<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I don't know if this will be informative or not, but:<br>
<br>
<tt># strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com</tt><tt><br>
</tt><tt>--------------</tt><tt><br>
</tt><tt>1 host matched</tt><tt><br>
</tt><tt>--------------</tt><tt><br>
</tt><tt>
Host name: zw129.damascusgrp.com</tt><tt><br>
</tt><tt> :</tt><tt><br>
</tt><tt> :</tt><tt><br>
</tt><tt>#</tt><br>
<br>
I then found this pattern occurring a number of times within the
(17564 line) output file:<br>
<tt><br>
</tt><tt>4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...></tt><tt><br>
</tt><tt>4237 <... close resumed> ) = 0</tt><tt><br>
</tt><tt>4229 <... mmap resumed> ) =
0x7f936aad2000<br>
4229 read(13, <unfinished ...><br>
4237 dup2(7, 0) = 0</tt><br>
<tt>4237 dup2(10, 1) = 1<br>
</tt><tt>4237 dup2(12, 2) = 2<br>
4237 close(7) = 0</tt><br>
<tt>4237 close(10) = 0<br>
</tt><tt>4237 close(12) = 0<br>
</tt><tt>4237 close(3) = 0<br>
</tt><tt>4237 close(4) = 0<br>
</tt><tt>4237 close(5) = 0<br>
</tt><tt>4237 close(6) = 0<br>
</tt><tt>4237 close(7) = -1 EBADF (Bad
file descriptor)<br>
</tt><tt>4237 close(8) = -1 EBADF (Bad
file descriptor)<br>
</tt><tt>4237 close(9) = -1 EBADF (Bad
file descriptor)<br>
</tt><tt>4237 close(10) = -1 EBADF (Bad
file descriptor)<br>
:<br>
: Continues for a thousand entries or so, then<br>
:<br>
</tt><tt>4237 close(1022) = -1 EBADF (Bad
file descriptor)<br>
</tt><tt>4237 close(1023) = -1 EBADF (Bad
file descriptor)<br>
4237 execve("/bin/keyctl", ["keyctl", "padd", "user",
<a class="moz-txt-link-rfc2396E" href="mailto:ipa_session_cookie:admin@DAMASCUSGRP.COM">"ipa_session_cookie:admin@DAMASCUSGRP.COM"</a>, "@s"], [/* 27 vars */]
<unfinished ...><br>
</tt><br>
Interesting, or just noise?<br>
<br>
<br>
<div class="moz-cite-prefix">On 02/21/2014 02:50 PM, Bret Wortman
wrote:<br>
</div>
<blockquote
cite="mid:911FBF07-2E6C-4E79-8D06-E739FBF60425@damascusgrp.com"
type="cite">
<pre wrap="">D'oh! I'm blaming Friday. Didn't think to heck. Will try Monday.
Bret Wortman
<a class="moz-txt-link-freetext" href="http://bretwortman.com/">http://bretwortman.com/</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/BretWortman">http://twitter.com/BretWortman</a>
</pre>
<blockquote type="cite">
<pre wrap="">On Feb 21, 2014, at 2:13 PM, Mauricio Tavares <a class="moz-txt-link-rfc2396E" href="mailto:raubvogel@gmail.com"><raubvogel@gmail.com></a> wrote:
On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman
<a class="moz-txt-link-rfc2396E" href="mailto:bret.wortman@damascusgrp.com"><bret.wortman@damascusgrp.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Bizarre.
# strace -f -o /tmp/out ipa help
Usage: ipa [global-options] COMMAND [command-options]
:
:
:
# ipa help
Connection to ipamaster closed.
$
</pre>
</blockquote>
<pre wrap=""> When you logged back in, did /tmp/out have anything interesting?
</pre>
<blockquote type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">On 02/21/2014 01:36 PM, Rob Crittenden wrote:
Bret Wortman wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
I'm getting ready to leave for the weekend, and this isn't the kind of
thing I want to track down on a Friday, but if anyone has any ideas for
things I should look at come Monday morning, I'd be very appreciative.
I've got a system with 12 replicas, and no matter which IPA server I log
into and try to run "ipa" CLI commands on (even "ipa help"), I get my
session terminated. I also tried from a client system that has the
ipatools rpm installed, and in that case I got bounced out of my sudo'd
root session.
I need to figure this out because something's obviously amiss, and we
have discovered a number of systems that are lacking Kerberos keys. I
was hoping the CLI would provide the mechanism to get them fixed. We're
also trying to track down a 6-10 second delay every time a user logs in
using SSSD to authenticate; the password check passes almost instantly,
but something is taking up an additional bunch of time and my users are
starting to complain. So I need to get past this so I can debug that.
Thanks, and have a great weekend, all.
</pre>
</blockquote>
<pre wrap="">
For the life of me I can't figure out what the ipa command might do that
would log you out. I think brute force might be a way to go with this:
strace -f o /tmp/out ipa help
Then go back in and see what happened.
As for login delay you may want to pick a client system and bump up the
sssd debug level and see if that provides any clues.
rob
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
</blockquote>
<br>
</body>
</html>