entry (an entry which was already deleted). >> So the errors logged by DS seem to be ok, but why does IPA want to delete >> an already deleted user ? but mybe only the mep plugin finds a tombstone >> and tries to delete it. >> >> What was the command executed, is the result the same if repeated ? >> >> > I attempted using the web interface initially > and then tried using ipa user-del to see if it gave any more detail. were both attempts at 2015:07:21:32 ? or do you have more errors in the error log ? > > More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the logs there first. well, if you cannot delete on one server, but do it on the other this looks like servers were not consistent before > I see this in the logs on the replica > > [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later. now the replica tries to replicate the delete and has the same failures as your direct delete. Do you have other replicas ? Is the delete replicated to other replicas ? 
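Reading the two diagnoses in this thread together (the direct delete fails because the managed group entry is already a tombstone, and the replica then fails to replay that same delete), the following is an added example, not code from this thread and not part of 389-ds or FreeIPA. It parses errors-log lines in the "[timestamp] plugin - message" format quoted above and groups them by nsuniqueid, so that a delete that is stuck between replicas shows up as one unique id that fails both as a direct delete and in a replication agreement. The sample log is constructed from the lines quoted in this thread: the unique id and CSN are the ones that appear above, while the host name, user name and agreement name are placeholders, and the result-code names come from the LDAP result codes in RFC 4511.

```python
import re
from collections import defaultdict

# Added example, not code from this thread, 389-ds or FreeIPA.
# Parses 389-ds errors-log lines of the form quoted in the thread,
#   [dd/Mon/yyyy:HH:MM:SS zone] <plugin> - <message>
# and correlates delete failures with replication replay failures that
# carry the same nsuniqueid, so a delete that is "stuck" between
# replicas can be spotted in one pass over the log.

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<plugin>\S+)\s+-\s+(?P<msg>.*)$")
# "nsuniqueid=<id>" inside a tombstone DN, or "(uniqueid <id>, CSN ...)"
# in a replication message; 389-ds unique ids are four 8-hex-digit groups.
UNIQUEID_RE = re.compile(r"(?:nsuniqueid=|uniqueid\s+)([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{8}){3})")
AGMT_RE = re.compile(r'agmt="([^"]+)"')
# trailing result codes: 'failed (16)', '- error (1)', '(rc: 32)'
RC_RE = re.compile(r"\((?:rc:\s*)?(\d+)\)")

# LDAP result codes (RFC 4511) that appear in this thread
LDAP_RESULT = {1: "operationsError", 16: "noSuchAttribute", 32: "noSuchObject"}


def classify(plugin, msg):
    """Map a log message to the failure class it reports."""
    if "Turning a tombstone into a tombstone" in msg:
        return "delete_of_tombstone"        # entry was already deleted
    if "failed to replay change" in msg:
        return "replay_failure"             # consumer rejected a replicated op
    if plugin == "managed-entries-plugin" and "failed to delete managed entry" in msg:
        return "mep_delete_failed"
    if plugin == "referint-plugin" and "failed" in msg:
        return "referint_update_failed"
    if plugin == "DSRetroclPlugin" and "could not delete change record" in msg:
        return "changelog_trim_miss"
    return "other"


def parse_line(line):
    """Return a dict describing one errors-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    plugin, msg = m.group("plugin"), m.group("msg")
    ids = UNIQUEID_RE.findall(msg)
    agmt = AGMT_RE.search(msg)
    codes = RC_RE.findall(msg)
    rc = int(codes[-1]) if codes else None
    return {
        "ts": m.group("ts"),
        "plugin": plugin,
        "msg": msg,
        "kind": classify(plugin, msg),
        "uniqueid": ids[0].lower() if ids else None,
        "agmt": agmt.group(1) if agmt else None,
        "rc": rc,
        "rc_name": LDAP_RESULT.get(rc, "unknown") if rc is not None else None,
    }


def correlate(log_text):
    """Group parsed events by nsuniqueid (events without an id are dropped)."""
    by_id = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["uniqueid"]:
            by_id[ev["uniqueid"]].append(ev)
    return dict(by_id)


def stuck_deletes(log_text):
    """Unique ids that fail as a direct delete (already a tombstone) and also
    fail to replay through a replication agreement."""
    stuck = []
    for uid, events in sorted(correlate(log_text).items()):
        kinds = {ev["kind"] for ev in events}
        if {"delete_of_tombstone", "replay_failure"} <= kinds:
            stuck.append({
                "uniqueid": uid,
                "agreements": sorted({ev["agmt"] for ev in events if ev["agmt"]}),
                "kinds": sorted(kinds),
            })
    return stuck


# Constructed sample: the line formats, unique id and CSN are the ones quoted
# in this thread; host, user and agreement names are placeholders.
SAMPLE_LOG = """\
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test: deleting "member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test" failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=jdoe,cn=groups,cn=accounts,dc=example,dc=test"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=jdoe,cn=groups,cn=accounts,dc=example,dc=test) - error (1)
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meToipa01.example.test" (ipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
[29/Apr/2015:09:36:01 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        print(f"{ev['ts']}  {ev['kind']:24} rc={ev['rc']} ({ev['rc_name']})  id={ev['uniqueid']}")
    for item in stuck_deletes(SAMPLE_LOG):
        print("stuck delete:", item["uniqueid"], "via", ", ".join(item["agreements"]))
```

Run against a real errors log (for example by reading /var/log/dirsrv/slapd-INSTANCE/errors into `stuck_deletes`), an id listed as stuck is one to check with Ludwig's tombstone search on every replica: the server where the direct delete failed already holds the tombstone, and the agreement named in the output is the one that keeps retrying the same change.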
> > -andy From Andy.Thompson at e-tcc.com Wed Apr 29 14:14:24 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 14:14:24 +0000 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <5540E598.8000902@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> Message-ID: <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: Ludwig Krispenz [mailto:lkrispen at redhat.com] > Sent: Wednesday, April 29, 2015 10:07 AM > To: Andy Thompson > Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 03:40 PM, Andy Thompson wrote: > >> -----Original Message----- > >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com] > >> Sent: Wednesday, April 29, 2015 9:22 AM > >> To: thierry bordaz > >> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com > >> Subject: Re: [Freeipa-users] deleting ipa user > >> > >> > >> On 04/29/2015 03:14 PM, thierry bordaz wrote: > >> > >> > >> On 04/29/2015 02:43 PM, Andy Thompson wrote: > >> > >> > >> -----Original Message----- > >> From: Martin Kosek [mailto:mkosek at redhat.com] > >> Sent: Wednesday, April 29, 2015 8:31 AM > >> To: Andy Thompson; freeipa-users at redhat.com > >> ; Ludwig Krispenz; Thierry > >> Bordaz > >> Subject: Re: [Freeipa-users] deleting ipa user > >> > >> On 04/29/2015 01:26 PM, Andy Thompson wrote: > >> > >> I'm trying to delete an IPA account and I get a > generic > >> "operations error" > >> > >> when trying to remove it. It looks like something is > messed up > >> with the > >> group object. The user doesn't show up in the > ipausers group and > >> there also > >> isn't a group object for the user in question. 
Here is > the error > >> from the > >> attempt. > >> > >> [29/Apr/2015:07:21:32 -0400] referint-plugin - > >> _update_all_per_mod: > >> entry > >> cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting > >> "member: > >> uid=,cn=users,cn=accounts,dc=domain,dc=com" > >> > >> failed > >> > >> (16) > >> [29/Apr/2015:07:21:32 -0400] referint-plugin - > >> _update_all_per_mod: > >> entry > >> ipaUniqueID=3897c894-e764-11e4-b05b- > >> > >> 005056a92af3,cn=hbac,dc=domain,dc= > >> > >> com: deleting "memberUser: > >> > >> uid=,cn=users,cn=accounts,dc=domain,dc=com" failed > >> (16) > >> [29/Apr/2015:07:21:32 -0400] > >> ldbm_back_delete - conn=0 op=0 Turning a > >> tombstone into a tombstone! > >> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > >> > >> f0abc1a8,cn=,cn=group > >> > >> s,cn=accounts,dc=domain,dc=com"; e: > >> 0x7fcc84226070, cache_state: 0x0, > >> refcnt: 1 > >> [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - > >> mep_del_post_op: > >> failed to delete managed entry > >> > >> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > >> [29/Apr/2015:07:21:32 -0400] > >> ldbm_back_delete - conn=0 op=0 Turning a > >> tombstone into a tombstone! > >> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > >> > >> f0abc1a8,cn=,cn=group > >> > >> s,cn=accounts,dc=domain,dc=com"; e: > >> 0x7fcc84226070, cache_state: 0x0, > >> refcnt: 1 > >> [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - > >> mep_del_post_op: > >> failed to delete managed entry > >> > >> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > >> > >> This is the first time I see this error. CCing Ludwig or > Thierry > >> to advise. > >> > >> Andy, please also include FreeIPA and 389-ds-base > packages > >> versions so that > >> Thierry and Ludwig know what to look at. 
> >> > >> > >> Here you go > >> > >> ipa-server-4.1.0-18.el7_1.3.x86_64 > >> 389-ds-base-1.3.3.1-15.el7_1.x86_64 > >> > >> Thanks much > >> > >> -andy > >> > >> > >> > >> Hello, > >> > >> I wonder it is not a similar issue I hit > >> https://fedorahosted.org/389/ticket/48165. What differs is > >> '_update_all_per_mod' logs but could be a consequence of the same bug. > >> > >> > >> I think what differs taht in the ticket there is an attempt to delete > >> an existng entry, but in the log snippet provided it attempts to > >> delete a tombstone entry (an entry which was already deleted). > >> So the errors logged by DS seem to be ok, but why does IPA want to > >> delete an already deleted user ? but mybe only the mep plugin finds a > >> tombstone and tries to delete it. > >> > >> What was the command executed, is the result the same if repeated ? > >> > >> > > I attempted using the web interface initially > > and then tried using ipa user-del to see if it gave any more > detail. > were both attempts at 2015:07:21:32 ? or do you have more errors in the > error log ? I had errors from the other delete attempts but they were the same errors at different times. I can send my entire log to you offline if it would be helpful. > > > > More info though, this is a replicated environment and I just tried deleting > it on the replica server and it completed successfully so it appears I might > have a replication issue going on? Hopefully I didn't mess something up > doing that, should have checked the logs there first. > well, if you cannot delete on one server, but do it on the other this looks like > servers were not consistent before > > I see this in the logs on the replica > > > > [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - > agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer > failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, > CSN 5540deb8000300030000): Operations error (1). Will retry later. 
> now the replica tries to replicate the delete and has the same failures as your
> direct delete. Do you have other replicas ? Is the delete replicated to other
> replicas ?

I've got two replicas. The initial error was on the first replica server I installed. I do not see the same error on the replica server. I was able to delete the user on the second replica using ipa user-del but now the "failed to replay" error above is cycling in the logs on the second replica. So it seems that the replica I tried to delete the user on initially is still trying to send a delete event to the second replica server and it is failing because the object is indeed gone from that replica since the delete completed successfully.

-andy

From lkrispen at redhat.com Wed Apr 29 14:28:01 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 16:28:01 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local>
Message-ID: <5540EA71.3070602@redhat.com>

can you do the following search on both servers ?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx....
" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass > >> -----Original Message----- >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com] >> Sent: Wednesday, April 29, 2015 10:07 AM >> To: Andy Thompson >> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] deleting ipa user >> >> >> On 04/29/2015 03:40 PM, Andy Thompson wrote: >>>> -----Original Message----- >>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com] >>>> Sent: Wednesday, April 29, 2015 9:22 AM >>>> To: thierry bordaz >>>> Cc: Andy Thompson; Martin Kosek; freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] deleting ipa user >>>> >>>> >>>> On 04/29/2015 03:14 PM, thierry bordaz wrote: >>>> >>>> >>>> On 04/29/2015 02:43 PM, Andy Thompson wrote: >>>> >>>> >>>> -----Original Message----- >>>> From: Martin Kosek [mailto:mkosek at redhat.com] >>>> Sent: Wednesday, April 29, 2015 8:31 AM >>>> To: Andy Thompson; freeipa-users at redhat.com >>>> ; Ludwig Krispenz; Thierry >>>> Bordaz >>>> Subject: Re: [Freeipa-users] deleting ipa user >>>> >>>> On 04/29/2015 01:26 PM, Andy Thompson wrote: >>>> >>>> I'm trying to delete an IPA account and I get a >> generic >>>> "operations error" >>>> >>>> when trying to remove it. It looks like something is >> messed up >>>> with the >>>> group object. The user doesn't show up in the >> ipausers group and >>>> there also >>>> isn't a group object for the user in question. Here is >> the error >>>> from the >>>> attempt. 
>>>> >>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - >>>> _update_all_per_mod: >>>> entry >>>> cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting >>>> "member: >>>> uid=,cn=users,cn=accounts,dc=domain,dc=com" >>>> >>>> failed >>>> >>>> (16) >>>> [29/Apr/2015:07:21:32 -0400] referint-plugin - >>>> _update_all_per_mod: >>>> entry >>>> ipaUniqueID=3897c894-e764-11e4-b05b- >>>> >>>> 005056a92af3,cn=hbac,dc=domain,dc= >>>> >>>> com: deleting "memberUser: >>>> >>>> uid=,cn=users,cn=accounts,dc=domain,dc=com" failed >>>> (16) >>>> [29/Apr/2015:07:21:32 -0400] >>>> ldbm_back_delete - conn=0 op=0 Turning a >>>> tombstone into a tombstone! >>>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >>>> >>>> f0abc1a8,cn=,cn=group >>>> >>>> s,cn=accounts,dc=domain,dc=com"; e: >>>> 0x7fcc84226070, cache_state: 0x0, >>>> refcnt: 1 >>>> [29/Apr/2015:07:21:32 -0400] managed- >> entries-plugin - >>>> mep_del_post_op: >>>> failed to delete managed entry >>>> >>>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - >> error (1) >>>> [29/Apr/2015:07:21:32 -0400] >>>> ldbm_back_delete - conn=0 op=0 Turning a >>>> tombstone into a tombstone! >>>> "nsuniqueid=7e1a1f87-e82611e4-99f1b343- >>>> >>>> f0abc1a8,cn=,cn=group >>>> >>>> s,cn=accounts,dc=domain,dc=com"; e: >>>> 0x7fcc84226070, cache_state: 0x0, >>>> refcnt: 1 >>>> [29/Apr/2015:07:21:32 -0400] managed- >> entries-plugin - >>>> mep_del_post_op: >>>> failed to delete managed entry >>>> >>>> (cn=,cn=groups,cn=accounts,dc=domain,dc=com) - >> error (1) >>>> This is the first time I see this error. CCing Ludwig or >> Thierry >>>> to advise. >>>> >>>> Andy, please also include FreeIPA and 389-ds-base >> packages >>>> versions so that >>>> Thierry and Ludwig know what to look at. 
>>>> >>>> >>>> Here you go >>>> >>>> ipa-server-4.1.0-18.el7_1.3.x86_64 >>>> 389-ds-base-1.3.3.1-15.el7_1.x86_64 >>>> >>>> Thanks much >>>> >>>> -andy >>>> >>>> >>>> >>>> Hello, >>>> >>>> I wonder it is not a similar issue I hit >>>> https://fedorahosted.org/389/ticket/48165. What differs is >>>> '_update_all_per_mod' logs but could be a consequence of the same bug. >>>> >>>> >>>> I think what differs taht in the ticket there is an attempt to delete >>>> an existng entry, but in the log snippet provided it attempts to >>>> delete a tombstone entry (an entry which was already deleted). >>>> So the errors logged by DS seem to be ok, but why does IPA want to >>>> delete an already deleted user ? but mybe only the mep plugin finds a >>>> tombstone and tries to delete it. >>>> >>>> What was the command executed, is the result the same if repeated ? >>>> >>>> >>> I attempted using the web interface initially >>> and then tried using ipa user-del to see if it gave any more >> detail. >> were both attempts at 2015:07:21:32 ? or do you have more errors in the >> error log ? > I had errors from the other delete attempts but they were the same errors at different times. I can send my entire log to you offline if it would be helpful. > >>> More info though, this is a replicated environment and I just tried deleting >> it on the replica server and it completed successfully so it appears I might >> have a replication issue going on? Hopefully I didn't mess something up >> doing that, should have checked the logs there first. >> well, if you cannot delete on one server, but do it on the other this looks like >> servers were not consistent before >>> I see this in the logs on the replica >>> >>> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - >> agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer >> failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, >> CSN 5540deb8000300030000): Operations error (1). Will retry later. 
>> now the replica tries to replicate the delete and has the same failures as your >> direct delete. Do you have other replicas ? Is the delete replicated to other >> replicas ? > I've got two replicas. The initial error was on the first replica server I installed. I do not see the same error on the replica server. I was able to delete the user on the second replica using ipa user-del but now the "failed to replay" error above is cycling in the logs on the second replica. So it seems that the replica I tried to delete the user on initially is still trying to send a delete event to the second replica server and it is failing because the object is indeed gone from that replica since the delete completed successfully. > > -andy From tmpchq at gmail.com Wed Apr 29 14:29:17 2015 From: tmpchq at gmail.com (Qing Chang) Date: Wed, 29 Apr 2015 10:29:17 -0400 Subject: [Freeipa-users] ipa-replica-install fails at CA setup Message-ID: CentOS7.1 with IPA server 4.1. "ipa-replica-install --setup-ca --setup-dns ..." fails with this error message: ----- [2/22]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1 [error] RuntimeError: Configuration of CA failed ----- ipareplica-install.log shows this: ----- 2015-04-29T13:40:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-04-29T13:40:11Z DEBUG Starting external process 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX' 2015-04-29T13:40:51Z DEBUG Process finished, return code=1 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmpaUGoKX. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-04-29T13:40:51Z DEBUG stderr=pkispawn : ERROR ....... 
Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mrip a2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91) 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance raise RuntimeError('Configuration of CA failed') RuntimeError: Configuration of CA failed ----- I hope this is enough information. Thanks in advance, Qing Chang -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmpchq at gmail.com Wed Apr 29 14:35:09 2015 From: tmpchq at gmail.com (Qing Chang) Date: Wed, 29 Apr 2015 10:35:09 -0400 Subject: [Freeipa-users] ipa-replica-install fails at CA setup In-Reply-To: References: Message-ID: mripa2.mr.ric is the server to be setup as replica. I wonder if the ldap service was available at all at installation stage. Thanks, Qing On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang wrote: > CentOS7.1 with IPA server 4.1. > > "ipa-replica-install --setup-ca --setup-dns ..." 
fails with this error > message: > ----- > [2/22]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero > exit status 1 > [error] RuntimeError: Configuration of CA failed > ----- > > ipareplica-install.log shows this: > ----- > 2015-04-29T13:40:11Z DEBUG Saving StateFile to > '/var/lib/ipa/sysrestore/sysrestore.state' > 2015-04-29T13:40:11Z DEBUG Starting external process > 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' > '/tmp/tmpaUGoKX' > 2015-04-29T13:40:51Z DEBUG Process finished, return code=1 > 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from > /tmp/tmpaUGoKX. > Installing CA into /var/lib/pki/pki-tomcat. > Storing deployment configuration into > /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. > > Installation failed. > > > 2015-04-29T13:40:51Z DEBUG stderr=pkispawn : ERROR ....... Exception > from Java Configuration Servlet: Error in populating database: Could not > connect to LDAP server host mrip > a2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to > server ldap://mripa2.mr.ric:389 (91) > > 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command > ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero > exit status 1 > 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 382, in start_creation > run_step(full_msg, method) > File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", > line 372, in run_step > method() > File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", > line 673, in __spawn_instance > raise RuntimeError('Configuration of CA failed') > RuntimeError: Configuration of CA failed > ----- > > I hope this is enough information. 
>
> Thanks in advance,
>
> Qing Chang
>

From Andy.Thompson at e-tcc.com  Wed Apr 29 14:34:20 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 14:34:20 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5540EA71.3070602@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com>
Message-ID: <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 29, 2015 10:28 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> can you do the following search on both servers ?
>
> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>

The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter.
If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy

From lkrispen at redhat.com  Wed Apr 29 14:50:52 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 16:50:52 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local>
Message-ID: <5540EFCC.40900@redhat.com>

did you run the searches as directory manager ?

On 04/29/2015 04:34 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 10:28 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> can you do the following search on both servers ?
>>
>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter.
> If I leave the attribute filter I don't get anything
>
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> objectClass: nsTombstone
>
> -andy

From Andy.Thompson at e-tcc.com  Wed Apr 29 14:49:21 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 14:49:21 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5540EFCC.40900@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com>
Message-ID: <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 29, 2015 10:51 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> did you run the searches as directory manager ?
>

Yep sure did

> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> >> -----Original Message-----
> >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >> Sent: Wednesday, April 29, 2015 10:28 AM
> >> To: Andy Thompson
> >> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >> can you do the following search on both servers ?
> >>
> >> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> > The server that I initially attempted the deletion on returns nothing.
> > The second server (the one currently throwing the consumer failed
> > replay error) returns this if I remove the nscpentrywsi attribute
> > filter. If I leave the attribute filter I don't get anything
> >
> > objectClass: posixgroup
> > objectClass: ipaobject
> > objectClass: mepManagedEntry
> > objectClass: top
> > objectClass: nsTombstone
> >
> > -andy

From lkrispen at redhat.com  Wed Apr 29 14:58:41 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 16:58:41 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local>
Message-ID: <5540F1A1.6050501@redhat.com>

On 04/29/2015 04:49 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 10:51 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> did you run the searches as directory manager ?
>>
> Yep sure did
that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ?
>
>
>
>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 10:28 AM
>>>> To: Andy Thompson
>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>> can you do the following search on both servers ?
>>>>
>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>> The server that I initially attempted the deletion on returns nothing.
>>> The second server (the one currently throwing the consumer failed
>>> replay error) returns this if I remove the nscpentrywsi attribute
>>> filter. If I leave the attribute filter I don't get anything
>>>
>>> objectClass: posixgroup
>>> objectClass: ipaobject
>>> objectClass: mepManagedEntry
>>> objectClass: top
>>> objectClass: nsTombstone
>>>
>>> -andy

From Andy.Thompson at e-tcc.com  Wed Apr 29 15:08:58 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 15:08:58 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5540F1A1.6050501@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com>
Message-ID: <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 29, 2015 10:59 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
>
> On 04/29/2015 04:49 PM, Andy Thompson wrote:
> >> -----Original Message-----
> >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >> Sent: Wednesday, April 29, 2015 10:51 AM
> >> To: Andy Thompson
> >> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >> did you run the searches as directory manager ?
> >>
> > Yep sure did
> that's weird, as directory manager you should be able to see the
> nscpentrywsi attribute, could you paste your full search request ?
>

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

>
>
>
> >> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> >>>> -----Original Message-----
> >>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >>>> Sent: Wednesday, April 29, 2015 10:28 AM
> >>>> To: Andy Thompson
> >>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >>>> Subject: Re: [Freeipa-users] deleting ipa user
> >>>>
> >>>> can you do the following search on both servers ?
> >>>>
> >>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> >>> The server that I initially attempted the deletion on returns nothing.
> >>> The second server (the one currently throwing the consumer failed
> >>> replay error) returns this if I remove the nscpentrywsi attribute
> >>> filter. If I leave the attribute filter I don't get anything
> >>>
> >>> objectClass: posixgroup
> >>> objectClass: ipaobject
> >>> objectClass: mepManagedEntry
> >>> objectClass: top
> >>> objectClass: nsTombstone
> >>>
> >>> -andy

From lkrispen at redhat.com  Wed Apr 29 15:27:34 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 17:27:34 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local>
Message-ID: <5540F866.8090400@redhat.com>

On 04/29/2015 05:08 PM, Andy Thompson wrote:
>
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 10:59 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 04:49 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 10:51 AM
>>>> To: Andy Thompson
>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>> did you run the searches as directory manager ?
>>>>
>>> Yep sure did
>> that's weird, as directory manager you should be able to see the
>> nscpentrywsi attribute, could you paste your full search request ?
> This returns the object
>
> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
>
> This returns nothing
>
> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
and if you omit the grep ? still puzzled.

what is logged in the access log for these two searches?
>
>
>>>
>>>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>>>>>> -----Original Message-----
>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>> Sent: Wednesday, April 29, 2015 10:28 AM
>>>>>> To: Andy Thompson
>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>
>>>>>> can you do the following search on both servers ?
>>>>>>
>>>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>>>> The server that I initially attempted the deletion on returns nothing.
>>>>> The second server (the one currently throwing the consumer failed
>>>>> replay error) returns this if I remove the nscpentrywsi attribute
>>>>> filter.
>>>>> If I leave the attribute filter I don't get anything
>>>>>
>>>>> objectClass: posixgroup
>>>>> objectClass: ipaobject
>>>>> objectClass: mepManagedEntry
>>>>> objectClass: top
>>>>> objectClass: nsTombstone
>>>>>
>>>>> -andy

From Andy.Thompson at e-tcc.com  Wed Apr 29 15:35:18 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 15:35:18 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5540F866.8090400@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com>
Message-ID: <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>

> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> Sent: Wednesday, April 29, 2015 11:28 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
>
> On 04/29/2015 05:08 PM, Andy Thompson wrote:
> >
> >> -----Original Message-----
> >> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >> Sent: Wednesday, April 29, 2015 10:59 AM
> >> To: Andy Thompson
> >> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >>
> >> On 04/29/2015 04:49 PM, Andy Thompson wrote:
> >>>> -----Original Message-----
> >>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >>>> Sent: Wednesday, April 29, 2015 10:51 AM
> >>>> To: Andy Thompson
> >>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >>>> Subject: Re: [Freeipa-users] deleting ipa user
> >>>>
> >>>> did you run the searches as directory manager ?
> >>>>
> >>> Yep sure did
> >> that's weird, as directory manager you should be able to see the
> >> nscpentrywsi attribute, could you paste your full search request ?
> > This returns the object
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
> >
> > This returns nothing
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> and if you omit the grep ? still puzzled.

Ah if I omit the grep on the second server I get

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

> what is logged in the access log for these two searches?
> >
> >
> >>>
> >>>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> >>>>>> -----Original Message-----
> >>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
> >>>>>> Sent: Wednesday, April 29, 2015 10:28 AM
> >>>>>> To: Andy Thompson
> >>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
> >>>>>> Subject: Re: [Freeipa-users] deleting ipa user
> >>>>>>
> >>>>>> can you do the following search on both servers ?
> >>>>>>
> >>>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> >>>>> The server that I initially attempted the deletion on returns nothing.
> >>>>> The second server (the one currently throwing the consumer failed
> >>>>> replay error) returns this if I remove the nscpentrywsi attribute
> >>>>> filter.
> >>>>> If I leave the attribute filter I don't get anything
> >>>>>
> >>>>> objectClass: posixgroup
> >>>>> objectClass: ipaobject
> >>>>> objectClass: mepManagedEntry
> >>>>> objectClass: top
> >>>>> objectClass: nsTombstone
> >>>>>
> >>>>> -andy

From lkrispen at redhat.com  Wed Apr 29 15:47:00 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Wed, 29 Apr 2015 17:47:00 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>
Message-ID: <5540FCF4.8070606@redhat.com>

On 04/29/2015 05:35 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 11:28 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 05:08 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 10:59 AM
>>>> To: Andy Thompson
>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>>
>>>> On 04/29/2015 04:49 PM, Andy Thompson wrote:
>>>>>> -----Original Message-----
>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>> Sent: Wednesday, April 29, 2015 10:51 AM
>>>>>> To: Andy Thompson
>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>
>>>>>> did you run the searches as directory manager ?
>>>>>>
>>>>> Yep sure did
>>>> that's weird, as directory manager you should be able to see the
>>>> nscpentrywsi attribute, could you paste your full search request ?
>>> This returns the object
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
>>>
>>> This returns nothing
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>> and if you omit the grep ? still puzzled.
> Ah if I omit the grep on the second server I get
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.
ok, so we have the entry on one server, the csn of the objectclass: tombstone is:

objectClass;vucsn-5540deb8000300030000: nsTombstone

which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)

so the state of the entry is as expected. Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
- a plain search (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) (also with nscpentrywsi)
or if this doesn't return anything:
- (objectclass=nstombstone) and grep for your
>
>> what is logged in the access log for these two searches?
>>>
>>>>>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>>>> Sent: Wednesday, April 29, 2015 10:28 AM
>>>>>>>> To: Andy Thompson
>>>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>>>
>>>>>>>> can you do the following search on both servers ?
>>>>>>>>
>>>>>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>>>>>> The server that I initially attempted the deletion on returns nothing.
>>>>>>> The second server (the one currently throwing the consumer failed
>>>>>>> replay error) returns this if I remove the nscpentrywsi attribute
>>>>>>> filter.
>>>>>>> If I leave the attribute filter I don't get anything
>>>>>>>
>>>>>>> objectClass: posixgroup
>>>>>>> objectClass: ipaobject
>>>>>>> objectClass: mepManagedEntry
>>>>>>> objectClass: top
>>>>>>> objectClass: nsTombstone
>>>>>>>
>>>>>>> -andy

From tbordaz at redhat.com  Wed Apr 29 15:49:29 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 29 Apr 2015 17:49:29 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>
Message-ID: <5540FD89.7010103@redhat.com>

On 04/29/2015 05:35 PM, Andy Thompson wrote:
>> -----Original Message-----
>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>> Sent: Wednesday, April 29, 2015 11:28 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>
>> On 04/29/2015 05:08 PM, Andy Thompson wrote:
>>>> -----Original Message-----
>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>> Sent: Wednesday, April 29, 2015 10:59 AM
>>>> To: Andy Thompson
>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>>
>>>> On 04/29/2015 04:49 PM, Andy Thompson wrote:
>>>>>> -----Original Message-----
>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>> Sent: Wednesday, April 29, 2015 10:51 AM
>>>>>> To: Andy Thompson
>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>
>>>>>> did you run the searches as directory manager ?
>>>>>>
>>>>> Yep sure did
>>>> that's weird, as directory manager you should be able to see the
>>>> nscpentrywsi attribute, could you paste your full search request ?
>>> This returns the object
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
>>>
>>> This returns nothing
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>> and if you omit the grep ? still puzzled.
> Ah if I omit the grep on the second server I get
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.

This is looking like that on the replica where the errors are logged. The entry is a tombstone but cannot be found with the nsuniqueid.

If on that server you do

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"

>
>> what is logged in the access log for these two searches?
>>>
>>>>>> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>>>>>>>> -----Original Message-----
>>>>>>>> From: Ludwig Krispenz [mailto:lkrispen at redhat.com]
>>>>>>>> Sent: Wednesday, April 29, 2015 10:28 AM
>>>>>>>> To: Andy Thompson
>>>>>>>> Cc: thierry bordaz; Martin Kosek; freeipa-users at redhat.com
>>>>>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>>>>>
>>>>>>>> can you do the following search on both servers ?
>>>>>>>>
>>>>>>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx...." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>>>>>> The server that I initially attempted the deletion on returns nothing.
>>>>>>> The second server (the one currently throwing the consumer failed
>>>>>>> replay error) returns this if I remove the nscpentrywsi attribute
>>>>>>> filter.
>>>>>>> If I leave the attribute filter I don't get anything
>>>>>>>
>>>>>>> objectClass: posixgroup
>>>>>>> objectClass: ipaobject
>>>>>>> objectClass: mepManagedEntry
>>>>>>> objectClass: top
>>>>>>> objectClass: nsTombstone
>>>>>>>
>>>>>>> -andy

From lists at fahrendorf.de Wed Apr 29 15:51:46 2015
From: lists at fahrendorf.de (Martin (Lists))
Date: Wed, 29 Apr 2015 17:51:46 +0200
Subject: [Freeipa-users] thousands DSRetroclPlugin mesages
In-Reply-To: <5540DFE7.9030208@redhat.com>
References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> <5540D9DA.9040507@fahrendorf.de> <5540DFE7.9030208@redhat.com>
Message-ID: <5540FE12.7060302@fahrendorf.de>

On 29.04.2015 at 15:43, Ludwig Krispenz wrote:
>
> On 04/29/2015 03:17 PM, Martin (Lists) wrote:
>> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
>>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
>>>> Hello
>>>>
>>>> after a reboot I get almost a thousand of the following messages:
>>>>
>>>> DSRetroclPlugin - delete_changerecord: could not delete change record
>>>> 128755 (rc: 32)
>>> this message comes from changelog trimming and means that an entry,
>>> which should be purged, does not exist (any more).
>>> the retrocl maintains a first/lastchange and trimming starts at
>>> firstchange. if for some reason (race ?) there is an attempt to try to
>>> delete the same entry a second time this message should be logged.
>>> since the changenumbers in the error message increase, I think
>>> changelog trimming moves forward. you could do searches on
>>> "cn=changelog" to verify that trimming works.
>> changelog is part of the ldbm database plugin and contains several
>> pieces of information I don't understand (or understand partially). What kind of
>> information should I look for?
> the changelog keeps track of the changes applied to the database, a
> typical entry looks like:
> dn: changenumber=4,cn=changelog
> objectClass: top
> objectClass: changelogentry
> changeNumber: 4
> targetDn: cn=tuser,ou=people,dc=example,dc=com
> changeTime: 20140411093444Z
> changeType: delete
OK, I looked in the wrong directory. Now I have found many changelog
entries, starting with number 152926 and ending with 155512 (ldapsearch
states 2588 numEntries). Should that be that much? The oldest is about
two and a half days old and it does not change within the last few minutes.
>
> each entry gets a DN made up from the changenumber, so your entries will
> be named:
> ....
> dn: changenumber=61,cn=changelog
> dn: changenumber=62,cn=changelog
> dn: changenumber=63,cn=changelog
> dn: changenumber=64,cn=changelog
> ....
> changenumbers start and are always incremented, changelog trimming
> removes old entries (depending on config).
>
> so if you do a search like:
> ldapsearch .................. -b "cn=changelog"
> the changenumber of the first entry returned should always increase,
> indicating that trimming works.
As it seems my trimming is broken, at least partially. Is there something
I can adjust?
>
> you said "thousands" of messages, how frequent are they really ?
On every reboot I get these messages. I do not get them during normal
operation. Something odd I observed after the last two reboots: ns-slapd
runs my hard disk for several minutes (about 15 minutes) after the reboot.
This is the time it takes to log all these change record messages.
Kindly Martin From Andy.Thompson at e-tcc.com Wed Apr 29 15:58:53 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 15:58:53 +0000 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <5540FCF4.8070606@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> Message-ID: <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> > > dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: dn: > > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup > > nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject > > nscpentrywsi: objectClass;vucsn-55364a42000500040000: > mepManagedEntry > > nscpentrywsi: objectClass;vucsn-55364a42000500040000: top > > nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone > > nscpentrywsi: > > cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh > > nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003 > > nscpentrywsi: description;vucsn-55364a42000500040000: User private > > group for username > > nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= > > 
username,cn=users,cn=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed > > Entries,cn=plugins,cn=config > > nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed > > Entries,cn=plugins,cn=config > > nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: > > 20150421130152Z > > nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: > > 20150421130152Z > > nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 > > nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: > > 94dc1638-e826-11e4-878a-005056a92af3 > > nscpentrywsi: parentid: 4 > > nscpentrywsi: entryid: 385 > > nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 > > nscpentrywsi: nstombstonecsn: 5540deb8000300030000 > > nscpentrywsi: nscpEntryDN: > > cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin > > nscpentrywsi: entryusn: 52327 > > > > thought I tried that before, apparently not. > ok, so we have the entry on one server, the csn of the objectclass: > tombstone is : > > objectClass;vucsn-5540deb8000300030000: nsTombstone > > , which matches the csn in the error log: > > Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343- > f0abc1a8, CSN 5540deb8000300030000): Operations error (1) so the state of > the entry is as expected. > > Now we nend to find it on the other server. If the search for the & filter with > nstombstone does return nothing, could you try If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. 
If I add nsuniqueid to the filter it returns nothing on the primary server dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003 krbLastSuccessfulAuth: 20150421180533Z krbPasswordExpiration: 20150720180532Z userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09 krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA== krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE= krbLoginFailedCount: 0 krbTicketFlags: 128 krbLastPwdChange: 20150421180532Z krbLastFailedAuth: 20150421180457Z mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin displayName: user name cn: User Name objectClass: ipaobject objectClass: person objectClass: top objectClass: ipasshuser objectClass: inetorgperson objectClass: organizationalperson objectClass: krbticketpolicyaux objectClass: krbprincipalaux objectClass: inetuser objectClass: posixaccount objectClass: ipaSshGroupOfPubKeys objectClass: mepOriginEntry objectClass: ipantuserattrs objectClass: nsTombstone loginShell: /bin/bash initials: GF gecos: User Name homeDirectory: /home/username uid: username mail: username at mhbenp.lin krbPrincipalName: username at MHBENP.LIN 
givenName: User sn: name ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3 uidNumber: 1249000003 gidNumber: 1249000003 nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8 From Andy.Thompson at e-tcc.com Wed Apr 29 16:00:24 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 16:00:24 +0000 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <5540FD89.7010103@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FD89.7010103@redhat.com> Message-ID: <13b3dd3381da4ef58bbbf15b1661d9f8@TCCCORPEXCH02.TCC.local> > This is looking like that on the replica where the errors are logged. > The entry is a tombstone but can not be find with the nsuniqueid. > If on that server you do > > ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D "cn=directory > manager" -W -b "dc=..." > "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a- > 005056a92af3))" > > This one returns nothing on either server. 
From CWhite at skytouchtechnology.com Wed Apr 29 16:02:57 2015
From: CWhite at skytouchtechnology.com (Craig White)
Date: Wed, 29 Apr 2015 16:02:57 +0000
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To:
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com>
Message-ID:

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christopher Lamb
Sent: Tuesday, April 28, 2015 10:58 PM
To: Simo Sorce
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

Hi Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was
intending. I want to be able to log out of the web ui, then log back in
with a different user, e.g. to allow a newly added user to change their
password to something secret.

On this particular workstation I have no kerberos ticket (double checking
with klist at the terminal confirms this). I have not saved the password in
Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even
Apache Directory Studio open to browse the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.
----
Seems that would be a useful option for me too. I normally login as myself
but there are times when someone comes by and wants to change their
password and it's easier if they do it on my system sometimes as the
Kerberos auth prompt confuses them and I can coach them through. Also, I
occasionally need to login as the primary 'admin' user as some of the
options (ahem - Sudo rules on version 3.0.0) are not accessible regardless
of the permissions given.

Craig

From rcritten at redhat.com Wed Apr 29 16:14:46 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 29 Apr 2015 12:14:46 -0400
Subject: [Freeipa-users] ipa-replica-install fails at CA setup
In-Reply-To:
References:
Message-ID: <55410376.9020307@redhat.com>

Qing Chang wrote:
> mripa2.mr.ric is the server to be set up as a replica. I wonder if the ldap
> service was available at all at installation stage.

I think we'd need to see the full ipareplica-install.log.

You might also want to see if a ns-slapd process is running and check
/var/log/dirsrv/slapd-REALM/errors for anything interesting.

rob

>
> Thanks,
> Qing
>
> On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang wrote:
>
> CentOS7.1 with IPA server 4.1.
>
> "ipa-replica-install --setup-ca --setup-dns ..." fails with this
> error message:
> -----
> [2/22]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned
> non-zero exit status 1
> [error] RuntimeError: Configuration of CA failed
> -----
>
> ipareplica-install.log shows this:
> -----
> 2015-04-29T13:40:11Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2015-04-29T13:40:11Z DEBUG Starting external process
> 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpaUGoKX'
> 2015-04-29T13:40:51Z DEBUG Process finished, return code=1
> 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration
> from /tmp/tmpaUGoKX.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2015-04-29T13:40:51Z DEBUG stderr=pkispawn : ERROR .......
> Exception from Java Configuration Servlet: Error in populating
> database: Could not connect to LDAP server host mripa2.mr.ric
> port 389 Error netscape.ldap.LDAPException: failed to
> connect to server ldap://mripa2.mr.ric:389 (91)
>
> 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance
> Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX''
> returned non-zero exit status 1
> 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
> run_step(full_msg, method)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
> method()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 673, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
> RuntimeError: Configuration of CA failed
> -----
>
> I hope this is enough information.
>
> Thanks in advance,
>
> Qing Chang
>
>
>

From tbordaz at redhat.com Wed Apr 29 16:27:45 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 29 Apr 2015 18:27:45 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local>
<5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> Message-ID: <55410681.4020004@redhat.com> On 04/29/2015 05:58 PM, Andy Thompson wrote: >>> dn: >>> nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> f0abc1a8,cn=username,cn=groups,c >>> n=accounts,dc=mhbenp,dc=lin >>> nscpentrywsi: dn: >>> nsuniqueid=7e1a1f87-e82611e4-99f1b343- >> f0abc1a8,cn=username,cn=groups,c >>> n=accounts,dc=mhbenp,dc=lin >>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup >>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject >>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: >> mepManagedEntry >>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top >>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone >>> nscpentrywsi: >>> cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh >>> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003 >>> nscpentrywsi: description;vucsn-55364a42000500040000: User private >>> group for username >>> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid= >>> username,cn=users,cn=accounts,dc=mhbenp,dc=lin >>> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed >>> Entries,cn=plugins,cn=config >>> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed >>> Entries,cn=plugins,cn=config >>> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: >>> 20150421130152Z >>> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: >>> 20150421130152Z >>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 >>> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: >>> 94dc1638-e826-11e4-878a-005056a92af3 >>> nscpentrywsi: parentid: 4 >>> nscpentrywsi: entryid: 385 >>> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8 >>> nscpentrywsi: nstombstonecsn: 5540deb8000300030000 >>> nscpentrywsi: nscpEntryDN: >>> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin >>> nscpentrywsi: entryusn: 52327 >>> >>> thought I 
tried that before, apparently not. >> ok, so we have the entry on one server, the csn of the objectclass: >> tombstone is : >> >> objectClass;vucsn-5540deb8000300030000: nsTombstone >> >> , which matches the csn in the error log: >> >> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343- >> f0abc1a8, CSN 5540deb8000300030000): Operations error (1) so the state of >> the entry is as expected. >> >> Now we nend to find it on the other server. If the search for the & filter with >> nstombstone does return nothing, could you try > If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server > > dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin > memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin > ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003 > krbLastSuccessfulAuth: 20150421180533Z > krbPasswordExpiration: 20150720180532Z > userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09 > krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA== > krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A > 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD > +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE= > 
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: username at mhbenp.lin
> krbPrincipalName: username at MHBENP.LIN
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 1249000003
> gidNumber: 1249000003
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>
>

In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but
is missing. Did you run the command with the 'nscpentrywsi' requested attribute?
Maybe nsuniqueid was hidden for that reason, but I would be surprised.

nsuniqueid is a key element of replication. I wonder how replication can find
the entry itself. nsuniqueid could be in the index but then the entry is
corrupted.
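The two checks this thread and the DSRetroclPlugin thread above turn on, as an added example (not code from the list, 389-ds or FreeIPA): parse `ldapsearch -LLL` LDIF, cross-check a tombstone's RDN nsuniqueid against its stored nsUniqueId and the CSN on `objectClass: nsTombstone` against the `Consumer failed to replay change` error, and read the first/last changeNumber of a `cn=changelog` snapshot plus the record numbers in DSRetroclPlugin errors. The sample LDIF, error line and changelog snapshot are constructed from values quoted in the messages; the `adcsn`/`vucsn`/`mdcsn` option format is assumed from the output shown.

```python
import re

# Formats assumed from the thread: a csn option is "<type>-<20 hex chars>" and the
# replication error names the tombstone's uniqueid and CSN.
CSN_RE = re.compile(r'^(vucsn|adcsn|mdcsn)-([0-9a-f]{20})$')
REPLAY_RE = re.compile(
    r'Consumer failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{20})\)')
RETROCL_RE = re.compile(
    r'DSRetroclPlugin - delete_changerecord: could not delete change record (\d+) \(rc: \d+\)')


def parse_ldif(text):
    """Parse 'ldapsearch -LLL' output into a list of {attr: [values]} dicts.
    Folded continuation lines (leading space) are rejoined first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + ['']:          # trailing '' flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(':')
        cur.setdefault(key.strip(), []).append(val.strip())
    return entries


def split_wsi(value):
    """Split one nscpentrywsi value 'attr;vucsn-..;mdcsn-..: v' into
    (attr, {csn_type: csn}, v); a base64 ('::') value is returned still encoded."""
    spec, _, v = value.partition(':')
    if v.startswith(':'):
        v = v[1:]
    attr, *opts = spec.split(';')
    csns = {}
    for opt in opts:
        m = CSN_RE.match(opt)
        if m:
            csns[m.group(1)] = m.group(2)
    return attr, csns, v.strip()


def tombstone_state(entry):
    """Cross-check a tombstone fetched with nscpentrywsi: the RDN nsuniqueid must
    equal the stored nsUniqueId, and the vucsn on 'objectClass: nsTombstone'
    must equal nstombstonecsn (the CSN the replay error refers to)."""
    m = re.match(r'nsuniqueid=([0-9a-f-]+),', entry.get('dn', [''])[0], re.I)
    rdn_uid = m.group(1).lower() if m else None
    attr_uid = tomb_csn = tomb_attr = None
    is_tombstone = False
    for value in entry.get('nscpentrywsi', []):
        attr, csns, v = split_wsi(value)
        a = attr.lower()
        if a == 'nsuniqueid':
            attr_uid = v.lower()
        elif a == 'objectclass' and v.lower() == 'nstombstone':
            is_tombstone = True
            tomb_csn = csns.get('vucsn')
        elif a == 'nstombstonecsn':
            tomb_attr = v
    return {
        'is_tombstone': is_tombstone,
        'rdn_nsuniqueid': rdn_uid,
        'tombstone_csn': tomb_csn,
        'uniqueid_consistent': rdn_uid is not None and rdn_uid == attr_uid,
        'csn_consistent': tomb_csn is not None and tomb_csn == tomb_attr,
    }


def replay_error_matches(log_line, state):
    """True if a 'Consumer failed to replay change' error is about this tombstone."""
    m = REPLAY_RE.search(log_line)
    return bool(m) and (m.group(1).lower() == state['rdn_nsuniqueid']
                        and m.group(2) == state['tombstone_csn'])


def changelog_span(entries):
    """(first, last, count) of changeNumber in a cn=changelog snapshot; the first
    number should move forward between two snapshots if trimming works."""
    nums = sorted(int(e['changeNumber'][0]) for e in entries if 'changeNumber' in e)
    return (nums[0], nums[-1], len(nums)) if nums else (None, None, 0)


def retrocl_records(log_lines):
    """Record numbers from DSRetroclPlugin delete_changerecord errors and whether
    they strictly increase (i.e. trimming is still moving forward)."""
    nums = [int(m.group(1)) for m in map(RETROCL_RE.search, log_lines) if m]
    return nums, all(a < b for a, b in zip(nums, nums[1:]))


# Constructed sample data, trimmed from what is quoted in the two threads.
TOMBSTONE_LDIF = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: username
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
"""
REPLAY_ERROR = ("Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-"
                "f0abc1a8, CSN 5540deb8000300030000): Operations error (1)")
CHANGELOG_LDIF = "dn: changenumber=61,cn=changelog\nchangeNumber: 61\n\n" \
                 "dn: changenumber=62,cn=changelog\nchangeNumber: 62\n"
RETROCL_LOG = [
    "DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)",
    "DSRetroclPlugin - delete_changerecord: could not delete change record 128756 (rc: 32)",
]
```

Run `tombstone_state(parse_ldif(TOMBSTONE_LDIF)[0])` on each replica's output for the tombstone; a `False` in `uniqueid_consistent` is the missing-RDN situation Thierry describes.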
From christopher.lamb at ch.ibm.com Wed Apr 29 16:31:10 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 29 Apr 2015 18:31:10 +0200
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To:
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com>
Message-ID:

Hi all

@Craig, and using the WebUI for that purpose is much more user friendly
than doing the same via an ssh terminal session.

@Simo, as requested I have opened a ticket on this issue
https://fedorahosted.org/freeipa/ticket/5010

As this is my first Fedora ticket, please forgive me if I didn't do it right
8-)

Cheers

Chris

From: Craig White
To: Christopher Lamb/Switzerland/IBM at IBMCH, Simo Sorce
Cc: "freeipa-users at redhat.com"
Date: 29.04.2015 18:03
Subject: RE: [Freeipa-users] FreeIPA WebUI Logout logs back in

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christopher Lamb
Sent: Tuesday, April 28, 2015 10:58 PM
To: Simo Sorce
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

Hi Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was
intending. I want to be able to log out of the web ui, then log back in
with a different user, e.g. to allow a newly added user to change their
password to something secret.

On this particular workstation I have no kerberos ticket (double checking
with klist at the terminal confirms this). I have not saved the password in
Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even
Apache Directory Studio open to browse the LDAP structure and content. I
don't see how that can play a role, but I mention it for completeness.
----
Seems that would be a useful option for me too.
I normally login as myself but there are times when someone comes by and wants to change their password and it's easier if they do it on my system sometimes as the Kerberos auth prompt confuses them and I can coach them through. Also, I occasionally need to login as the primary 'admin' user as some of the options (ahem - Sudo rules on version 3.0.0) are not accessible regardless of the permissions given. Craig From simo at redhat.com Wed Apr 29 16:34:34 2015 From: simo at redhat.com (Simo Sorce) Date: Wed, 29 Apr 2015 12:34:34 -0400 Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in In-Reply-To: References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com> Message-ID: <1430325274.22966.14.camel@willson.usersys.redhat.com> On Wed, 2015-04-29 at 18:31 +0200, Christopher Lamb wrote: > Hi all > > @Craig, and using the WebUI for that purpose is much more user friendly > then doing the same via a ssh terminal session. > > @Simo, as requested I have opened a ticket on this issue > https://fedorahosted.org/freeipa/ticket/5010 > > As this my first Fedora ticket, please forgive me If I didn't do it right > 8-) It's perfectly fine, thank you. Simo. > Cheers > > Chris > > > > > From: Craig White > To: Christopher Lamb/Switzerland/IBM at IBMCH, Simo Sorce > > Cc: "freeipa-users at redhat.com" > Date: 29.04.2015 18:03 > Subject: RE: [Freeipa-users] FreeIPA WebUI Logout logs back in > > > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [ > mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christopher Lamb > Sent: Tuesday, April 28, 2015 10:58 PM > To: Simo Sorce > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in > > HI Simo, Dmitiri, Rob and co. > > Simos "log in with a different user" suggestion is pretty much what I was > intending. 
I want to be able to log out of the web ui, then log back in > with a different user. e.g. to allow a newly added user to change their > password to something secret. > > On this particular workstation I have no kerberos ticket (double checking > with klist at the terminal confirms this). I have not saved the password in > Firefox (checking in the settings confirms this). > > I often have ssh sessons open via terminal to the FreeIPA Server, and even > Apache Directory Studio open to browse the LDAP structure and content. I > don't see how that can play a role, but I mention it for completeness. > ---- > Seems that would be a useful option for me too. I normally login as myself > but there are times when someone comes by and wants to change their > password and it's easier if they do it on my system sometimes as the > Kerberos auth prompt confuses them and I can coach them through. Also, I > occasionally need to login as the primary 'admin' user as some of the > options (ahem - Sudo rules on version 3.0.0) are not accessible regardless > of the permissions given. 
> > Craig > > > > -- Simo Sorce * Red Hat, Inc * New York From Andy.Thompson at e-tcc.com Wed Apr 29 16:45:05 2015 From: Andy.Thompson at e-tcc.com (Andy Thompson) Date: Wed, 29 Apr 2015 16:45:05 +0000 Subject: [Freeipa-users] deleting ipa user In-Reply-To: <55410681.4020004@redhat.com> References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> Message-ID: <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> > -----Original Message----- > From: thierry bordaz [mailto:tbordaz at redhat.com] > Sent: Wednesday, April 29, 2015 12:28 PM > To: Andy Thompson > Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 05:58 PM, Andy Thompson wrote: > > > dn: > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > nscpentrywsi: dn: > nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=username,cn=groups,c > > n=accounts,dc=mhbenp,dc=lin > nscpentrywsi: objectClass;vucsn- > 55364a42000500040000: posixgroup > nscpentrywsi: objectClass;vucsn- > 55364a42000500040000: ipaobject > nscpentrywsi: objectClass;vucsn- > 55364a42000500040000: > > mepManagedEntry > > nscpentrywsi: 
objectClass;vucsn-55364a42000500040000: top
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.
>
> ok, so we have the entry on one server, the csn of the objectclass: tombstone is :
>
> objectClass;vucsn-5540deb8000300030000: nsTombstone
>
> , which matches the csn in the error log:
>
> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
>
> so the state of the entry is as expected.
>
> Now we need to find it on the other server. If the search for the & filter with nstombstone does return nothing, could you try
>
> If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))" I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
> krbLastSuccessfulAuth: 20150421180533Z
> krbPasswordExpiration: 20150720180532Z
> userPassword:: [base64 value elided]
> krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> krbPrincipalKey:: [base64 value elided]
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: username at mhbenp.lin
> krbPrincipalName: username at MHBENP.LIN
>
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 1249000003
> gidNumber: 1249000003
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>
> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing. Did you run the command with 'nscpentrywsi' requested attribute? Maybe nsuniqueid was hidden for that reason, but I would be surprised.
>
> nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.

If I request the nscpentrywsi attribute I get

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 20150421180533Z
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003:: [base64 value elided]
nscpentrywsi: krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:

From tbordaz at redhat.com Wed Apr 29 17:07:02 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Wed, 29 Apr 2015 19:07:02 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local>
<5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local>
Message-ID: <55410FB6.3040600@redhat.com>

On 04/29/2015 06:45 PM, Andy Thompson wrote:
> If I request the nscpentrywsi attribute I get
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin

Ok, so here is my understanding:

on the second replica (where you succeeded in doing 'ipa user-del') the entry looks like:

dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000300030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8

On the first replica (where you failed to delete the entry and where you can see the replication errors):

dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
...
nscpentrywsi: objectClass;vucsn-*5540deb8000000030000*: nsTombstone
...
nscpentrywsi: nsUniqueId: 7e1a1f8*2*-e82611e4-99f1b343-f0abc1a8

This is not the same entry. It is like two entries with the same 'uid' were created. Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.

The error is logged on the first replica about "nsuniqueid=7e1a1f8*7*-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com". So I think the entry you dumped on the first replica is not the one we were looking at. The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.
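The comparison Thierry makes by eye above (two tombstones with different nsuniqueids, both deleted by replica ID 3 at almost the same moment, only one of them named in the replay error) can be done mechanically. The script below is an added example, not code from this thread, 389-ds or FreeIPA: it parses abbreviated nscpentrywsi dumps constructed from the values quoted in the thread, splits each CSN into the 389-ds fields (8 hex digits of timestamp, 4 of sequence number, 4 of replica id, 4 of sub-sequence number), and reports which dump the "Consumer failed to replay change" line refers to.

```python
"""Compare tombstone dumps from two 389-ds replicas against a replay error.

Added example (not code from the thread, 389-ds or FreeIPA): parses abbreviated
'nscpentrywsi' output plus the "Consumer failed to replay change" log line,
decodes CSNs, and reports whether the dumps are one entry and which one the
error names.
"""
import re

# Constructed, abbreviated dumps built only from values quoted in the thread.
# Entry dumped on the first replica (where the delete failed):
REPLICA_FIRST = """\
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
"""
# Entry dumped on the second replica (where 'ipa user-del' succeeded):
REPLICA_SECOND = """\
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000300030000
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
"""
# The errors-log line quoted in the thread.
REPLAY_ERROR = ("Consumer failed to replay change (uniqueid "
                "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): "
                "Operations error (1)")

# nscpentrywsi: attr[;opt;...]: value   (a second ':' marks a base64 value)
LINE_RE = re.compile(
    r"^nscpentrywsi: (?P<attr>[^;:]+)(?P<opts>(?:;[^;:]+)*):(?P<b64>:)? ?(?P<val>.*)$")
ERROR_RE = re.compile(
    r"failed to replay change \(uniqueid (?P<uid>[0-9a-fA-F-]+), CSN (?P<csn>[0-9a-fA-F]{20})\)")


def decode_csn(csn):
    """Split a 389-ds CSN: 8 hex timestamp, 4 seqnum, 4 replica id, 4 subseqnum."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a CSN: %r" % csn)
    return {"timestamp": int(csn[0:8], 16), "seqnum": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseqnum": int(csn[16:20], 16)}


def parse_dump(text):
    """Return [(attr_lowercased, value, {csn_kind: csn})] per nscpentrywsi line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        csns = {}
        for opt in m.group("opts").split(";"):      # e.g. 'vucsn-5540deb8000000030000'
            kind, sep, csn = opt.partition("-")
            if sep and kind.endswith("csn"):        # vucsn / adcsn / mdcsn / vdcsn
                csns[kind] = csn
        records.append((m.group("attr").lower(), m.group("val"), csns))
    return records


def first_value(records, attr):
    return next(v for a, v, _ in records if a == attr)


def tombstone_summary(records):
    """Identity and delete CSN of a tombstone; 'consistent' = both CSN sources agree."""
    delete_csn = next(c["vucsn"] for a, v, c in records
                      if a == "objectclass" and v.lower() == "nstombstone")
    return {"nsuniqueid": first_value(records, "nsuniqueid").lower(),
            "original_dn": first_value(records, "nscpentrydn"),
            "delete_csn": delete_csn,
            "consistent": delete_csn == first_value(records, "nstombstonecsn")}


def parse_replay_error(line):
    m = ERROR_RE.search(line)
    return {"nsuniqueid": m.group("uid").lower(), "csn": m.group("csn")} if m else None


def diagnose(dump_a, dump_b, error_line):
    """Are the two dumps one entry, and which of them does the replay error name?"""
    a = tombstone_summary(parse_dump(dump_a))
    b = tombstone_summary(parse_dump(dump_b))
    err = parse_replay_error(error_line)
    ca, cb = decode_csn(a["delete_csn"]), decode_csn(b["delete_csn"])

    def named(s):   # the error names an entry by (nsuniqueid, CSN) pair
        return err is not None and (s["nsuniqueid"], s["delete_csn"]) == (err["nsuniqueid"], err["csn"])
    return {"same_entry": a["nsuniqueid"] == b["nsuniqueid"],
            "error_names_a": named(a), "error_names_b": named(b),
            "replica_ids": (ca["rid"], cb["rid"]),          # equal => deleted by the same replica
            "seconds_apart": abs(ca["timestamp"] - cb["timestamp"]),
            "dumps_consistent": a["consistent"] and b["consistent"]}


if __name__ == "__main__":
    for key, val in diagnose(REPLICA_FIRST, REPLICA_SECOND, REPLAY_ERROR).items():
        print("%-17s %s" % (key, val))
```

Run against the thread's values it reports same_entry False, error_names_b True and replica_ids (3, 3), which is the conclusion drawn above.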
From Andy.Thompson at e-tcc.com Wed Apr 29 17:15:02 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Wed, 29 Apr 2015 17:15:02 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <55410FB6.3040600@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> <55410FB6.3040600@redhat.com>
Message-ID:

> -----Original Message-----
> From: thierry bordaz [mailto:tbordaz at redhat.com]
> Sent: Wednesday, April 29, 2015 1:07 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> Ok, so here is my understanding:
> on the second replica (where you succeeded in doing 'ipa user-del') the entry looks like:

Sorry, that was from the replica where I tried to do the delete and failed. This is from the second replica, where I successfully deleted the entry but which now has the "failed to replay change" error being logged.
I've run so many queries I'm starting to lose track :)

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-55369200000200040004: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040002;vucsn-55369200000200040002:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 384
nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52322
nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:

>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>
>
>
> On the first replica (where you failed to delete the entry and where you can
> see the replication errors)
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>
>
> This is not the same entry. It is like two entries with the same 'uid' were
> created.
> Also note that those two entries were deleted on the same replica (replica
> ID=3: likely the second replica) almost at the same time.
>
> The error is logged on the first replica about
> "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com".
>
> So I think the entry you dumped on the first replica is not the one we were
> looking at.
> The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should
> exist, but was not returned by the search.
>
>

From tmpchq at gmail.com Wed Apr 29 18:17:06 2015 From: tmpchq at gmail.com (Qing Chang) Date: Wed, 29 Apr 2015 14:17:06 -0400 Subject: [Freeipa-users] ipa-replica-install fails at CA setup In-Reply-To: <55410376.9020307@redhat.com> References: <55410376.9020307@redhat.com> Message-ID: The ipa-replica-install log is big; the following starts at around step 34/35 for directory server config (see red lines), and then CA setup stopped at the second step. Relevant logs in error and access are attached too. It appears that at the time when CA setup needed access to dirsrv, it was down?
----- ipareplica-install log ----- 2015-04-29T13:40:03Z DEBUG Final value after applying updates 2015-04-29T13:40:03Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config 2015-04-29T13:40:03Z DEBUG schema-compat-entry-attribute: 2015-04-29T13:40:03Z DEBUG objectclass=posixGroup 2015-04-29T13:40:03Z DEBUG gidNumber=%{gidNumber} 2015-04-29T13:40:03Z DEBUG memberUid=%{memberUid} 2015-04-29T13:40:03Z DEBUG memberUid=%deref_r("member","uid") 2015-04-29T13:40:03Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") 2015-04-29T13:40:03Z DEBUG %ifeq("ipauniqueid","%{ipauniqueid}","ipaanchoruuid=:IPA:mr.ric:%{ipauniqueid}","") 2015-04-29T13:40:03Z DEBUG ipaanchoruuid=%{ipaanchoruuid} 2015-04-29T13:40:03Z DEBUG %ifeq("ipaanchoruuid","%{ipaanchoruuid}","objectclass=ipaOverrideTarget","") 2015-04-29T13:40:03Z DEBUG cn: 2015-04-29T13:40:03Z DEBUG groups 2015-04-29T13:40:03Z DEBUG objectClass: 2015-04-29T13:40:03Z DEBUG top 2015-04-29T13:40:03Z DEBUG extensibleObject 2015-04-29T13:40:03Z DEBUG schema-compat-search-filter: 2015-04-29T13:40:03Z DEBUG objectclass=posixGroup 2015-04-29T13:40:03Z DEBUG schema-compat-container-rdn: 2015-04-29T13:40:03Z DEBUG cn=groups 2015-04-29T13:40:03Z DEBUG schema-compat-entry-rdn: 2015-04-29T13:40:03Z DEBUG cn=%{cn} 2015-04-29T13:40:03Z DEBUG schema-compat-search-base: 2015-04-29T13:40:03Z DEBUG cn=groups, cn=accounts, dc=mr,dc=ric 2015-04-29T13:40:03Z DEBUG schema-compat-container-group: 2015-04-29T13:40:03Z DEBUG cn=compat, dc=mr,dc=ric 2015-04-29T13:40:03Z DEBUG duration: 1 seconds 2015-04-29T13:40:03Z DEBUG [34/35]: tuning directory server 2015-04-29T13:40:04Z DEBUG Starting external process 2015-04-29T13:40:04Z DEBUG args='/usr/sbin/selinuxenabled' 2015-04-29T13:40:04Z DEBUG Process finished, return code=0 2015-04-29T13:40:04Z DEBUG stdout= 2015-04-29T13:40:04Z DEBUG stderr= 2015-04-29T13:40:04Z DEBUG Starting external process 2015-04-29T13:40:04Z DEBUG args='/sbin/restorecon' 
'/etc/sysconfig/dirsrv.systemd' 2015-04-29T13:40:04Z DEBUG Process finished, return code=0 2015-04-29T13:40:04Z DEBUG stdout= 2015-04-29T13:40:04Z DEBUG stderr= 2015-04-29T13:40:04Z DEBUG Starting external process 2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload' 2015-04-29T13:40:04Z DEBUG Process finished, return code=0 2015-04-29T13:40:04Z DEBUG stdout= 2015-04-29T13:40:04Z DEBUG stderr= 2015-04-29T13:40:04Z DEBUG Starting external process 2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv at MR-RIC.service' 2015-04-29T13:40:06Z DEBUG Process finished, return code=0 2015-04-29T13:40:06Z DEBUG stdout= 2015-04-29T13:40:06Z DEBUG stderr= 2015-04-29T13:40:06Z DEBUG Starting external process 2015-04-29T13:40:06Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at MR-RIC.service' 2015-04-29T13:40:06Z DEBUG Process finished, return code=0 2015-04-29T13:40:06Z DEBUG stdout=active 2015-04-29T13:40:06Z DEBUG stderr= 2015-04-29T13:40:06Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2015-04-29T13:40:10Z DEBUG Starting external process 2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv at MR-RIC.service' 2015-04-29T13:40:10Z DEBUG Process finished, return code=0 2015-04-29T13:40:10Z DEBUG stdout=active 2015-04-29T13:40:10Z DEBUG stderr= 2015-04-29T13:40:10Z DEBUG Starting external process 2015-04-29T13:40:10Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpH_pfpG' '-H' 'ldap://mripa2.mr.ric:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpqvAwmY' 2015-04-29T13:40:10Z DEBUG Process finished, return code=0 2015-04-29T13:40:10Z DEBUG stdout=replace nsslapd-maxdescriptors: 8192 replace nsslapd-reservedescriptors: 64 modifying entry "cn=config" modify complete 2015-04-29T13:40:10Z DEBUG stderr=ldap_initialize( ldap://mripa2.mr.ric:389/??base ) 2015-04-29T13:40:10Z DEBUG duration: 6 seconds 2015-04-29T13:40:10Z DEBUG [35/35]: configuring directory to start on boot 2015-04-29T13:40:10Z DEBUG Starting 
external process 2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-enabled' 'dirsrv at MR-RIC.service' 2015-04-29T13:40:10Z DEBUG Process finished, return code=0 2015-04-29T13:40:10Z DEBUG stdout=enabled 2015-04-29T13:40:10Z DEBUG stderr= 2015-04-29T13:40:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-04-29T13:40:10Z DEBUG Starting external process 2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'disable' 'dirsrv at MR-RIC.service' 2015-04-29T13:40:11Z DEBUG Process finished, return code=0 2015-04-29T13:40:11Z DEBUG stdout= 2015-04-29T13:40:11Z DEBUG stderr=rm '/etc/systemd/system/dirsrv.target.wants/dirsrv at MR-RIC.service' 2015-04-29T13:40:11Z DEBUG duration: 0 seconds 2015-04-29T13:40:11Z DEBUG Done configuring directory server (dirsrv). 2015-04-29T13:40:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-04-29T13:40:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state' 2015-04-29T13:40:11Z DEBUG Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds 2015-04-29T13:40:11Z DEBUG [1/22]: creating certificate server user 2015-04-29T13:40:11Z DEBUG group pkiuser exists 2015-04-29T13:40:11Z DEBUG user pkiuser exists 2015-04-29T13:40:11Z DEBUG duration: 0 seconds 2015-04-29T13:40:11Z DEBUG [2/22]: configuring certificate server instance 2015-04-29T13:40:11Z DEBUG Contents of pkispawn configuration file (/tmp/tmpaUGoKX): [CA] pki_security_domain_name = IPA pki_enable_proxy = True pki_restart_configured_instance = False pki_backup_keys = True pki_backup_password = XXXXXXXX pki_client_database_dir = /tmp/tmp-RwhQYk pki_client_database_password = XXXXXXXX pki_client_database_purge = False pki_client_pkcs12_password = XXXXXXXX pki_admin_name = admin pki_admin_uid = admin pki_admin_email = root at localhost pki_admin_password = XXXXXXXX pki_admin_nickname = ipa-ca-agent pki_admin_subject_dn = cn=ipa-ca-agent,O=MR.RIC pki_client_admin_cert_p12 = /root/ca-agent.p12 
pki_ds_ldap_port = 389 pki_ds_password = XXXXXXXX pki_ds_base_dn = o=ipaca pki_ds_database = ipaca pki_subsystem_subject_dn = cn=CA Subsystem,O=MR.RIC pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=MR.RIC pki_ssl_server_subject_dn = cn=mripa2.mr.ric,O=MR.RIC pki_audit_signing_subject_dn = cn=CA Audit,O=MR.RIC pki_ca_signing_subject_dn = cn=Certificate Authority,O=MR.RIC pki_subsystem_nickname = subsystemCert cert-pki-ca pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca pki_ssl_server_nickname = Server-Cert cert-pki-ca pki_audit_signing_nickname = auditSigningCert cert-pki-ca pki_ca_signing_nickname = caSigningCert cert-pki-ca pki_ca_signing_key_algorithm = SHA256withRSA pki_security_domain_hostname = mripa1.mr.ric pki_security_domain_https_port = 443 pki_security_domain_user = admin pki_security_domain_password = XXXXXXXX pki_clone = True pki_clone_pkcs12_path = /tmp/ca.p12 pki_clone_pkcs12_password = XXXXXXXX pki_clone_replication_security = TLS pki_clone_replication_master_port = 389 pki_clone_replication_clone_port = 389 pki_clone_replicate_schema = False pki_clone_uri = https://mripa1.mr.ric:443 2015-04-29T13:40:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state' 2015-04-29T13:40:11Z DEBUG Starting external process 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX' 2015-04-29T13:40:51Z DEBUG Process finished, return code=1 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmpaUGoKX. Installing CA into /var/lib/pki/pki-tomcat. Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2015-04-29T13:40:51Z DEBUG stderr=pkispawn : ERROR ....... 
Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mripa2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91) 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance raise RuntimeError('Configuration of CA failed') RuntimeError: Configuration of CA failed 2015-04-29T13:40:51Z DEBUG [error] RuntimeError: Configuration of CA failed 2015-04-29T13:40:51Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script return_value = main_function() File "/usr/sbin/ipa-replica-install", line 703, in main CA = cainstance.install_replica_ca(config) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1869, in install_replica_ca subject_base=config.subject_base) File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance self.start_creation(runtime=210) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance raise RuntimeError('Configuration of CA failed') 2015-04-29T13:40:51Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed ----- ----- error log
----- [29/Apr/2015:09:39:26 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [29/Apr/2015:09:39:26 -0400] - check_and_set_import_cache: pagesize: 4096, pages: 471119, procpages: 54357 [29/Apr/2015:09:39:26 -0400] - Import allocates 753788KB import cache. [29/Apr/2015:09:39:27 -0400] - import userRoot: Beginning import job... [29/Apr/2015:09:39:27 -0400] - import userRoot: Index buffering enabled with bucket size 100 [29/Apr/2015:09:39:28 -0400] - import userRoot: Processing file "/var/lib/dirsrv/boot.ldif" [29/Apr/2015:09:39:28 -0400] - import userRoot: Finished scanning file "/var/lib/dirsrv/boot.ldif" (1 entries) [29/Apr/2015:09:39:28 -0400] - import userRoot: Workers finished; cleaning up... [29/Apr/2015:09:39:28 -0400] - import userRoot: Workers cleaned up. [29/Apr/2015:09:39:28 -0400] - import userRoot: Cleaning up producer thread... [29/Apr/2015:09:39:29 -0400] - import userRoot: Indexing complete. Post-processing... [29/Apr/2015:09:39:29 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [29/Apr/2015:09:39:29 -0400] - import userRoot: Generating numSubordinates complete. [29/Apr/2015:09:39:29 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [29/Apr/2015:09:39:29 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [29/Apr/2015:09:39:29 -0400] - Nothing to do to build ancestorid index [29/Apr/2015:09:39:29 -0400] - import userRoot: Created ancestorid index (new idl). [29/Apr/2015:09:39:29 -0400] - import userRoot: Flushing caches... [29/Apr/2015:09:39:29 -0400] - import userRoot: Closing files... [29/Apr/2015:09:39:29 -0400] - All database threads now stopped [29/Apr/2015:09:39:29 -0400] - import userRoot: Import complete. Processed 1 entries in 2 seconds. 
(0.50 entries/sec) [29/Apr/2015:09:39:31 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up [29/Apr/2015:09:39:31 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up [29/Apr/2015:09:39:31 -0400] - Db home directory is not set. Possibly nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the config file. [29/Apr/2015:09:39:31 -0400] - I'm resizing my cache now...cache was 771878912 and is now 6400000 [29/Apr/2015:09:39:32 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [29/Apr/2015:09:39:33 -0400] - The change of nsslapd-ldapilisten will not take effect until the server is restarted [29/Apr/2015:09:39:36 -0400] - Warning: Adding configuration attribute "nsslapd-security" [29/Apr/2015:09:39:37 -0400] - slapd shutting down - signaling operation threads - op stack size 2 max work q size 1 max work q stack size 1 [29/Apr/2015:09:39:37 -0400] - slapd shutting down - waiting for 29 threads to terminate [29/Apr/2015:09:39:37 -0400] - slapd shutting down - closing down internal subsystems and plugins [29/Apr/2015:09:39:37 -0400] - Waiting for 4 database threads to stop [29/Apr/2015:09:39:38 -0400] - All database threads now stopped [29/Apr/2015:09:39:38 -0400] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects [29/Apr/2015:09:39:38 -0400] - slapd stopped. 
[29/Apr/2015:09:39:40 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [29/Apr/2015:09:39:40 -0400] - SSL alert: Configured NSS Ciphers [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:40 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: 
enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [29/Apr/2015:09:39:41 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up [29/Apr/2015:09:39:41 -0400] - I'm resizing my cache now...cache was 6400000 and is now 5120000 [29/Apr/2015:09:39:42 -0400] attrcrypt - No symmetric key found for cipher AES in backend userRoot, attempting to create one... [29/Apr/2015:09:39:42 -0400] attrcrypt - Key for cipher AES successfully generated and stored [29/Apr/2015:09:39:42 -0400] attrcrypt - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one... [29/Apr/2015:09:39:42 -0400] attrcrypt - Key for cipher 3DES successfully generated and stored [29/Apr/2015:09:39:42 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160) [29/Apr/2015:09:39:42 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [29/Apr/2015:09:39:43 -0400] - slapd started. 
Listening on All Interfaces port 389 for LDAP requests [29/Apr/2015:09:39:43 -0400] - Listening on All Interfaces port 636 for LDAPS requests [29/Apr/2015:09:39:43 -0400] - Listening on /var/run/slapd-MR-RIC.socket for LDAPI requests [29/Apr/2015:09:39:44 -0400] - slapd shutting down - signaling operation threads - op stack size 1 max work q size 1 max work q stack size 1 [29/Apr/2015:09:39:44 -0400] - slapd shutting down - waiting for 27 threads to terminate [29/Apr/2015:09:39:44 -0400] - slapd shutting down - closing down internal subsystems and plugins [29/Apr/2015:09:39:44 -0400] - Waiting for 4 database threads to stop [29/Apr/2015:09:39:45 -0400] - All database threads now stopped [29/Apr/2015:09:39:45 -0400] - slapd shutting down - freed 1 work q stack objects - freed 1 op stack objects [29/Apr/2015:09:39:45 -0400] - slapd stopped. [29/Apr/2015:09:39:46 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [29/Apr/2015:09:39:46 -0400] - SSL alert: Configured NSS Ciphers [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:46 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled 
[29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled [29/Apr/2015:09:39:47 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled [29/Apr/2015:09:39:48 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled [29/Apr/2015:09:39:48 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled [29/Apr/2015:09:39:48 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up [29/Apr/2015:09:39:48 -0400] - I'm resizing my cache now...cache was 5120000 and is now 4096000 [29/Apr/2015:09:39:48 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm 
(-1765328160) [29/Apr/2015:09:39:48 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?! [29/Apr/2015:09:39:48 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests [29/Apr/2015:09:39:48 -0400] - Listening on All Interfaces port 636 for LDAPS requests [29/Apr/2015:09:39:48 -0400] - Listening on /var/run/slapd-MR-RIC.socket for LDAPI requests [29/Apr/2015:09:39:50 -0400] NSMMReplicationPlugin - agmt="cn=meTomripa1.mr.ric" (mripa1:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica. [29/Apr/2015:09:39:51 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mr,dc=ric is going offline; disabling replication [29/Apr/2015:09:39:52 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [29/Apr/2015:09:39:55 -0400] - import userRoot: Workers finished; cleaning up... [29/Apr/2015:09:39:55 -0400] - import userRoot: Workers cleaned up. [29/Apr/2015:09:39:55 -0400] - import userRoot: Indexing complete. Post-processing... [29/Apr/2015:09:39:55 -0400] - import userRoot: Generating numsubordinates (this may take several minutes to complete)... [29/Apr/2015:09:39:55 -0400] - import userRoot: Generating numSubordinates complete. [29/Apr/2015:09:39:55 -0400] - import userRoot: Gathering ancestorid non-leaf IDs... [29/Apr/2015:09:39:55 -0400] - import userRoot: Finished gathering ancestorid non-leaf IDs. [29/Apr/2015:09:39:55 -0400] - import userRoot: Creating ancestorid index (new idl)... [29/Apr/2015:09:39:56 -0400] - import userRoot: Created ancestorid index (new idl). [29/Apr/2015:09:39:56 -0400] - import userRoot: Flushing caches... [29/Apr/2015:09:39:56 -0400] - import userRoot: Closing files... [29/Apr/2015:09:39:57 -0400] - import userRoot: Import complete. Processed 422 entries in 5 seconds.
(84.40 entries/sec)
[29/Apr/2015:09:39:57 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=mr,dc=ric is coming online; enabling replication
[29/Apr/2015:09:39:57 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be added before the CoS Definition.
[29/Apr/2015:09:39:57 -0400] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:39:58 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - signaling operation threads - op stack size 3 max work q size 1 max work q stack size 1
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - waiting for 22 threads to terminate
[29/Apr/2015:09:40:03 -0400] - slapd shutting down - closing down internal subsystems and plugins
[29/Apr/2015:09:40:04 -0400] NSMMReplicationPlugin - agmt="cn=meTomripa1.mr.ric" (mripa1:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[29/Apr/2015:09:40:04 -0400] - Waiting for 4 database threads to stop
[29/Apr/2015:09:40:04 -0400] - All database threads now stopped
[29/Apr/2015:09:40:04 -0400] - slapd shutting down - freed 1 work q stack objects - freed 3 op stack objects
[29/Apr/2015:09:40:04 -0400] - slapd stopped.
[29/Apr/2015:09:40:06 -0400] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[29/Apr/2015:09:40:06 -0400] - SSL alert: Configured NSS Ciphers
[29/Apr/2015:09:40:06 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:06 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:06 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[29/Apr/2015:09:40:07 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[29/Apr/2015:09:40:08 -0400] - 389-Directory/1.3.3.1 B2015.118.1941 starting up
[29/Apr/2015:09:40:08 -0400] - I'm resizing my cache now...cache was 10240000 and is now 3276800
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=mr,dc=ric
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - no RDN for ipauniqueid=f0186aa0-eab1-11e4-b498-000c29fa12eb,cn=sudorules,cn=sudo,dc=mr,dc=ric, unsetting domain/map/id "ou=sudoers,dc=mr,dc=ric"/""/("ipauniqueid=f0186aa0-eab1-11e4-b498-000c29fa12eb,cn=sudorules,cn=sudo,dc=mr,dc=ric")
[29/Apr/2015:09:40:09 -0400] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=mr,dc=ric
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target ou=sudoers,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=users,cn=compat,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=mr,dc=ric does not exist
[29/Apr/2015:09:40:09 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be added before the CoS Definition.
[29/Apr/2015:09:40:09 -0400] ipalockout_get_global_config - [file ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
[29/Apr/2015:09:40:09 -0400] ipaenrollment_start - [file ipa_enrollment.c, line 393]: Failed to get default realm?!
[29/Apr/2015:09:40:10 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be added before the CoS Definition.
[29/Apr/2015:09:40:10 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[29/Apr/2015:09:40:10 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[29/Apr/2015:09:40:10 -0400] - Listening on /var/run/slapd-MR-RIC.socket for LDAPI requests
[29/Apr/2015:09:40:10 -0400] - The change of nsslapd-maxdescriptors will not take effect until the server is restarted
-----

----- access log ----
[29/Apr/2015:09:40:11 -0400] conn=3 fd=64 slot=64 connection from 172.25.12.161 to 172.25.12.161
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 SRCH base="o=ipaca" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 UNBIND
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 fd=64 closed - U1
-----

On Wed, Apr 29, 2015 at 12:14 PM, Rob Crittenden wrote:
> Qing Chang wrote:
> > mripa2.mr.ric is the server to be setup as replica. I wonder if the ldap
> > service was available at all at installation stage.
>
> I think we'd need to see the full ipareplica-install.log.
>
> You might also want to see if a ns-slapd process is running and check
> /var/log/dirsrv/slapd-REALM/errors for anything interesting.
>
> rob
>
> >
> > Thanks,
> > Qing
> >
> > On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang wrote:
> >
> > CentOS7.1 with IPA server 4.1.
> >
> > "ipa-replica-install --setup-ca --setup-dns ..." fails with this
> > error message:
> > -----
> > [2/22]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
> > [error] RuntimeError: Configuration of CA failed
> > -----
> >
> > ipareplica-install.log shows this:
> > -----
> > 2015-04-29T13:40:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2015-04-29T13:40:11Z DEBUG Starting external process
> > 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'
> > 2015-04-29T13:40:51Z DEBUG Process finished, return code=1
> > 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmpaUGoKX.
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> >
> > Installation failed.
> >
> >
> > 2015-04-29T13:40:51Z DEBUG stderr=pkispawn : ERROR ....... Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mripa2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91)
> >
> > 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
> > 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
> >     run_step(full_msg, method)
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
> >     method()
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
> >     raise RuntimeError('Configuration of CA failed')
> > RuntimeError: Configuration of CA failed
> > -----
> >
> > I hope this is enough information.
> >
> > Thanks in advance,
> >
> > Qing Chang
> >
> >
> >
> >

From mkosek at redhat.com Wed Apr 29 19:33:51 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 29 Apr 2015 21:33:51 +0200
Subject: [Freeipa-users] FreeIPA WebUI Logout logs back in
In-Reply-To:
References: <553E8E53.6080703@redhat.com> <553FFBFE.1020208@redhat.com> <553FFE26.20006@redhat.com> <55400153.7020600@redhat.com> <1430271089.13607.167.camel@willson.usersys.redhat.com>
Message-ID: <5541321F.4050704@redhat.com>

On 04/29/2015 06:31 PM, Christopher Lamb wrote:
> Hi all
>
> @Craig, and using the WebUI for that purpose is much more user friendly
> than doing the same via a ssh terminal session.
>
> @Simo, as requested I have opened a ticket on this issue
> https://fedorahosted.org/freeipa/ticket/5010
>
> As this is my first Fedora ticket, please forgive me if I didn't do it right
> 8-)

No, you did it perfectly right.
Just Petr Vobornik was faster and created a ticket https://fedorahosted.org/freeipa/ticket/5008. This makes your ticket a duplicate, so I had to close it. But please do not let this hiccup stop you, please continue in discussions, tickets, patches - it's useful! :-)

>
> Cheers
>
> Chris
>
>
>
>
> From: Craig White
> To: Christopher Lamb/Switzerland/IBM at IBMCH, Simo Sorce
> Cc: "freeipa-users at redhat.com"
> Date: 29.04.2015 18:03
> Subject: RE: [Freeipa-users] FreeIPA WebUI Logout logs back in
>
>
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Christopher Lamb
> Sent: Tuesday, April 28, 2015 10:58 PM
> To: Simo Sorce
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
>
> Hi Simo, Dmitri, Rob and co.
>
> Simo's "log in with a different user" suggestion is pretty much what I was
> intending. I want to be able to log out of the web ui, then log back in
> with a different user, e.g. to allow a newly added user to change their
> password to something secret.
>
> On this particular workstation I have no kerberos ticket (double checking
> with klist at the terminal confirms this). I have not saved the password in
> Firefox (checking in the settings confirms this).
>
> I often have ssh sessions open via terminal to the FreeIPA Server, and even
> Apache Directory Studio open to browse the LDAP structure and content. I
> don't see how that can play a role, but I mention it for completeness.
> ----
> Seems that would be a useful option for me too. I normally login as myself
> but there are times when someone comes by and wants to change their
> password and it's easier if they do it on my system sometimes as the
> Kerberos auth prompt confuses them and I can coach them through. Also, I
> occasionally need to login as the primary 'admin' user as some of the
> options (ahem - Sudo rules on version 3.0.0) are not accessible regardless
> of the permissions given.
>
> Craig
>
>
>

From awilisch at gmail.com Thu Apr 30 00:38:50 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Wed, 29 Apr 2015 20:38:50 -0400
Subject: [Freeipa-users] Master level IPA server
Message-ID: <7411239F-2706-428D-8E88-1AE40EEEB7DB@gmail.com>

Is it possible to setup a Master level FreeIPA domain, then have 3 sub level domains use it for authentication?

So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com.

We have 3 different environments that need to stay separated. We were going to have them all authenticate to an Active Directory domain but getting that setup is turning into a real issue. So if possible I would like to have a master level IPA server, then three sub level IPA servers that authenticate against it, then have our Windows Terminal Servers authenticate against it as well if possible.

So if there is documentation on how to set that up I would appreciate a pointer, I haven't been able to find it yet.

Thanks much!

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

From dpal at redhat.com Thu Apr 30 00:57:32 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 29 Apr 2015 20:57:32 -0400
Subject: [Freeipa-users] Master level IPA server
In-Reply-To: <7411239F-2706-428D-8E88-1AE40EEEB7DB@gmail.com>
References: <7411239F-2706-428D-8E88-1AE40EEEB7DB@gmail.com>
Message-ID: <55417DFC.9020501@redhat.com>

On 04/29/2015 08:38 PM, Aric Wilisch wrote:
> Is it possible to setup a Master level FreeIPA domain, then have 3 sub
> level domains use it for authentication?
>
> So master server at say ipa.domain.com, then
> have a secondary zone that is ipa2.sub1.domain.com.
>
> We have 3 different environments that need to stay separated. We were
> going to have them all authenticate to an Active Directory domain but
> getting that setup is turning into a real issue. So if possible I
> would like to have a master level IPA server, then three sub level IPA
> servers that authenticate against it, then have our Windows Terminal
> Servers authenticate against it as well if possible.
>
> So if there is documentation on how to set that up I would appreciate
> a pointer, I haven't been able to find it yet.
>
> Thanks much!
>
> Regards,
> ------------------------------------------
> Aric Wilisch
> awilisch at gmail.com
>
>
>
>
>

You can have one IPA Kerberos realm spanning several zones but the top level domain should be the same as the realm otherwise trust would not work. I think Alexander would have some pointers.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From janellenicole80 at gmail.com Thu Apr 30 03:30:51 2015
From: janellenicole80 at gmail.com (Janelle)
Date: Wed, 29 Apr 2015 20:30:51 -0700
Subject: [Freeipa-users] PWM and IPA
Message-ID: <5541A1EB.3070109@gmail.com>

Hi all,

Just wondering if anyone has put together a guide for integrating PWM with IPA? I know there is a section on 389-ds, but that is kind of raw-389 and not the highly modified-for-IPA 389-ds. I would like to set this up for my users, but really don't want to do it using that guide unless that is what others might suggest?

Any suggestions?
~J

From abokovoy at redhat.com Thu Apr 30 05:03:01 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 30 Apr 2015 08:03:01 +0300
Subject: [Freeipa-users] Master level IPA server
In-Reply-To: <7411239F-2706-428D-8E88-1AE40EEEB7DB@gmail.com>
References: <7411239F-2706-428D-8E88-1AE40EEEB7DB@gmail.com>
Message-ID: <20150430050301.GF11785@redhat.com>

On Wed, 29 Apr 2015, Aric Wilisch wrote:
>Is it possible to setup a Master level FreeIPA domain, then have 3 sub
>level domains use it for authentication?
>
>So master server at say ipa.domain.com, then
>have a secondary zone that is ipa2.sub1.domain.com.
This is possible. As long as DNS domains of IPA do not overlap with DNS domains of Active Directory deployment, or any other Kerberos realm, things should work.

>
>We have 3 different environments that need to stay separated. We were
>going to have them all authenticate to an Active Directory domain but
>getting that setup is turning into a real issue. So if possible I would
>like to have a master level IPA server, then three sub level IPA
>servers that authenticate against it, then have our Windows Terminal
>Servers authenticate against it as well if possible.
You cannot login to Windows machines by authenticating against IPA right now, this is not supported. You can establish cross-forest trust between IPA realm and Active Directory and then login to IPA machines with Active Directory credentials. If this is not what you want, IPA is not yet supporting your case. There aren't enough details to see what your issue is, though.

-- 
/ Alexander Bokovoy

From tbordaz at redhat.com Thu Apr 30 07:29:13 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 30 Apr 2015 09:29:13 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To:
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> <55410FB6.3040600@redhat.com>
Message-ID: <5541D9C9.8000807@redhat.com>

On 04/29/2015 07:15 PM, Andy Thompson wrote:
>
>> -----Original Message-----
>> From: thierry bordaz [mailto:tbordaz at redhat.com]
>> Sent: Wednesday, April 29, 2015 1:07 PM
>> To: Andy Thompson
>> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 06:45 PM, Andy Thompson wrote:
>>
>>
>> -----Original Message-----
>> From: thierry bordaz [mailto:tbordaz at redhat.com]
>> Sent: Wednesday, April 29, 2015 12:28 PM
>> To: Andy Thompson
>> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 05:58 PM, Andy Thompson wrote:
>>
>>
>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: posixgroup
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: ipaobject
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: mepManagedEntry
>> nscpentrywsi: objectClass;vucsn-55364a42000500040000: top
>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> nscpentrywsi: cn;vucsn-55364a42000500040000;mdcsn-55364a42000500040000: gfeigh
>> nscpentrywsi: gidNumber;vucsn-55364a42000500040000: 1249000003
>> nscpentrywsi: description;vucsn-55364a42000500040000: User private group for username
>> nscpentrywsi: mepManagedBy;vucsn-55364a42000500040000: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: creatorsName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> nscpentrywsi: modifiersName;vucsn-55364a42000500040000: cn=Managed Entries,cn=plugins,cn=config
>> nscpentrywsi: createTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> nscpentrywsi: modifyTimestamp;vucsn-55364a42000500040000: 20150421130152Z
>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>> nscpentrywsi: ipaUniqueID;vucsn-55364a42000500040000: 94dc1638-e826-11e4-878a-005056a92af3
>> nscpentrywsi: parentid: 4
>> nscpentrywsi: entryid: 385
>> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
>> nscpentrywsi: nstombstonecsn: 5540deb8000300030000
>> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: entryusn: 52327
>>
>> thought I tried that before, apparently not.
>> >> ok, so we have the entry on one server, the >> csn of the >> objectclass: >> tombstone is : >> >> objectClass;vucsn-5540deb8000300030000: >> nsTombstone >> >> , which matches the csn in the error log: >> >> Consumer failed to replay change (uniqueid >> 7e1a1f87- >> e82611e4-99f1b343- >> f0abc1a8, CSN 5540deb8000300030000): >> Operations error (1) >> so the state of >> the entry is as expected. >> >> Now we nend to find it on the other server. If >> the search for >> the & filter with >> nstombstone does return nothing, could you >> try >> >> >> If I run ldapsearch -LLL -o ldif-wrap=no -H >> ldap://mdhixnpipa01 -x -D >> "cn=directory manager" -W -b "dc=mhbenp,dc=lin" >> "(&(objectclass=nstombstone))" I get below. If I add >> nsuniqueid to the filter >> it returns nothing on the primary server >> >> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343- >> >> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin >> memberOf: >> cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin >> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b- >> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin >> ipaNTSecurityIdentifier: S-1-5-21-1257946092- >> 587846975-4124201916- >> 1003 >> krbLastSuccessfulAuth: 20150421180533Z >> krbPasswordExpiration: 20150720180532Z >> userPassword:: >> >> e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3 >> U3lrMTJ >> >> ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NX >> piWVh >> qTXQxUT09 >> krbExtraData:: >> AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA== >> krbPrincipalKey:: >> >> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMB >> mgAwIB >> >> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF >> 2hLTC5E >> >> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A >> >> 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd >> >> mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQ >> WTt++y/l >> >> bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5 >> QLkxJT >> mdmZWlnaKFBMD >> >> +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz >> >> 
xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJ >> FTlAuTEl >> >> OZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7 >> CFCi4qZ >> jwMj1cTwzD1FH6/IbmDSvRMUVw8wE= >> krbLoginFailedCount: 0 >> krbTicketFlags: 128 >> krbLastPwdChange: 20150421180532Z >> krbLastFailedAuth: 20150421180457Z >> mepManagedEntry: >> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin >> displayName: user name >> cn: User Name >> objectClass: ipaobject >> objectClass: person >> objectClass: top >> objectClass: ipasshuser >> objectClass: inetorgperson >> objectClass: organizationalperson >> objectClass: krbticketpolicyaux >> objectClass: krbprincipalaux >> objectClass: inetuser >> objectClass: posixaccount >> objectClass: ipaSshGroupOfPubKeys >> objectClass: mepOriginEntry >> objectClass: ipantuserattrs >> objectClass: nsTombstone >> loginShell: /bin/bash >> initials: GF >> gecos: User Name >> homeDirectory: /home/username >> uid: username >> mail: username at mhbenp.lin >> >> >> krbPrincipalName: username at MHBENP.LIN >> >> >> >> givenName: User >> sn: name >> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3 >> uidNumber: 1249000003 >> gidNumber: 1249000003 >> nsParentUniqueId: 3763f192-e76411e4-99f1b343- >> f0abc1a8 >> >> >> >> In fact, nsuniqueid does not appear in this entry. It is a >> distinguished RDN but >> is missing. Did you run the command with 'nscpentrywsi' >> requested attribute. >> May be nsuniqueid was hidden for that reason but I would >> be surprised. >> >> nsuniqueid is a key element of replication. I wonder how >> replication can find >> the entry itself. nsuniqueid could be in the index but then >> the entry is >> corrupted. 
>> >> >> >> >> If I request the nscpentrywsi attribute I get >> >> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343- >> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343- >> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: modifyTimestamp;adcsn- >> 5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z >> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn- >> 5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn- >> 5540be0c000200040000: TRUE >> nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn- >> 5537c2f5000200040000: >> cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: >> ipaUniqueID=3897c894-e764-11e4-b05b- >> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin >> nscpentrywsi: ipaNTSecurityIdentifier;adcsn- >> 5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092- >> 587846975-4124201916-1003 >> nscpentrywsi: krbLastSuccessfulAuth;adcsn- >> 55369202000100040000;vucsn-55369202000100040000: 20150421180533Z >> nscpentrywsi: passwordGraceUserTime;adcsn- >> 55369200000400040000;vucsn-55369200000400040000: 0 >> nscpentrywsi: krbPasswordExpiration;adcsn- >> 55369200000200040006;vucsn-55369200000200040006: 20150720180532Z >> nscpentrywsi: userPassword;adcsn-55369200000200040005;vucsn- >> 55369200000200040005: >> {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+ >> KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q== >> nscpentrywsi: krbExtraData;adcsn-55369200000200040004;vucsn- >> 55369200000200040004:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA== >> nscpentrywsi: krbPrincipalKey;adcsn-55369200000200040003;vucsn- >> 55369200000200040003:: >> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB >> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E >> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh >> 
89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIB >> EaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaI >> WW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAw >> IBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEX >> PlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooT >> kwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1 >> FH6/IbmDSvRMUVw8wE= >> nscpentrywsi: krbLoginFailedCount;adcsn- >> 55369200000200040002;vucsn-55369200000200040002: 0 >> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn- >> 55369200000200040001: 128 >> nscpentrywsi: krbLastPwdChange;adcsn- >> 55369200000200040000;vucsn-55369200000200040000: 20150421180532Z >> nscpentrywsi: krbLastFailedAuth;adcsn- >> 553691dd000000040000;vucsn-553691dd000200040003: 20150421180457Z >> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: >> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: displayName;vucsn-55364a42000100040000: >> UserName >> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> inetorgperson >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> organizationalperson >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> krbticketpolicyaux >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> krbprincipalaux >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> posixaccount >> nscpentrywsi: objectClass;vucsn-55364a42000100040000: >> ipaSshGroupOfPubKeys >> nscpentrywsi: objectClass;vucsn-55364a42000600040000: >> mepOriginEntry >> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: >> ipantuserattrs >> 
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: >> nsTombstone >> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash >> nscpentrywsi: initials;vucsn-55364a42000100040000: GF >> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName >> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: >> /home/username >> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn- >> 55364a42000100040000: username >> nscpentrywsi: mail;vucsn-55364a42000100040000: >> username at mhbenp.lin >> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: >> username at MHBENP.LIN >> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg >> nscpentrywsi: sn;vucsn-55364a42000100040000: Name >> nscpentrywsi: creatorsName;vucsn-55364a42000100040000: >> uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: >> 20150421130152Z >> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8 >> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06- >> e826-11e4-878a-005056a92af3 >> nscpentrywsi: parentid: 3 >> nscpentrywsi: entryid: 385 >> nscpentrywsi: uidNumber: 1249000003 >> nscpentrywsi: gidNumber: 1249000003 >> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343- >> f0abc1a8 >> nscpentrywsi: nstombstonecsn: 5540deb8000000030000 >> nscpentrywsi: nscpEntryDN: >> uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin >> nscpentrywsi: entryusn: 57524 >> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn- >> 55369200000500040000;deletedattribute;deleted: >> >> >> Ok, so here is my understanding: >> on the second replica (where you succeed to do 'ipa user-del ' ) >> the entry is looking: > Sorry that was from the replica where I tried to do the delete and failed. This is from the second replica where I successfully deleted the entry but now has the "failed to replay change" error being logged. 
I've run so many queries I'm starting to lose track :) difficult to keep following track with replication :-) You got a first replica where you failed to delete the entry. You got a second replica where you succeeded to delete the entry. On first replica you can see messages like: [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1 On the second replica you can see messages like: [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later. On the first replica, you had difficulties to retrieve the entry and finally had to remove 'nsuniqueid' from the filter to retrieve this entry dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin ... nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ... nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8 ... On the second replica you can the entry: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin ... nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ... nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8 Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82.. while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ... It differs '2' instead of '7'. So this is not the same entry (from replication point of view). 
The error reported in the first replica was about Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...

The error reported in the second replica was also about Consumer failed to replay change (uniqueid 7e1a1f87...

So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.
Although it could be two entries having the same DN but that was deleted, added and then deleted again.

The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
May be you can retrieve it with its (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))

thanks
thierry

>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
> nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
> nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
> nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
> nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
> nscpentrywsi: userPassword;adcsn-55369200000200040004;vucsn-55369200000200040004: {SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
> nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
> nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
> nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
> nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
> nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
> nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
> nscpentrywsi: initials;vucsn-55364a42000100040000: GF
> nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
> nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
> nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
> nscpentrywsi: mail;vucsn-55364a42000100040000: username at mhbenp.lin
> nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: username at MHBENP.LIN
> nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
> nscpentrywsi: sn;vucsn-55364a42000100040000: Name
> nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 3
> nscpentrywsi: entryid: 384
> nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
> nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
> nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52322
> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>>
>>
>> On the first replica (where you failed to delete the entry and where you can see the replication errors)
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>>
>>
>> This is not the same entry. It is like two entries with the same 'uid' were created.
>> Also note that those two entries were deleted on the same replica (replica ID=3: likely the second replica) almost at the same time.
>>
>> The error is logged on the first replica about "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com".
>>
>> So I think the entry you dumped on the first replica, is not the one we were looking at.
>> The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should exist, but was not returned by the search.

From mkosek at redhat.com Thu Apr 30 10:10:36 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 30 Apr 2015 12:10:36 +0200
Subject: [Freeipa-users] PWM and IPA
In-Reply-To: <5541A1EB.3070109@gmail.com>
References: <5541A1EB.3070109@gmail.com>
Message-ID: <5541FF9C.6000608@redhat.com>

On 04/30/2015 05:30 AM, Janelle wrote:
> Hi all,
>
> Just wondering if anyone has put together a guide for integrating PWM with IPA? I know there is a section on 389-ds, but that is kind of raw-389 and not the highly modified-for-IPA 389-ds. I would like to set this up for my users, but really don't want to do it using that guide unless that is what others might suggest?
>
> Any suggestions?
We have this page with our take on self-service password reset:
https://www.freeipa.org/page/Self-Service_Password_Reset

And we also have a ticket for implementing pwm-like capability in FreeIPA:
https://fedorahosted.org/freeipa/ticket/3611

This ticket may be worked on in near future, we have a candidate for the work. You may add yourself to CC of this ticket if you are interested for updates.

From Andy.Thompson at e-tcc.com Thu Apr 30 10:41:08 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 30 Apr 2015 10:41:08 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <5541D9C9.8000807@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540CF04.9010300@redhat.com> <39c3d0fff3104fce847db60727607423@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> <55410FB6.3040600@redhat.com> <5541D9C9.8000807@redhat.com>
Message-ID: <7fb45cc879614e03a38d11a48fe4a1ef@TCCCORPEXCH02.TCC.local>

> You got a first replica where you failed to delete the entry.
> You got a second replica where you succeeded to delete the entry.
>
> On first replica you can see messages like:
>
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
>
> On the second replica you can see messages like:
>
> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
>
>
> On the first replica, you had difficulties to retrieve the entry and finally had to remove 'nsuniqueid' from the filter to retrieve this entry
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> ...
>
>
> On the second replica you can see the entry:
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
> ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>
>
> Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82.. while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
>
> It differs '2' instead of '7'. So this is not the same entry (from replication point of view).
>
> The error reported in the first replica was about Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...
>
>
> The error reported in the second replica was also about Consumer failed to replay change (uniqueid 7e1a1f87...
>
>
> So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.

It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.

Is there any way to find the root cause of this? And is it normal that individual group objects are not created for users? I thought I remembered reading somewhere that they were derived and not static entries? The few accounts I have on there were created in the web interface, most of my users are all trust users.

> Although it could be two entries having the same DN but that was deleted, added and then deleted again.
>
> The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
> May be you can retrieve it with its
> (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
>
>
> thanks
> thierry

From pvoborni at redhat.com Thu Apr 30 10:52:03 2015
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 30 Apr 2015 12:52:03 +0200
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
In-Reply-To:
References:
Message-ID: <55420953.90805@redhat.com>

On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>
> Hi All
>
> I too am suffering from the infamous Web ui error "Your session has expired. Please re-login." using from browser(s) on remote client(s), similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An "Old", soon to be decommissioned v3.0.0, on OEL 6.5
> The "new" instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc)
> Very sporadically one of the above browsers will "let me in" - If I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12
>
> If I enter a wrong password, I correctly get "The password or username you entered is incorrect.", + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

Do the machines with browsers have synchronized time with IPA servers? If a client machine with browser is 20min+ in a future compared to IPA server, the browser will treat ipa_session cookie as expired because its validity is auth_time + 20 min.
Could you enable server debug logging [1] and send me entries from httpd/error_log and krb5kdc.log which were added upon Web UI forms-based auth with correct username and password?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik

From tbordaz at redhat.com Thu Apr 30 10:54:53 2015
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 30 Apr 2015 12:54:53 +0200
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <7fb45cc879614e03a38d11a48fe4a1ef@TCCCORPEXCH02.TCC.local>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> <55410FB6.3040600@redhat.com> <5541D9C9.8000807@redhat.com> <7fb45cc879614e03a38d11a48fe4a1ef@TCCCORPEXCH02.TCC.local>
Message-ID: <554209FD.8020104@redhat.com>

On 04/30/2015 12:41 PM, Andy Thompson wrote:
>> You got a first replica where you failed to delete the entry.
>> You got a second replica where you succeeded to delete the entry.
>>
>> On first replica you can see messages like:
>>
>> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
>>
>> On the second replica you can see messages like:
>>
>> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
>>
>>
>> On the first replica, you had difficulties to retrieve the entry and finally had to remove 'nsuniqueid' from the filter to retrieve this entry
>>
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>> ...
>>
>>
>> On the second replica you can see the entry:
>>
>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> ...
>> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
>> ...
>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>>
>>
>> Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82.. while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
>>
>> It differs '2' instead of '7'. So this is not the same entry (from replication point of view).
>>
>> The error reported in the first replica was about Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87...
>>
>>
>> The error reported in the second replica was also about Consumer failed to replay change (uniqueid 7e1a1f87...
>>
>>
>> So I think the entry you dumped on the first replica is not (should not be) the one we are looking for.
> It appears that f82 is the user object and f87 is the group object. So you are right, I don't think f82 is what we were looking for, it just happened to have the username in it when I grepped without filtering the uniqueid. I'm not sure why it was having problems with the user group object, but I don't have individual group objects showing up for any local accounts I've created.

You are right. I think the private group of a user is/should be deleted at the same time when you delete a user.

>
> All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box yesterday and the error has not shown since. So I'm not sure if it was because of the minor upgrade or cycling the daemon.

The logs gave a lot of information but without a test case it could be difficult to identify the RC. Now as I mentioned I hit (with a non systematic test case) another bug when deleting a user. It was impossible to remove the entry/group. In this bug I tested on standalone instance but on replicated topology I wonder if it could have the same symptom.

>
> Is there any way to find the root cause of this? And is it normal that individual group objects are not created for users? I thought I remembered reading somewhere that they were derived and not static entries? The few accounts I have on there were created in the web interface, most of my users are all trust users.
>
>> Although it could be two entries having the same DN but that was deleted, added and then deleted again.
>>
>> The difficulty is to retrieve it (on the first replica) as we cannot specify its 'nsuniqueid' to retrieve it.
>> May be you can retrieve it with its
>> (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
>>
>>
>> thanks
>> thierry
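The diagnosis in this thread rests on two things: replication identifies an entry by its nsUniqueId rather than its DN, and the CSN stamped on a tombstone tells you which replica ID deleted it and when. The Python below is an added example, not code from the thread or from 389-ds; it parses nscpentrywsi dump lines like the ones quoted above (a constructed, abridged copy of the two tombstones) and decodes the CSN fields, assuming the 389-ds CSN layout of 8 hex digits of Unix timestamp, 4 of sequence number, 4 of replica ID and 4 of subsequence.

```python
import re
from datetime import datetime, timezone

# Assumed 389-ds CSN layout: 8 hex digits Unix timestamp, 4 sequence,
# 4 replica ID, 4 subsequence, e.g. 5540deb8 0003 0003 0000.
CSN_RE = re.compile(r"^([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{4})([0-9a-fA-F]{4})$")

# Constructed, abridged copies of the two tombstones quoted in the thread:
# the user entry seen on the first replica (with mail quoting kept) and the
# private group seen on the second replica.
FIRST_REPLICA_ENTRY = """\
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
> nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
> nscpentrywsi: krbExtraData;adcsn-55369200000200040003;vucsn-55369200000200040003:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb8000000030000
> nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
"""

SECOND_REPLICA_ENTRY = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
"""


def parse_csn(csn):
    """Split a CSN into its fields. The replica ID says which master
    originated the change; the timestamp is the CSN generator's clock,
    which may run a little ahead of wall-clock time."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("not a 389-ds CSN: %r" % csn)
    ts, seq, rid, subseq = (int(g, 16) for g in m.groups())
    return {"time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "seq": seq, "rid": rid, "subseq": subseq}


def parse_nscpentrywsi(text):
    """Parse 'nscpentrywsi:' lines (mail '>' quoting tolerated) into
    {attribute_lower: [(value, {option: csn_or_True})]}.
    Options such as vucsn-<csn> (value CSN) or adcsn-<csn> ride on the
    attribute description; '::' marks a base64 value, which is not decoded."""
    entry = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line.startswith("nscpentrywsi:"):
            continue
        body = line[len("nscpentrywsi:"):].strip()
        desc, _, value = body.partition(":")
        if value.startswith(":"):
            value = "<base64>"
        else:
            value = value.strip()
        attr, *options = desc.split(";")
        tags = {}
        for opt in options:
            name, dash, csn = opt.partition("-")
            tags[name] = csn if dash else True
        entry.setdefault(attr.lower(), []).append((value, tags))
    return entry


def tombstone_summary(text):
    """Identify a tombstone by nsUniqueId and decode when and on which
    replica it was deleted, from nstombstonecsn or, failing that, from the
    value CSN stamped on the nsTombstone objectClass."""
    entry = parse_nscpentrywsi(text)
    if "nsuniqueid" not in entry:
        raise ValueError("dump has no nsUniqueId")
    uid = entry["nsuniqueid"][0][0].lower()
    csn = None
    if "nstombstonecsn" in entry:
        csn = entry["nstombstonecsn"][0][0]
    else:
        for value, tags in entry.get("objectclass", []):
            if value.lower() == "nstombstone":
                csn = tags.get("vucsn")
    if csn is None:
        raise ValueError("entry %s is not a tombstone" % uid)
    fields = parse_csn(csn)
    return {"nsuniqueid": uid, "tombstone_csn": csn,
            "deleted_on_rid": fields["rid"], "deleted_at": fields["time"]}


def same_replicated_entry(a, b):
    """Replication matches entries by nsUniqueId, never by DN."""
    return a["nsuniqueid"] == b["nsuniqueid"]


if __name__ == "__main__":
    first = tombstone_summary(FIRST_REPLICA_ENTRY)
    second = tombstone_summary(SECOND_REPLICA_ENTRY)
    for label, s in (("first replica", first), ("second replica", second)):
        print("%s: %s deleted on replica %d at %s" % (
            label, s["nsuniqueid"], s["deleted_on_rid"], s["deleted_at"].isoformat()))
    print("same entry for replication:", same_replicated_entry(first, second))
```

Both tombstones decode to replica ID 3 within the same second, which is the observation thierry makes above, while the differing nsUniqueId values show they are two distinct entries.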
From lkrispen at redhat.com Thu Apr 30 11:36:16 2015
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 30 Apr 2015 13:36:16 +0200
Subject: [Freeipa-users] thousands DSRetroclPlugin mesages
In-Reply-To: <5540FE12.7060302@fahrendorf.de>
References: <553CA688.9040009@fahrendorf.de> <553DE905.3080108@redhat.com> <5540D9DA.9040507@fahrendorf.de> <5540DFE7.9030208@redhat.com> <5540FE12.7060302@fahrendorf.de>
Message-ID: <554213B0.5090604@redhat.com>

On 04/29/2015 05:51 PM, Martin (Lists) wrote:
> On 29.04.2015 at 15:43, Ludwig Krispenz wrote:
>> On 04/29/2015 03:17 PM, Martin (Lists) wrote:
>>> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
>>>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
>>>>> Hello
>>>>>
>>>>> after a reboot I get almost a thousand of the following messages:
>>>>>
>>>>> DSRetroclPlugin - delete_changerecord: could not delete change record
>>>>> 128755 (rc: 32)
>>>> this message comes from changelog trimming and means that an entry,
>>>> which should be purged does not exist (any more).
>>>> the retrocl maintains a first/lastchange and trimming starts at
>>>> firstchange. if for some reason (race ?) there is an attempt to try to
>>>> delete the same entry a second time this message should be logged.
>>>> since the changenumbers in the error message increase, I think
>>>> changelog trimming moves forward. you could do searches on
>>>> "cn=changelog" to verify that trimming works.
>>> changelog is part of the ldbm database plugin and contains several
>>> pieces of information I don't understand (or understand partially). What
>>> kind of information should I look for?
>> the changelog keeps track of the changes applied to the database, a
>> typical entry looks like:
>> dn: changenumber=4,cn=changelog
>> objectClass: top
>> objectClass: changelogentry
>> changeNumber: 4
>> targetDn: cn=tuser,ou=people,dc=example,dc=com
>> changeTime: 20140411093444Z
>> changeType: delete
> OK, I looked in the wrong directory.
> Now I have found many changelog
> entries, starting with number 152926 and ending with 155512 (ldapsearch
> states 2588 numEntries). Should that be that much?
>
> The oldest is about two and a half days old and it does not change
> within the last few minutes.
>
>> each entry gets a DN made up from the changenumber, so your entries will
>> be named:
>> ....
>> dn: changenumber=61,cn=changelog
>> dn: changenumber=62,cn=changelog
>> dn: changenumber=63,cn=changelog
>> dn: changenumber=64,cn=changelog
>> ....
>> changenumbers start and are always incremented, changelog trimming
>> removes old entries (depending on config).
>>
>> so if you do a search like:
>> ldapsearch .................. -b "cn=changelog"
>> the changenumber of the first entry returned should always increase,
>> indicating that trimming works.
> As it seems my trimming is broken, at least partially. Is there
> something I can adjust?
no, it seems to be ok, IPA configures the "changelog maxage" as 2d, so if
changelog trimming runs, it removes changes older than two days, then it
"sleeps" for this time and then runs again, so the changes could pile up to
four days, then get trimmed and so on ...
>
>> you said "thousands" of messages, how frequent are they really ?
> On every reboot I got these messages. I do not get them during normal
> operation.
how frequently do you reboot ? maybe you only see the trimming after startup
>
> Something odd I observed after the last two reboots: ns-slapd runs my
> hard disk for several minutes (about 15 minutes) after the reboot. This
> is the time it takes to log all these change record messages.
>
> Kindly
> Martin
>

From Andy.Thompson at e-tcc.com Thu Apr 30 12:31:04 2015
From: Andy.Thompson at e-tcc.com (Andy Thompson)
Date: Thu, 30 Apr 2015 12:31:04 +0000
Subject: [Freeipa-users] deleting ipa user
In-Reply-To: <554209FD.8020104@redhat.com>
References: <33d9b6a68f2e45d98b4b96b84a973c33@TCCCORPEXCH02.TCC.local> <5540D92B.5080800@redhat.com> <5540DAF8.5050202@redhat.com> <73f14f0a552c430287fce6007f456f3f@TCCCORPEXCH02.TCC.local> <5540E598.8000902@redhat.com> <02dbb08ff03944ad9c1f753f3d2c2d64@TCCCORPEXCH02.TCC.local> <5540EA71.3070602@redhat.com> <0651d0d2bc9749e8b13b85772dd247e4@TCCCORPEXCH02.TCC.local> <5540EFCC.40900@redhat.com> <4fe3dfe261b140a2909d0d7428f25c90@TCCCORPEXCH02.TCC.local> <5540F1A1.6050501@redhat.com> <40190450ad2f455e9add8cd3b64c63ee@TCCCORPEXCH02.TCC.local> <5540F866.8090400@redhat.com> <83cdb7ccd4d34362a78e6f33cd81cf9d@TCCCORPEXCH02.TCC.local> <5540FCF4.8070606@redhat.com> <1c36c58d3c564cae80cc61ac7cbd4f42@TCCCORPEXCH02.TCC.local> <55410681.4020004@redhat.com> <638f1a52be4e4da3bb047c31cf290f5e@TCCCORPEXCH02.TCC.local> <55410FB6.3040600@redhat.com> <5541D9C9.8000807@redhat.com> <7fb45cc879614e03a38d11a48fe4a1ef@TCCCORPEXCH02.TCC.local> <554209FD.8020104@redhat.com>
Message-ID:

> > It appears that f82 is the user object and f87 is the group object. So you are
> > right, I don't think f82 is what we were looking for, it just happened to have
> > the username in it when I grepped without filtering the uniqueid. I'm not
> > sure why it was having problems with the user group object, but I don't have
> > individual group objects showing up for any local accounts I've created.
> You are right. I think the private group of a user is/should be deleted at the
> same time when you delete a user.
>

Is it normal that private groups do not show up in the user group listing or with ipa group-find commands? I thought I remembered seeing them on a freeipa 3 installation but I've checked a couple 4 installs and they don't show up.
I just had a random issue a little bit ago with another account: when I checked the user groups in the web interface it popped up with an unknown error dialog. I have not been able to reproduce it again and don't see anything in the error logs or access log which would indicate any problems.

> > All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box
> > yesterday and the error has not shown since. So I'm not sure if it was
> > because of the minor upgrade or cycling the daemon.
> The logs gave a lot of information but without a test case it could be difficult
> to identify the RC.
> Now as I mentioned I hit (with a non systematic test case) another bug when
> deleting a user. It was impossible to remove the entry/group. In this bug I
> tested on standalone instance but on replicated topology I wonder if it could
> have the same symptom.
>

I've not been able to reproduce the issue in my sandbox environment so I'm not sure. It is also replicated.

-andy

From christopher.lamb at ch.ibm.com Thu Apr 30 12:39:12 2015
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 30 Apr 2015 14:39:12 +0200
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
In-Reply-To: <55420953.90805@redhat.com>
References: <55420953.90805@redhat.com>
Message-ID:

Hi Petr

Thanks, we solved this issue and reported that back on this thread. The troubleshooting guide has even been updated as a result.

https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html

Your suggestion has however hit the nail on the head - the problem was clock skew between the Server hosting freeIPA and the workstations.

Ironically, before installing freeIPA server we had no clock skew - clients and workstation clocks were within seconds. Post freeIPA install, the server was suddenly 2 hours in the future.
This seems to be because freeIPA had replaced the ntpd server entries in the ntp.conf file. After reverting to our standard ntp.conf for a VM and restarting ntpd the clock skew vanished, as did the "Your session has expired" error on the Web UI.

The 2 hours time difference was probably a result of the difference between UTC and European Summer Time. It will likely be familiar to anybody who has configured FIX interfaces in Europe.

Chris

b.t.w, the above applies to our new 4.1.0 installation. We get the same "session has expired" error from our 3.0.0 freeIPA installation that we will decommission shortly. On that machine the cause is not clock skew.

From: Petr Vobornik
To: Christopher Lamb/Switzerland/IBM at IBMCH, freeipa-users at redhat.com
Date: 30.04.2015 12:52
Subject: Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using from browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/

Do the machines with browsers have synchronized time with IPA servers? If a client machine with browser is 20min+ in the future compared to IPA server, the browser will treat ipa_session cookie as expired because its validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from httpd/error_log and krb5kdc.log which were added upon Web UI forms-based auth with correct username and password?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug
-- 
Petr Vobornik

From awilisch at gmail.com Thu Apr 30 12:56:17 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Thu, 30 Apr 2015 08:56:17 -0400
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
Message-ID: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com>

Is there a trick to getting a user's SSH key that's attached to their FreeIPA account to work on RHEL 5 servers? Users can ssh into the RHEL 6 clients with no issues but they still get prompted for their passwords on the RHEL 5 server, so it's not pushing down their ssh keys.

Thanks!
Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

From mkosek at redhat.com Thu Apr 30 13:13:44 2015
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 30 Apr 2015 15:13:44 +0200
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
In-Reply-To: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com>
References: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com>
Message-ID: <55422A88.3090202@redhat.com>

On 04/30/2015 02:56 PM, Aric Wilisch wrote:
> Is there a trick to getting a user's SSH key that's attached to their FreeIPA account to work on RHEL 5 servers? Users can ssh into the RHEL 6 clients with no issues but they still get prompted for their passwords on the RHEL 5 server, so it's not pushing down their ssh keys.
>
> Thanks!
>
> Regards,
> ------------------------------------------
> Aric Wilisch
> awilisch at gmail.com

Well, RHEL-5's latest build should be sssd-1.5.1-71.el5, but the SSH public key support was added in SSSD 1.8:

https://fedorahosted.org/sssd/ticket/610

So I do not know any way besides upgrading to RHEL-6/RHEL-7 or backporting the SSSD 1.8+ yourself (which I do not expect to be an easy task).

Martin

From jhrozek at redhat.com Thu Apr 30 13:34:54 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2015 15:34:54 +0200
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
In-Reply-To: <55422A88.3090202@redhat.com>
References: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com> <55422A88.3090202@redhat.com>
Message-ID: <20150430133454.GH2791@hendrix>

On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
> > Is there a trick to getting a user's SSH key that's attached to their FreeIPA account to work on RHEL 5 servers?
> > Users can ssh into the RHEL 6 clients with no issues but they still get prompted for their passwords on the RHEL 5 server, so it's not pushing down their ssh keys.
> >
> > Thanks!
> >
> > Regards,
> > ------------------------------------------
> > Aric Wilisch
> > awilisch at gmail.com
>
> Well, RHEL-5's latest build should be sssd-1.5.1-71.el5, but the SSH public key
> support was added in SSSD 1.8:
>
> https://fedorahosted.org/sssd/ticket/610
>
> So I do not know any way besides upgrading to RHEL-6/RHEL-7 or backporting the
> SSSD 1.8+ yourself (which I do not expect to be an easy task).

The 1.9 branch should build and work on RHEL-5. The newer branches might not (iow, upstream dropped RHEL-5 support).

From abokovoy at redhat.com Thu Apr 30 13:41:09 2015
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 30 Apr 2015 16:41:09 +0300
Subject: [Freeipa-users] [WARNING] Trusts are broken in Fedora 22
Message-ID: <20150430134109.GK11785@redhat.com>

Hi,

If you are eager to try Fedora 22 beta and overall try FreeIPA in Fedora 22, be aware that trusts to Active Directory are currently broken due to Samba 4.2.1 update in Fedora 22.

I've pushed build [1] of Samba today that at least allows Samba processes to start properly but establishing trust will fail due to changes in Samba client libraries.

I'm investigating the reason for the issues and hope to get them fixed before Fedora 22 final freeze comes.
[1] https://admin.fedoraproject.org/updates/samba-4.2.1-7.fc22
-- 
/ Alexander Bokovoy

From lslebodn at redhat.com Thu Apr 30 14:32:30 2015
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 30 Apr 2015 16:32:30 +0200
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
In-Reply-To: <20150430133454.GH2791@hendrix>
References: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com> <55422A88.3090202@redhat.com> <20150430133454.GH2791@hendrix>
Message-ID: <20150430143230.GA17722@mail.corp.redhat.com>

On (30/04/15 15:34), Jakub Hrozek wrote:
>On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
>> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
>> > [...]
>>
>> Well, RHEL-5's latest build should be sssd-1.5.1-71.el5, but the SSH public key
>> support was added in SSSD 1.8:
>>
>> https://fedorahosted.org/sssd/ticket/610
>>
>> So I do not know any way besides upgrading to RHEL-6/RHEL-7 or backporting the
>> SSSD 1.8+ yourself (which I do not expect to be an easy task).
>
>The 1.9 branch should build and work on RHEL-5.
>
But IIRC openssh-server should be patched as well.
LS

From jhrozek at redhat.com Thu Apr 30 14:42:42 2015
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 30 Apr 2015 16:42:42 +0200
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
In-Reply-To: <20150430143230.GA17722@mail.corp.redhat.com>
References: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com> <55422A88.3090202@redhat.com> <20150430133454.GH2791@hendrix> <20150430143230.GA17722@mail.corp.redhat.com>
Message-ID: <20150430144242.GJ2791@hendrix>

On Thu, Apr 30, 2015 at 04:32:30PM +0200, Lukas Slebodnik wrote:
> On (30/04/15 15:34), Jakub Hrozek wrote:
> >On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
> >> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
> >> > [...]
> >>
> >> Well, RHEL-5's latest build should be sssd-1.5.1-71.el5, but the SSH public key
> >> support was added in SSSD 1.8:
> >> [...]
> >
> >The 1.9 branch should build and work on RHEL-5.
> >
> But IIRC openssh-server should be patched as well.

Perhaps, you definitely need the AuthorizedKeysCommand and similar. Honza might know best..
At any rate, upgrading from RHEL-5 to something recent is a good idea :-)

From awilisch at gmail.com Thu Apr 30 19:36:44 2015
From: awilisch at gmail.com (Aric Wilisch)
Date: Thu, 30 Apr 2015 15:36:44 -0400
Subject: [Freeipa-users] RHEL5 clients not getting ssh key
In-Reply-To: <20150430144242.GJ2791@hendrix>
References: <9C35F52F-CFD7-4254-B928-509C9BC2BAA5@gmail.com> <55422A88.3090202@redhat.com> <20150430133454.GH2791@hendrix> <20150430143230.GA17722@mail.corp.redhat.com> <20150430144242.GJ2791@hendrix>
Message-ID:

I wish I could, but unfortunately these are RHEL 5 because the client has not yet upgraded their software to work on 6 or 7, so I'm stuck with a RHEL 5 infrastructure for awhile. As long as it authenticates and sudo works we may just have to live with the keys not working.

Thanks for the info though. I might try 1.9 and see if that fixes the problem.

Regards,
------------------------------------------
Aric Wilisch
awilisch at gmail.com

> On Apr 30, 2015, at 10:42 AM, Jakub Hrozek wrote:
>
> On Thu, Apr 30, 2015 at 04:32:30PM +0200, Lukas Slebodnik wrote:
>> On (30/04/15 15:34), Jakub Hrozek wrote:
>>> On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
>>>> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
>>>>> [...]
>>>>
>>>> Well, RHEL-5's latest build should be sssd-1.5.1-71.el5, but the SSH public key
>>>> support was added in SSSD 1.8:
>>>> [...]
>>>
>>> The 1.9 branch should build and work on RHEL-5.
>>>
>> But IIRC openssh-server should be patched as well.
>
> Perhaps, you definitely need the AuthorizedKeysCommand and similar.
> Honza might know best..
>
> At any rate, upgrading from RHEL-5 to something recent is a good idea
> :-)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From wgraboyes at cenic.org Thu Apr 30 19:51:49 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Thu, 30 Apr 2015 12:51:49 -0700
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <5536C761.7090704@redhat.com>
References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com>
Message-ID: <554287D5.5090702@cenic.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

The end goal is to eliminate self signed certs from user interaction with FreeIPA, without having to roll out changes to each user in the house (and remote locations). So basically changing the CA to a trusted CA that will not "scare" the users with "Site security cannot be verified, return to safety."

The problem with the CN is that when it is read from the CSR the CN="Certificate Authority", which is not an acceptable CN according to the tool we use for generating certs. The tool we use expects a CN of something along the lines of example.com.

Thanks,
Bill

On 4/21/15 2:55 PM, Rob Crittenden wrote:
> William Graboyes wrote:
>> Hi List,
>>
>> I am having yet another issue, when I run the following command:
>> ipa-cacert-manage renew --external-ca
>>
>> It does output the CSR, however the CN is not a valid name
>> (Certificate Authority). Is it possible to change the output of
>> this command to use an external CA that requires a proper common
>> name to be in the CSR?
>>
>> What I am trying to do is change from the internal self signed
>> certs to an external CA signing system.
>>
>
> What isn't valid about the name?
>
> This would make the IPA CA a subordinate of the external CA. Is
> that what you want?
>
> rob
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVQofVAAoJEJFMz73A1+zrIysP+QFRo04UdfWhJxfWSkkG+0Ig
1kMqQuTN3/ee4AQ/g6rqMUhCPbWTh5MeM2vMf346hrEyq1m/1EpCflj3OfF0Rk6u
S5k4rJBatglaGBWwjp1bufgLBrFveLNrVVDBE4tAb4+Ss8sQbT+2rgdVKuyNiVU0
msPGpNDh9XaL5neXbzUyo2sJ1tVV0ltwI6St58dF1EhqwVSTm62+tkpixoMez2FX
JEuSvOQMk0k29Sox3kNW4SQB+/lkv3IveEe/gow0PoRQNom9jsR04tjFJn7rB8mo
T0BrKB0jVbvjqwzhB8OHzijmnQZG4Jg2y10uxju+6wKTWibMZh9XT67K53zwE4Cg
jNRuRf1Ukei/R8e4HggICKLlFdSjb/aBSQESNhwdCosUlT6XGrZVNjNz3TRQaAtM
E4eYny9kdcAfOBaafMjViPJPxJf+98X9x3VbIxdKmSOZzi9rSelZetuK7w9hpn7q
rJxHyy363PhzwDfEmBfbnXE2nmVWVYONwb8KI0E66fCs2ilH9ElqwG/eBpFDxI5M
e10d50QrCHn2UkNbHAV6sQVgIYeGoJT34dAT6jRqUvF02tH1bcIWakqZrjgyw0wh
4VBpKnh3jmDC+sKv++7AeAccxqY73Y83lhy00xuXckiLDoS3d1CLlpQtpWl9cFrp
URRCyh9IDBo6sgMrm2Sn
=vz3J
-----END PGP SIGNATURE-----

From rcritten at redhat.com Thu Apr 30 20:44:43 2015
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 30 Apr 2015 16:44:43 -0400
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <554287D5.5090702@cenic.org>
References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com> <554287D5.5090702@cenic.org>
Message-ID: <5542943B.5030105@redhat.com>

William Graboyes wrote:
> Hi list,
>
> The end goal is to eliminate self signed certs from user interaction
> with FreeIPA, without having to roll out changes to each user in the
> house (and remote locations). So basically changing the CA to a
> trusted CA that will not "scare" the users with "Site security
> cannot be verified, return to safety."
>
> The problem with the CN is that when it is read from the CSR the
> CN="Certificate Authority".
> Which is not an acceptable CN according
> to the tool we use for generating certs. The tool we use expects a CN
> of something along the lines of example.com.

That sounds odd. The CN of a CA doesn't represent a machine or a specific domain, it represents itself. Granted Certificate Authority isn't all that unique a name either, but it's what we defaulted to, IIRC based on the dogtag defaults.

Changing it might have other odd side-effects too as it's hardcoded in a few other places. I'm not exactly sure what would break, if anything.

It sounds like your tool is issuing a server cert, not a CA cert. A server cert traditionally has used cn=FQDN,. That doesn't really apply to a CA.

So it's changeable if you hack some installer code, but there be dragons.

rob

>
> Thanks,
> Bill
>
> On 4/21/15 2:55 PM, Rob Crittenden wrote:
>> William Graboyes wrote:
>>> [...]
>
>> What isn't valid about the name?
>
>> This would make the IPA CA a subordinate of the external CA. Is
>> that what you want?
>
>> rob
>
>

From wgraboyes at cenic.org Thu Apr 30 20:50:18 2015
From: wgraboyes at cenic.org (William Graboyes)
Date: Thu, 30 Apr 2015 13:50:18 -0700
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <5542943B.5030105@redhat.com>
References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com> <554287D5.5090702@cenic.org> <5542943B.5030105@redhat.com>
Message-ID: <5542958A.3070102@cenic.org>

Let me ask this a different way.
What is the easiest method of using a trusted third party cert for the web UI?

Running IPA 4.1.0 on Centos 7.

Thanks,
Bill

On 4/30/15 1:44 PM, Rob Crittenden wrote:
> William Graboyes wrote:
> > [...]
>
> That sounds odd. The CN of a CA doesn't represent a machine or a
> specific domain, it represents itself. Granted Certificate Authority
> isn't all that unique a name either, but it's what we defaulted to, IIRC
> based on the dogtag defaults.
>
> Changing it might have other odd side-effects too as it's hardcoded in a
> few other places. I'm not exactly sure what would break, if anything.
>
> It sounds like your tool is issuing a server cert, not a CA cert. A
> server cert traditionally has used cn=FQDN,. That
> doesn't really apply to a CA.
>
> So it's changeable if you hack some installer code, but there be dragons.
>
> rob
>
> > [...]
> >>> [...]
>

From dpal at redhat.com Thu Apr 30 21:45:45 2015
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 30 Apr 2015 17:45:45 -0400
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <5542958A.3070102@cenic.org>
References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com> <554287D5.5090702@cenic.org> <5542943B.5030105@redhat.com> <5542958A.3070102@cenic.org>
Message-ID: <5542A289.9070105@redhat.com>

On 04/30/2015 04:50 PM, William Graboyes wrote:
> Let me ask this a different way.
>
> What is the easiest method of using a trusted third party cert for the web UI?

Make IPA CA-less with just certs from that 3rd party CA installed or make IPA trust that CA and be a sub CA.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-ca-options

>
> Running IPA 4.1.0 on Centos 7.
>
> Thanks,
> Bill
> On 4/30/15 1:44 PM, Rob Crittenden wrote:
>> William Graboyes wrote:
>>> [...]
>> That sounds odd.
>> The CN of a CA doesn't represent a machine or a
>> specific domain, it represents itself.
>> [...]
>> So it's changeable if you hack some installer code, but there be dragons.
>>
>> rob
>>> [...]

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

From benjamen at dollarshaveclub.com Thu Apr 30 22:28:54 2015
From: benjamen at dollarshaveclub.com (Benjamen Keroack)
Date: Thu, 30 Apr 2015 15:28:54 -0700
Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command
In-Reply-To: <5542A289.9070105@redhat.com>
References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com> <554287D5.5090702@cenic.org> <5542943B.5030105@redhat.com> <5542958A.3070102@cenic.org> <5542A289.9070105@redhat.com>
Message-ID:

With respect, neither option is realistic in the common case.
Unless I'm mistaken, a CA-less installation will break in ~1 year when host certificates expire and are not automatically renewed via certmonger. Option 2 (sub-CA) is, as far as I can tell, also not feasible since no public CA will sell subordinate CA certificates commercially. At least not that I can find.

In our case, the only option is to resign ourselves to using self-signed certificates for the UI. End users can import IPA CA root cert if they choose.

On Thu, Apr 30, 2015 at 2:45 PM, Dmitri Pal wrote:

> On 04/30/2015 04:50 PM, William Graboyes wrote:
>
>> Let me ask this a different way.
>>
>> What is the easiest method of using a trusted third party cert for the
>> web UI?
>>
>
> Make IPA CA-less with just certs from that 3rd party CA installed or make
> IPA trust that CA and be a sub CA.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-ca-options
>
>> Running IPA 4.1.0 on Centos 7.
>>
>> Thanks,
>> Bill
>> On 4/30/15 1:44 PM, Rob Crittenden wrote:
>>
>>> William Graboyes wrote:
>>>
>>>> [...]
>>>>
>>> That sounds odd. The CN of a CA doesn't represent a machine or a
>>> specific domain, it represents itself.
Granted Certificate Authority >>> isn't all that unique a name either, but it's what we defaulted to, IIRC >>> based on the dogtag defaults. >>> >>> Changing it might have other odd side-effects too as it's hardcoded in a >>> few other places. I'm not exactly sure what would break, if anything. >>> >>> It sounds like your tool is issuing a server cert, not a CA cert. A >>> server cert traditionally has used cn=FQDN,. That >>> doesn't really apply to a CA. >>> >>> So it's changeable if you hack some installer code, but there be dragons. >>> >>> rob >>> >>>> Thanks, >>>> Bill >>>> >>>> On 4/21/15 2:55 PM, Rob Crittenden wrote: >>>> >>>>> William Graboyes wrote: >>>>> >>>>>> Hi List, >>>>>> >>>>>> I am having yet another issue, when I run the following command: >>>>>> ipa-cacert-manage renew --external-ca >>>>>> >>>>>> It does output the CSR, however the CN is not a valid name >>>>>> (Certificate Authority). Is it possible to change the output of >>>>>> this command to use an external CA that requires a proper common >>>>>> name to be in the CSR? >>>>>> >>>>>> What I am trying to do is change from the internal self signed >>>>>> certs to an external CA signing system. >>>>>> >>>>>> What isn't valid about the name? >>>>> This would make the IPA CA a subordinate of the external CA. Is >>>>> that what you want? >>>>> rob >>>>> >>>> >>>> >>>> > > -- > Thank you, > Dmitri Pal > > Director of Engineering for IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Benjamen Keroack *Infrastructure/DevOps Engineer* benjamen at dollarshaveclub.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From wgraboyes at cenic.org Thu Apr 30 22:52:33 2015 From: wgraboyes at cenic.org (William Graboyes) Date: Thu, 30 Apr 2015 15:52:33 -0700 Subject: [Freeipa-users] Common Name for the ipa-cacert-manage command In-Reply-To: References: <5536C111.1000706@cenic.org> <5536C761.7090704@redhat.com> <554287D5.5090702@cenic.org> <5542943B.5030105@redhat.com> <5542958A.3070102@cenic.org> <5542A289.9070105@redhat.com> Message-ID: <5542B231.6060104@cenic.org> I have to agree with Benjamen here. I guess it is time to get deep into API documentation. This is a hell of a lot of hoops to jump through just so that users who don't have shell access can easily change their passwords without having to see a scare page. Distributing the IPA CA is not an option at this point, as we have a very odd desktop support model. I thought all of this was to be fixed in 4.1, which is why I went 4.1... and now nothing has changed... and I am back to square 1. This is the only, and I am serious here, the only gating factor for FreeIPA going into production. The self-signed certs on the UI. It really isn't safe or secure to tell users to "Just trust the self signed cert." You create an easy vector for users to get sucked into a phishing trap. Next question, Has anyone made or documented an external password change program for freeipa? On 4/30/15 3:28 PM, Benjamen Keroack wrote: > With respect, neither option is realistic in the common case. Unless I'm > mistaken, a CA-less installation will break in ~1 year when host > certificates expire and are not automatically renewed via certmonger. > Option 2 (sub-CA) is, as far as I can tell, also not feasible since no > public CA will sell subordinate CA certificates commercially. At least not > that I can find. > > In our case, the only option is to resign ourselves to using self-signed > certificates for the UI. End users can import IPA CA root cert if they > choose. 
> > On Thu, Apr 30, 2015 at 2:45 PM, Dmitri Pal wrote: > > > On 04/30/2015 04:50 PM, William Graboyes wrote: > > > >> Let me ask this a different way. > >> > >> What is the easiest method of using a trusted third party cert for the > >> web UI? > >> > > > > Make IPA CA-less with just certs from that 3rd party CA installed or make > > IPA trust that CA and be a sub CA. > > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-ca-options > > > > > > > >> Running IPA 4.1.0 on Centos 7. > >> > >> Thanks, > >> Bill > >> On 4/30/15 1:44 PM, Rob Crittenden wrote: > >> > >>> William Graboyes wrote: > >>> > >>>> Hi list, > >>>> > >>>> The end goal is to eliminate self signed certs from user interaction > >>>> with FreeIPA, without having to roll out changes to each user in the > >>>> house (and remote locations). So basically changing the CA to a > >>>> trusted CA that will not bring "scare" the users with "Site security > >>>> cannot be verified, return to safety." > >>>> > >>>> The problem with the CN is that when it is read from the CSR the > >>>> CN="Certificate Authority". Which is not an acceptable CN according > >>>> to the tool we use for generating certs, The tool we use expects a CN > >>>> of something along the lines of example.com. > >>>> > >>> That sounds odd. The CN of a CA doesn't represent a machine or a > >>> specific domain, it represents itself. Granted Certificate Authority > >>> isn't all that unique a name either, but it's what we defaulted to, IIRC > >>> based on the dogtag defaults. > >>> > >>> Changing it might have other odd side-effects too as it's hardcoded in a > >>> few other places. I'm not exactly sure what would break, if anything. > >>> > >>> It sounds like your tool is issuing a server cert, not a CA cert. A > >>> server cert traditionally has used cn=FQDN,. That > >>> doesn't really apply to a CA. 
> >>> > >>> So it's changeable if you hack some installer code, but there be dragons. > >>> > >>> rob > >>> > >>>> Thanks, > >>>> Bill > >>>> > >>>> On 4/21/15 2:55 PM, Rob Crittenden wrote: > >>>> > >>>>> William Graboyes wrote: > >>>>> > >>>>>> Hi List, > >>>>>> > >>>>>> I am having yet another issue, when I run the following command: > >>>>>> ipa-cacert-manage renew --external-ca > >>>>>> > >>>>>> It does output the CSR, however the CN is not a valid name > >>>>>> (Certificate Authority). Is it possible to change the output of > >>>>>> this command to use an external CA that requires a proper common > >>>>>> name to be in the CSR? > >>>>>> > >>>>>> What I am trying to do is change from the internal self signed > >>>>>> certs to an external CA signing system. > >>>>>> > >>>>>> What isn't valid about the name? > >>>>> This would make the IPA CA a subordinate of the external CA. Is > >>>>> that what you want? > >>>>> rob > >>>>> > >>>> > >>>> > >>>> > > > > -- > > Thank you, > > Dmitri Pal > > > > Director of Engineering for IdM portfolio > > Red Hat, Inc. > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > > > >
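The distinction Rob draws in the quoted replies (a CA certificate's CN names the CA itself, a server certificate's CN names a host) is what the poster's external signing tool got wrong: it judged a CA request by server-certificate rules. The script below is an added example, not code from the FreeIPA project or from anyone in this thread. It builds two constructed CSRs with openssl, one shaped like the request `ipa-cacert-manage renew --external-ca` emits (CN=Certificate Authority, basicConstraints CA:TRUE) and one for a made-up host `ipa.example.test`, and shows the check an intake tool should run first: read the requested basicConstraints, then decide whether the CN is appropriate for that kind of request. The `-addext` option it relies on exists in OpenSSL 1.1.1 and later; the organization and hostname values are invented.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): classify a CSR as a CA
# request or a server request before judging its CN.  Both CSRs are
# constructed here; EXAMPLE.TEST and ipa.example.test are made-up names.
# Needs an openssl that understands "-addext" (1.1.1 or newer).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the CSR "ipa-cacert-manage renew --external-ca"
# produces: the subject names the CA itself and asks for CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -batch \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# Constructed server CSR of the kind the poster's tool was built for:
# CN is the FQDN, no CA flag, and the name is repeated in a SAN.
openssl req -new -newkey rsa:2048 -nodes -batch \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
    -addext "basicConstraints=CA:FALSE" \
    -addext "subjectAltName=DNS:ipa.example.test" 2>/dev/null

# Print the CN of a CSR's subject.  RFC 2253 ordering lists the most
# specific RDN first, so CN comes before O and the sed can strip the rest.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -e 's/^subject= *//' -e 's/^CN=//' -e 's/,.*$//'
}

# Exit 0 when the CSR requests a CA certificate (basicConstraints CA:TRUE).
csr_is_ca() {
    openssl req -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# What a signing front end should do: decide the request type from the
# requested extensions, and only then apply the naming rule for that type.
# A CA request carrying a hostname-style CN would be just as suspicious as
# a server request carrying "Certificate Authority".
classify_csr() {
    if csr_is_ca "$1"; then
        echo "ca-request cn=$(csr_cn "$1")"
    else
        echo "server-request cn=$(csr_cn "$1")"
    fi
}

classify_csr "$WORK/ca.csr"        # ca-request cn=Certificate Authority
classify_csr "$WORK/server.csr"    # server-request cn=ipa.example.test
```

Run it as-is to see both classifications; point `classify_csr` at the CSR file `ipa-cacert-manage` writes to inspect the real request before handing it to an external CA. Signing a CA:TRUE request makes the IPA CA a subordinate of the external CA, as Rob notes in the quoted text, so the front end should treat such a request as a policy decision rather than a name-format problem.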