From Steven.Jones at vuw.ac.nz Sun Jul 1 20:44:13 2012
From: Steven Jones <Steven.Jones at vuw.ac.nz>
Date: Sun, 1 Jul 2012 20:44:13 +0000
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCDA236@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I've just done NFS this week (I think); just testing now. You add the key to the list.... the admin guide should have the command.

To look at the keytab list, use ktutil. Here are my ones:

========
[root at vuwunicorh6ws04 ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
   1    1 host/vuwunicorh6ws04.ods.vuw.ac.nz at ODS.VUW.AC.NZ
8><--------
   8    2 nfs/vuwuniconfsipa1.ods.vuw.ac.nz at ODS.VUW.AC.NZ
ktutil: quit
[root at vuwunicorh6ws04 ~]#
========

So to add, I seem to have done this:

( echo rkt /root/nfs-client.keytab; echo wkt /etc/krb5.keytab) |ktutil

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of george he [george_he7 at yahoo.com]
Sent: Saturday, 30 June 2012 2:18 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] nfs server

Hello all,

Now I have an ipa server and a few ipa clients set up. I need to set up an nfs server on one of the ipa-clients. I'm following the instructions here
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
where at 8.c and 8.d, it says

scp /tmp/krb5.keytab root at nfs.example.com:/etc/krb5.keytab
and
scp /tmp/krb5.keytab root at client.example.com:/etc/krb5.keytab

But the file /etc/krb5.keytab already exists on both of the ipa-server and the nfs-server. Should I just over-write the existing keytabs?
Thanks,
George

From Steven.Jones at vuw.ac.nz Sun Jul 1 20:47:11 2012
From: Steven Jones <Steven.Jones at vuw.ac.nz>
Date: Sun, 1 Jul 2012 20:47:11 +0000
Subject: [Freeipa-users] nfs server
In-Reply-To: <1340992992.14199.20.camel@willson.li.ssimo.org>
References: <1340979481.44487.YahooMailNeo@web120006.mail.ne1.yahoo.com> <1340979891.14199.2.camel@willson.li.ssimo.org> <1340981125.6049.YahooMailNeo@web120001.mail.ne1.yahoo.com> <1340981584.14199.9.camel@willson.li.ssimo.org> <1340982489.4831.YahooMailNeo@web120003.mail.ne1.yahoo.com>, <1340992992.14199.20.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCDA25D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Except that wouldn't work for me; I had to scp the keys after creating them on the IPA server.

8><--------
The best way to ensure keys are properly handled is to retrieve them directly on the target machine, and only there.

Simo.

From natxo.asenjo at gmail.com Sun Jul 1 21:03:12 2012
From: Natxo Asenjo <natxo.asenjo at gmail.com>
Date: Sun, 1 Jul 2012 23:03:12 +0200
Subject: [Freeipa-users] nfs4 acl
In-Reply-To: <11451.90.178.156.11.1341175164.squirrel@webmail.s3group.com>
References: <4FEE2658.8090300@redhat.com> <11451.90.178.156.11.1341175164.squirrel@webmail.s3group.com>
Message-ID:

On Sun, Jul 1, 2012 at 10:39 PM, wrote:
> In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world
> that can provide you with true NFSv4 ACLs (remember to turn them on
> using options nfs.v4.acl = on).
> The nasty hack Rob mentioned will only provide you with POSIX ACLs mapped
> to the NFSv4 ACLs - which will consequently cripple down the whole ACLs
> the NFS server is providing.
>
> So if you want nice, fully fledged NFSv4 ACLs, go to a Netapp or Solaris
> based NFSv4 server. Forget about Linux.
>

ok, thanks for confirming what I was already thinking. We do have Netapp (and very happy customers, I must say).
When you say 'Solaris based' do you mean nexenta/openindiana? That still is a very nice choice to have; it would be great to have a linux based one, but still.

--
natxo

From Steven.Jones at vuw.ac.nz Sun Jul 1 21:28:18 2012
From: Steven Jones <Steven.Jones at vuw.ac.nz>
Date: Sun, 1 Jul 2012 21:28:18 +0000
Subject: [Freeipa-users] nfs4 acl
In-Reply-To:
References: <4FEE2658.8090300@redhat.com> <11451.90.178.156.11.1341175164.squirrel@webmail.s3group.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCDCA49@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Do not buy the Sun/Oracle NAS 7xxx series, however; it is a pile of doggy doo doo. We can't even get 86% uptime on it................ripping it out at present.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Monday, 2 July 2012 9:03 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] nfs4 acl

On Sun, Jul 1, 2012 at 10:39 PM, wrote:

In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world that can provide you with true NFSv4 ACLs (remember to turn them on using options nfs.v4.acl = on).
The nasty hack Rob mentioned will only provide you with POSIX ACLs mapped to the NFSv4 ACLs - which will consequently cripple down the whole ACLs the NFS server is providing.

So if you want nice, fully fledged NFSv4 ACLs, go to a Netapp or Solaris based NFSv4 server. Forget about Linux.

ok, thanks for confirming what I was already thinking. We do have Netapp (and very happy customers, I must say).

When you say 'Solaris based' do you mean nexenta/openindiana? That still is a very nice choice to have; it would be great to have a linux based one, but still.
--
natxo

From Steven.Jones at vuw.ac.nz Sun Jul 1 21:41:56 2012
From: Steven Jones <Steven.Jones at vuw.ac.nz>
Date: Sun, 1 Jul 2012 21:41:56 +0000
Subject: [Freeipa-users] adding new users in the ui
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CCDCA6F@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Just adding a new user in the web ui and I like the changes to the dialogue box :D

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From ondrejv at s3group.cz Mon Jul 2 08:02:57 2012
From: Ondrej Valousek <ondrejv at s3group.cz>
Date: Mon, 02 Jul 2012 10:02:57 +0200
Subject: [Freeipa-users] nfs4 acl
In-Reply-To:
References: <4FEE2658.8090300@redhat.com> <11451.90.178.156.11.1341175164.squirrel@webmail.s3group.com>
Message-ID: <4FF155B1.1000906@s3group.cz>

On 07/01/2012 11:03 PM, Natxo Asenjo wrote:
> On Sun, Jul 1, 2012 at 10:39 PM, wrote:
>
>     In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world
>     that can provide you with true NFSv4 ACLs (remember to turn them on
>     using options nfs.v4.acl = on).
>     The nasty hack Rob mentioned will only provide you with POSIX ACLs mapped
>     to the NFSv4 ACLs - which will consequently cripple down the whole ACLs
>     the NFS server is providing.
>
>     So if you want nice, fully fledged NFSv4 ACLs, go to a Netapp or Solaris
>     based NFSv4 server. Forget about Linux.
>
>
> ok, thanks for confirming what I was already thinking. We do have Netapp (and very happy customers, I must say).
>
> When you say 'Solaris based' do you mean nexenta/openindiana? That still is a very nice choice to have; it would be great to have a linux
> based one, but still.
>
> --
> natxo

The real problem is that no Linux filesystem I am aware of can store NFSv4 ACLs natively - there are some patches for ext4, but I doubt they made their way into production. The future seems to be richacl-friendly filesystems, but I do not know anything about that either.

The only filesystem that can store NFSv4 ACLs is Sun's ZFS, so you should be able to build your own NFS server based on OpenSolaris or some clones.

Actually, you might want to check this: http://www.bestbits.at/richacl/ to see if your kernel has this patch - if yes, there is quite a good chance you could do it on Linux, too.

Ondrej

From ondrejv at s3group.com Sun Jul 1 20:39:24 2012
From: ondrejv at s3group.com
Date: Sun, 1 Jul 2012 21:39:24 +0100 (IST)
Subject: [Freeipa-users] nfs4 acl
In-Reply-To: <4FEE2658.8090300@redhat.com>
References: <4FEE2658.8090300@redhat.com>
Message-ID: <11451.90.178.156.11.1341175164.squirrel@webmail.s3group.com>

In fact, Netapp is (sadly to say) the only NFSv4 server in the whole world that can provide you with true NFSv4 ACLs (remember to turn them on using options nfs.v4.acl = on).
The nasty hack Rob mentioned will only provide you with POSIX ACLs mapped to the NFSv4 ACLs - which will consequently cripple down the whole ACLs the NFS server is providing.

So if you want nice, fully fledged NFSv4 ACLs, go to a Netapp or Solaris based NFSv4 server. Forget about Linux.

Ondrej

> Natxo Asenjo wrote:
>> hi,
>>
>> I followed the instructions here
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html
>> and they worked flawlessly.
>>
>> Is it possible to use acls on nfs4 with a rhel 6 nfs server? if that is
>> not possible, is it possible to use a netapp filer as nfs4 server with
>> acl support for rhel 6 clients?
>
> Here is documentation about RHEL 6 and NFS ACLs.
> I don't know if it works with netapp:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

From rcritten at redhat.com Mon Jul 2 21:28:30 2012
From: Rob Crittenden <rcritten at redhat.com>
Date: Mon, 02 Jul 2012 17:28:30 -0400
Subject: [Freeipa-users] Announcing FreeIPA v3.0.0 beta 1 Release
Message-ID: <4FF2127E.6080206@redhat.com>

The FreeIPA team is proud to announce version FreeIPA v3.0.0 beta 1.

It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available in the Fedora rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeipa-devel.repo . To install in Fedora 17 the updates-repo repository needs to be enabled as well.

For additional information see the AD Trust design page http://freeipa.org/page/IPAv3_AD_trust and the AD Trust testing page http://freeipa.org/page/IPAv3_testing_AD_trust.
== Highlights in 3.0.0 ==

* Support for AD Trust
* Per-domain DNS permissions
* DNS persistent search enabled by default, new zones are seen immediately
* New DNS resolver library
* Migration improvements
* The last administrator cannot be removed
* Forms-based password reset
* Redesigned action panels in UI
* Sessions for command-line users
* Tool to configure automount client, ipa-client-automount

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully, but new features will not be available on old servers, and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 should work but has not been fully tested. Proceed with caution.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

== Detailed changelog including 2.2.0 ==

The development of 3.0 occurred simultaneously with 2.2.0 so there is some overlap.

Adam Young (10):
* enable proxy for dogtag
* split metadata call
* Make mod_nss renegotiation configuration a public function
* Execute pki proxy setup when server is upgraded if needed
* Force the upgrade of pki-setup when upgrading the RPMS
* Fix dynamic display of UI tabs based on rights
* remove enrolled column
* Add priority to pwpolicy list
* Remove delegation from browser config
* ignore generated services file.
Alexander Bokovoy (61):
* Propagate environment when it is required.
* Incorrect name in examples of ipa help hbactest
* Unroll groups when testing HBAC rules
* Convert server install code to platform-independent access to system services
* Convert client-side tools to platform-independent access to system services
* Convert installation tools to platform-independent access to system services
* Cleanup whitespace
* Introduce platform-specific adaptation for services used by FreeIPA.
* When external host is specified in HBAC rule, allow its use in simulation
* Unroll StrEnum values when displaying help
* Configure pam_krb5 on the client only if sssd is not configured
* Setup and restore ntp configuration on the client side properly
* Fix 'referenced before assignment' warning
* Before kinit, try to sync time with the NTP servers of the domain we are joining
* Increase number of 'getent passwd attempts' to 10
* Force kerberos realm to be a string
* Include indirect membership and canonicalize hosts during HBAC rules testing
* Refactor backup_and_replace_hostname() into a flexible config modification tool
* Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool
* Refactor authconfig use in ipa-client-install
* Document --preserve-sssd option of ipa-client-install
* Use set class instead of dictview class as set is more widely supported
* hbactest fails while you have svcgroup in hbacrule
* Add support for systemd environments and use it to support Fedora 16
* Spin for connection success also when socket is not (yet) available
* Update spec file to use systemd on Fedora 16 and above
* Quote multiple workers option
* Check for Python.h during build of py_default_encoding extension
* Add configure check for libintl.h
* Create directories for client install
* Add "Extending FreeIPA" developer guide
* Small fix to the guide CSS: enable vertical scroll bar
* Rename included snippets to avoid problems with pylint
* Fix dependency for samba4-devel package
* Merge branch 'master' of git+ssh://git.fedorahosted.org/git/freeipa
* Check through all LDAP servers in the domain during IPA discovery
* Validate sudo RunAsUser/RunAsGroup arguments
* Allow hbactest to work with HBAC rules exceeding default IPA limits
* Add management of inifiles to allow manipulation of systemd units
* Handle upgrade issues with systemd in Fedora 16 and above
* Adapt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore
* When changing multiple booleans with setsebool, pass each of them separately.
* Add separate attribute to store trusted domain SID
* Use dedicated keytab for Samba
* Add trust management for Active Directory trusts
* Use fully qualified PDC name when contacting for extended DN information
* Perform case-insensitive searches for principals on TGS requests
* Properly handle multiple IP addresses per host when installing trust support
* Restart KDC after installing trust support to allow MS PAC generation
* Add trust-related ACIs
* get_fqdn() moved to ipaserver.installutils
* ipa-sam: update sid_to_id() interface to follow passdb API changes in Samba
* Add python-crypto to build requires for AD server-side code
* Move AD trust support code to freeipa-server-trust-ad subpackage
* restart dirsrv as part of ipa-adtrust-install
* Re-format ipa-adtrust-install final message to be within 80 characters wide
* Use correct SID attribute for trusted domains
* Rename 'ipa trust-add-ad' to 'ipa trust-add --type=ad'
* Support requests for DOMAIN$ account for trusted domains in ipasam module
* Add error condition handling to the SASL bind callback in ipasam
* Add support for external group members

Endi S. Dewata (105):
* Fixed browser configuration pages
* Hide activation/deactivation link from regular users.
* Fixed problem selecting value from combobox
* Fixed inconsistent layout for password reset dialog.
* Removed 'Hide already enrolled' checkbox.
* Replaced page dirty dialog title.
* Updated add and delete association dialog titles.
* Removed unnecessary HBAC/sudo rule category modification.
* Fixed command partial failure handling.
* Fixed default map type in automount map adder dialog.
* Fixed host OTP status.
* Fixed host keytab status after setting OTP.
* Fixed host adder dialog to show default DNS zone.
* Fixed hard-coded UI messages.
* Fixed problem adding hostgroup into netgroup.
* Fixed problem with combobox.
* Fixed hard-coded UI message in entity.js.
* Fixed missing permission filter field.
* Fixed problem with combobox using Sahi
* Fixed unit test for entity select widget.
* Fixed layout problem in permission adder dialog.
* Fixed sudo rule association dialogs.
* Fixed missing optional field.
* Fixed labels for run-as users and groups.
* Fixed problem opening host adder dialog.
* Removed entitlement menu.
* Fixed posix group checkbox.
* Fixed columns in HBAC/sudo rules list pages.
* Removed HBAC rule type.
* Fixed missing cancel button in unprovisioning dialog.
* Fixed problem enabling/disabling DNS zone.
* Fixed problem enrolling member with the same name.
* Modified dialog to use sections.
* Removed undo flags from dialog field specs.
* Fixed problem on combobox with search limit.
* Fixed problem displaying special characters.
* Updated DNS zone details page.
* Replaced description text fields with text areas.
* Fixed add/delete arrows position.
* Fixed duplicate entries in enrollment dialog.
* Updated color scheme.
* Fixed tab and dialog widths.
* Use editable combobox for service type.
* Disable enroll button if nothing selected.
* Fixed missing default shell field.
* I18n clean-up.
* Disable sudo options Delete button if nothing selected.
* Added confirmation when adding multiple entries.
* Added selectable labels for radio buttons.
* Fixed dependency problem in UI test.
* Fixed inconsistent required/optional attributes.
* Removed HBAC deny rule warning.
* Fixed host Enrolled column.
* Fixed problem clearing validation error on checkboxes.
* Fixed "enroll" labels.
* Merged widget's metadata and param_info.
* Refactored validation code.
* Fixed inconsistent image names.
* Fixed inconsistent details facet validation.
* Added password field in user adder dialog.
* Fixed blank krbtpolicy and config pages.
* Moved facet code into facet.js.
* Added extensible UI framework.
* Added current password field.
* Fixed problem changing page in association facet.
* Updated sample data.
* Added paging on search facet.
* Refactored permission target section.
* Removed develop.js.
* Added commands into metadata.
* Refactored entity object resolution.
* Fixed ipa.js for sessions.
* Fixed entity definition in test cases.
* Added support for radio buttons in table widget.
* Fixed entity metadata resolution.
* Refactored facet.load().
* Added HBAC Test page.
* Fixed navigation buttons for HBAC Test.
* Fixed search filter in HBAC Test.
* Added external fields for HBAC Test.
* Fixed CSS for HBAC Test
* Fixed I18n labels for HBAC Test
* Fixed matched/unmatched checkboxes in HBAC Test
* Added HBAC Test input validation.
* Fixed problem loading DNS records.
* Fixed unmatched checkbox name.
* Fixed combobox icon position.
* Fixed combobox search icon position.
* Reload UI when the user changes.
* Reload UI on server upgrade.
* Added account status into user search facet.
* Added policies into user details page.
* Load user data and policies in a single batch.
* Added instructions to generate CSR.
* Fixed problem removing automount keys and DNS records.
* Enabled paging on self-service permissions and delegations.
* Enabled paging on automount keys.
* Show disabled entries in gray.
* Fixed inconsistent status labels.
* Fixed host managed-by adder dialog.
* Added icons for status column.
* Hide Add/Delete buttons in self-service mode.
* Use fixed font when displaying certificate.
* Show password expiration date.
* Fixed boot.ldif permission.
JR Aquino (5):
* Create Tool for Enabling/Disabling Managed Entry Plugins
* Replication: Adjust replica installation to omit processing memberof computations
* Improve sudorule documentation
* Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
* Move Managed Entries into their own container in the replicated space.

Jan Cholasta (42):
* Make sure messagebus is running prior to starting certmonger.
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement.
* Add option to install without the automatic redirect to the Web UI.
* Search for users in all the naming contexts present on the directory server.
* Add subscription-manager dependency for RHEL.
* Verify that the external CA certificate files are correct.
* Check that install hostname matches the server hostname.
* Fix client install on IPv6 machines.
* Fix ipa-replica-prepare always warning the user about not using the system hostname.
* Validate name_from_ip parameter of dnszone.
* Add a function for formatting network locations of the form host:port for use in URLs.
* Work around pkisilent bugs.
* Disallow deletion of global password policy.
* Don't leak passwords through kdb5_ldap_util command line arguments.
* Remove more redundant configuration values from krb5.conf.
* Finalize plugin initialization on demand.
* Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
* Fix make-lint crash under certain circumstances.
* Fix attempted write to attribute of read-only object.
* Add LDAP schema for SSH public keys.
* Add LDAP ACIs for SSH public key schema.
* Add support for SSH public keys to user and host objects.
* Add API initialization to ipa-client-install.
* Move the nsupdate functionality to separate function in ipa-client-install.
* Update host SSH public keys on the server during client install.
* Configure ssh and sshd during ipa-client-install.
* Base64-decode unicode values in Bytes parameters.
* Add SSH service to platform-specific services.
* Move the compat module from ipalib to ipapython.
* Configure SSH features of SSSD in ipa-client-install.
* Wait for child process to terminate after receiving SIGINT in ipautil.run.
* Parse zone indices in IPv6 addresses in CheckedIPAddress.
* Fix uses of O=REALM instead of the configured certificate subject base.
* Fix the procedure for getting default values of command parameters.
* Change parameters to use only default_from for dynamic default values.
* Check whether the default user group is POSIX when adding new user with --noprivate.
* Check configured maximum user login length on user rename.
* Fix internal error when renaming user with an empty string.
* Refactor exc_callback invocation.
* Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".
* Redo boolean value encoding.
* SSH configuration fixes.

John Dennis (38):
* DN objects should support the insert method
* Test DN object non-latin Unicode support
* convert unittests to use DN objects
* invalid i18n string in dns.py
* update LINGUAS file, add missing po files
* Update all po files
* compute accurate translation statistics
* add documentation validation to makeapi tool
* internationalize help topics
* internationalize cli help framework
* improve i18n docstring extraction
* Fix Spanish po translation file
* Unable to Download Certificate with Browser
* Add log manager module
* modify codebase to utilize IPALogManager, obsoletes logging
* IPAdmin undefined anonymous parameter lists
* subclass SimpleLDAPObject
* Restore default log level in server to INFO
* If "make rpms" fails so will the next make
* Remove old RPMROOT contents before it is used for rpmbuild
* update i18n pot file for branch master
* Add ipa_memcached service
* add session manager and cache krb auth
* Update pot file and list of explicit Python files needing translation
* pulled new po files from Transifex
* update translation pot file
* Tweak the session auth to reflect developer consensus.
* Implement session activity timeout
* Implement password based session login
* Log a message when returning non-success HTTP result
* Replace broken i18n shell test with Python test
* improve handling of ds instances during uninstall
* Use indexed format specifiers in i18n strings
* text unit test should validate using installed mo file
* Validate DN & RDN parameters for migrate command
* don't append basedn to container if it is included
* Fix name error in hbactest
* validate i18n strings when running "make lint"

Lars Sjostrom (1):
* Add discovery domain if client domain is different from server domain

Marko Myllynen (2):
* include for uintptr_t
* Don't remove /tmp when removing temp cert dir

Martin Kosek (171):
* Add missing attribute labels for sudorule
* Fix automountkey-mod
* Fix automountlocation-import conflicts
* ipa-client-install breaks network configuration
* Fix sudo help and summaries
* Let Bind track data changes
* Improve man pages structure
* Improve ipa-join man page
* Fix permissions in installers
* Fix configure.jar permissions
* Set bind and bind-dyndb-ldap min nvr
* Fix pylint false positive in hbactest module
* ipactl does not stop dirsrv
* dirsrv is not stopped correctly in the fallback
* Remove checks for ds-replication plugin
* Fix /usr/bin/ipa duplicated server list
* Revert "Always require SSL in the Kerberos authorization block."
* Fix error messages in hbacrule
* Fix LDAPCreate search failure
* Fix HBAC tests hostnames
* ipa-client assumes a single namingcontext
* migrate process cannot handle multivalued pkey attribute
* Be more clear about selfsign option
* Install tools crash when password prompt is interrupted
* Improve ipa-replica-prepare DNS check
* Prevent collisions of hostgroup and netgroup
* Make sure ipa-client-install returns correct error code
* Improve default user/group object class validation
* Fix i18n in config plugin
* Fix dnszone-add name_from_ip server validation
* Improve handling of GIDs when migrating groups
* ipa-client-install hangs if the discovered server is unresponsive
* Optimize member/memberof searches in LDAP
* Make IPv4 address parsing more strict
* Check hostname resolution sanity
* Hostname used by IPA must be a system hostname
* Check /etc/hosts file in ipa-server-install
* Fix ipa-client-install -U option alignment
* Improve hostgroup/netgroup collision checks
* Fix client krb5 domain mapping and DNS
* Add --zonemgr/--admin-mail validator
* Fix ipa-managed-entries password option long form
* Create pkey-only option for find commands
* Fix ipa-server-install answer cache
* Fix ipa-replica-conncheck port labels
* Allow custom server backend encoding
* Fix DNS zone --allow-dynupdate option behavior
* Improve DNS record data validation
* Polish ipa config help
* Hosts file not updated when IP is passed as option
* Fix API.txt
* Fix LDAP object parameter encoding
* Remove redundant information from API.txt
* Fix ipa-managed-entries bind procedure
* Let PublicError accept Gettext objects
* Fix coverity issues in client CLI tools
* Enable automember for upgraded servers
* Make ipa-server-install clean after itself
* Add --delattr option to complement --setattr/--addattr
* Revert "Add DNS service records for Windows"
* Improve zonemgr validator and normalizer
* Change default DNS zone manager to hostmaster
* Fix config migration option
* Ask for user confirmation in ipa-server-install
* Add connection failure recovery to IPAdmin
* Add DNS check to conncheck port probe
* Refactor dnsrecord processing
* Fix Parameter csv parsing
* Improve CLI output for complex commands
* Create per-type DNS API
* Fix maxvalue in DNS plugin
* Fix LDAP add calls in replication module
* Prevent service restart failures in ipa-replica-install
* Fix LDAP updates in ipa-replica-install
* Let replicas install without DNS
* Restore ACI when aci_mod fails
* Add missing --pkey-only option for selfservice and delegation
* Replace float with Decimal
* Improve host-add error message
* Fix ipa-server-install for dual NICs
* Fix selfservice-find crashes
* Mark optional DNS record parts
* Fix ldap2 combine_filters for ldap2.MATCH_NONE
* Add missing managing hosts filtering options
* Improve netgroup-add error messages
* Fix TXT record parsing
* Fix NSEC record conversion
* Add SRV record target validator
* Add data field for A6 record
* Improve dnszone-add error message
* Improve migration help
* Fix raw format for ACI commands
* Improve password change error message
* Remove debug messages
* Add argument help to CLI
* Return proper DN in netgroup-add
* Remove unused options from ipa-managed-entries
* Add Petr Viktorín to Contributors.txt
* Ease zonemgr restrictions
* Update schema for bind-dyndb-ldap
* Global DNS options
* Query and transfer ACLs for DNS zones
* Add DNS conditional forwarding
* Add API for PTR sync control
* Add gidnumber minvalue
* Add reverse DNS record when forward is created
* Sanitize UDP checks in conncheck
* Add client hostname requirements to man
* Add SSHFP update policy for existing zones
* Improve dns error message
* Improve dnsrecord-add interactive mode
* Improve hostname and domain name validation
* Improve FQDN handling in DNS and host plugins
* Improve hostname verification in install tools
* Fix typos in ipa-replica-manage man page
* Remove memberPrincipal for deleted replicas
* Fix encoding for setattr/addattr/delattr
* Add help for new structured DNS framework
* Improve dnsrecord interactive help
* Ignore case in yes/no prompts
* Refresh resolvers after DNS install
* Fix migration plugin compat check
* Fix ipa-replica-manage TLS connection error
* Treat UPGs correctly in winsync replication
* Allow port numbers for idnsForwarders
* Add missing global options in dnsconfig
* Fix precallback validators in DNS plugin
* Harden raw record processing in DNS plugin
* Fix LDAP effective rights control with python-ldap 2.4.x
* Avoid deleting DNS zone when a context is reused
* Fix default SOA serial format
* Amend permissions for new DNS attributes
* Improve user awareness about dnsconfig
* Fix dnsrecord-del interactive mode
* Tolerate UDP port failures in conncheck
* Improve automount indirect map error message
* Forbid public access to DNS tree
* Configure SELinux for httpd during upgrades
* Fix installation when server hostname is not in a default domain
* Return correct record name in DNS plugin
* Fix dnsrecord_add interactive mode
* Fix DNS and permissions unit tests
* Raise proper exception when LDAP limits are exceeded
* Do not fail migration because of duplicate groups
* Fix help of --hostname option in ipa-client-install
* Sort password policies properly with --pkey-only
* Improve error message in zonemgr validator
* Make ipa 2.2 client capable of joining an older server
* Fix python Requires in Fedora 17 build
* Remove ipa-server-install LDAP update errors
* Remove LDAP limits from DNS service
* Replace DNS client based on acutil with python-dns
* Fix default_server configuration in ipapython.config
* Reset krbtpolicy when a unit test is finished
* Add rename option for DNS records
* permission-find missed some results with --pkey-only option
* Allow relative DNS name in NS validator
* Fill new DNS zone update policy by default
* Improve migration NotFound error
* Fix dnszone-mod --forwarder option help string
* Add sysupgrade state file
* Enable persistent search by default
* Enable psearch on upgrades
* Only set sebools when necessary
* Password change capability for form-based auth
* Remove trust work unit test failures
* Decimal parameter conversion and normalization
* Remove ipaNTHash from global allow ACI
* Add missing libsss_idmap Requires on freeipa-server-trust-ad
* Per-domain DNS record permissions
* Create default range entry after upgrade

Nalin Dahyabhai (5):
* list users from nested groups, too
* note that PKCS#12 files also contain private keys, and that the "pkinit" options refer to the KDC's credentials
* index the fqdn and macAddress attributes for the sake of the compat plugin
* create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes
* add a pair of ethers maps for computers with hardware addresses on file

Ondrej Hamada (26):
* Misleading Keytab field
* Client install root privileges check
* Sort password policy by priority
* Client install checks for nss_ldap
* User-add random password support
* HBAC test optional sourcehost option
* localhost.localdomain clients refused to join
* Leave nsds5replicaupdateschedule parameter unset
* Fix 'no-reverse' option description
* Memberof attribute control and update
* Validate attributes in permission-add
* Migration warning when compat enabled
* ipa-client-install not calling authconfig
* More exception handlers in ipa-client-install
* Search allowed attributes in superior objectclasses
* Typos in FreeIPA messages
* Netgroup nisdomain and hosts validation
* Confusing default user groups
* Unable to rename permission object
* Fix empty external member processing
* Allow one letter net/hostgroups names
* permission-mod prompts for all parameters
* ipa-server-install reword message
* Always set ipa_hostname for sssd.conf
* Case sensitive renaming of objects
* Change random passwords behaviour

Petr Viktorin (60):
* Switch --group and --membergroup in example for delegation
* Fix/add options in ipa-managed-entries man page * Honor default home directory and login shell in user_add * Clean up i18n strings * Internationalization for HBAC and ipalib.output * Make ipausers a non-posix group on new installs * Add extra checking function to XMLRPC test framework * Add common helper for interactive prompts * Make sure the nolog argument to ipautil.run is not a bare string * Use stricter semantics when checking IP address for DNS records * Use reboot from /sbin * Allow removing sudo commands with special characters from command groups * Enforce that required attributes can't be set to None in CRUD Update * Mark most config options as required * Don't crash when searching with empty relationship options * Remove ipausers' gidnumber from tests * Use nose tools to check for exceptions * Only split CSV in the client, quote instead of escaping * Add missing BuildRequires * Use valid argument names in tests * Add CLI parsing tests * Allow multi-line CSV parameters * Move test skipping to class setup * Fix little test errors * Test the batch plugin * Defer conversion and validation until after --{add,del,set}attr are handled * Limit permission and selfservice names to alphanumerics, -, _, space * Convert --setattr values for attributes marked no_update * Fix expected error messages in tests * Remove pattern_errmsg from API.txt * Pass make-test arguments through to Nose * Document the 'nonempty' flag * Additional tests for pwpolicy * Update hostname validator error messages in tests * Do not use extra command options in the automount plugin * Do not crash on empty reverse member options * Do not crash on empty --setattr, --getattr, --addattr * Don't fail when adding default objectclasses using config-mod * Remove duplicate and unused utility code * Validate externalhost (when added by --addattr/--setattr) * Do not use extra command options in ACI, permission, selfservice * Check for empty/single value parameters before calling callbacks * Disallow 
'<' and non-ASCII characters in the DM password * Fix the pwpolicy_find post_callback * Disallow setattr on no_update/no_create params * Provide a better error message when deleting nonexistent attributes * Move install script error handling to a common function * Add more automount tests * Add samba4-python to BuildRequires * Prevent deletion of the last admin * Only allow root to run update plugins * Clean keytabs before installing new keys into them * Fix update plugin order * Rework the CallbackInterface * Improve ipa-client-install debug output * Improve autodiscovery logging * Fail on unknown Command options * Typo fixes * Improve output validation * Explicitly filter options that permission-{add,mod} passes to aci-{add,mod} Petr Vobornik (158): * error dialog for batch command * Uncheck checkboxes in association after deletion * Show error in adding associations * Validation of details facet before update https://fedorahosted.org/freeipa/ticket/1676 The ticket is a duplicate of server error, but it revealed few UI errors. * Modify serial associator to use batch * Modifying sudo options refreshes the whole page * Enable update and reset button only if dirty * Attributes table not scrollable * Fixed: JavaScript type error in entitlement page * Fixed inconsistency in enabling delete buttons * Code cleanup: widget creation * Fixed: Column header for attributes table should be full width * Fixed: Enrolment dialog offers to add entity to reflexive association. 
* Fixed: Some widgets do not have space for validation error message * Disables gid field if not posix group in group adder dialog * Fixed links to images in config and migration pages * Split Web UI initialization to several smaller calls #2 * Split Web UI initialization to several smaller calls * Added missing fields to password policy page * Fixed: Unable to add external user for RunAs User for Sudo rules * Circular entity dependency * Fixed: Duplicate CSS definitions * Fixing infinite loop in UI navigation unit test. * Minor visual enhancement of required indicator * Page is cleared before it is visible * Field for DNS SOA class changed to combobox with options * Extending facet's mechanism of gathering changes * Added cross browser support of Array.indexOf method * Splitting widget into widget and field * Splitting basic widgets into visual widgets and fields * Improved fields dirty status detection logic * Builders and collections for fields and widgets * Removing sections as special type of object * Added possibility to define facet/dialog specific policies * Modifying users to work with new concept * Modifying hosts to work with new concept * Modifying dns to work with new concept * Modifying services to work with new concept * Separation of writable update from field load method * Modifying ACI to work with new concept * Modifying groups to work with new concept * Code cleanup of HBAC, Sudo rules * Changing definition of basic fields in section from factory to type * Modifying automount to work with new concept * Fixed unit tests after widget refactoring * Removed usage of bitwise assignment operators in logical operations * Search facets show translated boolean values * Better displaying of long names in tables and facet headers * Additional better displaying of long names * Reordered facets in ACI * Association facets are read only in self service * Added facet tabs coloring * Fixed displaying of external records in rule association widgets * 
Distinguishing of external values in association tables * Better table column width computing * Fixed labels in Sudo, HBAC rules * Parsing of IPv4 and IPv6 addresses * Added support of custom field validators * Added validation logic to multivalued text field * Added client-side validation of A and AAAA DNS records * Fixed IPv6 validation special case: single colon * Added support for memberof attribute in permission * Added IP address validator to Host and DNS record adder dialog * Fixed entity link disabling * Fixed content type check in login_password * Improved usability of login dialog * Removed CSV creation from UI * Fixed mask validation in network_validator * Fixed checkbox value in table without pkey * Certificate serial number in hex format - ui testing data * Fixed evaluating checkbox dirty status * Better hbactest validation message * Content is no more overwritten by error message * Show_content on refresh success * Fixed rpm build warning - extension.js listed twice * Add support of new options in dnsconfig * DNS forwarder validator * Added mac address to host page * Facet expiration flag * Inter-facet expiration * Reworked netgroup Web UI to allow setting user/host category * Fixed: permission attrs table didn't update its available options on load * Added attrs field to permission for target=subtree * DNS forward policy: checkboxes changed to radio buttons * Removed mutex option from checkboxes * Removal of memberofindirect_permissons from privileges * User is notified that password needs to be reset in forms-based login * Added permission field to delegation * Paging disable for password policies * General builder support * Action lists * Control buttons * Redefined details control buttons * Redefined search control buttons * Hide search facet add/delete buttons in self-service * Batch action for search page control buttons * General details facet actions * Consistent change of entry status. 
* Instructions to generate cert use certutil instead of openssl * Host page fixed to work with disabled DNS support * Improved calculation of max pkey length in facet header * Correction of nested search facets tab labels * Refactored action list and control buttons to use shared list of actions * Refactored entities to use changed actions concept * Action panel * User password widget modified. * Action panel for user * Added missing i18n in action list and action panel * Add shadow to dialog * Enable reset password action according to attribute perrmission * Added cancel button to service unprovision dialog * Removal of illegal options in JSON-RPC calls * Added links to netgroup member tables * Text widget's dirty state is changed on various input methods * Change json serialization to serialize useful data * Removal of illegal options in association dialog * Update of serverconfig ipaconfigstring options * Action panel for host enrollment * Action panel for service provisioning * Separate reset password page * Added password reset capabilities to unauthorized dialog * Set network.http.sendRefererHeader to 2 on browser config * Custom Web UI error message for IPA error 911 * Trust Web UI * Same password validator * Action panel for certificates * Web UI password is going to expire in n days notification * Refactored associatin facet to use facet buttons with actions * Continuation of removing of not supported command options from Web UI * UI for SELinux user mapping * Added refresh button for UI * Modifying DNS UI to benefit from new DNS API * Added paging to DNS record search facet * Navigation and redirection to various facets * Automember UI * Automember UI - default groups * Automember UI - Fixed I18n labels * Removed question marks from field labels * UI support for ssh keys * Redirection to PTR records from A,AAAA records * Fixed problem when attributes_widget was displaying empty option * Added missing configuration options * Static metadata update - new 
DNS options * New checkboxes option: Mutual exclusive * DNS Zone UI: added new attributes * DNS UI: added A,AAAA create reverse options to adder dialog * Fixed displaying of A6 Record * New UI for DNS global configuration * Moved is_empty method from field to IPA object * Making validators to return true result if empty * Fixed DNS record add handling of 4304 error * Added unsupported_validator * Fixed redirection in Add and edit in automember hostgroup. * Fixed selection of single value in combobox * Multiple fields for one attribute * Added attrs to permission when target is group or filter * Added logout button * Forms based authentication UI Rob Crittenden (191): * Add information on setting api.env.host in the ipactl.8 man page * Log each command in a batch separately. * Do batch logging on successful commands too, not just failures. * Fix wording in examples of delegation plugin. * Suppress 389-ds debug output when starting services * Fix thread deadlock by using pthreads library instead of NSPR. * Change the way has_keytab is determined, also check for password. * Add additional pam ftp services to HBAC, and a ftp HBAC service group * Add label for HBAC services to show as members * Add option to only prompt once for passwords, use in entitle_register * Retrieve password/keytab state when modifying a host. * Disable reverse lookups in ipa-join and ipa-getkeytab * Remove more 389-ds files/directories on uninstallation. * Remove 389-ds upgrade state during uninstall * Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505 * Add common is_installed() fn, better uninstall logging, check for errors. * Add external source hosts to HBAC. * Roll back changes if client installation fails. * Add netgroup as possible memberOf for hostgroups * Sort lists so order is predictable and tests pass as expected. * Suppress managed netgroups from showing as memberof hostgroups. * Use the IPA server cert profile in the installer. 
* Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605 * Don't allow a OTP to be set on an enrolled host * Remove normalizer that made role, privilege and permission names lower-case * Improved handling for ipa-pki-proxy.conf * The precendence on the modrdn plugin was set in the wrong location. * Update ipa-ldap-updater man page saying it is not an end-user utility * Skip the cert validator if the csr we are passed in is a valid filename * Change the Requires for the server and server-selinux for proper order * Suppress managed netgroups as indirect members of hosts. * The return value of restorecon is not reliable, ignore it. * Normalize uid in user principal to lower-case and do validation * Shut down duplicated file handle when HTTP response code is not 200. * Don't log one-time password in logs when configuring client. * Always require SSL in the Kerberos authorization block. * Include failed service and service groups in hbac rule management * Add regular expression pattern to host names. * Detect CA installation type in ipa-replica-prepare and ipa-ca-install. * Require current password when using passwd to change your own password. * Migration: don't assume there is only one naming context, add logging. * When calculating indirect membership don't test nesting on users and hosts. * Fix DNS permissions and membership in privileges * Fix upgrades of selfsign server * Make ipa-join work against an LDAP server that disallows anon binds * Fix has_upg() to work with relocated managed entries configuration. * Work around limits not being updatable in 389-ds. * Save the value of hostname even if it doesn't appear in /etc/sysconfig/network * Add explicit instructions to ipa-replica-manage for winsync replication * Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324) * Handle an empty value in a name/value pair in config_replace_variables() * Update all LDAP configuration files that we can. 
* If our domain is already configured in sssd.conf start with a new config. * Fix typo in invalid PTR record error message * Fix problems in help system * Fix nis netgroup config entry so users appear in netgroup triple. * Don't allow default objectclass list to be empty. * Remove calls to has_managed_entries() * Fix copy/paste error in parameter description. * Add Ondrej Hamada to Contributors.txt * Don't check for 389-instances. * Clarify usage of --posix argument in group plugin. * Add plugin framework to LDAP updates. * Fix some issues introduced when rebasing update patch * Remove extraneous trailing single quote in nis.uldif * Mark some attributes required to match the schema. * Use absolute paths when trying to find certmonger request id. * Reorder privileges so that memberof for permissions are generated properly * Add SELinux user mapping framework. * Require an HTTP Referer header in the server. Send one in ipa tools. * Display the value of memberOf ACIs in permission plugin. * Fix two typos in role help. * Configure s4u2proxy during installation. * Document the ping plugin. * Catch exception when trying to list missing managed entries definitions * Fix some typos in automember help and paramters. * Add labels so HBAC and Sudo rules show under hosts/hostgroups. * Use correct template variable for hosts, FQDN. * In sudo when the category is all do not allow members, and vice versa. * Update and package ipa-upgradeconfig man page. * Fix deletion of HBAC Rules when there are SELinux user maps defined * Add support for storing MAC address in host entries. * Don't try to bind on TLS failure * Check for the existence of a replication agreement before deleting it. * %ghost the UI files that we install/create on the fly * Make submount automount maps work. * Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf. * Consolidate external member code into two functions in baseldap.py * Make ipaconfigstring modifiable by users. 
* Don't use sets when calculating the modlist so order is preserved. * Add update files for SELinuxUserMap * Add update file for new schema in v2.2/3.0 * Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf * Don't set delegation flag in client, we're using S4U2Proxy now * Update S4U2proxy delegation list when creating replicas * Correct update syntax in 30-s4u2proxy.update * Remove Apache ccache on upgrade. * Add S4U2Proxy delegation permissions on upgrades * Disable false pylint error in freeipa-systemd-upgrade * Enable ipa_memcached when upgrading * Configure ipa_memcached when a replica is installed. * Use FQDN in place of FQHN for consistency in sub_dict. * Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication. * Limit the change password permission so it can't change admin passwords * Don't allow "Modify Group membership" permission to manage admins * Add the -v option to sslget to provide more verbose errors * Make sure memberof is in replication attribute exclusion list. * Don't check for schema uniqueness when comparing in ldapupdate. * Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag * Don't allow IPA master hosts or important services be deleted. * Catch public exceptions when creating the LDAP context in WSGI. * Don't consider virtual attributes when validating custom objectclasses * Add Requires to ipa-client on oddjob-mkhomedir * Fix managing winsync replication agreements with ipa-replica-manage * Check for duplicate winsync agreement before trying to set one up. * Remove unused kpasswd.keytab and ldappwd files if they exist. * Make sure 389-ds is running when adding memcache service in upgrade. * Don't run restorecon if SELinux is disabled or not present. * Limit allowed characters in a netgroup name to alpha, digit, -, _ and . * Don't call memberof task when re-initializing a replica. 
* Fix bad merge of not calling memberof task when re-initializing a replica * Add support defaultNamingContext and add --basedn to migrate-ds * Fix nested netgroups in NIS. * Warn that deleting replica is irreversible, try to detect reconnection. * Don't set migrated user's GID to that of default users group. * Don't delete system users that are added during installation. * Only apply validation rules when adding and updating. * subclass HTTP_Status from plugable.Plugin, fix not_found tests * Make hostnames adhere to new standards in HBAC tests * Fix WSGI error handling * Add status command to retrieve user lockout status * Add support for sudoOrder * Make hostnames adhere to new standards in hbactest plugin tests * Fix API.txt and VERSION to reflect new sudoOrder option. * Add --noac option to ipa-client-install man page * Do kinit in client before connecting to backend * Only warn if ipa-getkeytab doesn't get all requested enctypes. * Fix NSS no_init in the NSSHTTPS class * Set minimum version of selinux-policy to pick up memcached fix * Fix nsslapd-anonlimitsdn dn in cn=config * Set SELinux boolean httpd_manage_ipa so ipa_memcached will work. * Don't set dbdir in the connection until after the connection is created. * Display serial number as HEX (DECIMAL) when showing certificates. * Add subject key identifier to the dogtag server cert profile. * Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf * Import the ipaserver plugins based on context, not env.in_server. * Don't allow hosts and services of IPA masters to be disabled. * Use a consistent parameter name in errors, defaulting to cli_name. * No longer shell escape the DM password when calling pkisilent. * Fix test failure testing rename with an invalid hostname. * Fix attributes that contain DNs when migrating. * Normalize the primary key value to lowercase during migration. 
* Fix unit tests to work with new comma-support, validation requirements * Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue * Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available. * Add requires on python-krbV to client subpackage * Fix failure count interval attribute name in query for password policy. * Handle updating replication agreements that lack nsDS5ReplicatedAttributeList * Don't create private groups for migrated users, check for valid gidnumber * Add updated Output format for batch to API.txt * Make revocation_reason required when revoking a certificate. * Add missing comma to list of services that cannot be disabled. * Return consistent value when hostcat and usercat is all. * Dereference pointer when comparing password history in qsort compare. * Configure certmonger to execute restart scripts on renewal. * Remove the running state when uninstalling DS instances. * Return consistent expiration message for forms-based login * Use mixed-case for Read DNS Entries permission * Update docs for user-status, always show disabled, time for each server. * Revert "Search allowed attributes in superior objectclasses" * Revert "Validate attributes in permission-add" * Return LDAP_SUCCESS on mods on a referral entry. * Fix overlapping cn param/option issue, pass cn as aciname in find * Implement permission/aci find by subtree * Include more information when IP address is not local during installation. * Validate on the user-provided domain name in the installer. * During replication installation see if an agreement already exists. * Check for locked-out user before incrementing lastfail. * Retry retrieving ldap principals when setting up replication. * Normalize uid to lower case in winsync. * Enforce sizelimit in permission-find, post_callback returns truncated * If SELinux is enabled ensure we also have restorecon. 
* Store session cookie in ccache for cli users * Add flag to ipa-client-install to managed order of ipa_server in sssd * Increase LimitRequestFieldSize in Apache config to support a 64KiB PAC * Add logging to ipa-upgradeconfig * Configure automount using autofs or sssd. * Defer adding ipa-cifs-delegation-targets until the Updates phase. * Add missing option to range_add in API.txt * Fix compatibility with Fedora 18. * Become IPA v3 beta 1 (3.0.0.pre1) Simo Sorce (104): * Set VERSION to 2.99.0 on the 3.0 development branch * Fix build warnings * ipa-pwd_extop: use endian.h instead of nih function * krbinstance: use helper function to get realm suffix * ipa-pwd-extop: Remove unused variables and code to set them * ipa-pwd-extop: do not append mkvno to krbExtraData * ipa-pwd-extop: Use the proper mkvno number in keys * ipa-pwd-extop: re-indent code using old style * ipa-pwd-extop: Use common krb5 structs from kdb.h * ipa-pwd-extop: Move encryption of keys in common * ipa-pwd-extop: Move encoding in common too * ipa-pwd-extop: make encsalt parsing function common * ipa-kdb: Initial plugin skeleton * ipa-kdb: add exports file * ipa-kdb: initialize module functions * ipa-kdb: implement get_time function * ipa-kdb: add common utility ldap wrapper functions * ipa-kdb: functions to get principal * ipa-kdb: add function to free principals * ipa-kdb: add functions to delete principals * ipa-kdb: add function to iterate over principals * ipa-kdb: add functions to change principals * ipa-kdb: Get/Store Master Key directly from LDAP * ipa-kdb: implement function to retrieve password policies * ipa-kdb: implement change_pwd function * util: add password policy manipulation functions * ipa-pwd-extop: Use common password policy code * ipa-kdb: add password policy support * ipa-pwd-extop: Allow kadmin to set krb keys * ipa-kdb: Change install to use the new ipa-kdb kdc backend * install: Remove uid=kdc user * ipa-kdb: Be flexible * install: Use proper case for boolean values * 
daemons: Remove ipa_kpasswd * schema: Split ipadns definitions from basev2 ones * v3-schema: Add new ipaExternalGroup objectclass * install: We do not need a ldap password anymore * install: We do not need a kpasswd keytab anymore * conncheck: Fix List of ports to check * ipa-kdb: Properly set password expiration time. * schema: Add new attributes and objectclasses for AD Trusts * conncheck: Additional check to verify the admin password is ok * ipa-pwd-extop: Fix segfault in password change. * ipa-pwd-extop: Enforce old password checks * ipa-kdb: Fix expiration time calculation * ipa-client-install: Fix joining when LDAP access is restricted * replica-prepare: anonymous binds may be disallowed * ipa-kdb: Fix legacy password hashes generation * updates: Change default limits on ldap searches * ipa-kdb: Fix memory leak * Modify random salt creation for interoperability * Amend #2038 fix * Fix CID 10742: Unchecked return value * Fix CID 10743: Unchecked return value * Fix CID 10745: Unchecked return value * Fix CID 11019: Resource leak * Fix CID 11020: Resource leak * Fix CID 11021: Resource leak * Fix CID 11022: Resource leak * Fix CID 11023: Resource leak * Fix CID 11024: Resource leak * Fix CID 11025: Resource leak * Fix CID 11026: Resource leak * Fix CID 11027: Wrong sizeof argument * Add support for generating PAC for AS requests for user principals * MS-PAC: Add support for verifying PAC in TGS requests * Add missing copyright header * Add NT domain GUID attribute. * Create skeleton CLDAP server as a DS plugin * ipa-cldap: Implement worker thread. * ipa-cldap: Decode CLDAP request. 
* ipa-cldap: Create netlogon blob * ipa-cldap: send cldap reply * ipa-kdb: Support re-signing PAC with different checksum * spec: We do not need krb5-server-ldap anymore * ipa-kdb: fix free() of uninitialized var * ipa-kdb: Remove unused CFLAGS/LIBS from Makefiles * ipa-kdb: fix memleaks in ipa_kdb_mspac.c * ipa-kdb: Fix copy and paste typo * ipa-kdb: Delegation ACL schema * ipa-kdb: enhance deref searches * ipa-kdb: Add delgation access control support * ipa-kdb: return properly when no PAC is available * ipa-cldap: Support clients asking for default domain * ipa-kdb: Verify the correct checksum in PAC validation * ipa-kdb: Create PAC's KDC checksum with right key * Fix replication setup * slapi-plugins: use thread-safe ldap library * ipa-kdb: add AS auditing support * ipa-kdb: Avoid lookup on modify if possible * ipa-kdb: set krblastpwdchange only when keys have been effectively changed * Remove compat defines * Require krb5 1.10 * ipa-kdb: Fix ACL evaluator * policy: add function to check lockout policy * ipa-kdb: fix delegation acl check * Fix ticket checks when using either s4u2proxy or a delegated krbtgt * Fix memleak and silence Coverity defects * Fix MS-PAC checks when using s4u2proxy * Fix theoretical leak discovered by coverity * Fix migration code password setting. * Fix setting domain_sid * ipa-kdb: Add MS-PAC on constrained delegation. 
* Add support for disabling KDC writes Sumit Bose (32): * Call standard_logging_setup() before any logging is done * Add ipa-adtrust-install utility * Fix ACIs in ipa-adtrust-install * Update samba LDAP schema * Fix typo in v3 base schema * Add admin SIDs * ipa-pwd-extop: allow password change on all connections with SSF>1 * Add DNS service records for Windows * Add DNS service records for Windows * Move our own domain info into cn=etc * Add trust objectclass and attributes to v3 schema * Use new objectclasses and attributes for trust * Fix some pylint warnings * Add ipasam samba passdb backend * activate CLDAP * Make pwd-extop aware of new ipaNTHash attribute * Add a second module init call for newer samba versions * Use exop instead of kadmin.local * ipasam: remove unused struct elements * Move some krb5 keys related functions from ipa-client to util * Add sidgen postop and task * Filter groups in the PAC * Add configure check for C Unit-Test framework check * Add external domain extop DS plugin * Use lower case names in LDAP to meet freeIPA convention * Extend LDAP schema * Add objects for initial ID range * Set RID bases for local domain during ipa-adtrust-install * Add CLI for ID ranges * Add range check preop plugin * Use DN objects instead of strings in adtrustinstance * Set samba_portmapper SELinux boolean during ipa-adtrust-install Yuri Chornoivan (1): * Fix typos From nkinder at redhat.com Tue Jul 3 03:55:06 2012 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 02 Jul 2012 20:55:06 -0700 Subject: [Freeipa-users] UID 999, not possible? 
In-Reply-To: <4FEDB76C.2000603@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com> <20120629135517.GL6687@redhat.com> <4FEDB76C.2000603@redhat.com>
Message-ID: <4FF26D1A.1030407@redhat.com>

On 06/29/2012 07:10 AM, Petr Viktorin wrote:
> On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
>> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>>> Hi All,
>>>>>
>>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>>> the UID when I add a user with that number? (I've already checked the
>>>>> UID isn't in use)
>>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>>> an allocated one with the help of the 389-ds plugin
>>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>
>>> The documentation mentions that the magic value can be a word
>>> ("magic"), or it doesn't have to exist at all (it's added for
>>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>>> here?
>> uidNumber and gidNumber field use integer value syntax:
>> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>>
>> OID description:
>> Values in this syntax are encoded as the decimal representation of their
>> values, with each decimal digit represented by its character
>> equivalent. So the number 1321 is represented by the character string
>> "1321".
>> So, you can't have string there that does not evaluate to integer.
>
> That's true, but according to the documentation you linked,
> uidNumber/gidNumber syntax doesn't matter.
> The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA
> plugin sees and modifies the value before it's validated as an integer.
I wouldn't trust this, as DNA was initially designed/implemented before we added syntax validation to 389. DNA was also written to be able to work with non-integer attributes, where values have some sort of prefix followed by an integer (such as "user1", "user2", etc.). For this reason, dnaMagicRegen was left as "Directory String" syntax. I personally feel that it is safer to have the magic value be syntactically valid for the attribute that DNA is configured to generate.
>
>>> If there is, the command should fail instead of silently assigning a
>>> different number than asked for. I'll file a bug for this.
>> DNA_MAGIC in user.py is defined to 999 and it is default value to
>> uidNumber and gidNumber options. We have no way to differentiate between
>> default and entered by user but the same value.
>
> Yes, the server would need to verify if the client has been fixed.
> This means either waiting for the next major API version, or looking
> at the version/capabilities the client sends us. (See Martin's message
> from 2012-06-20 in thread "[Freeipa-devel] [PATCH] 0062 Don't crash
> when server returns extra output").
> >>> >>>>> >>>>> [root at sysvm-ipa ~]# ipa user-add administrator --uid=999 >>>>> --gidnumber=132 >>>>> --first=administrator --last=administrator >>>>> -------------------------- >>>>> Added user "administrator" >>>>> -------------------------- >>>>> User login: administrator >>>>> First name: administrator >>>>> Last name: administrator >>>>> Full name: administrator administrator >>>>> Display name: administrator administrator >>>>> Initials: aa >>>>> Home directory: /home/administrator >>>>> GECOS field: administrator administrator >>>>> Login shell: /bin/bash >>>>> Kerberos principal: administrator at EXAMPLE.COM >>>>> UID: 721000062 >>>>> GID: 132 >>>>> Keytab: False >>>>> Password: False >>>>> >>>>> >>>>> cya >>>>> >>>>> Craig >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> >>> >>> >>> -- >>> Petr? >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> > > From freeipa at noboost.org Tue Jul 3 05:44:42 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Tue, 3 Jul 2012 15:44:42 +1000 Subject: [Freeipa-users] Postfix IPA Message-ID: <20120703054442.GA11356@noboost.org> Hi All, Server: ipa-server-2.1.3-9.el6.x86_64 sssd-1.5.1-66.el6_2.3 Client: ipa-client-2.1.3-9.el6.x86_64 I've got Postfix working with IPA and to be honest it was actually very easy. I simply setup a standard postfix server, configured the IPA client and when mail was delivered, postfix detected the UID's from IPA and delivered the mail. So I thought to myself, this is one of the most important services we have. What would happen if the SSSD client failed for some reason on the postfix server? As expected the postfix server bounces the email back to it's sender. 
-------------------------------------------------------------------------
This is the mail system at host pan.example.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

 (expanded from ): host
    safevm-craig.example.com[192.168.0.28] said: 550 5.1.1
    : Recipient address rejected: User
    unknown in local recipient table (in reply to RCPT TO command)
-------------------------------------------------------------------------

Before I start investigating backup mail servers, different postfix
queues. Just thought I'd ask if anyone else has setup their own solution
to ensure the safety of mail delivery with IPA?

cya

Craig

From pviktori at redhat.com Tue Jul 3 07:38:00 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 03 Jul 2012 09:38:00 +0200
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <4FF26D1A.1030407@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com> <20120629135517.GL6687@redhat.com> <4FEDB76C.2000603@redhat.com> <4FF26D1A.1030407@redhat.com>
Message-ID: <4FF2A158.3060302@redhat.com>

On 07/03/2012 05:55 AM, Nathan Kinder wrote:
> On 06/29/2012 07:10 AM, Petr Viktorin wrote:
>> On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
>>> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>>>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>>>> the UID when I add a user with that number? (I've already checked the
>>>>>> UID isn't in use)
>>>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>>>> an allocated one with the help of the 389-ds plugin
>>>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>>>
>>>> The documentation mentions that the magic value can be a word
>>>> ("magic"), or it doesn't have to exist at all (it's added for
>>>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>>>> here?
>>> uidNumber and gidNumber field use integer value syntax:
>>> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>>>
>>> OID description:
>>> Values in this syntax are encoded as the decimal representation of their
>>> values, with each decimal digit represented by its character
>>> equivalent. So the number 1321 is represented by the character string
>>> "1321".
>>> So, you can't have string there that does not evaluate to integer.
>>
>> That's true, but according to the documentation you linked,
>> uidNumber/gidNumber syntax doesn't matter.
>> The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA
>> plugin sees and modifies the value before it's validated as an integer.
> I wouldn't trust this, as DNA was initially designed/implemented before
> we added syntax validation to 389. DNA was also written to be able to
> work with non integer attributes, where values have some sort of prefix
> followed by an integer (such as "user1", "user2", etc.). For this
> reason, dnaMagicRegen was left as "Directory String" syntax. I
> personally feel that it is safer to have the magic value be
> syntactically valid for the attribute that DNA is configured to generate.

Best go with a negative number then.
The DS docs should be updated if you don't trust what they say, though.
On 06/29/2012 04:23 PM, Alexander Bokovoy wrote:
> Looks like you are right:
> http://comments.gmane.org/gmane.linux.redhat.fedora.directory.user/10641
>
> We would have issue on our side when using non-integer value as Int()
> parameter does not support non-integer values. However, we could select
> some negative value as default one and use the same value for DNA
> configuration.

The value can be optional, the server can fill in the default if it's
not received from the client.

--
Petr³

From nkinder at redhat.com Tue Jul 3 15:29:48 2012
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 03 Jul 2012 08:29:48 -0700
Subject: [Freeipa-users] UID 999, not possible?
In-Reply-To: <4FF2A158.3060302@redhat.com>
References: <20120628024802.GA11874@noboost.org> <20120629130437.GK6687@redhat.com> <4FEDACCA.1090401@redhat.com> <20120629135517.GL6687@redhat.com> <4FEDB76C.2000603@redhat.com> <4FF26D1A.1030407@redhat.com> <4FF2A158.3060302@redhat.com>
Message-ID: <4FF30FEC.8060503@redhat.com>

On 07/03/2012 12:38 AM, Petr Viktorin wrote:
> On 07/03/2012 05:55 AM, Nathan Kinder wrote:
>> On 06/29/2012 07:10 AM, Petr Viktorin wrote:
>>> On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
>>>> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>>>>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>>>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps
>>>>>>> changing
>>>>>>> the UID when I add a user with that number? (I've already
>>>>>>> checked the
>>>>>>> UID isn't in use)
>>>>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>>>>> an allocated one with the help of the 389-ds plugin
>>>>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>>>>
>>>>> The documentation mentions that the magic value can be a word
>>>>> ("magic"), or it doesn't have to exist at all (it's added for
>>>>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>>>>> here?
>>>> uidNumber and gidNumber field use integer value syntax:
>>>> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>>>>
>>>> OID description:
>>>> Values in this syntax are encoded as the decimal representation of
>>>> their
>>>> values, with each decimal digit represented by its character
>>>> equivalent. So the number 1321 is represented by the character string
>>>> "1321".
>>>> So, you can't have string there that does not evaluate to integer.
>>>
>>> That's true, but according to the documentation you linked,
>>> uidNumber/gidNumber syntax doesn't matter.
>>> The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA
>>> plugin sees and modifies the value before it's validated as an integer.
>> I wouldn't trust this, as DNA was initially designed/implemented before
>> we added syntax validation to 389. DNA was also written to be able to
>> work with non integer attributes, where values have some sort of prefix
>> followed by an integer (such as "user1", "user2", etc.). For this
>> reason, dnaMagicRegen was left as "Directory String" syntax. I
>> personally feel that it is safer to have the magic value be
>> syntactically valid for the attribute that DNA is configured to
>> generate.
>
> Best go with a negative number then.
> The DS docs should be updated if you don't trust what they say, though.
I should have been a bit more clear. I believe that the core 389 DS code
does handle replacing the magic value before the syntax is checked, but
we have encountered issues with client applications trying to enforce
syntax before the server receives the operation. An example of this is
the 389-console application (which FreeIPA doesn't use). The Console
knows that the uidNumber attribute is defined to use the Integer syntax,
so the UI field is validated before it can be submitted to the server.
Other client applications may do similar things by looking up the schema
definitions on the server and trying to do some client-side validation.
This sort of behavior prevents the ability to trigger DNA if the magic
value does not meet the syntax requirements of the attribute. Again,
this may not affect FreeIPA, but I wanted to provide a bit of background.
>
>
> On 06/29/2012 04:23 PM, Alexander Bokovoy wrote:
> > Looks like you are right:
> > http://comments.gmane.org/gmane.linux.redhat.fedora.directory.user/10641
> >
> > We would have issue on our side when using non-integer value as Int()
> > parameter does not support non-integer values. However, we could select
> > some negative value as default one and use the same value for DNA
> > configuration.
>
> The value can be optional, the server can fill in the default if it's
> not received from the client.
>

From george_he7 at yahoo.com Tue Jul 3 20:18:03 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 3 Jul 2012 13:18:03 -0700 (PDT)
Subject: [Freeipa-users] win7 client
Message-ID: <1341346683.26835.YahooMailNeo@web120006.mail.ne1.yahoo.com>

Hello all,
I'm trying to set up a win7 as a client of my freeipa server running on
fc17. so I followed the instructions here:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
But then what? The win7 is currently in a "workgroup". I tried to join
the win7 to a domain with my ipa realm name, but it failed.
Thanks in advance for your help,
George
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Tue Jul 3 21:28:29 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 03 Jul 2012 17:28:29 -0400
Subject: [Freeipa-users] win7 client
In-Reply-To: <1341346683.26835.YahooMailNeo@web120006.mail.ne1.yahoo.com>
References: <1341346683.26835.YahooMailNeo@web120006.mail.ne1.yahoo.com>
Message-ID: <4FF363FD.70005@redhat.com>

george he wrote:
> Hello all,
> I'm trying to set up a win7 as a client of my freeipa server running on
> fc17. so I followed the instructions here:
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
> But then what? The win7 is currently in a "workgroup". I tried to join
> the win7 to a domain with my ipa realm name, but it failed.
>

IPA is not an AD replacement, you can't join any Windows machine to it.

The instructions you referenced are for installing the MIT Kerberos
package in Windows. This just lets you get a ticket from the IPA KDC
that may be usable by various applications (e.g. Firefox) but it isn't
a way to provide domain login.

Our plan for that is to do cross-realm trust with AD, see the 3.0 beta
released yesterday.

rob

From josh at vsnine.org Wed Jul 4 02:03:13 2012
From: josh at vsnine.org (Josh Becigneul)
Date: Tue, 03 Jul 2012 22:03:13 -0400
Subject: [Freeipa-users] FreeIPA DNS manager
Message-ID: <4FF3A461.1010602@vsnine.org>

Hi All,

I'd like to get some opinions on using the DNS component of freeIPA to
manage dns zones not necessarily associated with the freeIPA realm.

My thinking is to use it as a hidden master to a pre-existing group of
authoritative systems, so one thing I'm curious about is is there a
theoretical (or real) limit on the number of zones it can handle? Is
there a limit to the number of records in a zone? I would think that
this may depend on the performance of the 389 directory service.

Is it possible to import existing zones? Would this be possible with
zone transfers or would we have to convert the zone files to an LDIF?

Thanks in advance.

Josh Becigneul

From natxo.asenjo at gmail.com Wed Jul 4 06:58:37 2012
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Wed, 4 Jul 2012 08:58:37 +0200
Subject: [Freeipa-users] hostgroups/netgroups
Message-ID:

hi,

I just wanted to say: awesome!

Without using the NIS compatibility layer, I just create a hostgroup,
fill it in with hosts. Then I add that hostgroup to a netgroup. That's
all I need to automagically create classes our cfengine setup can use
to distribute policies across the hosts.

You guys just made my day and I just wanted to share it.

Thanks!
--
Groeten,
natxo
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Wed Jul 4 08:32:08 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 04 Jul 2012 10:32:08 +0200
Subject: [Freeipa-users] FreeIPA DNS manager
In-Reply-To: <4FF3A461.1010602@vsnine.org>
References: <4FF3A461.1010602@vsnine.org>
Message-ID: <4FF3FF88.60207@redhat.com>

On 07/04/2012 04:03 AM, Josh Becigneul wrote:
> Hi All,
>
> I'd like to get some opinions on using the DNS component of freeIPA to manage
> dns zones not necessarily associated with the freeIPA realm.
>
> My thinking is to use it as a hidden master to a pre-existing group of
> authoritative systems, so one thing I'm curious about is is there a
> theoretical (or real) limit on the number of zones it can handle? Is there a
> limit to the number of records in a zone?

There are no built-in limits. Records are internally stored in Red-Black
tree (in similar way as BIND does it) so memory should be only limiting
factor.

> I would think that this may depend
> on the performance of the 389 directory service.

It depends. Bind-dyndb-ldap plugin (BIND<->LDAP interface) can work in
two modes - normal and persistent search.

In "normal mode" (i.e. with persistent search disabled) each record is
loaded from DS on demand - if some client asks for it. In this case DS
performance can be limiting factor. (Plugin has built-in cache, cache
TTL can be tweaked by cache_ttl parameter in /etc/named.conf.)

In "persistent search mode" whole database from DS is transferred to
bind-dyndb-ldap cache and all searches are done inside local memory. It
consumes some memory, but this approach saves DS work. Each change in DS
is incrementally transferred to bind-dyndb-ldap, so all changes should
be visible immediately.

Current code doesn't contain a lot of performance optimizations, but
nobody reported performance problems.

> Is it possible to import existing zones? Would this be possible with zone
> transfers or would we have to convert the zone files to an LDIF?

You need to convert existing zones to LDIF. We don't have tool for this
task, please see ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/76.
It should be relatively simple to write this tool (see comments in the
ticket). If you are going to write it, please consider contributing back
to upstream.

Current plugin doesn't have full power of BIND. DNS views are not
supported and settings specific to zones are limited. AXFR Zone
transfers are supported, SOA serial number auto-incrementation feature
will be in 3.0 release (it is not present in 3.0 beta 1).
Petr^2 Spacek

> Josh Becigneul

From mniranja at redhat.com Tue Jul 3 12:45:00 2012
From: mniranja at redhat.com (M.R Niranjan )
Date: Tue, 03 Jul 2012 18:15:00 +0530
Subject: [Freeipa-users] Postfix IPA
In-Reply-To: <20120703054442.GA11356@noboost.org>
References: <20120703054442.GA11356@noboost.org>
Message-ID: <4FF2E94C.7000009@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/03/2012 11:14 AM, freeipa at noboost.org wrote:
> Hi All,
>
> Server:
> ipa-server-2.1.3-9.el6.x86_64
> sssd-1.5.1-66.el6_2.3
>
> Client:
> ipa-client-2.1.3-9.el6.x86_64
>
>
> I've got Postfix working with IPA and to be honest it was actually very
> easy. I simply setup a standard postfix server, configured the IPA
> client and when mail was delivered, postfix detected the UID's from IPA
> and delivered the mail.
>
> So I thought to myself, this is one of the most important services we
> have. What would happen if the SSSD client failed for some reason on the
> postfix server?
>
By sssd client failing do you mean sssd not able to reach ldap servers
or sssd service crashing ?

If sssd parent crashes then i think not much you could do but if the
child services of sssd doesn't respond sssd does restart the child
services automatically .

Refer:
http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store

> As expected the postfix server bounces the email back to its sender.
> -------------------------------------------------------------------------
> This is the mail system at host pan.example.com.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
>                    The mail system
>
>  (expanded from ): host
>     safevm-craig.example.com[192.168.0.28] said: 550 5.1.1
>     : Recipient address rejected: User
>     unknown in local recipient table (in reply to RCPT TO command)
> -------------------------------------------------------------------------
>
> Before I start investigating backup mail servers, different postfix
> queues. Just thought I'd ask if anyone else has setup their own solution
> to ensure the safety of mail delivery with IPA?
>
> cya
>
> Craig
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

- --
Regards
M.R.Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/y6UwACgkQLu3FX2BHx8enSACePeiIfGU6DlGMsA4mSrm4mfo4
wYAAnRAA6zyXQ02mM6S3AMCyr5eLAY9w
=aICl
-----END PGP SIGNATURE-----

From phyokyaw.uk at gmail.com Thu Jul 5 15:19:36 2012
From: phyokyaw.uk at gmail.com (Phyo Kyaw)
Date: Thu, 5 Jul 2012 16:19:36 +0100
Subject: [Freeipa-users] Chaining and FreeIPA Directory Server
Message-ID:

Dear all,

server ipa-server-2.1.3-9.el6.x86_64

This is probably a question for Directory 389 users, but..

I would like to chain (not master to master replication) users of two
or more IPA servers. The first thing I did was trying to chain the IPA
389-ds servers by setting up chaining entries. The chaining entries
work out the box on standard 389-DS, but on IPA 389-ds it won't start
after adding ldap suffixes. The 389-ds error log only shows

[05/Jul/2012:15:00:33 +0000] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.

Suffix entry

dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass:nsMappingTree
objectClass:extensibleObject
objectClass:top
cn:cn=dc=example,dc=com
cn:"cn=dc=example,dc=com"
nsslapd-backend:testusers
nsslapd-state:backend

Just wondering if FreeIPA has some other configuration or plugin that
prevents/conflicts 389-DS to start. I am guessing chaining is something
if we have two or more IPAs in one infrastructure.

Many thanks
Phyo

From george_he7 at yahoo.com Thu Jul 5 15:20:13 2012
From: george_he7 at yahoo.com (george he)
Date: Thu, 5 Jul 2012 08:20:13 -0700 (PDT)
Subject: [Freeipa-users] error yum install freeipa-server
Message-ID: <1341501613.26845.YahooMailNeo@web120004.mail.ne1.yahoo.com>

Hello all,

When I do "yum install -y freeipa-server" on a newly installed FC17
system, I get a lot of errors like this:

/sbin/restorecon:  lstat(/etc/pki-tks*) failed:  No such file or directory
/sbin/restorecon:  lstat(/etc/pki-tps*) failed:  No such file or directory
/sbin/restorecon:  lstat(/etc/sysconfig/pki/ca*) failed:  No such file or directory
/sbin/restorecon:  lstat(/etc/sysconfig/pki/kra*) failed:  No such file or directory
.
.
.
/sbin/restorecon:  lstat(/usr/bin/dtomcat5-pki-tks) failed:  No such file or directory
/sbin/restorecon:  lstat(/var/lib/pki-ca*) failed:  No such file or directory
.
.
.
/sbin/restorecon:  lstat(/var/lib/ipa/ca_serialno) failed:  No such file or directory
/sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file or directory

It seems to me these missing files are supposed to be installed by this
yum install command.
With these errors, can I still go ahead and set up the ipa-server?

Thanks,
George
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Thu Jul 5 15:27:46 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Jul 2012 11:27:46 -0400
Subject: [Freeipa-users] error yum install freeipa-server
In-Reply-To: <1341501613.26845.YahooMailNeo@web120004.mail.ne1.yahoo.com>
References: <1341501613.26845.YahooMailNeo@web120004.mail.ne1.yahoo.com>
Message-ID: <4FF5B272.2050103@redhat.com>

george he wrote:
> Hello all,
>
> When I do "yum install -y freeipa-server" on a newly installed FC17
> system, I get a lot of errors like this:
>
> /sbin/restorecon:  lstat(/etc/pki-tks*) failed:  No such file or directory
> /sbin/restorecon:  lstat(/etc/pki-tps*) failed:  No such file or directory
> /sbin/restorecon:  lstat(/etc/sysconfig/pki/ca*) failed:  No such file
> or directory
> /sbin/restorecon:  lstat(/etc/sysconfig/pki/kra*) failed:  No such file
> or directory
> .
> .
> .
> /sbin/restorecon:  lstat(/usr/bin/dtomcat5-pki-tks) failed:  No such
> file or directory
> /sbin/restorecon:  lstat(/var/lib/pki-ca*) failed:  No such file or
> directory
> .
> .
> .
> /sbin/restorecon:  lstat(/var/lib/ipa/ca_serialno) failed:  No such file
> or directory
> /sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file
> or directory
>
> It seems to me these missing files are supposed to be installed by this
> yum install command.
> With these errors, can I still go ahead and set up the ipa-server?
>
> Thanks,
> George

Where are you seeing these logged? Some of those files/directories don't
exist yet, they are created by the install. It should be safe to proceed.

rob

From rcritten at redhat.com Thu Jul 5 15:28:36 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 05 Jul 2012 11:28:36 -0400
Subject: [Freeipa-users] Chaining and FreeIPA Directory Server
In-Reply-To:
References:
Message-ID: <4FF5B2A4.2080904@redhat.com>

Phyo Kyaw wrote:
> Dear all,
>
> server ipa-server-2.1.3-9.el6.x86_64
>
> This is probably a question for Directory 389 users, but..
>
> I would like to chain (not master to master replication) users of two
> or more IPA servers. The first thing I did was trying to chain the IPA
> 389-ds servers by setting up chaining entries. The chaining entries
> work out the box on standard 389-DS, but on IPA 389-ds it won't start
> after adding ldap suffixes. The 389-ds error log only shows
>
> [05/Jul/2012:15:00:33 +0000] - Detected Disorderly Shutdown last time
> Directory Server was running, recovering database.
>
> Suffix entry
>
> dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass:nsMappingTree
> objectClass:extensibleObject
> objectClass:top
> cn:cn=dc=example,dc=com
> cn:"cn=dc=example,dc=com"
> nsslapd-backend:testusers
> nsslapd-state:backend
>
> Just wondering if FreeIPA has some other configuration or plugin that
> prevents/conflicts 389-DS to start. I am guessing chaining is something
> if we have two or more IPAs in one infrastructure.
>

I don't know why this would cause the server to not start but IPA
doesn't support read-only replicas at this time. What is it you are
trying to achieve?

rob

From dpal at redhat.com Thu Jul 5 15:28:39 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 05 Jul 2012 11:28:39 -0400
Subject: [Freeipa-users] win7 client
In-Reply-To: <4FF363FD.70005@redhat.com>
References: <1341346683.26835.YahooMailNeo@web120006.mail.ne1.yahoo.com> <4FF363FD.70005@redhat.com>
Message-ID: <4FF5B2A7.2030205@redhat.com>

On 07/03/2012 05:28 PM, Rob Crittenden wrote:
> george he wrote:
>> Hello all,
>> I'm trying to set up a win7 as a client of my freeipa server running on
>> fc17. so I followed the instructions here:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
>>
>> But then what? The win7 is currently in a "workgroup". I tried to join
>> the win7 to a domain with my ipa realm name, but it failed.
>>
>
> IPA is not an AD replacement, you can't join any Windows machine to it.
>
> The instructions you referenced are for installing the MIT Kerberos
> package in Windows. This just lets you get a ticket from the IPA KDC
> that may be usable by various applications (e.g. Firefox) but it isn't
> a way to provide domain login.
>
> Our plan for that is to do cross-realm trust with AD, see the 3.0 beta
> released yesterday.

Windows clients generally require a lot more from the domain controller
than IPA can provide. And most of the operations are done over the
custom MSFT protocols. There might be a way to make the Windows
workstation to work with IPA to some extent. My dream is to allow the
following use case: Win7 is joined into an AD domain using AD native
tools and then via a credential provider is configured to authenticate
against IPA. If there is a trust between AD and IPA there should
(hopefully) be a way to place the TGT that is acquired by user auth
against IPA into some place where MSFT kerberos library would think that
this is a TGT for a user who came from a different forest and would use
cross realm exchange if user tries to access resources in the AD domain
behind the scenes. If that were made possible it would really create a
set of interesting opportunities as IPA some time in the future would
natively support 2FA over Kerberos for login.

>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jul 5 15:30:22 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 05 Jul 2012 11:30:22 -0400
Subject: [Freeipa-users] hostgroups/netgroups
In-Reply-To:
References:
Message-ID: <4FF5B30E.2080506@redhat.com>

On 07/04/2012 02:58 AM, Natxo Asenjo wrote:
> hi,
>
> I just wanted to say: awesome!
> > Without using the NIS compatibility layer, I just create a hostgroup, > fill it in with hosts. Then I add that hostgroup to a netgroup. That's > all I need to automagically create classes our cfengine setup can use > to distribute policies accross the hosts. > BTW by default there should be a netgroup with the same name as a host group created every time you create a host group so you might even not have to do step 2. > You guys just made my day and I just wanted to share it. > > Thanks! > -- > Groeten, > natxo > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu Jul 5 15:38:55 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 05 Jul 2012 11:38:55 -0400 Subject: [Freeipa-users] Postfix IPA In-Reply-To: <20120703054442.GA11356@noboost.org> References: <20120703054442.GA11356@noboost.org> Message-ID: <4FF5B50F.7000807@redhat.com> freeipa at noboost.org wrote: > Hi All, > > Server: > ipa-server-2.1.3-9.el6.x86_64 > sssd-1.5.1-66.el6_2.3 > > Client: > ipa-client-2.1.3-9.el6.x86_64 > > > I've got Postfix working with IPA and to be honest it was actually very > easy. I simply setup a standard postfix server, configured the IPA > client and when mail was delivered, postfix detected the UID's from IPA > and delivered the mail. > > So I thought to myself, this is one of the most important services we > have. What would happen if the SSSD client failed for some reason on the > postfix server? > > As expected the postfix server bounces the email back to it's sender. 
> ------------------------------------------------------------------------- > This is the mail system at host pan.example.com. > > I'm sorry to have to inform you that your message could not > be delivered to one or more recipients. It's attached below. > > For further assistance, please send mail to postmaster. > > If you do so, please include this problem report. You can > delete your own text from the attached returned message. > > The mail system > > (expanded from > ): host > safevm-craig.example.com[192.168.0.28] said: 550 5.1.1 > : Recipient address rejected: > User > unknown in local recipient table (in reply to RCPT TO command) > ------------------------------------------------------------------------- > > Before I start investigating backup mail servers, different posfix > queues. Just thought I'd ask if anyone else has setup their one solution > to ensure the safety of mail delivery with IPA? I think this would apply to any non-file-based nss provider (ldap, nis, etc). What does your nsswitch.conf look like? I wonder if something clever can be done like [!UNAVAIL=return]. My nss knowledge is limited though so I'm not sure what gets returned to the lookup call though, whether it is distinguishable from a notfound. rob From george_he7 at yahoo.com Thu Jul 5 15:50:00 2012 From: george_he7 at yahoo.com (george he) Date: Thu, 5 Jul 2012 08:50:00 -0700 (PDT) Subject: [Freeipa-users] error yum install freeipa-server In-Reply-To: <4FF5B272.2050103@redhat.com> References: <1341501613.26845.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FF5B272.2050103@redhat.com> Message-ID: <1341503400.96714.YahooMailNeo@web120003.mail.ne1.yahoo.com> Hello Rob, These are printed to the command window after this line: ? Installing : pki-selinux-9.0.20-1.fc17.noarch???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 
34/96 The files reported missing are not there after yum install completed. I turned selinux off ("setenforce 0" and modified /etc/sysconfig/selinux) before installing freeipa-server. Don't know whether this caused the files not created by yum. Thanks, George >________________________________ > From: Rob Crittenden >To: george he >Cc: "freeipa-users at redhat.com" >Sent: Thursday, July 5, 2012 11:27 AM >Subject: Re: [Freeipa-users] error yum install freeipa-server > >george he wrote: >> Hello all, >> >> When I do "yum install -y freeipa-server" on a newly installed FC17 >> system, I get a lot of errors like this: >> >> /sbin/restorecon:? lstat(/etc/pki-tks*) failed:? No such file or directory >> /sbin/restorecon:? lstat(/etc/pki-tps*) failed:? No such file or directory >> /sbin/restorecon:? lstat(/etc/sysconfig/pki/ca*) failed:? No such file >> or directory >> /sbin/restorecon:? lstat(/etc/sysconfig/pki/kra*) failed:? No such file >> or directory >> . >> . >> . >> /sbin/restorecon:? lstat(/usr/bin/dtomcat5-pki-tks) failed:? No such >> file or directory >> /sbin/restorecon:? lstat(/var/lib/pki-ca*) failed:? No such file or >> directory >> . >> . >> . >> /sbin/restorecon:? lstat(/var/lib/ipa/ca_serialno) failed:? No such file >> or directory >> /sbin/restorecon:? lstat(/var/lib/pki-ca/publish*) failed:? No such file >> or directory >> >> It seems to me these missing files are supposed to be installed by this >> yum install command. >> With these errors, can I still go ahead and set up the ipa-server? >> >> Thanks, >> George > >Where are you seeing these logged? Some of those files/directories don't >exist yet, they are created by the install. It should be safe to proceed. > >rob > > > -------------- next part -------------- An HTML attachment was scrubbed... 
From simo at redhat.com Thu Jul 5 16:27:33 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 05 Jul 2012 12:27:33 -0400 Subject: [Freeipa-users] Postfix IPA In-Reply-To: <4FF2E94C.7000009@redhat.com> References: <20120703054442.GA11356@noboost.org> <4FF2E94C.7000009@redhat.com> Message-ID: <1341505653.14199.165.camel@willson.li.ssimo.org> On Tue, 2012-07-03 at 18:15 +0530, M.R Niranjan wrote: > > On 07/03/2012 11:14 AM, freeipa at noboost.org wrote: > > Hi All, > > > > Server: > > ipa-server-2.1.3-9.el6.x86_64 > > sssd-1.5.1-66.el6_2.3 > > > > Client: > > ipa-client-2.1.3-9.el6.x86_64 > > > > > > I've got Postfix working with IPA and to be honest it was actually > very > > easy. I simply set up a standard postfix server, configured the IPA > > client and when mail was delivered, postfix detected the UIDs from > IPA > > and delivered the mail. > > > > So I thought to myself, this is one of the most important services > we > > have. What would happen if the SSSD client failed for some reason on > the > > postfix server? > > > > By sssd client failing, do you mean sssd not being able to reach ldap servers > or the sssd service crashing? > > If the sssd parent crashes then I think there is not much you could do, but if the > child services of sssd don't respond sssd does restart the child > services automatically. > > Refer: > http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store > Also we still keep serving users out of the sssd cache as long as the sssd_nss process is running. And with the memory cache we have in 1.9.0 you may still get users from the cache directly even if the whole sssd dies. Simo. -- Simo Sorce * Red Hat, Inc * New York From phyokyaw.uk at gmail.com Fri Jul 6 14:24:29 2012 From: phyokyaw.uk at gmail.com (Phyo Kyaw) Date: Fri, 6 Jul 2012 15:24:29 +0100 Subject: [Freeipa-users] Chaining and FreeIPA Directory Server In-Reply-To: <4FF5B2A4.2080904@redhat.com> References: <4FF5B2A4.2080904@redhat.com> Message-ID: Any idea? Thanks for the prompt reply, Rob.
I was just experimenting to see if it is possible to set things up in a way that users from IPA (A) can be made available on IPA (B), so that users from A can access clients in B. Thanks again. On 5 July 2012 16:28, Rob Crittenden wrote: > Phyo Kyaw wrote: >> >> Dear all, >> >> server ipa-server-2.1.3-9.el6.x86_64 >> >> This is probably a question for Directory 389 users, but.. >> >> I would like to chain (not master to master replication) users of two >> or more IPA servers. The first thing I did was trying to chain the IPA >> 389-ds servers by setting up chaining entries. The chaining entries >> work out of the box on standard 389-DS, but on IPA 389-ds it won't start >> after adding ldap suffixes. The 389-ds error log only shows >> >> [05/Jul/2012:15:00:33 +0000] - Detected Disorderly Shutdown last time >> Directory Server was running, recovering database. >> >> Suffix entry >> >> dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config >> objectClass:nsMappingTree >> objectClass:extensibleObject >> objectClass:top >> cn:cn=dc=example,dc=com >> cn:"cn=dc=example,dc=com" >> nsslapd-backend:testusers >> nsslapd-state:backend >> >> Just wondering if FreeIPA has some other configuration or plugin that >> prevents 389-DS from starting or conflicts with it. I guess chaining is something >> if we have two or more IPAs in one infrastructure. >> > > I don't know why this would cause the server to not start but IPA doesn't > support read-only replicas at this time. What is it you are trying to > achieve? > > rob From dpal at redhat.com Fri Jul 6 14:35:15 2012 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 06 Jul 2012 10:35:15 -0400 Subject: [Freeipa-users] Chaining and FreeIPA Directory Server In-Reply-To: References: <4FF5B2A4.2080904@redhat.com> Message-ID: <4FF6F7A3.6060308@redhat.com> On 07/06/2012 10:24 AM, Phyo Kyaw wrote: > Any idea? > > > Thanks for the prompt reply, Rob.
I was just experimenting to see if it is > possible to set things up in a way that users from IPA (A) can be made > available on IPA (B), so that users from A can access clients in B. > > Thanks again. > With the latest DS bits in Fedora you might be able to set up the following: 1) Create an IPA domain for advanced clients 2) Install a separate DS instance 3) Sync some of the IPA users into DS (would require some manual configuration but I suspect it is possible). No need to sync passwords though. 4) Use DS with the PAM pass-through capability. Configure SSSD on the DS server to use IPA as the authentication and identity source. This way you will be able to accomplish some part of what you are looking for. Dmitri > On 5 July 2012 16:28, Rob Crittenden wrote: >> Phyo Kyaw wrote: >>> Dear all, >>> >>> server ipa-server-2.1.3-9.el6.x86_64 >>> >>> This is probably a question for Directory 389 users, but.. >>> >>> I would like to chain (not master to master replication) users of two >>> or more IPA servers. The first thing I did was trying to chain the IPA >>> 389-ds servers by setting up chaining entries. The chaining entries >>> work out of the box on standard 389-DS, but on IPA 389-ds it won't start >>> after adding ldap suffixes. The 389-ds error log only shows >>> >>> [05/Jul/2012:15:00:33 +0000] - Detected Disorderly Shutdown last time >>> Directory Server was running, recovering database. >>> >>> Suffix entry >>> >>> dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config >>> objectClass:nsMappingTree >>> objectClass:extensibleObject >>> objectClass:top >>> cn:cn=dc=example,dc=com >>> cn:"cn=dc=example,dc=com" >>> nsslapd-backend:testusers >>> nsslapd-state:backend >>> >>> Just wondering if FreeIPA has some other configuration or plugin that >>> prevents 389-DS from starting or conflicts with it. I guess chaining is something >>> if we have two or more IPAs in one infrastructure.
>>> >> I don't know why this would cause the server to not start but IPA doesn't >> support read-only replicas at this time. What is it you are trying to >> achieve? >> >> rob > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From freeipa at noboost.org Tue Jul 10 08:53:18 2012 From: freeipa at noboost.org (freeipa at noboost.org) Date: Tue, 10 Jul 2012 18:53:18 +1000 Subject: [Freeipa-users] Failed to initialize credentials using keytab Message-ID: <20120710085318.GA8624@noboost.org> Hi All, Server: RHEL 6.3 ipa-admintools-2.2.0-16.el6.x86_64 ipa-client-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 libipa_hbac-1.8.0-32.el6.x86_64 libipa_hbac-python-1.8.0-32.el6.x86_64 python-iniparse-0.3.1-2.1.el6.noarch Odd Error in /var/log/messages: Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize credentials using keytab [(null)]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection. Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity check failed Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon starting up, check in interval 240 minutes. Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local "host" service using default keytab. I checked the server's keytab and as far as I can tell, it seems fine?
[root at sysvm-ipa etc]# klist -k /etc/krb5.keytab Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/sysvm-ipa.example.com at EXAMPLE.COM 2 host/sysvm-ipa.example.com at EXAMPLE.COM 2 host/sysvm-ipa.example.com at EXAMPLE.COM 2 host/sysvm-ipa.example.com at EXAMPLE.COM 2 host/sysvm-ipa.example.com at EXAMPLE.COM 2 host/sysvm-ipa.example.com at EXAMPLE.COM cya Craig From ondrejv at s3group.cz Tue Jul 10 09:01:00 2012 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Tue, 10 Jul 2012 11:01:00 +0200 Subject: [Freeipa-users] Failed to initialize credentials using keytab In-Reply-To: <20120710085318.GA8624@noboost.org> References: <20120710085318.GA8624@noboost.org> Message-ID: <4FFBEF4C.7060101@s3group.cz> Does kinit -k host/sysvm-ipa.example.com at EXAMPLE.COM work for you? On 07/10/2012 10:53 AM, freeipa at noboost.org wrote: > Hi All, > > Server: > RHEL 6.3 > ipa-admintools-2.2.0-16.el6.x86_64 > ipa-client-2.2.0-16.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > ipa-pki-common-theme-9.0.3-7.el6.noarch > ipa-python-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > ipa-server-selinux-2.2.0-16.el6.x86_64 > libipa_hbac-1.8.0-32.el6.x86_64 > libipa_hbac-python-1.8.0-32.el6.x86_64 > python-iniparse-0.3.1-2.1.el6.noarch > > Odd Error in /var/log/messages: > Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Failed to initialize > credentials using keytab [(null)]: Decrypt integrity check failed. > Unable to create GSSAPI-encrypted LDAP connection. > > Jul 10 18:15:30 sysvm-ipa [sssd[ldap_child[2070]]]: Decrypt integrity > check failed > > Jul 10 18:15:42 sysvm-ipa rhnsd[2194]: Red Hat Network Services Daemon > starting up, check in interval 240 minutes. > > Jul 10 18:15:43 sysvm-ipa certmonger: Error setting up ccache for local > "host" service using default keytab. > > > I checked the server's keytab and as far as I can tell, it seems fine?
> [root at sysvm-ipa etc]# klist -k /etc/krb5.keytab > Keytab name: WRFILE:/etc/krb5.keytab > KVNO Principal > ---- > -------------------------------------------------------------------------- > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > 2 host/sysvm-ipa.example.com at EXAMPLE.COM > > > cya > > Craig > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From george_he7 at yahoo.com Tue Jul 10 13:01:15 2012 From: george_he7 at yahoo.com (george he) Date: Tue, 10 Jul 2012 06:01:15 -0700 (PDT) Subject: [Freeipa-users] ipa samba win7 Message-ID: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> Hello all, I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? Should I set the file server as a domain controller? How do I deal with the "passdb backend" option? I guess I can set it to "ldapsam", but the user information is kept on the ipa server, not the file server. What else should I take care of before I start? ps. my ipa version is 2.2, running on fc17. Thanks, George
From ondrejv at s3group.cz Tue Jul 10 13:12:55 2012 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Tue, 10 Jul 2012 15:12:55 +0200 Subject: [Freeipa-users] ipa samba win7 In-Reply-To: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> Message-ID: <4FFC2A57.4000305@s3group.cz> Do you have an AD for the win7 machine or is it just a standalone machine? Ondrej On 07/10/2012 03:01 PM, george he wrote: > Hello all, > I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a > win7 machine, which is not a member of the ipa realm? > Should I set the file server as a domain controller? How do I deal with the "passdb backend" option? I guess I can set it to "ldapsam", > but the user information is kept on the ipa server, not the file server. > What else should I take care of before I start? > ps. my ipa version is 2.2, running on fc17. > Thanks, > George > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From george_he7 at yahoo.com Tue Jul 10 13:25:20 2012 From: george_he7 at yahoo.com (george he) Date: Tue, 10 Jul 2012 06:25:20 -0700 (PDT) Subject: [Freeipa-users] ipa samba win7 In-Reply-To: <4FFC2A57.4000305@s3group.cz> References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FFC2A57.4000305@s3group.cz> Message-ID: <1341926720.94403.YahooMailNeo@web120001.mail.ne1.yahoo.com> Hi Ondrej, The win7 is standing alone. I don't have an AD for it. I used to have a samba domain controller that took care of user authentication for both linux and winxp machines.
Thanks, George >________________________________ > From: Ondrej Valousek >To: freeipa-users at redhat.com >Sent: Tuesday, July 10, 2012 9:12 AM >Subject: Re: [Freeipa-users] ipa samba win7 > > >Do you have an AD for the win7 machine or is it just a standalone machine? >Ondrej > >On 07/10/2012 03:01 PM, george he wrote: >Hello all, >>I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? >>Should I set the file server as a domain controller? How do I deal with the "passdb backend" option? I guess I can set it to "ldapsam", but the user information is kept on the ipa server, not the file server. >>What else should I take care of before I start? >>ps. my ipa version is 2.2, running on fc17. >> >>Thanks, >>George >> >> >>_______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users >_______________________________________________ >Freeipa-users mailing list >Freeipa-users at redhat.com >https://www.redhat.com/mailman/listinfo/freeipa-users > > From ondrejv at s3group.cz Tue Jul 10 13:39:50 2012 From: ondrejv at s3group.cz (Ondrej Valousek) Date: Tue, 10 Jul 2012 15:39:50 +0200 Subject: [Freeipa-users] ipa samba win7 In-Reply-To: <1341926720.94403.YahooMailNeo@web120001.mail.ne1.yahoo.com> References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> <4FFC2A57.4000305@s3group.cz> <1341926720.94403.YahooMailNeo@web120001.mail.ne1.yahoo.com> Message-ID: <4FFC30A6.5070008@s3group.cz> Well, if you want to integrate Windows machines, you'd better stick with Samba (you can try Samba 4 if you prefer the IPA-like integration). IPA itself "looks and feels" like AD but it is not compatible with AD - it is intended mainly for Linux machines.
Ondrej On 07/10/2012 03:25 PM, george he wrote: > Hi Ondrej, > The win7 is standing alone. I don't have an AD for it. > I used to have a samba domain controller that took care of user authentication for both linux and winxp machines. > Thanks, > George > > -------------------------------------------------------------------------------------------------------------------------------------------- > *From:* Ondrej Valousek > *To:* freeipa-users at redhat.com > *Sent:* Tuesday, July 10, 2012 9:12 AM > *Subject:* Re: [Freeipa-users] ipa samba win7 > > Do you have an AD for the win7 machine or is it just a standalone machine? > Ondrej > > On 07/10/2012 03:01 PM, george he wrote: >> Hello all, >> I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed >> by a win7 machine, which is not a member of the ipa realm? >> Should I set the file server as a domain controller? How do I deal with the "passdb backend" option? I guess I can set it to >> "ldapsam", but the user information is kept on the ipa server, not the file server. >> What else should I take care of before I start? >> ps. my ipa version is 2.2, running on fc17. >> Thanks, >> George >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users >
From simo at redhat.com Tue Jul 10 13:56:49 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 10 Jul 2012 09:56:49 -0400 Subject: [Freeipa-users] ipa samba win7 In-Reply-To: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> Message-ID: <1341928609.2599.44.camel@willson.li.ssimo.org> On Tue, 2012-07-10 at 06:01 -0700, george he wrote: > Hello all, > I have an ipa client that is also a file server. How do I set up a > samba server on the file server so that the files can be accessed by a > win7 machine, which is not a member of the ipa realm? > Should I set the file server as a domain controller? How do I deal > with the "passdb backend" option? I guess I can set it to "ldapsam", > but the user information is kept on the ipa server, not the file > server. > What else should I take care of before I start? > ps. my ipa version is 2.2, running on fc17. > You can install samba with the ldapsam passdb backend. security = user will suffice, you do not need to make it a domain controller. Authentication will happen only using NTLM, so you will have to add the sambaSamAccount objectclass to those users that you want to be able to log in to samba and the sambaGroups class to those groups you want to use with samba. After you added the right objectclass to users you will need to change the user's password once so that the ipa-pwd-extop plugin can generate NT hashes for the user. Once that is done samba should allow you to log in using the ipa password. Simo.
-- Simo Sorce * Red Hat, Inc * New York From george_he7 at yahoo.com Tue Jul 10 16:59:53 2012 From: george_he7 at yahoo.com (george he) Date: Tue, 10 Jul 2012 09:59:53 -0700 (PDT) Subject: [Freeipa-users] ipa samba win7 In-Reply-To: <1341928609.2599.44.camel@willson.li.ssimo.org> References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1341928609.2599.44.camel@willson.li.ssimo.org> Message-ID: <1341939593.54183.YahooMailNeo@web120005.mail.ne1.yahoo.com> Hi Simo, Could you advise how to add 1. the sambaSamAccount objectclass to a user, and 2. the sambaGroups class to a group? I guess I would need to use ldap commands, which I don't know well enough. By the way, do I need to add both of the above, or if everybody is allowed to use the samba share, (and they are all in the ipausers group), would I only need to add the sambaGroups class to the ipausers group? Thanks, George >________________________________ > From: Simo Sorce >To: george he >Cc: "freeipa-users at redhat.com" >Sent: Tuesday, July 10, 2012 9:56 AM >Subject: Re: [Freeipa-users] ipa samba win7 > >On Tue, 2012-07-10 at 06:01 -0700, george he wrote: >> Hello all, >> I have an ipa client that is also a file server. How do I set up a >> samba server on the file server so that the files can be accessed by a >> win7 machine, which is not a member of the ipa realm? >> Should I set the file server as a domain controller? How do I deal >> with the "passdb backend" option? I guess I can set it to "ldapsam", >> but the user information is kept on the ipa server, not the file >> server. >> What else should I take care of before I start? >> ps. my ipa version is 2.2, running on fc17. >> > >You can install samba with the ldapsam passdb backend. >security = user will suffice, you do not need to make it a domain >controller.
>Authentication will happen only using NTLM, so you will have to add the >sambaSamAccount objectclass to those users that you want to be able to >log in to samba and the sambaGroups class to those groups you want to >use with samba. >After you added the right objectclass to users you will need to change >the user's password once so that the ipa-pwd-extop plugin can generate NT >hashes for the user. >Once that is done samba should allow you to log in using the ipa >password. > >Simo. > >-- >Simo Sorce * Red Hat, Inc * New York > > > > From sakodak at gmail.com Tue Jul 10 19:15:41 2012 From: sakodak at gmail.com (KodaK) Date: Tue, 10 Jul 2012 14:15:41 -0500 Subject: [Freeipa-users] sudo hostgroup sanity check, please? Message-ID: I'm running IPA 2.2.0 on RHEL6 Server: [root at validserver ~]# rpm -qa | grep ipa ipa-client-2.2.0-16.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch libipa_hbac-python-1.8.0-32.el6.x86_64 ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch python-iniparse-0.3.1-2.1.el6.noarch libipa_hbac-1.8.0-32.el6.x86_64 ipa-admintools-2.2.0-16.el6.x86_64 Client: [root at validhost ~]# rpm -qa | grep ipa ipa-client-2.2.0-16.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch libipa_hbac-python-1.8.0-32.el6.x86_64 ipa-python-2.2.0-16.el6.x86_64 ipa-server-2.2.0-16.el6.x86_64 ipa-server-selinux-2.2.0-16.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch python-iniparse-0.3.1-2.1.el6.noarch libipa_hbac-1.8.0-32.el6.x86_64 ipa-admintools-2.2.0-16.el6.x86_64 My sudo-ldap.conf file: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com bindpw validpassword ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri ldap://validserver ldap://validserver2 sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com What I'm trying to do: I have a group of users
that I'd like to have restart apache on a group of hosts. What I've done: created a user group, created a group of hosts (in a grouplist.) I can successfully run sudo in any configuration, *except* when using a host group. When I try I get: Sorry, user validuser is not allowed to execute '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com. I can edit the same rule, change the host group (that only contains two hosts) and specify the two hosts directly and it works fine. Can someone else just try this and see if I've hit a bug? I'm certain I couldn't have messed up creating the host group, but I suppose it's possible. I get the same behavior when I try a simple "/bin/cat" command through sudo, too. Is there a special config for using host groups? I suspect I may have missed some obvious documentation. -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 From sakodak at gmail.com Tue Jul 10 19:28:15 2012 From: sakodak at gmail.com (KodaK) Date: Tue, 10 Jul 2012 14:28:15 -0500 Subject: [Freeipa-users] sudo hostgroup sanity check, please? In-Reply-To: References: Message-ID: Further information: I do have: ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com In /etc/sssd/sssd.conf Is cn=ng,cn=compat correct? 
--Jason On Tue, Jul 10, 2012 at 2:15 PM, KodaK wrote: > I'm running IPA 2.2.0 on RHEL6 > > Server: > > [root at validserver ~]# rpm -qa | grep ipa > ipa-client-2.2.0-16.el6.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.8.0-32.el6.x86_64 > ipa-python-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > ipa-server-selinux-2.2.0-16.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-1.8.0-32.el6.x86_64 > ipa-admintools-2.2.0-16.el6.x86_64 > > Client: > > [root at validhost ~]# rpm -qa | grep ipa > ipa-client-2.2.0-16.el6.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.8.0-32.el6.x86_64 > ipa-python-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > ipa-server-selinux-2.2.0-16.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-1.8.0-32.el6.x86_64 > ipa-admintools-2.2.0-16.el6.x86_64 > > My sudo-ldap.conf file: > > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com > bindpw validpassword > > ssl start_tls > tls_cacertfile /etc/ipa/ca.crt > tls_checkpeer yes > > bind_timelimit 5 > timelimit 15 > > uri ldap://validserver ldap://validserver2 > sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com > > What I'm trying to do: I have a group of users that I'd like to have > restart apache on a group of hosts. > > What I've done: created a user group, created a group of hosts (in a > grouplist.) > > I can successfully run sudo in any configuration, *except* when using > a host group. When I try I get: > > Sorry, user validuser is not allowed to execute > '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com. > > I can edit the same rule, change the host group (that only contains > two hosts) and specify the two hosts directly and it works fine. > > Can someone else just try this and see if I've hit a bug? I'm certain > I couldn't have messed up creating the host group, but I suppose it's > possible. 
> > I get the same behavior when I try a simple "/bin/cat" command through > sudo, too. > > Is there a special config for using host groups? I suspect I may have > missed some obvious documentation. > > -- > The government is going to read our mail anyway, might as well make it > tough for them. GPG Public key ID: B6A1A7C6 -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6 From qchang at sri.utoronto.ca Tue Jul 10 19:53:12 2012 From: qchang at sri.utoronto.ca (Qing Chang) Date: Tue, 10 Jul 2012 15:53:12 -0400 Subject: [Freeipa-users] IPA + OpenAFS Message-ID: <4FFC8828.8060209@sri.utoronto.ca> Please forgive me if this is a question that has been answered somewhere already. I am almost finished setting up my first OpenAFS cell using IPA's KDC for authentication but stumbled on this error: [root at smb1 ~]# fs setacl /afs system:anyuser rl fs: You don't have the required access rights on '/afs' A thread on the OpenAFS mailing list suggests that it is because I have the wrong salt with my afs service key. The right one should be "des-cbc-crc:v4", but the following fails when I try to create the keytab file: ==== [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P New Principal Password: Verify Principal Password: Bad or unsupported salt type (1)! Failed to create key material ==== My IPA server kdc.conf file has this: supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 And the krb5.conf file on both the IPA server and the OpenAFS server has this: allow_weak_crypto = true Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS does not like them.
Thanks, Qing -- ------------------ Qing Chang Senior Systems Administrator M6-624 Research Computing Sunnybrook Health Sciences Centre 2075 Bayview Ave. Toronto, Ontario, M4N 3M5 (416) 480-6100 x3263 qchang at sri.utoronto.ca ------------------ From dpal at redhat.com Tue Jul 10 19:56:31 2012 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 10 Jul 2012 15:56:31 -0400 Subject: [Freeipa-users] sudo hostgroup sanity check, please? In-Reply-To: References: Message-ID: <4FFC88EF.4060802@redhat.com> On 07/10/2012 03:15 PM, KodaK wrote: > I'm running IPA 2.2.0 on RHEL6 > > Server: > > [root at validserver ~]# rpm -qa | grep ipa > ipa-client-2.2.0-16.el6.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.8.0-32.el6.x86_64 > ipa-python-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > ipa-server-selinux-2.2.0-16.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-1.8.0-32.el6.x86_64 > ipa-admintools-2.2.0-16.el6.x86_64 > > Client: > > [root at validhost ~]# rpm -qa | grep ipa > ipa-client-2.2.0-16.el6.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.8.0-32.el6.x86_64 > ipa-python-2.2.0-16.el6.x86_64 > ipa-server-2.2.0-16.el6.x86_64 > ipa-server-selinux-2.2.0-16.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-1.8.0-32.el6.x86_64 > ipa-admintools-2.2.0-16.el6.x86_64 > > My sudo-ldap.conf file: > > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com > bindpw validpassword > > ssl start_tls > tls_cacertfile /etc/ipa/ca.crt > tls_checkpeer yes > > bind_timelimit 5 > timelimit 15 > > uri ldap://validserver ldap://validserver2 > sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com > > What I'm trying to do: I have a group of users that I'd like to have > restart apache on a group of hosts. > > What I've done: created a user group, created a group of hosts (in a > grouplist.) 
> > I can successfully run sudo in any configuration, *except* when using > a host group. When I try I get: > > Sorry, user validuser is not allowed to execute > '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com. > > I can edit the same rule, change the host group (that only contains > two hosts) and specify the two hosts directly and it works fine. > > Can someone else just try this and see if I've hit a bug? I'm certain > I couldn't have messed up creating the host group, but I suppose it's > possible. > > I get the same behavior when I try a simple "/bin/cat" command through > sudo, too. > > Is there a special config for using host groups? I suspect I may have > missed some obvious documentation. > What do your SUDO entries look like? Do you see the host netgroup coming over to the system when you enumerate netgroups? Does it have the two hosts you mentioned? -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From sakodak at gmail.com Tue Jul 10 20:16:41 2012 From: sakodak at gmail.com (KodaK) Date: Tue, 10 Jul 2012 15:16:41 -0500 Subject: [Freeipa-users] sudo hostgroup sanity check, please?
In-Reply-To: <4FFC88EF.4060802@redhat.com> References: <4FFC88EF.4060802@redhat.com> Message-ID: On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal wrote: > On 07/10/2012 03:15 PM, KodaK wrote: >> I'm running IPA 2.2.0 on RHEL6 >> >> Server: >> >> [root at validserver ~]# rpm -qa | grep ipa >> ipa-client-2.2.0-16.el6.x86_64 >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> libipa_hbac-python-1.8.0-32.el6.x86_64 >> ipa-python-2.2.0-16.el6.x86_64 >> ipa-server-2.2.0-16.el6.x86_64 >> ipa-server-selinux-2.2.0-16.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.8.0-32.el6.x86_64 >> ipa-admintools-2.2.0-16.el6.x86_64 >> >> Client: >> >> [root at validhost ~]# rpm -qa | grep ipa >> ipa-client-2.2.0-16.el6.x86_64 >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> libipa_hbac-python-1.8.0-32.el6.x86_64 >> ipa-python-2.2.0-16.el6.x86_64 >> ipa-server-2.2.0-16.el6.x86_64 >> ipa-server-selinux-2.2.0-16.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.8.0-32.el6.x86_64 >> ipa-admintools-2.2.0-16.el6.x86_64 >> >> My sudo-ldap.conf file: >> >> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com >> bindpw validpassword >> >> ssl start_tls >> tls_cacertfile /etc/ipa/ca.crt >> tls_checkpeer yes >> >> bind_timelimit 5 >> timelimit 15 >> >> uri ldap://validserver ldap://validserver2 >> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com >> >> What I'm trying to do: I have a group of users that I'd like to have >> restart apache on a group of hosts. >> >> What I've done: created a user group, created a group of hosts (in a >> grouplist.) >> >> I can successfully run sudo in any configuration, *except* when using >> a host group. When I try I get: >> >> Sorry, user validuser is not allowed to execute >> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com. 
>> >> I can edit the same rule, change the host group (that only contains >> two hosts) and specify the two hosts directly and it works fine. >> >> Can someone else just try this and see if I've hit a bug? I'm certain >> I couldn't have messed up creating the host group, but I suppose it's >> possible. >> >> I get the same behavior when I try a simple "/bin/cat" command through >> sudo, too. >> >> Is there a special config for using host groups? I suspect I may have >> missed some obvious documentation. >> > How do your SUDO entries look like? Rule name: test rule Options: none Who: specified users and groups Users: jebalicki User groups: none Access this host: specified users and groups Hosts: none Host groups: tds-webhosts (contains the two valid client systems) RUN COMMANDS ALLOW command category the rule applies to: specified commands and groups sudo allow commands: /bin/cat sudo allow command groups: none Nothing denied. "As whom" is left as default. > Do you see host netgroup coming over to the system when you enumerate > netgroups? I don't know how to do this at the command line. I'm googling for it. The only thing I'm even vaguely familiar with (in that it exists) is ypcat, but I thought sssd was taking care of "translating" the host groups to netgroups for sudo? I'm sorry, I'm just not familiar with NIS at all. The documentation tells me that a hidden netgroup is created, so I shouldn't need to manually specify one, right? > Does it have the two hosts you mentioned? Once I find that I'll get back to you. Thanks for taking the time. From natxo.asenjo at gmail.com Tue Jul 10 20:49:15 2012 From: natxo.asenjo at gmail.com (Natxo Asenjo) Date: Tue, 10 Jul 2012 22:49:15 +0200 Subject: [Freeipa-users] sudo hostgroup sanity check, please? 
In-Reply-To:
References: <4FFC88EF.4060802@redhat.com>
Message-ID:

On Tue, Jul 10, 2012 at 10:16 PM, KodaK wrote:
> On Tue, Jul 10, 2012 at 2:56 PM, Dmitri Pal wrote:
> > Do you see host netgroup coming over to the system when you enumerate
> > netgroups?
>
> I don't know how to do this at the command line. I'm googling for it.
> The only thing I'm even vaguely familiar with (in that it exists) is
> ypcat, but I thought sssd was taking care of "translating" the host
> groups to netgroups for sudo? I'm sorry, I'm just not familiar with
> NIS at all. The documentation tells me that a hidden netgroup is
> created, so I shouldn't need to manually specify one, right?

getent netgroup

From JR.Aquino at citrix.com Tue Jul 10 22:45:38 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 10 Jul 2012 22:45:38 +0000
Subject: [Freeipa-users] sudo hostgroup sanity check, please?
In-Reply-To:
References:
Message-ID: <0C3D65F1-04E0-4E0C-8080-1EEFFD1DBB73@citrixonline.com>

On Jul 10, 2012, at 12:28 PM, KodaK wrote:
> Further information:
>
> I do have:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=validdomain,dc=com

Go ahead and remove this line. Previous legacy versions of sssd required it. I believe it just gets in the way now.

You also want to run:

$ domainname

Make sure it comes back with your domain, if not, please set your domainname. (/etc/rc.local is currently the place recommended to set this value)

Netgroups will come back as a tuple like:

(testhost.domain.com, -, domain.com)

Sudo will do the netgroup look up and wants to see that the hostname matches the hostname of the server, and that the domain also matches.

You can double-check this by doing:

getent netgroup

It should return a tuple like the one above.

If you are still having difficulty, you can add

sudoers_debug 2

in your /etc/sudo-ldap.conf file then re-run your sudo command.
IT should show the various tests it performs and the output of the FreeIPA server. It wants to match, user, host, and command. > In /etc/sssd/sssd.conf > > Is cn=ng,cn=compat correct? > > --Jason > > On Tue, Jul 10, 2012 at 2:15 PM, KodaK wrote: >> I'm running IPA 2.2.0 on RHEL6 >> >> Server: >> >> [root at validserver ~]# rpm -qa | grep ipa >> ipa-client-2.2.0-16.el6.x86_64 >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> libipa_hbac-python-1.8.0-32.el6.x86_64 >> ipa-python-2.2.0-16.el6.x86_64 >> ipa-server-2.2.0-16.el6.x86_64 >> ipa-server-selinux-2.2.0-16.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.8.0-32.el6.x86_64 >> ipa-admintools-2.2.0-16.el6.x86_64 >> >> Client: >> >> [root at validhost ~]# rpm -qa | grep ipa >> ipa-client-2.2.0-16.el6.x86_64 >> ipa-pki-common-theme-9.0.3-7.el6.noarch >> libipa_hbac-python-1.8.0-32.el6.x86_64 >> ipa-python-2.2.0-16.el6.x86_64 >> ipa-server-2.2.0-16.el6.x86_64 >> ipa-server-selinux-2.2.0-16.el6.x86_64 >> ipa-pki-ca-theme-9.0.3-7.el6.noarch >> python-iniparse-0.3.1-2.1.el6.noarch >> libipa_hbac-1.8.0-32.el6.x86_64 >> ipa-admintools-2.2.0-16.el6.x86_64 >> >> My sudo-ldap.conf file: >> >> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com >> bindpw validpassword >> >> ssl start_tls >> tls_cacertfile /etc/ipa/ca.crt >> tls_checkpeer yes >> >> bind_timelimit 5 >> timelimit 15 >> >> uri ldap://validserver ldap://validserver2 >> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com >> >> What I'm trying to do: I have a group of users that I'd like to have >> restart apache on a group of hosts. >> >> What I've done: created a user group, created a group of hosts (in a >> grouplist.) >> >> I can successfully run sudo in any configuration, *except* when using >> a host group. When I try I get: >> >> Sorry, user validuser is not allowed to execute >> '/etc/rc.d/init.d/httpd status' as root on validhost1.fqdn.com. 
>> >> I can edit the same rule, change the host group (that only contains >> two hosts) and specify the two hosts directly and it works fine. >> >> Can someone else just try this and see if I've hit a bug? I'm certain >> I couldn't have messed up creating the host group, but I suppose it's >> possible. >> >> I get the same behavior when I try a simple "/bin/cat" command through >> sudo, too. >> >> Is there a special config for using host groups? I suspect I may have >> missed some obvious documentation. >> >> -- >> The government is going to read our mail anyway, might as well make it >> tough for them. GPG Public key ID: B6A1A7C6 > > > > -- > The government is going to read our mail anyway, might as well make it > tough for them. GPG Public key ID: B6A1A7C6 > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From nalin at redhat.com Wed Jul 11 00:34:35 2012 From: nalin at redhat.com (Nalin Dahyabhai) Date: Tue, 10 Jul 2012 20:34:35 -0400 Subject: [Freeipa-users] sudo hostgroup sanity check, please? In-Reply-To: References: Message-ID: <20120711003435.GF15922@redhat.com> On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote: [snip] > My sudo-ldap.conf file: > > binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com > bindpw validpassword > > ssl start_tls > tls_cacertfile /etc/ipa/ca.crt > tls_checkpeer yes > > bind_timelimit 5 > timelimit 15 > > uri ldap://validserver ldap://validserver2 This may be unrelated, but keep in mind that these should be FQDNs, because that's what the directory server SSL certificates have in them, and a client will check that the name in the certificate the server uses to identify itself matches the name that the client "thinks" the server has, which the client derives from the URI values given here. 
> sudoers_base ou=SUDOers,dc=unix,dc=magellanhealth,dc=com Assuming your domain name is "UNIX.MAGELLANHEALTH.COM" and you haven't changed the configuration for the Schema Compatibility plugin, this looks correct. If your domain name is something else, you'll need to change this setting to "ou=SUDOers,$basedn", where "basedn" is the value listed in your server's /etc/ipa/default.conf file. HTH, Nalin From james.hogarth at gmail.com Wed Jul 11 10:02:06 2012 From: james.hogarth at gmail.com (James Hogarth) Date: Wed, 11 Jul 2012 11:02:06 +0100 Subject: [Freeipa-users] Sudo documentation correction (sudo 1.7.4p-5 update breaks working configuration) Message-ID: Hi all, Having just spent an hour debugging this during my centos6.2 to centos6.3 updates here's a heads up for others and a correction to the documentation at docs.redhat.com .... The update to sudo mentioned changed sudo to use /etc/sudo-ldap.conf for a ldap-backed sudo configuration instead of /etc/nslcd.conf but did not copy an existing /etc/nslcd.conf into this new file and consequently disabled ldap-backed sudo. The documentation in 13.4.2 still refers to /etc/nslcd.conf for RHEL6 based systems - which is obviously incorrect now.... This documentation would probably be best to have a note added that between 6.2 and 6.3 (or even specify the sudo revisions) that the configuration file has changed. James From mkosek at redhat.com Wed Jul 11 10:13:43 2012 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 11 Jul 2012 12:13:43 +0200 Subject: [Freeipa-users] Sudo documentation correction (sudo 1.7.4p-5 update breaks working configuration) In-Reply-To: References: Message-ID: <4FFD51D7.7030902@redhat.com> On 07/11/2012 12:02 PM, James Hogarth wrote: > Hi all, > > Having just spent an hour debugging this during my centos6.2 to > centos6.3 updates here's a heads up for others and a correction to the > documentation at docs.redhat.com .... 
>
> The update to sudo mentioned changed sudo to use /etc/sudo-ldap.conf
> for a ldap-backed sudo configuration instead of /etc/nslcd.conf but
> did not copy an existing /etc/nslcd.conf into this new file and
> consequently disabled ldap-backed sudo.
>
> The documentation in 13.4.2 still refers to /etc/nslcd.conf for RHEL6
> based systems - which is obviously incorrect now....
>
> This documentation would probably be best to have a note added that
> between 6.2 and 6.3 (or even specify the sudo revisions) that the
> configuration file has changed.
>
> James
>

Thanks for pointing that out. Btw. there is a relevant Bugzilla that should cover this deficiency:

https://bugzilla.redhat.com/show_bug.cgi?id=835515

Please feel free to comment if you found any relevant issues that are not covered with this Bugzilla.

Martin

From simo at redhat.com Wed Jul 11 12:28:05 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 11 Jul 2012 08:28:05 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFC8828.8060209@sri.utoronto.ca>
References: <4FFC8828.8060209@sri.utoronto.ca>
Message-ID: <1342009685.2599.63.camel@willson.li.ssimo.org>

On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
> please forgive me if this is a question that has been answered somewhere already.
>
> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
> authentication but stumble on this error:
>
> [root at smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>
> A thread on OpenAFS mailing list suggests that it is because I have wrong salt
> with my afs service key. The right one should be "des-cbc-crc:v4", but following fails
> when I tried to create the keytab file:
> ====
> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
> New Principal Password:
> Verify Principal Password:
> Bad or unsupported salt type (1)!
> Failed to create key material
> ====
>
> My IPA server kdc.conf file has this:
> supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>
> And the krb5.conf file on both IPA server and OpenAFS server has this:
> allow_weak_crypto = true
>
> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS
> does not like them.

You need to change the supported enc types in LDAP for ipa to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
ldap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From qchang at sri.utoronto.ca Wed Jul 11 14:19:57 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Wed, 11 Jul 2012 10:19:57 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <1342009685.2599.63.camel@willson.li.ssimo.org>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org>
Message-ID: <4FFD8B8D.5020407@sri.utoronto.ca>

I think I do have it configured already:
=====
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
=====
As I mentioned, I can create keytabs with des-cbc-crc:normal and des-cbc-crc:afs3,
but not with des-cbc-crc:v4, which is what OpenAFS uses.

Qing

On 11/07/2012 8:28 AM, Simo Sorce wrote:
> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>> please forgive me if this is a question that has been answered somewhere already.
>>
>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
>> authentication but stumble on this error:
>>
>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> A thread on OpenAFS mailing list suggests that it is because I have wrong salt
>> with my afs service key. The right one should be "des-cbc-crc:v4", but following fails
>> when I tried to create the keytab file:
>> ====
>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
>> New Principal Password:
>> Verify Principal Password:
>> Bad or unsupported salt type (1)!
>> Failed to create key material
>> ====
>>
>> My IPA server kdc.conf file has this:
>> supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>>
>> And the krb5.conf file on both IPA server and OpenAFS server has this:
>> allow_weak_crypto = true
>>
>> Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and des-cbc-crc:afs3 works, but OpenAFS
>> does not like them.
> You need to change the supported enc types in LDAP for ipa to care.
> These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
> ldap.
>
> Simo.
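To make the enctype:salttype pairs in that entry concrete, here is an added example (mine, not code from this thread or from FreeIPA) that audits the realm values Qing posted: it parses the krbSupportedEncSaltTypes lines, derives the salt MIT krb5 would use for the afs/ principal under each salt type (v4 is the Kerberos 4 compatibility type and means an empty salt, and the "(1)" in the error message is its salt-type number), and lists the entries whose enctype is deprecated. The principal and attribute values come from the thread; the deprecated-enctype list is the example's own assumption, taken from RFC 6649 and RFC 8429.

```python
"""Kerberos enctype:salttype audit for a FreeIPA realm entry (added example, not
code from this thread or from FreeIPA): parses the krbSupportedEncSaltTypes and
krbDefaultEncSaltTypes values as posted, derives the string-to-key salt each MIT
krb5 salt type uses, and flags enctypes deprecated by RFC 6649 and RFC 8429."""
from dataclasses import dataclass

# Single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}


def kerberos_salt(principal: str, salttype: str) -> str:
    """Salt MIT krb5 feeds to string-to-key for principal under salttype.
    KRB5_KDB_SALTTYPE_* numbers: normal=0, v4=1, norealm=2, onlyrealm=3,
    special=4, afs3=5, so the "(1)" in "Bad or unsupported salt type (1)!" is v4."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must be name@REALM: {principal!r}")
    components = name.split("/")
    if salttype == "normal":      # realm followed by the name components
        return realm + "".join(components)
    if salttype == "v4":          # Kerberos 4 compatibility: no salt at all
        return ""
    if salttype == "norealm":     # name components only
        return "".join(components)
    if salttype in ("onlyrealm", "afs3"):  # realm; the afs3 string-to-key lower-cases it
        return realm
    # "special" needs the salt stored beside the key, which the entry does not give us.
    raise ValueError(f"Bad or unsupported salt type: {salttype!r}")


def parse_enc_salt_types(ldif: str, attribute: str = "krbSupportedEncSaltTypes") -> list[tuple[str, str]]:
    """Collect (enctype, salttype) pairs from 'attribute: enctype:salttype' lines."""
    pairs: list[tuple[str, str]] = []
    prefix = attribute + ":"
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line.startswith(prefix):
            continue
        enctype, sep, salttype = line[len(prefix):].strip().partition(":")
        if not sep or not enctype or not salttype:
            raise ValueError(f"malformed value in {line!r}")
        pairs.append((enctype, salttype))
    return pairs


def weak_entries(ldif: str, attribute: str = "krbSupportedEncSaltTypes") -> list[str]:
    """Entries of attribute whose enctype is deprecated, as 'enctype:salttype'."""
    return [f"{e}:{s}" for e, s in parse_enc_salt_types(ldif, attribute) if e in WEAK_ENCTYPES]


@dataclass(frozen=True)
class AuditResult:
    enctype: str
    salttype: str
    supported: bool     # the realm entry lists this exact enctype:salttype pair
    weak_enctype: bool  # enctype is deprecated
    unsalted: bool      # derived salt is empty (only v4 does this)
    salt: str


def audit_request(ldif: str, principal: str, requested: str) -> AuditResult:
    """Check an 'ipa-getkeytab -e enctype:salttype' request against the realm entry."""
    enctype, sep, salttype = requested.partition(":")
    if not sep:
        raise ValueError("request must be enctype:salttype")
    salt = kerberos_salt(principal, salttype)
    return AuditResult(enctype, salttype, (enctype, salttype) in parse_enc_salt_types(ldif),
                       enctype in WEAK_ENCTYPES, salt == "", salt)


# Constructed sample: the realm entry values posted in this thread.
REALM_LDIF = """\
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
"""
AFS_PRINCIPAL = "afs/openafs.sri.utoronto.ca@SRI.UTORONTO.CA"

if __name__ == "__main__":
    print(audit_request(REALM_LDIF, AFS_PRINCIPAL, "des-cbc-crc:v4"))
    print("deprecated entries still advertised:", weak_entries(REALM_LDIF))
```

Nine of the thirteen advertised pairs use a deprecated enctype, which is the list to trim once the AFS dependency on DES is gone.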
> From dpal at redhat.com Wed Jul 11 18:12:34 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 11 Jul 2012 14:12:34 -0400 Subject: [Freeipa-users] IPA + OpenAFS In-Reply-To: <4FFD8B8D.5020407@sri.utoronto.ca> References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> Message-ID: <4FFDC212.4000901@redhat.com> On 07/11/2012 10:19 AM, Qing Chang wrote: > I think I do have it configured already: > ===== > krbSupportedEncSaltTypes: aes256-cts:normal > krbSupportedEncSaltTypes: aes256-cts:special > krbSupportedEncSaltTypes: aes128-cts:normal > krbSupportedEncSaltTypes: aes128-cts:special > krbSupportedEncSaltTypes: des3-hmac-sha1:normal > krbSupportedEncSaltTypes: des3-hmac-sha1:special > krbSupportedEncSaltTypes: arcfour-hmac:normal > krbSupportedEncSaltTypes: arcfour-hmac:special > krbSupportedEncSaltTypes: des-hmac-sha1:normal > krbSupportedEncSaltTypes: des-cbc-md5:normal > krbSupportedEncSaltTypes: des-cbc-crc:normal > krbSupportedEncSaltTypes: des-cbc-crc:v4 > krbSupportedEncSaltTypes: des-cbc-crc:afs3 > krbDefaultEncSaltTypes: aes256-cts:special > krbDefaultEncSaltTypes: aes128-cts:special > krbDefaultEncSaltTypes: des3-hmac-sha1:special > krbDefaultEncSaltTypes: arcfour-hmac:special > ===== > > As I mentioned, I can create keytabs with des-cbc-crc:normal and > des-cbc-crc:afs3, > but not with des-cbc-crc:v4, which is what OpenAFS uses. Is there anything in the Kerberos logs on the server? > > Qing > > On 11/07/2012 8:28 AM, Simo Sorce wrote: >> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote: >>> please forgive me if this is a question that has been answered >>> somewhere already. 
>>> >>> I am almost finished setting up my first OpenAFS cell using IPA's >>> KDC for >>> authentication but stumble on this error: >>> >>> [root at smb1 ~]# fs setacl /afs system:anyuser rl >>> fs: You don't have the required access rights on '/afs' >>> >>> A thread on OpenAFS mailing list suggests that it is because I have >>> wrong salt >>> with my afs service key. The right one should be "des-cbc-crc:v4", >>> but following fails >>> when I tried to cretae the keytab file: >>> ==== >>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p >>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab >>> -e des-cbc-crc:v4 -P >>> New Principal Password: >>> Verify Principal Password: >>> Bad or unsupported salt type (1)! >>> Failed to create key material >>> ==== >>> >>> My IPA server kdc.conf file has this: >>> supported_enctypes = aes256-cts:normal aes128-cts:normal >>> des3-hmac-sha1:normal arcfour-hmac:normal >>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal >>> des-cbc-crc:v4 des-cbc-crc:afs3 >>> >>> And the krb5.conf file on both IPA server and OpenAFS server has this: >>> allow_weak_crypto = true >>> >>> Why does ipa-getkeytab fail here. Using both des-cbc-crc:normal and >>> des-cbc-crc:afs3 works, but OpenAFS >>> does not like them. >> You need to change the supported enc types in LDAP for ipa to care. >> these attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in >> ldap. >> >> Simo. >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ From simo at redhat.com Wed Jul 11 18:24:02 2012 From: simo at redhat.com (Simo Sorce) Date: Wed, 11 Jul 2012 14:24:02 -0400 Subject: [Freeipa-users] IPA + OpenAFS In-Reply-To: <4FFD8B8D.5020407@sri.utoronto.ca> References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> Message-ID: <1342031042.2599.86.camel@willson.li.ssimo.org> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote: > I think I do have it configured already: > ===== > krbSupportedEncSaltTypes: aes256-cts:normal > krbSupportedEncSaltTypes: aes256-cts:special > krbSupportedEncSaltTypes: aes128-cts:normal > krbSupportedEncSaltTypes: aes128-cts:special > krbSupportedEncSaltTypes: des3-hmac-sha1:normal > krbSupportedEncSaltTypes: des3-hmac-sha1:special > krbSupportedEncSaltTypes: arcfour-hmac:normal > krbSupportedEncSaltTypes: arcfour-hmac:special > krbSupportedEncSaltTypes: des-hmac-sha1:normal > krbSupportedEncSaltTypes: des-cbc-md5:normal > krbSupportedEncSaltTypes: des-cbc-crc:normal > krbSupportedEncSaltTypes: des-cbc-crc:v4 > krbSupportedEncSaltTypes: des-cbc-crc:afs3 > krbDefaultEncSaltTypes: aes256-cts:special > krbDefaultEncSaltTypes: aes128-cts:special > krbDefaultEncSaltTypes: des3-hmac-sha1:special > krbDefaultEncSaltTypes: arcfour-hmac:special > ===== > > As I mentioned, I can create keytabs with des-cbc-crc:normal and des-cbc-crc:afs3, > but not with des-cbc-crc:v4, which is what OpenAFS uses. > > Qing > > On 11/07/2012 8:28 AM, Simo Sorce wrote: > > On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote: > >> please forgive me if this is a question that has been answered somewhere already. 
> >>
> >> I am almost finished setting up my first OpenAFS cell using IPA's KDC for
> >> authentication but stumble on this error:
> >>
> >> [root at smb1 ~]# fs setacl /afs system:anyuser rl
> >> fs: You don't have the required access rights on '/afs'
> >>
> >> A thread on OpenAFS mailing list suggests that it is because I have wrong salt
> >> with my afs service key. The right one should be "des-cbc-crc:v4", but following fails
> >> when I tried to create the keytab file:
> >> ====
> >> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
> >> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P
> >> New Principal Password:
> >> Verify Principal Password:
> >> Bad or unsupported salt type (1)!
> >> Failed to create key material

OK, I just checked the code and found out that we do not support
creating keys with the 'v4' salt type in the ipa code.

I am not sure why I skipped that salt type when I coded it up.
Probably because it is basically obsolete (and amounts to unsalted keys)
and the only thing that still uses it is AFS which uses DES that is also
a completely deprecated and insecure algorithm these days.

Unfortunately it is not something that can be changed via some
parameter, if this is really needed I can only suggest opening a ticket
in freeipa trac instance.

But can't AFS use some decent crypto these days, like AES ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sakodak at gmail.com Wed Jul 11 18:59:28 2012
From: sakodak at gmail.com (KodaK)
Date: Wed, 11 Jul 2012 13:59:28 -0500
Subject: [Freeipa-users] self service password reset
Message-ID:

Has anyone rolled out a self-service password reset utility for IPA? If
so did you use something off the shelf that speaks LDAP or roll your
own?

I'm looking at this:

http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it
tough for them.
GPG Public key ID: B6A1A7C6

From qchang at sri.utoronto.ca Wed Jul 11 19:04:28 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Wed, 11 Jul 2012 15:04:28 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <1342031042.2599.86.camel@willson.li.ssimo.org>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org>
Message-ID: <4FFDCE3C.8030508@sri.utoronto.ca>

I agree with you that OpenAFS should implement better enctype. I'll raise it
on their list. In the meantime, this is a block, do you have an estimate how
long it takes to have the addition of v4 get into RHEL 6.3? I am asking because
we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
to our new infrastructure by end of July.

There is another issue, by convention OpenAFS service principal is created as
afs/DOMAIN at REALM. IPA does not support creating a service principal without
first having a corresponding host principal, eg, afs/FQDN at REALM. Is it possible
to add the flexibility in IPA to create an arbitrary service principal, which can be
done with a standalone Kerberos KDC?

I'll try to open a ticket for v4.
Many thanks, Qing On 11/07/2012 2:24 PM, Simo Sorce wrote: > On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote: >> I think I do have it configured already: >> ===== >> krbSupportedEncSaltTypes: aes256-cts:normal >> krbSupportedEncSaltTypes: aes256-cts:special >> krbSupportedEncSaltTypes: aes128-cts:normal >> krbSupportedEncSaltTypes: aes128-cts:special >> krbSupportedEncSaltTypes: des3-hmac-sha1:normal >> krbSupportedEncSaltTypes: des3-hmac-sha1:special >> krbSupportedEncSaltTypes: arcfour-hmac:normal >> krbSupportedEncSaltTypes: arcfour-hmac:special >> krbSupportedEncSaltTypes: des-hmac-sha1:normal >> krbSupportedEncSaltTypes: des-cbc-md5:normal >> krbSupportedEncSaltTypes: des-cbc-crc:normal >> krbSupportedEncSaltTypes: des-cbc-crc:v4 >> krbSupportedEncSaltTypes: des-cbc-crc:afs3 >> krbDefaultEncSaltTypes: aes256-cts:special >> krbDefaultEncSaltTypes: aes128-cts:special >> krbDefaultEncSaltTypes: des3-hmac-sha1:special >> krbDefaultEncSaltTypes: arcfour-hmac:special >> ===== >> >> As I mentioned, I can create keytabs with des-cbc-crc:normal and des-cbc-crc:afs3, >> but not with des-cbc-crc:v4, which is what OpenAFS uses. >> >> Qing >> >> On 11/07/2012 8:28 AM, Simo Sorce wrote: >>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote: >>>> please forgive me if this is a question that has been answered somewhere already. >>>> >>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC for >>>> authentication but stumble on this error: >>>> >>>> [root at smb1 ~]# fs setacl /afs system:anyuser rl >>>> fs: You don't have the required access rights on '/afs' >>>> >>>> A thread on OpenAFS mailing list suggests that it is because I have wrong salt >>>> with my afs service key. 
The right one should be "des-cbc-crc:v4", but following fails >>>> when I tried to cretae the keytab file: >>>> ==== >>>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p >>>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P >>>> New Principal Password: >>>> Verify Principal Password: >>>> Bad or unsupported salt type (1)! >>>> Failed to create key material > OK, I just checkjed the code and found out that we do not support > creating keys with the 'v4' salt type in the ipa code. > > I am not sure why I skipped that salt type when I coded it up. > Probably because it is basically obsolete (and amounts to unsalted keys) > and the only thing that still uses it is AFS which uses DES that is also > a completely deprecated and insecure algorithm these days. > > Unfortunately it is not something that can be changed via some > parameter, if this is really needed I can only suggest opening a ticket > in freeipa trac instance. > > But can't AFS use some decent crypto these days, like AES ? > > Simo. > > -- ------------------ Qing Chang Senior Systems Administrator M6-624 Research Computing Sunnybrook Health Sciences Centre 2075 Bayview Ave. Toronto, Ontario, M4N 3M5 (416) 480-6100 x3263 qchang at sri.utoronto.ca ------------------ From danieljamesscott at gmail.com Wed Jul 11 19:10:47 2012 From: danieljamesscott at gmail.com (Dan Scott) Date: Wed, 11 Jul 2012 15:10:47 -0400 Subject: [Freeipa-users] IPA + OpenAFS In-Reply-To: <4FFDCE3C.8030508@sri.utoronto.ca> References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> Message-ID: Hi, On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote: > I agree with you that OpenAFS should implement better enctype. I'll raise it > on their list. 
In the mean time, this is a block, do you have an estimate > how > long it takes to have the addition of v4 get into RHEL 6.3? I am asking > because > we are moving from LDAP+Kerberos+Smaba+Kerberized NFSv4 to IPA+OpenAFS > to our new infrastructure by end of July. Is it really a block? I run IPA with OpenAFS. I used the kadmin utility to extract the keytab (I think - this was quite a while ago). The ipa-getkeytab utility is nice, but not required. Or am I missing something? > There is another issue, by convention OpenAFS service principal is created > as > afs/DOMAIN at REALM. IPA does not support creating a service principal without > first having a corresponding host principal, eg, afs/FQDN at REALM. Is it > possible > to add the flexibility in IPA to create an arbitrary service principal, > which can be > done with a standalone Kerberos KDC? Again, you don't have to use the IPA tools. You can use the Kerberos server tools. Dan > On 11/07/2012 2:24 PM, Simo Sorce wrote: >> >> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote: >>> >>> I think I do have it configured already: >>> ===== >>> krbSupportedEncSaltTypes: aes256-cts:normal >>> krbSupportedEncSaltTypes: aes256-cts:special >>> krbSupportedEncSaltTypes: aes128-cts:normal >>> krbSupportedEncSaltTypes: aes128-cts:special >>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal >>> krbSupportedEncSaltTypes: des3-hmac-sha1:special >>> krbSupportedEncSaltTypes: arcfour-hmac:normal >>> krbSupportedEncSaltTypes: arcfour-hmac:special >>> krbSupportedEncSaltTypes: des-hmac-sha1:normal >>> krbSupportedEncSaltTypes: des-cbc-md5:normal >>> krbSupportedEncSaltTypes: des-cbc-crc:normal >>> krbSupportedEncSaltTypes: des-cbc-crc:v4 >>> krbSupportedEncSaltTypes: des-cbc-crc:afs3 >>> krbDefaultEncSaltTypes: aes256-cts:special >>> krbDefaultEncSaltTypes: aes128-cts:special >>> krbDefaultEncSaltTypes: des3-hmac-sha1:special >>> krbDefaultEncSaltTypes: arcfour-hmac:special >>> ===== >>> >>> As I mentioned, I can create keytabs 
with des-cbc-crc:normal and >>> des-cbc-crc:afs3, >>> but not with des-cbc-crc:v4, which is what OpenAFS uses. >>> >>> Qing >>> >>> On 11/07/2012 8:28 AM, Simo Sorce wrote: >>>> >>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote: >>>>> >>>>> please forgive me if this is a question that has been answered >>>>> somewhere already. >>>>> >>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC >>>>> for >>>>> authentication but stumble on this error: >>>>> >>>>> [root at smb1 ~]# fs setacl /afs system:anyuser rl >>>>> fs: You don't have the required access rights on '/afs' >>>>> >>>>> A thread on OpenAFS mailing list suggests that it is because I have >>>>> wrong salt >>>>> with my afs service key. The right one should be "des-cbc-crc:v4", but >>>>> following fails >>>>> when I tried to cretae the keytab file: >>>>> ==== >>>>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p >>>>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e >>>>> des-cbc-crc:v4 -P >>>>> New Principal Password: >>>>> Verify Principal Password: >>>>> Bad or unsupported salt type (1)! >>>>> Failed to create key material >> >> OK, I just checkjed the code and found out that we do not support >> creating keys with the 'v4' salt type in the ipa code. >> >> I am not sure why I skipped that salt type when I coded it up. >> Probably because it is basically obsolete (and amounts to unsalted keys) >> and the only thing that still uses it is AFS which uses DES that is also >> a completely deprecated and insecure algorithm these days. >> >> Unfortunately it is not something that can be changed via some >> parameter, if this is really needed I can only suggest opening a ticket >> in freeipa trac instance. >> >> But can't AFS use some decent crypto these days, like AES ? >> >> Simo. >> >> > > -- > ------------------ > Qing Chang > Senior Systems Administrator > M6-624 Research Computing > Sunnybrook Health Sciences Centre > 2075 Bayview Ave. 
> Toronto, Ontario, M4N 3M5
> (416) 480-6100 x3263
> qchang at sri.utoronto.ca
> ------------------

From simo at redhat.com Wed Jul 11 19:21:15 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 11 Jul 2012 15:21:15 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To:
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca>
Message-ID: <1342034476.2599.88.camel@willson.li.ssimo.org>

On Wed, 2012-07-11 at 15:10 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote:
> > I agree with you that OpenAFS should implement better enctype. I'll raise it
> > on their list. In the meantime, this is a block, do you have an estimate
> > how
> > long it takes to have the addition of v4 get into RHEL 6.3? I am asking
> > because
> > we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
> > to our new infrastructure by end of July.
>
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?
>
> > There is another issue, by convention OpenAFS service principal is created
> > as
> > afs/DOMAIN at REALM. IPA does not support creating a service principal without
> > first having a corresponding host principal, eg, afs/FQDN at REALM. Is it
> > possible
> > to add the flexibility in IPA to create an arbitrary service principal,
> > which can be
> > done with a standalone Kerberos KDC?

You can use the --force flag to force the creation of an arbitrary
service principal.

> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.
Using kadmin.local is really not recommended with IPA normally, but maybe it can be used as a temporary workaround in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From qchang at sri.utoronto.ca Wed Jul 11 19:21:18 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Wed, 11 Jul 2012 15:21:18 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To:
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca>
Message-ID: <4FFDD22E.4000301@sri.utoronto.ca>

On 11/07/2012 3:10 PM, Dan Scott wrote:
> Hi,
>
> On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang wrote:
>> I agree with you that OpenAFS should implement better enctype. I'll raise it
>> on their list. In the mean time, this is a block, do you have an estimate
>> how
>> long it takes to have the addition of v4 get into RHEL 6.3? I am asking
>> because
>> we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
>> to our new infrastructure by end of July.
> Is it really a block? I run IPA with OpenAFS. I used the kadmin
> utility to extract the keytab (I think - this was quite a while ago).
> The ipa-getkeytab utility is nice, but not required. Or am I missing
> something?

Because of the integration of Kerberos in IPA, Kerberos tools can be used only in limited situations; when creating afs/DOMAIN at REALM with kadmin, I got this error:
add_principal: Kerberos database constraints violated while creating "afs/DOMAIN at REALM"

>> There is another issue, by convention OpenAFS service principal is created
>> as
>> afs/DOMAIN at REALM. IPA does not support creating a service principal without
>> first having a corresponding host principal, eg, afs/FQDN at REALM. Is it
>> possible
>> to add the flexibility in IPA to create an arbitrary service principal,
>> which can be
>> done with a standalone Kerberos KDC?
> Again, you don't have to use the IPA tools. You can use the Kerberos
> server tools.
>
> Dan
>
>> On 11/07/2012 2:24 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:
>>>> I think I do have it configured already:
>>>> =====
>>>> krbSupportedEncSaltTypes: aes256-cts:normal
>>>> krbSupportedEncSaltTypes: aes256-cts:special
>>>> krbSupportedEncSaltTypes: aes128-cts:normal
>>>> krbSupportedEncSaltTypes: aes128-cts:special
>>>> krbSupportedEncSaltTypes: des3-hmac-sha1:normal
>>>> krbSupportedEncSaltTypes: des3-hmac-sha1:special
>>>> krbSupportedEncSaltTypes: arcfour-hmac:normal
>>>> krbSupportedEncSaltTypes: arcfour-hmac:special
>>>> krbSupportedEncSaltTypes: des-hmac-sha1:normal
>>>> krbSupportedEncSaltTypes: des-cbc-md5:normal
>>>> krbSupportedEncSaltTypes: des-cbc-crc:normal
>>>> krbSupportedEncSaltTypes: des-cbc-crc:v4
>>>> krbSupportedEncSaltTypes: des-cbc-crc:afs3
>>>> krbDefaultEncSaltTypes: aes256-cts:special
>>>> krbDefaultEncSaltTypes: aes128-cts:special
>>>> krbDefaultEncSaltTypes: des3-hmac-sha1:special
>>>> krbDefaultEncSaltTypes: arcfour-hmac:special
>>>> =====
>>>>
>>>> As I mentioned, I can create keytabs with des-cbc-crc:normal and
>>>> des-cbc-crc:afs3,
>>>> but not with des-cbc-crc:v4, which is what OpenAFS uses.
>>>>
>>>> Qing
>>>>
>>>> On 11/07/2012 8:28 AM, Simo Sorce wrote:
>>>>> On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:
>>>>>> please forgive me if this is a question that has been answered
>>>>>> somewhere already.
>>>>>>
>>>>>> I am almost finished setting up my first OpenAFS cell using IPA's KDC
>>>>>> for
>>>>>> authentication but stumble on this error:
>>>>>>
>>>>>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>>>>>> fs: You don't have the required access rights on '/afs'
>>>>>>
>>>>>> A thread on OpenAFS mailing list suggests that it is because I have
>>>>>> wrong salt
>>>>>> with my afs service key.
The right one should be "des-cbc-crc:v4", but
>>>>>> following fails
>>>>>> when I tried to create the keytab file:
>>>>>> ====
>>>>>> [root at smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
>>>>>> afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA --keytab /etc/afs.keytab -e
>>>>>> des-cbc-crc:v4 -P
>>>>>> New Principal Password:
>>>>>> Verify Principal Password:
>>>>>> Bad or unsupported salt type (1)!
>>>>>> Failed to create key material
>>> OK, I just checked the code and found out that we do not support
>>> creating keys with the 'v4' salt type in the ipa code.
>>>
>>> I am not sure why I skipped that salt type when I coded it up.
>>> Probably because it is basically obsolete (and amounts to unsalted keys)
>>> and the only thing that still uses it is AFS which uses DES that is also
>>> a completely deprecated and insecure algorithm these days.
>>>
>>> Unfortunately it is not something that can be changed via some
>>> parameter, if this is really needed I can only suggest opening a ticket
>>> in freeipa trac instance.
>>>
>>> But can't AFS use some decent crypto these days, like AES ?
>>>
>>> Simo.
>>>
>>>
>> --
>> ------------------
>> Qing Chang
>> Senior Systems Administrator
>> M6-624 Research Computing
>> Sunnybrook Health Sciences Centre
>> 2075 Bayview Ave.
>> Toronto, Ontario, M4N 3M5
>> (416) 480-6100 x3263
>> qchang at sri.utoronto.ca
>> ------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
------------------
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario, M4N 3M5
(416) 480-6100 x3263
qchang at sri.utoronto.ca
------------------

From simo at redhat.com Wed Jul 11 19:23:33 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 11 Jul 2012 15:23:33 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFDD22E.4000301@sri.utoronto.ca>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca>
Message-ID: <1342034613.2599.90.camel@willson.li.ssimo.org>

On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> Because of the integration of Kerberos in IPA, Kerberos tools can be used
> only in limited
> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
> error:
> add_principal: Kerberos database constraints violated while creating
> "afs/DOMAIN at REALM"
>

Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From qchang at sri.utoronto.ca Wed Jul 11 20:01:28 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Wed, 11 Jul 2012 16:01:28 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <1342034613.2599.90.camel@willson.li.ssimo.org>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca> <1342034613.2599.90.camel@willson.li.ssimo.org>
Message-ID: <4FFDDB98.2040202@sri.utoronto.ca>

On 11/07/2012 3:23 PM, Simo Sorce wrote:
> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>> Because of the integration of Kerberos in IPA, Kerberos tools can be used
>> only in limited
>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>> error:
>> add_principal: Kerberos database constraints violated while creating
>> "afs/DOMAIN at REALM"
>>
> Use ipa service-add to add services, never use kadmin.local, it will not
> work, we hard-coded failures in the DB driver to prevent users from
> doing that as kadmin doesn't know where to put and how to properly fill
> up objects.
>
> However you can use kadmin.local on a pre-existing principal to obtain a
> new keytab.
>
> Simo.
>

The keytab with v4 salt was created successfully using kadmin; unfortunately OpenAFS still spat out the same error message:
[root at smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create afs/DOMAIN at REALM, IPA still does not like the fact that there is no host entry:
[root at ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.
Thanks,
Qing

From simo at redhat.com Wed Jul 11 20:50:15 2012
From: simo at redhat.com (Simo Sorce)
Date: Wed, 11 Jul 2012 16:50:15 -0400
Subject: [Freeipa-users] ipa samba win7
In-Reply-To: <1341939593.54183.YahooMailNeo@web120005.mail.ne1.yahoo.com>
References: <1341925275.11808.YahooMailNeo@web120004.mail.ne1.yahoo.com> <1341928609.2599.44.camel@willson.li.ssimo.org> <1341939593.54183.YahooMailNeo@web120005.mail.ne1.yahoo.com>
Message-ID: <1342039815.2599.102.camel@willson.li.ssimo.org>

On Tue, 2012-07-10 at 09:59 -0700, george he wrote:
> Hi Simo,
> Could you advise how to add
>
> 1. the samba samAccount objectclass to a user, and
> 2. the sambaGroups class to a group?
>
> I guess I would need to use ldap commands, which I don't know enough.

Yes, we do not have pre-canned scripts for samba integration yet.

> By the way, do I need to add both of the above, or if everybody is
> allowed to use the samba share, (and they are all in ipausers group),
> I would only need to add the sambaGroups class to ipausers group?

Up to you which groups you want to 'samba-enable', however the groups need to be 'posix' groups, and we recently changed ipausers to be a non-posix group. Of course existing installations will not be affected, but if you are planning new ones keep in mind ipausers cannot generally be used as a samba group unless you turn it into a posix group first.

However, also keep in mind we discourage using ipausers as a posix group for performance reasons in domains with many users and recommend instead creating smaller targeted groups.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From dpal at redhat.com Wed Jul 11 21:46:53 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 11 Jul 2012 17:46:53 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFDDB98.2040202@sri.utoronto.ca>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca> <1342034613.2599.90.camel@willson.li.ssimo.org> <4FFDDB98.2040202@sri.utoronto.ca>
Message-ID: <4FFDF44D.4030509@redhat.com>

On 07/11/2012 04:01 PM, Qing Chang wrote:
>
>
> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>> Because of the integration of Kerberos in IPA, Kerberos tools can be used
>>> only in limited
>>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>>> error:
>>> add_principal: Kerberos database constraints violated while creating
>>> "afs/DOMAIN at REALM"
>>>
>> Use ipa service-add to add services, never use kadmin.local, it will not
>> work, we hard-coded failures in the DB driver to prevent users from
>> doing that as kadmin doesn't know where to put and how to properly fill
>> up objects.
>>
>> However you can use kadmin.local on a pre-existing principal to obtain a
>> new keytab.
>>
>> Simo.
>>
> keytab with v4 salt was created successfully using kadmin,
> unfortunately OpenAFS
> still spat out the same error message:
> [root at smb1 ~]# fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
>
> When --force was used with ipa service-add to create
> afs/DOMAIN at REALM, IPA
> still does not like the fact that there is no host entry:
> [root at ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
> to.

Is there any problem with adding host entries into IPA?
ipa host-add will create a host entry. It does not mean that you have to do something else with it.

>
> Thanks,
> Qing
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jul 11 21:50:44 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 11 Jul 2012 17:50:44 -0400
Subject: [Freeipa-users] self service password reset
In-Reply-To:
References:
Message-ID: <4FFDF534.5040002@redhat.com>

On 07/11/2012 02:59 PM, KodaK wrote:
> Has anyone rolled out a self-service password reset utility for IPA?
> If so did you use something off the shelf that speaks LDAP or roll
> your own?
>
> I'm looking at this:
>
> http://code.google.com/p/pwm/
>
> But I'm just starting down this path.
>
> Thanks,
>
> --Jason
>

If you search the archives you will find someone who already tried this.
See https://bugzilla.redhat.com/show_bug.cgi?id=742606

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Wed Jul 11 22:15:43 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 11 Jul 2012 22:15:43 +0000
Subject: [Freeipa-users] self service password reset
In-Reply-To:
References:
Message-ID:

Note that this is also a future feature planned for 3.x

https://fedorahosted.org/freeipa/ticket/2276

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr.
Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Jul 11, 2012, at 11:59 AM, KodaK wrote:

Has anyone rolled out a self-service password reset utility for IPA?
If so did you use something off the shelf that speaks LDAP or roll
your own?

I'm looking at this:

http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From dpal at redhat.com Wed Jul 11 22:23:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 11 Jul 2012 18:23:18 -0400
Subject: [Freeipa-users] self service password reset
In-Reply-To:
References:
Message-ID: <4FFDFCD6.9010000@redhat.com>

On 07/11/2012 06:15 PM, JR Aquino wrote:
> Note that this is also a future feature planned for 3.x
>
> https://fedorahosted.org/freeipa/ticket/2276
>

Slightly different issue. This ticket is about allowing you to change your password when it is expired when one logs into the web UI. It is a more narrow use case than the mentioned utility.

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino | Sr. Information Security Specialist
> GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> On Jul 11, 2012, at 11:59 AM, KodaK wrote:
>
> Has anyone rolled out a self-service password reset utility for IPA?
> If so did you use something off the shelf that speaks LDAP or roll
> your own?
>
> I'm looking at this:
>
> http://code.google.com/p/pwm/
>
> But I'm just starting down this path.
>
> Thanks,
>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From JR.Aquino at citrix.com Wed Jul 11 23:16:47 2012
From: JR.Aquino at citrix.com (JR Aquino)
Date: Wed, 11 Jul 2012 23:16:47 +0000
Subject: [Freeipa-users] self service password reset
In-Reply-To: <4FFDFCD6.9010000@redhat.com>
References: <4FFDFCD6.9010000@redhat.com>
Message-ID: <68EF76ED-92E3-465B-97AD-E080BF447E23@citrixonline.com>

On Jul 11, 2012, at 3:23 PM, Dmitri Pal wrote:

On 07/11/2012 06:15 PM, JR Aquino wrote:
Note that this is also a future feature planned for 3.x

https://fedorahosted.org/freeipa/ticket/2276

Slightly different issue. This ticket is about allowing you to change your password when it is expired when one logs into the web UI. It is a more narrow use case than the mentioned utility.

Hrm. While the pwm tool DOES offer a great deal of other really cool looking features, it looks like it was only cited as an example in the BZ, and that the core problem described was "self password reset without ssh/kerb/etc". The corresponding fix also seems to implement only that one feature.

I am interested in the other features that pwm advertises though! Perhaps I will get a free moment to test it out and report back on compatibility.
Benjamin Reed 2011-09-30 14:06:31 EDT

Not a bug per se, but an enhancement request.

While it's possible for a user to reset their own password, it currently requires being hooked into some level of "real" account access, like SSH'ing in or providing kerberos credentials.

We are using FreeIPA to provide a user-management backend for web-based services we are providing to our customers, and don't want them to have to configure Kerberos, or SSH into an account, just to set their password.

It would be nice to have a "password reset" tool that is accessible securely (like over HTTPS) which doesn't require special credentials other than knowledge of the existing username and password.

One such example I'll be evaluating since there is no built-in facility for this is PWM:

^ That sounds like needing an HTTPS interface to perform self password resets on accounts that are expired :)

The detailed notes in the corresponding FreeIPA ticket seem to be in parallel as well:
https://fedorahosted.org/freeipa/ticket/1907

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Jul 11, 2012, at 11:59 AM, KodaK wrote:

Has anyone rolled out a self-service password reset utility for IPA?
If so did you use something off the shelf that speaks LDAP or roll
your own?

I'm looking at this:

http://code.google.com/p/pwm/

But I'm just starting down this path.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it
tough for them.
GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From qchang at sri.utoronto.ca Thu Jul 12 14:24:18 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Thu, 12 Jul 2012 10:24:18 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFDF44D.4030509@redhat.com>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca> <1342034613.2599.90.camel@willson.li.ssimo.org> <4FFDDB98.2040202@sri.utoronto.ca> <4FFDF44D.4030509@redhat.com>
Message-ID: <4FFEDE12.6050101@sri.utoronto.ca>

On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
>>
>> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>>> Because the integration of Kerberos in IPA, Kerberos tools can be used
>>>> only in limited
>>>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>>>> error:
>>>> add_principal: Kerberos database constraints violated while creating
>>>> "afs/DOMAIN at REALM"
>>>>
>>> Use ipa service-add to add services, never use kadmin.local, it will not
>>> work, we hard-coded failures in the DB driver to prevent users from
>>> doing that as kadmin doesn't know where to put and how to properly fill
>>> up objects.
>>>
>>> However you can use kadmin.local on a pre-existing principal to obtain a
>>> new keytab.
>>>
>>> Simo.
>>>
>> keytab with v4 salt was created successfully using kadmin,
>> unfortunately OpenAFS
>> still spat out the same error message:
>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> When --force was used with ipa service-add to create
>> afs/DOMAIN at REALM, IPA
>> still does not like the fact that there is no host entry:
>> [root at ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
>> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
>> to.
> Is there any problem with adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have to
> do something else with it.

I have no problem creating host entries in IPA. It looks like IPA does assume a service principal has to have a corresponding host principal, which is reasonable in normal circumstances.

Now that I have created the keytab with v4 successfully, it may have become an issue that I have to raise on the OpenAFS list.

Thanks,
Qing

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
----------

From pvoborni at redhat.com Thu Jul 12 16:43:26 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 12 Jul 2012 18:43:26 +0200
Subject: [Freeipa-users] self service password reset
In-Reply-To:
References:
Message-ID: <4FFEFEAE.6070704@redhat.com>

On 07/11/2012 08:59 PM, KodaK wrote:
> Has anyone rolled out a self-service password reset utility for IPA?
> If so did you use something off the shelf that speaks LDAP or roll
> your own?
>
> I'm looking at this:
>
> http://code.google.com/p/pwm/
>
> But I'm just starting down this path.
>
> Thanks,
>
> --Jason
>

With FreeIPA 3.0 beta 1 it's really easy to write your own page for password reset because of the new API for that [1].
You don't have to though. Beta 1 already contains a stand-alone reset page (it was added along with password reset in forms-based auth) [2]. It looks like this: http://pvoborni.fedorapeople.org/ui/reset_password.html

You could code a custom page like this, or just use a plain HTML form.

data = {
    user: username,
    old_password: old_password,
    new_password: new_password
};

request = {
    url: '/ipa/session/change_password',
    data: data,
    contentType: 'application/x-www-form-urlencoded',
    processData: true,
    dataType: 'html',
    async: false,
    type: 'POST',
    success: success_handler,
    error: error_handler
};

$.ajax(request);

[1] https://fedorahosted.org/freeipa/ticket/2276
[2] https://fedorahosted.org/freeipa/ticket/2755

--
Petr Vobornik

From qchang at sri.utoronto.ca Thu Jul 12 19:14:54 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Thu, 12 Jul 2012 15:14:54 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFDF44D.4030509@redhat.com>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca> <1342034613.2599.90.camel@willson.li.ssimo.org> <4FFDDB98.2040202@sri.utoronto.ca> <4FFDF44D.4030509@redhat.com>
Message-ID: <4FFF222E.4020008@sri.utoronto.ca>

On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> On 07/11/2012 04:01 PM, Qing Chang wrote:
>>
>> On 11/07/2012 3:23 PM, Simo Sorce wrote:
>>> On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
>>>> Because the integration of Kerberos in IPA, Kerberos tools can be used
>>>> only in limited
>>>> situations, when creating afs/DOMAIN at REALM with kadmin, I got this
>>>> error:
>>>> add_principal: Kerberos database constraints violated while creating
>>>> "afs/DOMAIN at REALM"
>>>>
>>> Use ipa service-add to add services, never use kadmin.local, it will not
>>> work, we hard-coded failures in the DB driver to prevent users from
>>> doing that as
kadmin doesn't know where to put and how to properly fill
>>> up objects.
>>>
>>> However you can use kadmin.local on a pre-existing principal to obtain a
>>> new keytab.
>>>
>>> Simo.
>>>
>> keytab with v4 salt was created successfully using kadmin,
>> unfortunately OpenAFS
>> still spat out the same error message:
>> [root at smb1 ~]# fs setacl /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>>
>> When --force was used with ipa service-add to create
>> afs/DOMAIN at REALM, IPA
>> still does not like the fact that there is no host entry:
>> [root at ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
>> ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
>> to.

Sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created a keytab with no salt:
=====
kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
kadmin.local: getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/admin at SRI.UTORONTO.CA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=====

I also tried ":normal" and ":afs3", no salts added for any types. Is the IPA code not doing it, or am I missing something?

Thanks,
Qing

> Is there any problem with adding host entries into IPA?
> ipa host-add will create a host entry. It does not mean that you have to
> do something else with it.
>
>> Thanks,
>> Qing
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Thu Jul 12 20:31:45 2012
From: simo at redhat.com (Simo Sorce)
Date: Thu, 12 Jul 2012 16:31:45 -0400
Subject: [Freeipa-users] IPA + OpenAFS
In-Reply-To: <4FFF222E.4020008@sri.utoronto.ca>
References: <4FFC8828.8060209@sri.utoronto.ca> <1342009685.2599.63.camel@willson.li.ssimo.org> <4FFD8B8D.5020407@sri.utoronto.ca> <1342031042.2599.86.camel@willson.li.ssimo.org> <4FFDCE3C.8030508@sri.utoronto.ca> <4FFDD22E.4000301@sri.utoronto.ca> <1342034613.2599.90.camel@willson.li.ssimo.org> <4FFDDB98.2040202@sri.utoronto.ca> <4FFDF44D.4030509@redhat.com> <4FFF222E.4020008@sri.utoronto.ca>
Message-ID: <1342125105.2718.27.camel@willson.li.ssimo.org>

On Thu, 2012-07-12 at 15:14 -0400, Qing Chang wrote:
>
> On 11/07/2012 5:46 PM, Dmitri Pal wrote:
> > On 07/11/2012 04:01 PM, Qing Chang wrote:
> > >
> > > On 11/07/2012 3:23 PM, Simo Sorce wrote:
> > > > On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:
> > > > > Because of the integration of Kerberos in IPA, Kerberos tools can be used
> > > > > only in limited
> > > > > situations, when creating afs/DOMAIN at REALM with kadmin, I got this
> > > > > error:
> > > > > add_principal: Kerberos database constraints violated while creating
> > > > > "afs/DOMAIN at REALM"
> > > > >
> > > > Use ipa service-add to add services, never use kadmin.local, it will not
> > > > work, we hard-coded failures in the DB driver to prevent users from
> > > > doing that as kadmin doesn't know where to put and how to properly fill
> > > > up objects.
> > > >
> > > > However you can use kadmin.local on a pre-existing principal to obtain a
> > > > new keytab.
> > > >
> > > > Simo.
> > > >
> > > keytab with v4 salt was created successfully using kadmin,
> > > unfortunately OpenAFS
> > > still spat out the same error message:
> > > [root at smb1 ~]# fs setacl /afs system:anyuser rl
> > > fs: You don't have the required access rights on '/afs'
> > >
> > > When --force was used with ipa service-add to create
> > > afs/DOMAIN at REALM, IPA
> > > still does not like the fact that there is no host entry:
> > > [root at ipa2 tmp]# ipa service-add --force afs/sri.utoronto.ca
> > > ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
> > > to.
> sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created
> keytab with no salt:
> =====
> kadmin.local: ktadd -e des-cbc-crc:v4 -k /tmp/openafs
> afs/openafs.sri.utoronto.ca
> Entry for principal afs/openafs.sri.utoronto.ca with kvno 20,
> encryption type des-cbc-crc added to keytab WRFILE:/tmp/openafs.
> kadmin.local: getprinc afs/openafs.sri.utoronto.ca
> Principal: afs/openafs.sri.utoronto.ca at SRI.UTORONTO.CA
> Expiration date: [never]
> Last password change: Thu Jul 12 15:08:16 EDT 2012
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jul 12 15:08:16 EDT 2012
> (admin/admin at SRI.UTORONTO.CA)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 20, des-cbc-crc, no salt
> MKey: vno 1
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
> =====
>
> I also tried ":normal" and ":afs3", no salts added for any types. Is
> the IPA
> code not doing it, or am I missing something?

v4 means 'no salt' afaik.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From sbingram at gmail.com Thu Jul 12 21:29:01 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 12 Jul 2012 14:29:01 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
Message-ID:

I was previously using 2.1.4 and know that there was a substantial memory leak in the directory server. After upgrading to 2.20, I notice that although overall memory usage seems higher, the "creep" upwards is not as quick, although memory still tends to trend upward, leaving me to worry that dirsrv will crash when it runs out of memory. I've checked the entrycachehitratio and it is 99. I also then checked the size of id2entry.db4 and found it to be 1024000. So I then checked nssldap-cachesize and found it to be 10485760. According to what I've read on the list, this seems about right. Is there anything else I can check? This is a pretty small directory, but gets quite a bit of activity from serving mail configuration in addition to authentication. However, I can't imagine that it would consume 1.5GB and keep climbing in memory usage.

Steve

From Steven.Jones at vuw.ac.nz Thu Jul 12 21:59:45 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 12 Jul 2012 21:59:45 +0000
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal cpu use is a few hundred mhz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Ingram [sbingram at gmail.com]
Sent: Friday, 13 July 2012 9:29 a.m.
To: freeipa-users
Subject: [Freeipa-users] 2.20 dirsrv memory usage

I was previously using 2.1.4 and know that there was a substantial memory leak in the directory server. After upgrading to 2.20, I notice that although overall memory usage seems higher, the "creep" upwards is not as quick. Although memory still tends to trend upward, leaving me to worry that dirsrv will crash when it runs out of memory. I've checked the entrycachehitratio and it is 99. I also then checked the size of id2entry.db4 and found it to be 1024000. So I then checked nsslapd-cachesize and found it to be 10485760. According to what I've read on the list, this seems about right. Is there anything else I can check? This is a pretty small directory, but gets quite a bit of activity from serving mail configuration in addition to authentication. However, I can't imagine that it would consume 1.5GB and keep climbing in memory usage.

Steve

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From sbingram at gmail.com Thu Jul 12 22:10:19 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 12 Jul 2012 15:10:19 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
> Hi,
>
> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....

Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue.
I'm also not even doing replication yet so I'm not sure why memory is so high. Web interface is much slower too so perhaps something else is wrong.

Steve

From sbingram at gmail.com Thu Jul 12 22:19:31 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 12 Jul 2012 15:19:31 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>> Hi,
>>
>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>
> Yes, I saw your conversation with Rich on this list about that. And,
> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
> complete without issue. I'm also not even doing replication yet so I'm
> not sure why memory is so high. Web interface is much slower too so
> perhaps something else is wrong.

Oops, I meant Rob, not Rich.

Steve

From dpal at redhat.com Thu Jul 12 22:41:49 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 12 Jul 2012 18:41:49 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <4FFF52AD.1080205@redhat.com>

On 07/12/2012 06:19 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote:
>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>> Yes, I saw your conversation with Rich on this list about that. And,
>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
>> complete without issue. I'm also not even doing replication yet so I'm
>> not sure why memory is so high. Web interface is much slower too so
>> perhaps something else is wrong.
> Oops, I meant Rob, not Rich.

Do you use any things exposed via compat tree?
Do you have a lot of modifications that affect the data that is exposed via this tree?
I suspect that the leak is somewhere there.

Try turning off the things that you do not use if there are any.

> Steve
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Thu Jul 12 22:55:06 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Thu, 12 Jul 2012 15:55:06 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <4FFF52AD.1080205@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FFF52AD.1080205@redhat.com>
Message-ID:

On Thu, Jul 12, 2012 at 3:41 PM, Dmitri Pal wrote:
> On 07/12/2012 06:19 PM, Stephen Ingram wrote:
>> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote:
>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>>> Yes, I saw your conversation with Rich on this list about that. And,
>>> yes, 6.2 (2.1.3) was bad for me too.
>>> I'm not sure why 2.2.0 is still
>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
>>> complete without issue. I'm also not even doing replication yet so I'm
>>> not sure why memory is so high. Web interface is much slower too so
>>> perhaps something else is wrong.
>> Oops, I meant Rob, not Rich.
>
> Do you use any things exposed via compat tree?
> Do you have a lot of modifications that affect the data that is exposed
> via this tree?
> I suspect that the leak is somewhere there.
>
> Try turning off the things that you do not use if there are any.

I only query cn=users,cn=accounts,dc=example,dc=com and cn=groups,cn=accounts,dc=example,dc=com containers for mail info and use for Kerberos auth. There are only very infrequent mods to those trees previously mentioned via the Web UI. Almost all activity is reads, but lots of them for the mail servers (validating users, etc.). I plan to use replication and DNS, but not using now. From this, I don't think I'm using the compat tree. Would turning it off help anyway?

Steve

From dpal at redhat.com Thu Jul 12 22:56:43 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 12 Jul 2012 18:56:43 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FFF52AD.1080205@redhat.com>
Message-ID: <4FFF562B.6070200@redhat.com>

On 07/12/2012 06:55 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 3:41 PM, Dmitri Pal wrote:
>> On 07/12/2012 06:19 PM, Stephen Ingram wrote:
>>> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote:
>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>>>> Yes, I saw your conversation with Rich on this list about that.
>>>> And,
>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
>>>> complete without issue. I'm also not even doing replication yet so I'm
>>>> not sure why memory is so high. Web interface is much slower too so
>>>> perhaps something else is wrong.
>>> Oops, I meant Rob, not Rich.
>> Do you use any things exposed via compat tree?
>> Do you have a lot of modifications that affect the data that is exposed
>> via this tree?
>> I suspect that the leak is somewhere there.
>>
>> Try turning off the things that you do not use if there are any.
> I only query cn=users,cn=accounts,dc=example,dc=com and
> cn=groups,cn=accounts,dc=example,dc=com containers for mail info and
> use for Kerberos auth. There are only very infrequent mods to those
> trees previously mentioned via the Web UI. Almost all activity is
> reads, but lots of them for the mail servers (validating users, etc.).
> I plan to use replication and DNS, but not using now. From this, I
> don't think I'm using the compat tree. Would turning it off help
> anyway?
>
> Steve

It is worth a try. There is a known slow minor leak in the compat plugin.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dpal at redhat.com Thu Jul 12 22:57:27 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 12 Jul 2012 18:57:27 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <4FFF52AD.1080205@redhat.com>
Message-ID: <4FFF5657.9010101@redhat.com>

On 07/12/2012 06:55 PM, Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 3:41 PM, Dmitri Pal wrote:
>> On 07/12/2012 06:19 PM, Stephen Ingram wrote:
>>> On Thu, Jul 12, 2012 at 3:10 PM, Stephen Ingram wrote:
>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>> Hi,
>>>>>
>>>>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>>>> Yes, I saw your conversation with Rich on this list about that. And,
>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
>>>> complete without issue. I'm also not even doing replication yet so I'm
>>>> not sure why memory is so high. Web interface is much slower too so
>>>> perhaps something else is wrong.
>>> Oops, I meant Rob, not Rich.
>> Do you use any things exposed via compat tree?
>> Do you have a lot of modifications that affect the data that is exposed
>> via this tree?
>> I suspect that the leak is somewhere there.
>>
>> Try turning off the things that you do not use if there are any.
> I only query cn=users,cn=accounts,dc=example,dc=com and
> cn=groups,cn=accounts,dc=example,dc=com containers for mail info and
> use for Kerberos auth. There are only very infrequent mods to those
> trees previously mentioned via the Web UI. Almost all activity is
> reads, but lots of them for the mail servers (validating users, etc.).
> I plan to use replication and DNS, but not using now. From this, I
> don't think I'm using the compat tree. Would turning it off help
> anyway?
>
> Steve

Please use documented tools to disable it. Do not do it manually via LDAP.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com Fri Jul 13 13:14:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 13 Jul 2012 09:14:09 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50001F21.8030506@redhat.com>

Stephen Ingram wrote:
> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>> Hi,
>>
>> I had huge memory issues pre 6.3, now it's low and flat.... Sounds like you have an issue somewhere. My normal CPU use is a few hundred MHz.... but when "something" goes wrong such as replication failing that climbs... ditto memory use....
>
> Yes, I saw your conversation with Rich on this list about that. And,
> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
> complete without issue. I'm also not even doing replication yet so I'm
> not sure why memory is so high. Web interface is much slower too so
> perhaps something else is wrong.

Can you tell where it is being slow? Does it seem related to retrieving data from LDAP?

You might check your 389-ds access logs and look for searches with notes=U. Perhaps you are missing an index.
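Rob's suggestion above, looking for searches flagged notes=U in the 389-ds access log, as an added example that is not code from the thread or from 389-ds: it pairs each SRCH line with the RESULT line sharing its conn/op identifiers, reports the unindexed ones, and tallies the attributes in their filters. The log lines are constructed for the example; the field layout follows the 389-ds access log format.

```python
"""
Find unindexed searches (notes=U) in a 389-ds / dirsrv access log.

Added example, not code from the thread or from 389-ds.  Each SRCH line is
paired with the RESULT line carrying the same conn= and op= values, and the
pairs whose RESULT is flagged notes=U are reported with filter, base, scope,
entry count and elapsed time, plus a tally of the filter attributes involved,
which is where index tuning usually starts.
"""
import re
from collections import Counter

# Constructed sample log lines (not captured from a real server); the field
# layout follows the 389-ds access log: a SRCH line per search request and a
# RESULT line when it completes, notes=U marking an unindexed search.
SAMPLE_LOG = """\
[13/Jul/2012:09:14:09 -0400] conn=12 op=5 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="dn"
[13/Jul/2012:09:14:09 -0400] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Jul/2012:09:14:10 -0400] conn=13 op=2 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(mail=*@example.com)" attrs="dn mail"
[13/Jul/2012:09:14:12 -0400] conn=13 op=2 RESULT err=0 tag=101 nentries=812 etime=2 notes=U
[13/Jul/2012:09:14:12 -0400] conn=14 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(departmentNumber=42))" attrs="dn"
[13/Jul/2012:09:14:15 -0400] conn=14 op=1 RESULT err=0 tag=101 nentries=37 etime=3 notes=U
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) etime=(\S+)(.*)')
# Attribute name at the start of each simple filter item, e.g. "(mail=" or "(cn~=".
ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)[=~<>]")
SCOPES = {"0": "base", "1": "one", "2": "sub"}


def find_unindexed(log_text):
    """Return one dict per completed search whose RESULT line carries notes=U."""
    pending = {}  # (conn, op) -> SRCH details, until the matching RESULT arrives
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                   "scope": SCOPES.get(scope, scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, nentries, etime, rest = m.groups()
        srch = pending.pop((conn, op), None)
        if srch is None:
            continue  # RESULT of a non-search op, or a SRCH logged before our window
        # notes= may list several flags (e.g. "notes=U,P"); only U means unindexed.
        flags = {f for n in re.findall(r"notes=([A-Z,]+)", rest) for f in n.split(",")}
        if "U" in flags:
            srch.update(err=int(err), nentries=int(nentries), etime=float(etime))
            hits.append(srch)
    return hits


def candidate_attributes(hits):
    """Count the attributes used in unindexed filters; these are the index candidates."""
    counts = Counter()
    for h in hits:
        counts.update(a.lower() for a in ATTR_RE.findall(h["filter"]))
    return dict(counts)


if __name__ == "__main__":
    found = find_unindexed(SAMPLE_LOG)
    for h in found:
        print("conn=%(conn)s op=%(op)s %(scope)s search under %(base)s: "
              "%(filter)s -> %(nentries)d entries in %(etime)ss (unindexed)" % h)
    print("attributes to consider indexing:", candidate_attributes(found))
```

On a real server, feed it the contents of the dirsrv access log instead of SAMPLE_LOG; the attribute tally is a starting point, not a verdict, since a search can also be unindexed because it exceeds the ID list scan limit rather than because an index is missing.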
rob

From loris at lgs.com.ve Fri Jul 13 15:46:34 2012
From: loris at lgs.com.ve (Loris Santamaria)
Date: Fri, 13 Jul 2012 11:16:34 -0430
Subject: [Freeipa-users] Slowdowns in freeIPA 2.2.0
Message-ID: <1342194394.1991.15.camel@toron.pzo.lgs.com.ve>

I have this test server with 8.000 entries, recently upgraded from 2.1.3 to 2.2.0 and I'm seeing some big slowdowns and I would like to know where to look to debug them. The server is centos 6.3 with ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64

First of all in 2.2.0 ldapsearch with "-Y GSSAPI" is much slower than using plain authentication:

# time ldapsearch -x uid=bdteg01662 dn
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=bdteg01662
# requesting: dn
#

# bdteg01662, users, accounts, xxx.gob.ve
dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

real 0m0.006s
user 0m0.001s
sys 0m0.003s

# time ldapsearch -Y GSSAPI uid=bdteg01662 dn
SASL/GSSAPI authentication started
SASL username: admin at XXX.GOB.VE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: uid=bdteg01662
# requesting: dn
#

# bdteg01662, users, accounts, xxx.gob.ve
dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

real 0m2.344s
user 0m0.007s
sys 0m0.005s

As a consequence of this all of the ipa commands run a bit slow. But the real slowdown is in the web interface, every search is terribly slow and any search that returns more than 4 or 5 entries never completes, it shows a dialogue that says just "Unknown error". In the dirsrv access logs I see that the search completes in a short time and the apache error log doesn't show any error whatsoever.

Note this is a test system, there are no other users of this server, and the compat plugin is disabled.
--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse" - Henry Ford

From dpal at redhat.com Fri Jul 13 15:51:53 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 13 Jul 2012 11:51:53 -0400
Subject: [Freeipa-users] Slowdowns in freeIPA 2.2.0
In-Reply-To: <1342194394.1991.15.camel@toron.pzo.lgs.com.ve>
References: <1342194394.1991.15.camel@toron.pzo.lgs.com.ve>
Message-ID: <50004419.3060404@redhat.com>

On 07/13/2012 11:46 AM, Loris Santamaria wrote:
> I have this test server with 8.000 entries, recently upgraded from 2.1.3
> to 2.2.0 and I'm seeing some big slowdowns and I would like to know
> where to look to debug them. The server is centos 6.3 with
> ipa-server-2.2.0-16.el6.x86_64 and 389-ds-base-1.2.10.2-20.el6_3.x86_64
>
> First of all in 2.2.0 ldapsearch with "-Y GSSAPI" is much slower than
> using plain authentication:
>

Hm. The only difference would be a new kerberos driver. Please take a look at the KDC logs and see what is going on there.

> # time ldapsearch -x uid=bdteg01662 dn
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: uid=bdteg01662
> # requesting: dn
> #
>
> # bdteg01662, users, accounts, xxx.gob.ve
> dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> real 0m0.006s
> user 0m0.001s
> sys 0m0.003s
>
> # time ldapsearch -Y GSSAPI uid=bdteg01662 dn
> SASL/GSSAPI authentication started
> SASL username: admin at XXX.GOB.VE
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: uid=bdteg01662
> # requesting: dn
> #
>
> # bdteg01662, users, accounts, xxx.gob.ve
> dn: uid=bdteg01662,cn=users,cn=accounts,dc=xxx,dc=gob,dc=ve
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> real 0m2.344s
> user 0m0.007s
> sys 0m0.005s
>
> As a consequence of this all of the ipa commands run a bit slow. But the
> real slowdown is in the web interface, every search is terribly slow and
> any search that returns more than 4 or 5 entries never completes, it
> shows a dialogue that says just "Unknown error". In the dirsrv access
> logs I see that the search completes in a short time and the apache
> error log doesn't show any error whatsoever.
>
> Note this is a test system, there are no other users of this server, and
> the compat plugin is disabled.
>

IPA in 2.2 uses memcached and session caching so web UI should be faster than in earlier versions. I wonder if the version of the memcached is misbehaving on CentOS 6.3. Can you please provide more details on that front? Look at the httpd logs. There might be something that would give you some hints about what is going on.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mmercier at gmail.com Fri Jul 13 20:13:03 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 13 Jul 2012 16:13:03 -0400
Subject: [Freeipa-users] BIND named.conf
Message-ID:

Hello,

When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
example on ipaserver1:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z; w.x.y.z; };
    allow-notify { u.x.y.z; w.x.y.z; };
    also-notify { ipaserver2 };
};

Thanks,
Mike

From sakodak at gmail.com Fri Jul 13 21:11:37 2012
From: sakodak at gmail.com (KodaK)
Date: Fri, 13 Jul 2012 16:11:37 -0500
Subject: [Freeipa-users] BIND named.conf
In-Reply-To:
References:
Message-ID:

On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier wrote:
> Hello,
>
> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
>
> example on ipaserver1:
>
> zone "myzone.tld" {
>     type slave;
>     file "slave/myzone.db";
>     masters { u.x.y.z; w.x.y.z; };
>     allow-notify { u.x.y.z; w.x.y.z; };
>     also-notify { ipaserver2 };
> };

I'm no expert, but I think you'd want to use the command line option dnsconfig-mod:

ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 myzone.tld

--
The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

From mmercier at gmail.com Fri Jul 13 23:04:56 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 13 Jul 2012 19:04:56 -0400
Subject: [Freeipa-users] BIND named.conf
In-Reply-To:
References:
Message-ID: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com>

Hello,

I am by no means an expert either, but I believe what you are recommending would forward requests for "myzone.tld" to the ip.of.forwarder1 etc.
I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all the data) of "myzone.tld", and have ipaserver2 slave this data from ipaserver1.

Thanks,
Mike

On 13-Jul-12, at 5:11 PM, KodaK wrote:

> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier
> wrote:
>> Hello,
>>
>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
>> issues with adding slaves to the named.conf file?
>>
>> example on ipaserver1:
>>
>> zone "myzone.tld" {
>>     type slave;
>>     file "slave/myzone.db";
>>     masters { u.x.y.z; w.x.y.z; };
>>     allow-notify { u.x.y.z; w.x.y.z; };
>>     also-notify { ipaserver2 };
>> };
>
>
> I'm no expert, but I think you'd want to use the command line option
> dnsconfig-mod:
>
> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
> myzone.tld
>
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

From dpal at redhat.com Fri Jul 13 23:10:47 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 13 Jul 2012 19:10:47 -0400
Subject: [Freeipa-users] BIND named.conf
In-Reply-To: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com>
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com>
Message-ID: <5000AAF7.6080206@redhat.com>

On 07/13/2012 07:04 PM, Michael Mercier wrote:
> Hello,
>
> I am by no means an expert either, but I believe what you are
> recommending would forward requests for "myzone.tld" to the
> ip.of.forwarder1 etc.
> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
> the data) of "myzone.tld", and have ipaserver2 slave this data from
> ipaserver1.
>

The replicas in IPA do not need to be specially configured to be slaves of each other. They have the same data which is replicated by LDAP back end so it is not clear why you are trying to configure the replicas to be in master-slave relation.

> Thanks,
> Mike
>
> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>
>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier
>> wrote:
>>> Hello,
>>>
>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
>>> issues with adding slaves to the named.conf file?
>>>
>>> example on ipaserver1:
>>>
>>> zone "myzone.tld" {
>>>     type slave;
>>>     file "slave/myzone.db";
>>>     masters { u.x.y.z; w.x.y.z; };
>>>     allow-notify { u.x.y.z; w.x.y.z; };
>>>     also-notify { ipaserver2 };
>>> };
>>
>>
>> I'm no expert, but I think you'd want to use the command line option
>> dnsconfig-mod:
>>
>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>> myzone.tld
>>
>>
>> --
>> The government is going to read our mail anyway, might as well make it
>> tough for them. GPG Public key ID: B6A1A7C6
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mmercier at gmail.com Sat Jul 14 01:20:31 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Fri, 13 Jul 2012 21:20:31 -0400
Subject: [Freeipa-users] BIND named.conf
In-Reply-To: <5000AAF7.6080206@redhat.com>
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com>
Message-ID:

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
I have another zone (call it "myzone.tld") hosted on some other systems. I would like ipaserver1 and ipaserver2 to both be a slave for this zone (not use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in named.conf, is there anything that I should be concerned about if I were to add:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z; w.x.y.z; };
    allow-notify { u.x.y.z; w.x.y.z; };
    also-notify { ipaserver2 };
};

to ipaserver1?
I had considered adding the zone via 'ipa dnszone-add ipaserver1.intranet.local' but I did not find anything specific in the documentation describing how to configure the new zone as a slave of another system. Also, the number of entries in the zone is large and there are many updates per day and I was uncertain of the type of performance I could expect.

Thanks,
Mike

On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>> Hello,
>>
>> I am by no means an expert either, but I believe what you are
>> recommending would forward requests for "myzone.tld" to the
>> ip.of.forwarder1 etc.
>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all
>> the data) of "myzone.tld", and have ipaserver2 slave this data from
>> ipaserver1.
>>
>
> The replicas in IPA do not need to be specially configured to be slaves
> of each other. They have the same data which is replicated by LDAP back
> end so it is not clear why you are trying to configure the replicas to
> be in master-slave relation.
>
>
>> Thanks,
>> Mike
>>
>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>
>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier
>>> wrote:
>>>> Hello,
>>>>
>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any
>>>> issues with adding slaves to the named.conf file?
>>>>
>>>> example on ipaserver1:
>>>>
>>>> zone "myzone.tld" {
>>>>     type slave;
>>>>     file "slave/myzone.db";
>>>>     masters { u.x.y.z; w.x.y.z; };
>>>>     allow-notify { u.x.y.z; w.x.y.z; };
>>>>     also-notify { ipaserver2 };
>>>> };
>>>
>>>
>>> I'm no expert, but I think you'd want to use the command line option
>>> dnsconfig-mod:
>>>
>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2
>>> myzone.tld
>>>
>>>
>>> --
>>> The government is going to read our mail anyway, might as well
>>> make it
>>> tough for them.
>>> GPG Public key ID: B6A1A7C6
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From simo at redhat.com Sat Jul 14 01:39:11 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 13 Jul 2012 21:39:11 -0400
Subject: [Freeipa-users] BIND named.conf
In-Reply-To:
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com>
Message-ID: <1342229951.2718.140.camel@willson.li.ssimo.org>

On Fri, 2012-07-13 at 21:20 -0400, Michael Mercier wrote:
> I will try to be more clear...
>
> My IPA zone is named intranet.local running on ipaserver1 and
> ipaserver2.
> I have another zone (call it "myzone.tld") hosted on some other
> systems. I would like ipaserver1 and ipaserver2 to both be a slave
> for this zone (not use a forwarder for the zone).
>
> Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
> named.conf, is there anything that I should be concerned about if I
> were to add:
>
> zone "myzone.tld" {
>     type slave;
>     file "slave/myzone.db";
>     masters { u.x.y.z; w.x.y.z; };
>     allow-notify { u.x.y.z; w.x.y.z; };
>     also-notify { ipaserver2 };
> };
>
> to ipaserver1?

This will work, the only "concern" is that the IPA framework will be totally oblivious of this zone, so no manipulation will be possible. So as long as no conflicting zone is present in LDAP bind will happily serve the manually configured slave zone as any normal bind instance would.
> I had considered adding the zone via 'ipa dnszone-add
> ipaserver1.intranet.local' but I did not find anything specific in the
> documentation describing how to configure the new zone as a slave of
> another system.

Slave zones are not supported via the LDAP storage and IPA framework at this time.

> Also, the number of entries in the zone is large and
> there are many updates per day and I was uncertain of the type of
> performance I could expect.

Unfortunately slaving is not supported at the moment, but just out of curiosity what is the ballpark number for "many updates"?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dale at themacartneyclan.com Sat Jul 14 07:58:50 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Sat, 14 Jul 2012 08:58:50 +0100
Subject: [Freeipa-users] New HowTo Doc: YubiRadius integration with group-validated FreeIPA Users using LDAPS
Message-ID: <500126BA.7030904@themacartneyclan.com>

Morning all

I've just published a walk through on tapping the YubiRadius virtual appliance into FreeIPA.

Target audience level : Beginner

Link to page is : http://freeipa.org/page/YubiRadius_integration_with_group-validated_FreeIPA_Users_using_LDAPS

Have a great weekend all.
Dale

From root at nachtmaus.us Sun Jul 15 23:31:38 2012
From: root at nachtmaus.us (david)
Date: Sun, 15 Jul 2012 18:31:38 -0500
Subject: [Freeipa-users] BIND named.conf
In-Reply-To:
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com>
Message-ID: <020b01cd62e1$fbccd080$f3667180$@nachtmaus.us>

One thing to be aware of, you may see some performance hits if the master for that zone is set up for dynamic updates. A dynamic zone cannot send IXFR and so any time the slave receives notification, he will ask for an IXFR and will instead receive an AXFR.
If the zones are small, this is not a big deal, but a busy dynamic zone with a hundred thousand records with just a couple of slaves (6 in the case I am thinking of), the master server was brought to his knees just from zone transfers. As you can imagine, this is also extremely stressful on the slave servers, receiving and processing the full AXFR every time there is a single record change.

If your master for myzone.tld uses standard bind zone files, then this is not a big deal.

-DTK

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Michael Mercier
Sent: Friday, July 13, 2012 8:21 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] BIND named.conf

I will try to be more clear...

My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
I have another zone (call it "myzone.tld") hosted on some other systems. I would like ipaserver1 and ipaserver2 to both be a slave for this zone (not use a forwarder for the zone).

Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in named.conf, is there anything that I should be concerned about if I were to add:

zone "myzone.tld" {
    type slave;
    file "slave/myzone.db";
    masters { u.x.y.z; w.x.y.z; };
    allow-notify { u.x.y.z; w.x.y.z; };
    also-notify { ipaserver2 };
};

to ipaserver1?

I had considered adding the zone via 'ipa dnszone-add ipaserver1.intranet.local' but I did not find anything specific in the documentation describing how to configure the new zone as a slave of another system. Also, the number of entries in the zone is large and there are many updates per day and I was uncertain of the type of performance I could expect.

Thanks,
Mike

On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote:

> On 07/13/2012 07:04 PM, Michael Mercier wrote:
>> Hello,
>>
>> I am by no means an expert either, but I believe what you are
>> recommending would forward requests for "myzone.tld" to the
>> ip.of.forwarder1 etc.
>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all the data) of "myzone.tld", and have ipaserver2 slave this data from ipaserver1.
>>
>
> The replicas in IPA do not need to be specially configured to be slaves of each other. They have the same data which is replicated by LDAP back end so it is not clear why you are trying to configure the replicas to be in master-slave relation.
>
>
>> Thanks,
>> Mike
>>
>> On 13-Jul-12, at 5:11 PM, KodaK wrote:
>>
>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier wrote:
>>>> Hello,
>>>>
>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), are there any issues with adding slaves to the named.conf file?
>>>>
>>>> example on ipaserver1:
>>>>
>>>> zone "myzone.tld" {
>>>>     type slave;
>>>>     file "slave/myzone.db";
>>>>     masters { u.x.y.z; w.x.y.z; };
>>>>     allow-notify { u.x.y.z; w.x.y.z; };
>>>>     also-notify { ipaserver2 };
>>>> };
>>>
>>>
>>> I'm no expert, but I think you'd want to use the command line option dnsconfig-mod:
>>>
>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 myzone.tld
>>>
>>>
>>> --
>>> The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From pspacek at redhat.com Mon Jul 16 08:03:54 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 16 Jul 2012 10:03:54 +0200
Subject: [Freeipa-users] BIND named.conf
In-Reply-To: <020b01cd62e1$fbccd080$f3667180$@nachtmaus.us>
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com> <020b01cd62e1$fbccd080$f3667180$@nachtmaus.us>
Message-ID: <5003CAEA.1070207@redhat.com>

Hello,

AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should work with Dynamic update and IXFR well.

Combination of IXFR & manual change to zone text file needs special attention (for dynamic zones): You need to run rndc freeze && "modify zone" && rndc thaw.

If you have "ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should work. This detail should be only "hard part", if I didn't miss something.

Petr^2 Spacek

On 07/16/2012 01:31 AM, david wrote:
>
> One thing to be aware of, you may see some performance hits if the master for that zone is setup for dynamic updates. A dynamic zone cannot send IXFR and so any time the slave receives notification, he will ask for an IXFR and will instead receive an AXFR. If the zones are small, this is not a big deal, but a busy dynamic zone with a hundred thousand records with just a couple of slaves (6 in the case I am thinking of), the master server was brought to his knees just from zone transfers. As you can imagine, this is also extremely stressful on the slave servers, receiving and processing the full AXFR every time there is a single record change.
If your master for > myzone.tld uses standard bind zone files, then this is not a big deal. > > > -DTK > > -----Original Message----- > From: freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Michael Mercier > Sent: Friday, July 13, 2012 8:21 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] BIND named.conf > > I will try to be more clear... > > My IPA zone is named intranet.local running on ipaserver1 and ipaserver2. > I have another zone (call it "myzone.tld") hosted on some other systems. I > would like ipaserver1 and ipaserver2 to both be a slave for this zone (not > use a forwarder for the zone). > > Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in > named.conf, is there anything that I should be concerned about if I were to > add: > > zone "myzone.tld" { > type slave; > file "slave/myzone.db" > masters { u.x.y.z; w.x.y.z; }; > allow-notify { u.x.y.z; w.x.y.z; }; > also-notify { ipaserver2 }; > }; > > to ipaserver1? > > I had considered adding the zone via 'ipa dnszone-add > ipaserver1.intranet.local' but I did not find anything specific in the > documentation describing how to configure the new zone as a slave of another > system. Also, the number of entries in the zone is large and there are a > many updates per day and I was uncertain of the type of performance I could > expect. > > Thanks, > Mike > On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote: > >> On 07/13/2012 07:04 PM, Michael Mercier wrote: >>> Hello, >>> >>> I am by no means an expert either, but I believe what you are >>> recommending would forward requests for "myzone.tld" to the >>> ip.of.forwarder1 etc. >>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all >>> the data) of "myzone.tld", and have ipaserver2 slave this data from >>> ipaserver1. >>> >> >> The replicas in IPA do not need to be specially configured to be >> slaves of each other. 
They have the same data which is replicated by >> LDAP back end so it is not clear why you are trying to configure the >> replicas to be in master-slave relation. >> >> >>> Thanks, >>> Mike >>> >>> On 13-Jul-12, at 5:11 PM, KodaK wrote: >>> >>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier >>>> >>>> wrote: >>>>> Hello, >>>>> >>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any >>>>> issues with adding slaves to the named.conf file? >>>>> >>>>> example on ipaserver1: >>>>> >>>>> zone "myzone.tld" { >>>>> type slave; >>>>> file "slave/myzone.db" >>>>> masters { u.x.y.z; w.x.y.z; }; >>>>> allow-notify { u.x.y.z; w.x.y.z; }; >>>>> also-notify { ipaserver2 }; >>>>> }; >>>> >>>> >>>> I'm no expert, but I think you'd want to use the command line option >>>> dnsconfig-mod: >>>> >>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 >>>> myzone.tld From simo at redhat.com Mon Jul 16 12:24:05 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 16 Jul 2012 08:24:05 -0400 Subject: [Freeipa-users] New HowTo Doc: YubiRadius integration with group-validated FreeIPA Users using LDAPS In-Reply-To: <500126BA.7030904@themacartneyclan.com> References: <500126BA.7030904@themacartneyclan.com> Message-ID: <1342441445.2718.144.camel@willson.li.ssimo.org> On Sat, 2012-07-14 at 08:58 +0100, Dale Macartney wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Morning all > > I've just published a walk through on tapping the YubiRadius virtual > appliance into FreeIPA. > > Target audience level : Beginner > > Link to page is : > http://freeipa.org/page/YubiRadius_integration_with_group-validated_FreeIPA_Users_using_LDAPS > > > Have a great weekend all. Thanks Dale, great stuff. Simo. 
--
Simo Sorce * Red Hat, Inc * New York

From mmercier at gmail.com Mon Jul 16 13:08:14 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Mon, 16 Jul 2012 09:08:14 -0400
Subject: [Freeipa-users] BIND named.conf
In-Reply-To: <1342229951.2718.140.camel@willson.li.ssimo.org>
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com> <1342229951.2718.140.camel@willson.li.ssimo.org>
Message-ID: <581AA3DA-D954-4395-9F11-94459813C3C5@gmail.com>

Hello,

On 2012-07-13, at 9:39 PM, Simo Sorce wrote:

>>
>
> Unfortunately slaving is not supported at the moment, but just out of curiosity what is the ballpark number for "many updates" ?
>

Doing a quick check on the system, anywhere between 600 and 1000 record updates per minute.

Thanks,
Mike

From sbingram at gmail.com Mon Jul 16 16:19:26 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 16 Jul 2012 09:19:26 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <50001F21.8030506@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com>
Message-ID:

On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
> Stephen Ingram wrote:
>>
>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>
>>> Hi,
>>>
>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you have an issue somewhere. My normal cpu use is a few hundred mhz....but when "something" goes wrong such as replication failing that climbs...ditto memory use....
>>
>>
>> Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue. I'm also not even doing replication yet so I'm not sure why memory is so high. Web interface is much slower too so perhaps something else is wrong.
>
>
> Can you tell where it is being slow?
> Does it seem related to retrieving data from LDAP?

I'm not really sure yet what is causing the slowness. I have the same number of directory entries as before the upgrade. It was very quick with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 days--without a doubt much, much slower.

> You might check your 389-ds access logs and look for searches with notes=U.
> Perhaps you are missing an index.

Yes there are lots of notes=U. What does this mean? Was something missed in the upgrade script?

Steve

From rmeggins at redhat.com Mon Jul 16 16:35:35 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 16 Jul 2012 10:35:35 -0600
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com>
Message-ID: <500442D7.9020200@redhat.com>

On 07/16/2012 10:19 AM, Stephen Ingram wrote:
> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
>> Stephen Ingram wrote:
>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you have an issue somewhere. My normal cpu use is a few hundred mhz....but when "something" goes wrong such as replication failing that climbs...ditto memory use....
>>>
>>> Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue. I'm also not even doing replication yet so I'm not sure why memory is so high. Web interface is much slower too so perhaps something else is wrong.
>>
>> Can you tell where it is being slow? Does it seem related to retrieving data from LDAP?
> I'm not really sure yet what is causing the slowness. I have the same number of directory entries as before the upgrade. It was very quick with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 days--without a doubt much, much slower.
>
>> You might check your 389-ds access logs and look for searches with notes=U.
>> Perhaps you are missing an index.
> Yes there are lots of notes=U. What does this mean? Was something missed in the upgrade script?

Try running logconv.pl

>
> Steve

From sbingram at gmail.com Mon Jul 16 17:48:16 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 16 Jul 2012 10:48:16 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <500442D7.9020200@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com>
Message-ID:

On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote:
> On 07/16/2012 10:19 AM, Stephen Ingram wrote:
>>
>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
>>>
>>> Stephen Ingram wrote:
>>>>
>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you have an issue somewhere. My normal cpu use is a few hundred mhz....but when "something" goes wrong such as replication failing that climbs...ditto memory use....
>>>>
>>>>
>>>> Yes, I saw your conversation with Rich on this list about that. And, yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still having issues. It was an upgrade from 2.1.3, but the upgrade seemed to complete without issue. I'm also not even doing replication yet so I'm not sure why memory is so high. Web interface is much slower too so perhaps something else is wrong.
>>>
>>>
>>> Can you tell where it is being slow? Does it seem related to retrieving data from LDAP?
>>
>> I'm not really sure yet what is causing the slowness. I have the same number of directory entries as before the upgrade. It was very quick with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 days--without a doubt much, much slower.
>>
>>> You might check your 389-ds access logs and look for searches with notes=U.
>>> Perhaps you are missing an index.
>>
>> Yes there are lots of notes=U. What does this mean? Was something missed in the upgrade script?
>
> Try running logconv.pl

Nice! I'm guessing that notes=U are unindexed searches then. I have 34 over the last 24 hours so I'm not sure this would be causing the issue as the slowness persists through every click. I've traced the unindexed searches back to the time of Web UI access and they don't match. I also don't see any other obvious errors when running logconv.pl.

One strange thing I have noticed is that the 389 server logs seem to update in "spurts". If I'm tailing the logs while I access a Web UI page, there is nothing, then a couple of seconds later, I see the logs quickly scroll with new entries. Has this always been the case? I don't seem to remember this before.
Steve From rmeggins at redhat.com Mon Jul 16 18:34:17 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 16 Jul 2012 12:34:17 -0600 Subject: [Freeipa-users] 2.20 dirsrv memory usage In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> Message-ID: <50045EA9.9070709@redhat.com> On 07/16/2012 11:48 AM, Stephen Ingram wrote: > On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote: >> On 07/16/2012 10:19 AM, Stephen Ingram wrote: >>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden >>> wrote: >>>> Stephen Ingram wrote: >>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones >>>>> wrote: >>>>>> Hi, >>>>>> >>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like >>>>>> you >>>>>> have an issue somewhere. My normal cpu use is a few hundred mhz....but >>>>>> when >>>>>> "something" goes wrong such as replication failing that climbs...ditto >>>>>> memory use.... >>>>> >>>>> Yes, I saw your conversation with Rich on this list about that. And, >>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still >>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to >>>>> complete without issue. I'm also not even doing replication yet so I'm >>>>> not sure why memory is so high. Web interface is much slower too so >>>>> perhaps something else is wrong. >>>> >>>> Can you tell where it is being slow? Does it seem related to retrieving >>>> data >>>> from LDAP? >>> I'm not really sure yet what is causing the slowness. I have the same >>> number of directory entries as before the upgrade. It was very quick >>> with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 >>> days--without a doubt much, much slower. >>> >>>> You might check your 389-ds access logs and look for searches with >>>> notes=U. >>>> Perhaps you are missing an index. >>> Yes there are lots of notes=U. What does this mean? 
>>> Was something missed in the upgrade script?
>> Try running logconv.pl
> Nice! I'm guessing that notes=U are unindexed searches then. I have 34 over the last 24 hours so I'm not sure this would be causing the issue as the slowness persists through every click.

Yeah, I would expect to see a lot more than 34 if that were the cause.

Can you post the search filters that are unindexed?

> I've traced the unindexed searches back to the time of Web UI access and they don't match. I also don't see any other obvious errors when running logconv.pl.
>
> One strange thing I have noticed is that the 389 server logs seem to update in "spurts". If I'm tailing the logs while I access a Web UI page, there is nothing, then a couple of seconds later, I see the logs quickly scroll with new entries. Has this always been the case? I don't seem to remember this before.

Yes. The 389 access log is buffered, for performance reasons.

>
> Steve

From sbingram at gmail.com Mon Jul 16 19:11:33 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 16 Jul 2012 12:11:33 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <50045EA9.9070709@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com>
Message-ID:

On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson wrote:
> On 07/16/2012 11:48 AM, Stephen Ingram wrote:
>>
>> On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote:
>>>
>>> On 07/16/2012 10:19 AM, Stephen Ingram wrote:
>>>>
>>>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
>>>>>
>>>>> Stephen Ingram wrote:
>>>>>>
>>>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you have an issue somewhere.
My normal cpu use is a few hundred >>>>>>> mhz....but >>>>>>> when >>>>>>> "something" goes wrong such as replication failing that >>>>>>> climbs...ditto >>>>>>> memory use.... >>>>>> >>>>>> >>>>>> Yes, I saw your conversation with Rich on this list about that. And, >>>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still >>>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to >>>>>> complete without issue. I'm also not even doing replication yet so I'm >>>>>> not sure why memory is so high. Web interface is much slower too so >>>>>> perhaps something else is wrong. >>>>> >>>>> >>>>> Can you tell where it is being slow? Does it seem related to retrieving >>>>> data >>>>> from LDAP? >>>> >>>> I'm not really sure yet what is causing the slowness. I have the same >>>> number of directory entries as before the upgrade. It was very quick >>>> with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 >>>> days--without a doubt much, much slower. >>>> >>>>> You might check your 389-ds access logs and look for searches with >>>>> notes=U. >>>>> Perhaps you are missing an index. >>>> >>>> Yes there are lots of notes=U. What does this mean? Was something >>>> missed in the upgrade script? >>> >>> Try running logconv.pl >> >> Nice! I'm guessing that notes=U are unindexed searches then. I have 34 >> over the last 24 hours so I'm not sure this would be causing the issue >> as the slowness persists through every click. > > Yeah, I would expect to see a lot more than 34 if that were the cause. > > Can you post the search filters that are unindexed? 
Sure, here's a partial list (sanitized):

filter="(managedBy=fqdn=ec2-x.x.x.us-west-2.compute.amazonaws.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
filter="(managedBy=fqdn=imap1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
filter="(managedBy=fqdn=imap2.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"

All the rest are the same, just with different hosts.

>> I've traced the unindexed searches back to the time of Web UI access and they don't match. I also don't see any other obvious errors when running logconv.pl.
>>
>> One strange thing I have noticed is that the 389 server logs seem to update in "spurts". If I'm tailing the logs while I access a Web UI page, there is nothing, then a couple of seconds later, I see the logs quickly scroll with new entries. Has this always been the case? I don't seem to remember this before.
>
> Yes. The 389 access log is buffered, for performance reasons.

Just thought it might be relevant. I'm not sure what is causing the extreme slowness. I've also shut off memcached and tried without it with no discernible difference. The directory seems to be handling the load of external queries just fine, although I'm not sure I've solved the memory issue--I'm still testing with the compat plugin disabled to see if I can stop the memory creep. Maybe it's something in the code of the Web UI itself as it's even slow when changing from page to page of users and hosts.
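An added example, not code from the thread or from 389-ds/FreeIPA: the Python below pairs each notes=U RESULT line in a 389-ds access log with the SRCH line of the same conn/op and tallies the attribute the unindexed filters lead with, so a list like the managedBy searches above can be pulled out of the log directly. The log lines embedded in it are constructed in the access-log format, not taken from any real server.

```python
"""Pull unindexed searches out of a 389-ds access log.  Added example, not
code from the thread or from 389-ds/FreeIPA: it pairs each RESULT line that
carries notes=U with the SRCH line of the same conn/op and tallies the
leading attribute of those filters.  The log lines below are constructed in
the 389-ds access-log format, not taken from any real server."""
import re
from collections import Counter

SAMPLE_LOG = """\
[16/Jul/2012:10:19:26 -0700] conn=12 op=3 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=2 filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
[16/Jul/2012:10:19:26 -0700] conn=12 op=3 RESULT err=0 tag=101 nentries=0 etime=0.412000 notes=U
[16/Jul/2012:10:19:27 -0700] conn=12 op=4 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=admin)" attrs="*"
[16/Jul/2012:10:19:27 -0700] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0.001000
[16/Jul/2012:10:19:28 -0700] conn=13 op=1 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=2 filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
[16/Jul/2012:10:19:28 -0700] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0.398000 notes=U
[16/Jul/2012:10:19:29 -0700] conn=14 op=2 RESULT err=0 tag=101 nentries=3 etime=0.250000 notes=U
"""

# conn=N op=M ties a SRCH to its RESULT; the last line above has no SRCH
# (as happens right after log rotation) and must be skipped, not crash.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" attrs="(?P<attrs>[^"]*)"')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) .*?'
    r'nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)(?P<rest>.*)$')
NOTES_RE = re.compile(r'notes=(?P<notes>[A-Z,]+)')


def unindexed_searches(lines):
    """One dict per search whose RESULT carries the U (unindexed) note."""
    pending = {}   # (conn, op) -> SRCH fields until the RESULT arrives
    found = []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            pending[(m['conn'], m['op'])] = m.groupdict()
            continue
        m = RESULT_RE.search(line)
        if m is None:
            continue
        srch = pending.pop((m['conn'], m['op']), None)
        notes = NOTES_RE.search(m['rest'])
        # notes can hold several flags (e.g. "A,U"), so split before testing
        if srch is None or notes is None or 'U' not in notes['notes'].split(','):
            continue
        found.append({
            'conn': int(m['conn']), 'op': int(m['op']),
            'base': srch['base'], 'filter': srch['filter'],
            'attrs': srch['attrs'], 'nentries': int(m['nentries']),
            'etime': float(m['etime']),
        })
    return found


def attribute_histogram(searches):
    """Count the attribute each unindexed filter starts with; that is the
    attribute to check for a missing equality index (managedBy here)."""
    counts = Counter()
    for s in searches:
        m = re.match(r'[(&|!]*([A-Za-z][\w;.-]*)', s['filter'])
        counts[m.group(1) if m else '?'] += 1
    return counts


def report(text=SAMPLE_LOG):
    """Print the unindexed searches and the per-attribute totals."""
    found = unindexed_searches(text.splitlines())
    for s in found:
        print(f"conn={s['conn']} op={s['op']} etime={s['etime']:.3f} "
              f"nentries={s['nentries']} filter={s['filter']}")
    hist = attribute_histogram(found)
    for attr, n in hist.most_common():
        print(f"{n} unindexed search(es) lead with '{attr}'")
    return found, hist


if __name__ == "__main__":
    report()
```

Feed it a real log with `report(open("/var/log/dirsrv/slapd-INSTANCE/access").read())`; the instance name is a placeholder.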
Steve From simo at redhat.com Mon Jul 16 19:17:48 2012 From: simo at redhat.com (Simo Sorce) Date: Mon, 16 Jul 2012 15:17:48 -0400 Subject: [Freeipa-users] 2.20 dirsrv memory usage In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> Message-ID: <1342466268.3219.11.camel@willson.li.ssimo.org> On Mon, 2012-07-16 at 12:11 -0700, Stephen Ingram wrote: > On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson wrote: > > On 07/16/2012 11:48 AM, Stephen Ingram wrote: > >> > >> On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson > >> wrote: > >>> > >>> On 07/16/2012 10:19 AM, Stephen Ingram wrote: > >>>> > >>>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden > >>>> wrote: > >>>>> > >>>>> Stephen Ingram wrote: > >>>>>> > >>>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones > >>>>>> wrote: > >>>>>>> > >>>>>>> Hi, > >>>>>>> > >>>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like > >>>>>>> you > >>>>>>> have an issue somewhere. My normal cpu use is a few hundred > >>>>>>> mhz....but > >>>>>>> when > >>>>>>> "something" goes wrong such as replication failing that > >>>>>>> climbs...ditto > >>>>>>> memory use.... > >>>>>> > >>>>>> > >>>>>> Yes, I saw your conversation with Rich on this list about that. And, > >>>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still > >>>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to > >>>>>> complete without issue. I'm also not even doing replication yet so I'm > >>>>>> not sure why memory is so high. Web interface is much slower too so > >>>>>> perhaps something else is wrong. > >>>>> > >>>>> > >>>>> Can you tell where it is being slow? Does it seem related to retrieving > >>>>> data > >>>>> from LDAP? > >>>> > >>>> I'm not really sure yet what is causing the slowness. I have the same > >>>> number of directory entries as before the upgrade. 
It was very quick > >>>> with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 > >>>> days--without a doubt much, much slower. > >>>> > >>>>> You might check your 389-ds access logs and look for searches with > >>>>> notes=U. > >>>>> Perhaps you are missing an index. > >>>> > >>>> Yes there are lots of notes=U. What does this mean? Was something > >>>> missed in the upgrade script? > >>> > >>> Try running logconv.pl > >> > >> Nice! I'm guessing that notes=U are unindexed searches then. I have 34 > >> over the last 24 hours so I'm not sure this would be causing the issue > >> as the slowness persists through every click. > > > > Yeah, I would expect to see a lot more than 34 if that were the cause. > > > > Can you post the search filters that are unindexed? > > Sure, here's a partial list (sanitized): > > filter="(managedBy=fqdn=ec2-x.x.x.us-west-2.compute.amazonaws.com,cn=computers,cn=accounts,dc=example,dc=com) > attrs="fqdn" > filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" > attrs="fqdn" > filter="(managedBy=fqdn=imap1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" > attrs="fqdn" > filter="(managedBy=fqdn=imap2.example.com,cn=computers,cn=accounts,dc=example,dc=com)" > attrs="fqdn" > filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" > attrs="fqdn" > > All the rest are the same, just with different hosts. > > >> I've traced the > >> unindexed searches back to the time of Web UI access and they don't > >> match. I also don't see any other obvious errors when running > >> logconv.pl. > >> > >> One strange thing I have noticed is that the 389 server logs seem to > >> update in "spurts". If I'm tailing the logs while I access a Web UI > >> page, there is nothing, then a couple of seconds later, I see the logs > >> quickly scroll with new entires. Has this always been the case? I > >> don't seem to remember this before. > > > > Yes. 
> > The 389 access log is buffered, for performance reasons.
>
> Just thought it might be relevant. I'm not sure what is causing the extreme slowness. I've also shut off memcached and tried without it with no discernible difference. The directory seems to be handling the load of external queries just fine, although I'm not sure I've solved the memory issue--I'm still testing with the compat plugin disabled to see if I can stop the memory creep. Maybe it's something in the code of the Web UI itself as it's even slow when changing from page to page of users and hosts.

Looks like the symptoms of not using session cookies.

Do you see constant activity getting tickets for ldap/ipa.server.fqdn in the krb5kdc.log ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From rcritten at redhat.com Mon Jul 16 19:23:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Jul 2012 15:23:06 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com>
Message-ID: <50046A1A.4010100@redhat.com>

Stephen Ingram wrote:
> On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson wrote:
>> On 07/16/2012 11:48 AM, Stephen Ingram wrote:
>>>
>>> On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote:
>>>>
>>>> On 07/16/2012 10:19 AM, Stephen Ingram wrote:
>>>>>
>>>>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
>>>>>>
>>>>>> Stephen Ingram wrote:
>>>>>>>
>>>>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you have an issue somewhere. My normal cpu use is a few hundred mhz....but when "something" goes wrong such as replication failing that climbs...ditto memory use....
>>>>>>> >>>>>>> >>>>>>> Yes, I saw your conversation with Rich on this list about that. And, >>>>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still >>>>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to >>>>>>> complete without issue. I'm also not even doing replication yet so I'm >>>>>>> not sure why memory is so high. Web interface is much slower too so >>>>>>> perhaps something else is wrong. >>>>>> >>>>>> >>>>>> Can you tell where it is being slow? Does it seem related to retrieving >>>>>> data >>>>>> from LDAP? >>>>> >>>>> I'm not really sure yet what is causing the slowness. I have the same >>>>> number of directory entries as before the upgrade. It was very quick >>>>> with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0 >>>>> days--without a doubt much, much slower. >>>>> >>>>>> You might check your 389-ds access logs and look for searches with >>>>>> notes=U. >>>>>> Perhaps you are missing an index. >>>>> >>>>> Yes there are lots of notes=U. What does this mean? Was something >>>>> missed in the upgrade script? >>>> >>>> Try running logconv.pl >>> >>> Nice! I'm guessing that notes=U are unindexed searches then. I have 34 >>> over the last 24 hours so I'm not sure this would be causing the issue >>> as the slowness persists through every click. >> >> Yeah, I would expect to see a lot more than 34 if that were the cause. >> >> Can you post the search filters that are unindexed? 
>
> Sure, here's a partial list (sanitized):
>
> filter="(managedBy=fqdn=ec2-x.x.x.us-west-2.compute.amazonaws.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
> filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
> filter="(managedBy=fqdn=imap1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
> filter="(managedBy=fqdn=imap2.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
> filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>
> All the rest are the same, just with different hosts.
>
>>> I've traced the unindexed searches back to the time of Web UI access and they don't match. I also don't see any other obvious errors when running logconv.pl.
>>>
>>> One strange thing I have noticed is that the 389 server logs seem to update in "spurts". If I'm tailing the logs while I access a Web UI page, there is nothing, then a couple of seconds later, I see the logs quickly scroll with new entries. Has this always been the case? I don't seem to remember this before.
>>
>> Yes. The 389 access log is buffered, for performance reasons.
>
> Just thought it might be relevant. I'm not sure what is causing the extreme slowness. I've also shut off memcached and tried without it with no discernible difference. The directory seems to be handling the load of external queries just fine, although I'm not sure I've solved the memory issue--I'm still testing with the compat plugin disabled to see if I can stop the memory creep. Maybe it's something in the code of the Web UI itself as it's even slow when changing from page to page of users and hosts.

Shutting off memcached is just going to make things even slower.

Things you can try on a quiet system:

1. Create /etc/ipa/server.conf:

[global]
debug=True

Restart Apache

Use the UI to do a few things.
Verify in the logs that the session cache is being used.

2. Check your browser configuration. You don't need delegation-uris set any more. Having it set might mask other problems (you still need negotiation-auth.trusted-uris set).

3. Watch what URI is being used in the Apache access log. It should be /ipa/session/json.

rob

From Steven.Jones at vuw.ac.nz Mon Jul 16 21:01:53 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 16 Jul 2012 21:01:53 +0000
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Is this possible?

If so how is it done?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Mon Jul 16 21:04:04 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 16 Jul 2012 21:04:04 +0000
Subject: [Freeipa-users] admin users for groups
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD33832@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I want to set a group of admin level users admin rights to select user and host groups, can this be done in IPA?

How?

So they need to be able to add users from the general pool to specific groups and add specific hosts to specific groups only, can these be done?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From rcritten at redhat.com Mon Jul 16 21:32:18 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Jul 2012 17:32:18 -0400
Subject: [Freeipa-users] admin users for groups
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD33832@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD33832@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50048862.20408@redhat.com>

Steven Jones wrote:
> Hi,
>
> I want to set a group of admin level users admin rights to select user
> and host groups, can this be done in IPA?
>
> How?
>
> So they need to be able to add users from the general pool to specific
> groups and add specific hosts to specific groups only, can these be done?

It depends on how many groups and hostgroups you're talking about. The approach will differ depending on the answer.

This is going to be hard to do using the IPA cli tools. You'll probably have to resort to creating an aci by hand to do this. The permission module limits the types of rules that can be mixed together, something that a raw aci isn't restricted by.

This is a start, for example. It grants the 'modify specific group membership' permission the ability to write groups g2, g3 and g4.

aci: (targetattr = "member")(targetfilter = "(|(cn=g2)(cn=g3)(cn=g4))")(version 3.0;acl "permission:Modify specific group membership";allow (write) groupdn = "ldap:///cn=modify specific group membership,cn=permissions,cn=pbac,dc=example,dc=com";)

The twist is depending on where this aci is installed it could affect anything with cn=g2, g3 or g4. You'll also want a (target = "ldap:///cn=*,cn=groups,cn=accounts,dc=example,dc=com"). This will limit it to just user groups. We install acis in $SUFFIX which is why target is needed.

You'd then create a privilege and assign the permission to it, create a role and add the privilege to it. Then you'd add your group to the role and members of that group should be able to manage the members of just g2, g3 and g4.
Or, using the cli, you could create a series of permissions to manage one group at a time, add those all to one privilege, add that one privilege to a role, etc.

Like I said, it depends on the number of groups you want to manage and how hairy you're willing to let things get.

rob

From rcritten at redhat.com Mon Jul 16 21:33:00 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 16 Jul 2012 17:33:00 -0400
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5004888C.3020906@redhat.com>

Steven Jones wrote:
> Is this possible?
>
> If so how is it done?

I'm not sure what you're asking.

rob

From Steven.Jones at vuw.ac.nz Mon Jul 16 21:32:36 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 16 Jul 2012 21:32:36 +0000
Subject: [Freeipa-users] stopping su -
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have created a sshd rule only for the HBAC, but I find a std user can su - to root, is this correct behavior?

How do I? or can I? stop this unless explicitly allowed?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

-------------- next part --------------
An HTML attachment was scrubbed...
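Returning to Rob's hand-written aci in the "admin users for groups" reply above: the following is an added example, not code from the thread or from FreeIPA. It generates the "Modify specific group membership" aci for a list of group names, always with the (target = ...) clause Rob says is needed to limit it to user groups under cn=groups,cn=accounts, and it parses an aci back into its target clauses so one that lacks that scope can be flagged before it is loaded into $SUFFIX. The suffix dc=example,dc=com and the permission name come from Rob's message; the helper names and the LDAP filter escaping are this example's own.

```python
"""Build and sanity-check the hand-written 389-ds aci from Rob's reply.

Added example, not code from the thread or from FreeIPA. Helper names are
this example's own; the suffix and permission name are Rob's.
"""
import re

ACL_NAME = "Modify specific group membership"
PERMISSION_CN = "modify specific group membership"


def _escape_filter_value(value):
    """Escape the characters that are special in an LDAP filter value (RFC 4515)."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\x00", r"\00"))


def user_group_target(suffix):
    """The target that restricts an aci installed at the suffix to user groups."""
    return "ldap:///cn=*,cn=groups,cn=accounts,%s" % suffix


def build_group_member_aci(groups, suffix="dc=example,dc=com"):
    """Return an aci letting the permission's members write 'member' on just these groups."""
    if not groups:
        raise ValueError("at least one group name is required")
    terms = "".join("(cn=%s)" % _escape_filter_value(g) for g in groups)
    target_filter = terms if len(groups) == 1 else "(|%s)" % terms
    return (
        '(target = "%s")' % user_group_target(suffix)
        + '(targetattr = "member")'
        + '(targetfilter = "%s")' % target_filter
        + '(version 3.0;acl "permission:%s";' % ACL_NAME
        + 'allow (write) groupdn = "ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
        % (PERMISSION_CN, suffix)
    )


# Matches (target = "..."), (targetattr = "...") and (targetfilter = "..."),
# including the != form; aci values never contain a double quote.
TARGET_CLAUSE_RE = re.compile(
    r'\((?P<key>targetattr|targetfilter|target)\s*(?P<op>!?=)\s*"(?P<val>[^"]*)"\)'
)


def parse_target_clauses(aci):
    """Return {keyword: (operator, value)} for the target-style clauses of an aci."""
    return {m.group("key"): (m.group("op"), m.group("val"))
            for m in TARGET_CLAUSE_RE.finditer(aci)}


def check_scope(aci, suffix="dc=example,dc=com"):
    """List the ways an aci meant for specific user groups is broader than intended."""
    clauses = parse_target_clauses(aci)
    problems = []
    target = clauses.get("target")
    if target is None:
        problems.append("no (target=...) clause: installed at %s it applies to every "
                        "entry matching the filter, not only user groups" % suffix)
    elif target != ("=", user_group_target(suffix)):
        problems.append("target is not limited to user groups: %s%s" % target)
    if clauses.get("targetattr") != ("=", "member"):
        problems.append('targetattr should be exactly "member"')
    if "targetfilter" not in clauses:
        problems.append("no targetfilter: every entry under the target would be writable")
    return problems


def to_ldif(aci, suffix="dc=example,dc=com"):
    """LDIF that adds the aci to the suffix entry, where IPA installs its acis."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (suffix, aci)


# Rob's aci as posted, i.e. without the target clause he says is also needed.
ROB_ACI = ('(targetattr = "member")(targetfilter = "(|(cn=g2)(cn=g3)(cn=g4))")'
           '(version 3.0;acl "permission:Modify specific group membership";'
           'allow (write) groupdn = "ldap:///cn=modify specific group membership,'
           'cn=permissions,cn=pbac,dc=example,dc=com";)')

if __name__ == "__main__":
    print(check_scope(ROB_ACI))          # flags the missing target
    scoped = build_group_member_aci(["g2", "g3", "g4"])
    print(check_scope(scoped))           # []
    print(to_ldif(scoped))
```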
From erinn.looneytriggs at gmail.com Mon Jul 16 21:38:25 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Mon, 16 Jul 2012 13:38:25 -0800
Subject: [Freeipa-users] stopping su -
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <500489D1.90703@gmail.com>

On 07/16/2012 01:32 PM, Steven Jones wrote:
> I have created a sshd rule only for the HBAC, but I find a std user can
> su - to root, is this correct behavior?
>
> How do I? or can I? stop this unless explicitly allowed?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

You need to control this via PAM. So for me I restrict su to only be allowed for members of the wheel group, from /etc/pam.d/su:

auth required pam_wheel.so use_uid

There are comments in the file that will get you where you want to go.

-Erinn

From Steven.Jones at vuw.ac.nz Mon Jul 16 21:45:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 16 Jul 2012 21:45:52 +0000
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <5004888C.3020906@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004888C.3020906@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

If I login as say user1, I want that user to be able to su - oracle, but not to say su - root (or to any other user).
If user2 logs in I want them unable to su - X at all and especially not root.

If an admin logs in I want them to be able to su - anybody...

In a way before I could do that with the wheel group and pam.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Tuesday, 17 July 2012 9:33 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

Steven Jones wrote:
> Is this possible?
>
> If so how is it done?

I'm not sure what you're asking.

rob

From Steven.Jones at vuw.ac.nz Mon Jul 16 21:47:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 16 Jul 2012 21:47:48 +0000
Subject: [Freeipa-users] stopping su -
In-Reply-To: <500489D1.90703@gmail.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

OK, so to confirm this can't be done in a centralised way via IPA?

In which case, when setting a HBAC with sshd only, why can't I su - oracle but I can su - root?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Tuesday, 17 July 2012 9:38 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stopping su -

On 07/16/2012 01:32 PM, Steven Jones wrote:
> I have created a sshd rule only for the HBAC, but I find a std user can
> su - to root, is this correct behavior?
>
> How do I? or can I? stop this unless explicitly allowed?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

You need to control this via PAM. So for me I restrict su to only be allowed for members of the wheel group, from /etc/pam.d/su:

auth required pam_wheel.so use_uid

There are comments in the file that will get you where you want to go.

-Erinn

From simo at redhat.com Mon Jul 16 21:50:08 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 16 Jul 2012 17:50:08 -0400
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1342475408.3219.15.camel@willson.li.ssimo.org>

On Mon, 2012-07-16 at 21:45 +0000, Steven Jones wrote:
> Hi,
>
> If I login as say user1, I want that user to be able to su - oracle, but not to say su - root (or to any other user).
>
> If user2 logs in I want them unable to su - X at all and especially not root.
>
> If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.

I think you want to look at sudo -i

Simo.
-- Simo Sorce * Red Hat, Inc * New York From erinn.looneytriggs at gmail.com Tue Jul 17 04:31:46 2012 From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs) Date: Mon, 16 Jul 2012 20:31:46 -0800 Subject: [Freeipa-users] stopping su - In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <5004EAB2.70908@gmail.com> On 07/16/2012 01:47 PM, Steven Jones wrote: > Hi, > > OK, so to confirm this cant be done in a centralised way via IPA? > > In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] > Sent: Tuesday, 17 July 2012 9:38 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] stopping su - > > On 07/16/2012 01:32 PM, Steven Jones wrote: >> I have craeted a sshd rule only for the HBAC, but I find a std user can >> su - to root, is this correect behavior? >> >> How do I? or can I? stop this unless explicitly allowed? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > You need to control this via PAM. 
> So for me I restrict su to only be
> allowed for members of the wheel group, from /etc/pam.d/su:
>
> auth required pam_wheel.so use_uid
>
> There are comments in the file that will get you where you want to go.
>
> -Erinn
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

I can't speak to whether it can or cannot be done centrally in any sort of authoritative way; it might be possible there are hbac settings for su, and I can't really answer your question about suing to oracle.

-Erinn

From Steven.Jones at vuw.ac.nz Tue Jul 17 04:40:10 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 04:40:10 +0000
Subject: [Freeipa-users] stopping su -
In-Reply-To: <5004EAB2.70908@gmail.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004EAB2.70908@gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I could do,

auth required pam_wheel.so root_only use_uid

But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint: 300 servers)... that is the idea of something like IPA for me... do it once centrally.

I assume simo's hint is,

sudo -i su - oracle

I will have to experiment.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Tuesday, 17 July 2012 4:31 p.m.
To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] stopping su - On 07/16/2012 01:47 PM, Steven Jones wrote: > Hi, > > OK, so to confirm this cant be done in a centralised way via IPA? > > In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] > Sent: Tuesday, 17 July 2012 9:38 a.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] stopping su - > > On 07/16/2012 01:32 PM, Steven Jones wrote: >> I have craeted a sshd rule only for the HBAC, but I find a std user can >> su - to root, is this correect behavior? >> >> How do I? or can I? stop this unless explicitly allowed? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > You need to control this via PAM. So for me I restrict su to only be > allowed for members of the wheel group, from /etc/pam.d/su: > > auth required pam_wheel.so use_uid > > There are comments in the file that will get you where you want to go. > > -Erinn > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > I can't speak to whether it can or cannot be done centrally in any sort of authoritative way, might be possible there are hbac setting for su and I can't really answer your question about suing to oracle. 
-Erinn

From root at nachtmaus.us Tue Jul 17 04:42:27 2012
From: root at nachtmaus.us (david)
Date: Mon, 16 Jul 2012 23:42:27 -0500
Subject: [Freeipa-users] BIND named.conf
In-Reply-To: <5003CAEA.1070207@redhat.com>
References: <96003FDE-86B7-4F05-A327-B3E74B7DEB61@gmail.com> <5000AAF7.6080206@redhat.com> <020b01cd62e1$fbccd080$f3667180$@nachtmaus.us> <5003CAEA.1070207@redhat.com>
Message-ID: <02b201cd63d6$91b91730$b52b4590$@nachtmaus.us>

Sorry, I was unclear. The problem is not dynamic in terms of "nsupdate" versus manually editing zonefiles, but rather backed by a dynamic source, such as a database, directory, etc. For a DLZ-backed zone, there is no straightforward way for the server responding to the IXFR request to know which records are new with certainty, so he just ships out the whole zone. Last time I saw this was on a BIND9+DLZ+database solution.

-DTK

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Monday, July 16, 2012 3:04 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] BIND named.conf

Hello,

AFAIK there were some issues with IXFR till BIND 8.2.3, but BIND 9 should work with Dynamic update and IXFR well.

Combination of IXFR & manual change to zone text file needs special attention (for dynamic zones): You need to run rndc freeze && "modify zone" && rndc thaw.

If you have "ixfr-from-differences yes" configured in /etc/named.conf, then IXFR should work. This detail should be the only "hard part", if I didn't miss something.

Petr^2 Spacek

On 07/16/2012 01:31 AM, david wrote:
>
> One thing to be aware of, you may see some performance hits if the
> master for that zone is setup for dynamic updates. A dynamic zone
> cannot send IXFR and so any time the slave receives notification, he
> will ask for an IXFR and will instead receive an AXFR.
> If the zones
> are small, this is not a big deal, but a busy dynamic zone with a
> hundred thousand records with just a couple of slaves (6 in the case I
> am thinking of), the master server was brought to his knees just from
> zone transfers. As you can imagine, this is also extremely stressful
> on the slave servers, receiving and processing the full AXFR every
> time there is a single record change.

If your master for myzone.tld uses standard bind zone files, then this is not a big deal.

>
> -DTK
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Michael Mercier
> Sent: Friday, July 13, 2012 8:21 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] BIND named.conf
>
> I will try to be more clear...
>
> My IPA zone is named intranet.local running on ipaserver1 and ipaserver2.
> I have another zone (call it "myzone.tld") hosted on some other
> systems. I would like ipaserver1 and ipaserver2 to both be a slave
> for this zone (not use a forwarder for the zone).
>
> Considering that ipaserver1 and ipaserver2 use the dynamic-db entry in
> named.conf, is there anything that I should be concerned about if I
> were to add:
>
> zone "myzone.tld" {
>     type slave;
>     file "slave/myzone.db";
>     masters { u.x.y.z; w.x.y.z; };
>     allow-notify { u.x.y.z; w.x.y.z; };
>     also-notify { ipaserver2 };
> };
>
> to ipaserver1?
>
> I had considered adding the zone via 'ipa dnszone-add
> ipaserver1.intranet.local' but I did not find anything specific in the
> documentation describing how to configure the new zone as a slave of
> another system. Also, the number of entries in the zone is large and
> there are many updates per day and I was uncertain of the type of
> performance I could expect.
> > Thanks, > Mike > On 13-Jul-12, at 7:10 PM, Dmitri Pal wrote: > >> On 07/13/2012 07:04 PM, Michael Mercier wrote: >>> Hello, >>> >>> I am by no means an expert either, but I believe what you are >>> recommending would forward requests for "myzone.tld" to the >>> ip.of.forwarder1 etc. >>> I want ipaserver1 to actually be a slave (do AXFR / IXFR -- hold all >>> the data) of "myzone.tld", and have ipaserver2 slave this data from >>> ipaserver1. >>> >> >> The replicas in IPA do not need to be specially configured to be >> slaves of each other. They have the same data which is replicated by >> LDAP back end so it is not clear why you are trying to configure the >> replicas to be in master-slave relation. >> >> >>> Thanks, >>> Mike >>> >>> On 13-Jul-12, at 5:11 PM, KodaK wrote: >>> >>>> On Fri, Jul 13, 2012 at 3:13 PM, Michael Mercier >>>> >>>> wrote: >>>>> Hello, >>>>> >>>>> When using IPA 2.2.0 with DNS setup (--setup-dns), is there any >>>>> issues with adding slaves to the named.conf file? 
>>>>> >>>>> example on ipaserver1: >>>>> >>>>> zone "myzone.tld" { >>>>> type slave; >>>>> file "slave/myzone.db" >>>>> masters { u.x.y.z; w.x.y.z; }; >>>>> allow-notify { u.x.y.z; w.x.y.z; }; >>>>> also-notify { ipaserver2 }; }; >>>> >>>> >>>> I'm no expert, but I think you'd want to use the command line >>>> option >>>> dnsconfig-mod: >>>> >>>> ipa dnsconfig-mod --forwarder=ip.of.forwarder1;ip.of.forwarder2 >>>> myzone.tld _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From william at firstyear.id.au Tue Jul 17 04:54:05 2012 From: william at firstyear.id.au (William Brown) Date: Tue, 17 Jul 2012 14:24:05 +0930 Subject: [Freeipa-users] stopping su - In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004EAB2.70908@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <5004EFED.7000001@firstyear.id.au> > auth required pam_wheel.so root_only use_uid > > But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally. > Also, you can create and manage these files with spacewalk / satellite. Though in the future arguably it would be useful for IPA to have some level of satellite integration for this exact scenario. -- Sincerely, William Brown pgp.mit.edu http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2 -------------- next part -------------- A non-text attachment was scrubbed... 
From prmarino1 at gmail.com Tue Jul 17 06:51:43 2012
From: prmarino1 at gmail.com (Paul Robert Marino)
Date: Tue, 17 Jul 2012 02:51:43 -0400
Subject: [Freeipa-users] stopping su -
In-Reply-To: <5004EAB2.70908@gmail.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz> <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004EAB2.70908@gmail.com>
Message-ID:

I understand where you are going with this.

Don't think about su - oracle directly. A sudo -u oracle -H isn't quite what you are looking for either, because you want the environment variables to auto load and oracle dbas can be (not all but many) very lazy about loading them manually.

The best option is sudo su - oracle. You can lock that down in the sudoers config and you can lock the su permissions to the wheel group via the local configuration files in /etc/security or via the pam module. Either way you need to add in configuration file management, which is not what freeipa is for.

On Jul 17, 2012 12:34 AM, "Erinn Looney-Triggs" <erinn.looneytriggs at gmail.com> wrote:
> On 07/16/2012 01:47 PM, Steven Jones wrote:
> > Hi,
> >
> > OK, so to confirm this can't be done in a centralised way via IPA?
> >
> > In which case when setting a HBAC with sshd only why can't I su - oracle
> but I can su - root?
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > ________________________________________
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
> on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> > Sent: Tuesday, 17 July 2012 9:38 a.m.
> > To: freeipa-users at redhat.com > > Subject: Re: [Freeipa-users] stopping su - > > > > On 07/16/2012 01:32 PM, Steven Jones wrote: > >> I have craeted a sshd rule only for the HBAC, but I find a std user can > >> su - to root, is this correect behavior? > >> > >> How do I? or can I? stop this unless explicitly allowed? > >> > >> regards > >> > >> Steven Jones > >> > >> Technical Specialist - Linux RHCE > >> > >> Victoria University, Wellington, NZ > >> > >> 0064 4 463 6272 > >> > >> > >> > >> _______________________________________________ > >> Freeipa-users mailing list > >> Freeipa-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> > > > > > > You need to control this via PAM. So for me I restrict su to only be > > allowed for members of the wheel group, from /etc/pam.d/su: > > > > auth required pam_wheel.so use_uid > > > > There are comments in the file that will get you where you want to go. > > > > -Erinn > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > I can't speak to whether it can or cannot be done centrally in any sort > of authoritative way, might be possible there are hbac setting for su > and I can't really answer your question about suing to oracle. > > -Erinn > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... 
From Duncan.Innes at virginmoney.com Tue Jul 17 10:39:06 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Tue, 17 Jul 2012 11:39:06 +0100
Subject: [Freeipa-users] Backup & Restore
Message-ID: <56343345B145C043AE990701E3D193952B5485@EXVS2.nrplc.localnet>

Hi folks,

Just wondering if there are any specifically designed tools to allow backups & restores of a FreeIPA design - or if there are any best practice guidelines at least.

Thanks

Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44 7801 134507 | duncan.innes at virginmoney.com

Northern Rock plc is part of the Virgin Money group of companies.

This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message.

Virgin Money Personal Financial Service Limited is authorised and regulated by the Financial Services Authority. Company no. 3072766.

Virgin Money Unit Trust Managers Limited is authorised and regulated by the Financial Services Authority. Company no. 3000482.

Virgin Money Cards Limited. Introducer appointed representative only of Virgin Money Personal Financial Service Limited. Company no. 4232392.

Virgin Money Management Services Limited. Company no. 3072772.

Virgin Money Holdings (UK) Limited. Company no. 3087587.

Each of the above companies is registered in England and Wales and has its registered office at Discovery House, Whiting Road, Norwich NR4 6EJ.

Northern Rock plc. Authorised and regulated by the Financial Services Authority. Registered in England and Wales (Company no. 6952311) with its registered office at Northern Rock House, Gosforth, Newcastle upon Tyne NE3 4PL.

The above companies use the trading name Virgin Money.

-------------- next part --------------
An HTML attachment was scrubbed...
From arpittolani at gmail.com Tue Jul 17 11:03:51 2012
From: arpittolani at gmail.com (Arpit Tolani)
Date: Tue, 17 Jul 2012 16:33:51 +0530
Subject: [Freeipa-users] Backup & Restore
In-Reply-To: <56343345B145C043AE990701E3D193952B5485@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193952B5485@EXVS2.nrplc.localnet>
Message-ID:

Hello

On Tue, Jul 17, 2012 at 4:09 PM, Innes, Duncan wrote:
> Hi folks,
>
> Just wondering if there's any specifically designed tools to allow backups
> & restores of a FreeIPA design - or if there are any best practice
> guidelines at least.
>
> Thanks

https://www.redhat.com/archives/freeipa-users/2012-June/msg00335.html
https://access.redhat.com/knowledge/solutions/67800

Regards
Arpit Tolani

From dale at themacartneyclan.com Tue Jul 17 11:04:11 2012
From: dale at themacartneyclan.com (Dale Macartney)
Date: Tue, 17 Jul 2012 12:04:11 +0100
Subject: [Freeipa-users] Backup & Restore
In-Reply-To: <56343345B145C043AE990701E3D193952B5485@EXVS2.nrplc.localnet>
References: <56343345B145C043AE990701E3D193952B5485@EXVS2.nrplc.localnet>
Message-ID: <500546AB.6000608@themacartneyclan.com>

Hi Duncan

I spent a substantial amount of time on restorations last week. I was working towards a "System State Backup" method of backing up IPA. I managed to get a restoration working on a completely clean system by doing a file level restore.

What type of restoration are you seeking? Complete server rebuild, or partial restoration?

Dale

On 17/07/12 11:39, Innes, Duncan wrote:
> Hi folks,
>
> Just wondering if there's any specifically designed tools to allow backups & restores of a FreeIPA design - or if there are any best practice guidelines at least.
>
> Thanks
>
> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44 7801 134507 | _duncan.innes at virginmoney.com_
From dpal at redhat.com Tue Jul 17 11:07:55 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 17 Jul 2012 07:07:55 -0400
Subject: [Freeipa-users] stopping su -
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004EAB2.70908@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5005478B.4030002@redhat.com>

On 07/17/2012 12:40 AM, Steven Jones wrote:
> Hi,
>
> I could do,
>
> auth required pam_wheel.so root_only use_uid
>
> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
>
> I assume simo's hint is,
>
> sudo -i su - oracle

AFAIU if you are looking for a centrally managed setting you need to use sudo. With su and HBAC IPA can just control which user can authenticate using "su" but not for local users like root. I think that if the oracle user is centrally managed you would be able to define an HBAC rule that would prevent the oracle user from doing su on a group of hosts, but I doubt that this is what you want. Seems like sudo will give you much more flexibility.

> I will have to experiment.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
> Sent: Tuesday, 17 July 2012 4:31 p.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] stopping su -
>
> On 07/16/2012 01:47 PM, Steven Jones wrote:
>> Hi,
>>
>> OK, so to confirm this can't be done in a centralised way via IPA?
>>
>> In which case when setting a HBAC with sshd only why can't I su - oracle but I can su - root?
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
>> Sent: Tuesday, 17 July 2012 9:38 a.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] stopping su -
>>
>> On 07/16/2012 01:32 PM, Steven Jones wrote:
>>> I have created a sshd rule only for the HBAC, but I find a std user can
>>> su - to root, is this correct behavior?
>>>
>>> How do I? or can I? stop this unless explicitly allowed?
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>
>> You need to control this via PAM. So for me I restrict su to only be
>> allowed for members of the wheel group, from /etc/pam.d/su:
>>
>> auth required pam_wheel.so use_uid
>>
>> There are comments in the file that will get you where you want to go.
>>
>> -Erinn
>
> I can't speak to whether it can or cannot be done centrally in any sort
> of authoritative way, might be possible there are hbac setting for su
> and I can't really answer your question about suing to oracle.
> -Erinn

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From arpittolani at gmail.com Tue Jul 17 11:13:50 2012
From: arpittolani at gmail.com (Arpit Tolani)
Date: Tue, 17 Jul 2012 16:43:50 +0530
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hello

On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones wrote:
> Hi,
>
> If I login as say user1, I want that user to be able to su - oracle, but
> not to say su - root (or to any other user).
>
> If user2 logs in I want them unable to su - X at all and especially not
> root.
>
> If an admin logs in I want them to be able to su - anybody...
>
> In a way before I could do that with the wheel group and pam.
>
> regards
>
> Steven Jones
> rob

# cat /etc/pam.d/su
auth       sufficient   pam_rootok.so
auth       [default=1 success=ok ignore=ignore]   pam_wheel.so trust use_uid group=group1
auth       [success=2 default=die]                pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth       [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth       requisite    pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth       include      system-auth
account    sufficient   pam_succeed_if.so uid = 0 use_uid quiet
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so

With the above configuration:
members of group1 will be able to su only to users in /etc/security/su-group1-access
members of group2 will be able to su only to users in /etc/security/su-group2-access
users which are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone

Hope that helps. Change it as per your requirement.

Regards
Arpit Tolani

From simo at redhat.com Tue Jul 17 12:48:28 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 17 Jul 2012 08:48:28 -0400
Subject: [Freeipa-users] [Fwd: Re: [Freeipa-devel] stopping su -]
Message-ID: <1342529308.3219.34.camel@willson.li.ssimo.org>

This was probably meant for the freeipa-users mailing list.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
An embedded message was scrubbed...
From: William Brown
Subject: Re: [Freeipa-devel] [Freeipa-users] stopping su -
Date: Tue, 17 Jul 2012 14:18:21 +0930
Size: 5931

From sakodak at gmail.com Tue Jul 17 15:50:09 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 17 Jul 2012 10:50:09 -0500
Subject: [Freeipa-users] another sudo su question

I've been banging my head on this for a couple of days, and I can't find anything in the docs or by searching.

I'm trying to do what I think should be pretty simple: I have a group of users and an application account, all in IPA. I want users in that group to be able to "sudo su - appacct".

What I've found is that I probably can't do it exactly like that, so now I'm trying "sudo -i appacct", but I can't get that to work either.

My rule is set up like this:

rule name: become-appacct
sudo option: -i appacct (I'm not sure this is right.)
user groups: admins, appgroup
host groups: apphostgroup

Everything else is blank. Note that this is just the current configuration, I've tried a bunch of iterations.

Any help?
Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From dpal at redhat.com Tue Jul 17 16:06:11 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 17 Jul 2012 12:06:11 -0400
Subject: [Freeipa-users] another sudo su question
Message-ID: <50058D73.3080902@redhat.com>

On 07/17/2012 11:50 AM, KodaK wrote:
> I'm trying to do what I think should be pretty simple: I have a group
> of users and an application account, all in IPA. I want users in that
> group to be able to "sudo su - appacct".
>
> What I've found is that I probably can't do it exactly like that, so
> now I'm trying "sudo -i appacct", but I can't get that to work either.
>
> My rule is set up like this:
>
> rule name: become-appacct
> sudo option: -i appacct (I'm not sure this is right.)
> user groups: admins, appgroup
> host groups: apphostgroup

If you are using IPA it internally has a different schema for sudo than the one published on the sudo web site
http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD

It is then transformed into a traditional sudo schema using the compat tree.

So what you need to do is make sure you create the right sudo rule.

Your sudo rule should use:
user groups: admins, appgroup
host groups: apphostgroup
command: sudo -i

If appacct is a user managed by IPA then he should be selected as "run as" user.
If this account is not managed by IPA it should be an "external" user.

Use UI or CLI to add it. Doing it via ldap would not work unless you use the internal schema.
objectClasses: (2.16.840.1.113730.3.8.8.1 NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL
  MAY ( externalUser $ externalHost $ hostMask $ memberAllowCmd $ memberDenyCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory $ sudoNotBefore $ sudoNotAfter $$ sudoOrder )
  X-ORIGIN 'IPA v2' )

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sakodak at gmail.com Tue Jul 17 18:40:47 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 17 Jul 2012 13:40:47 -0500
Subject: [Freeipa-users] another sudo su question
In-Reply-To: <50058D73.3080902@redhat.com>
References: <50058D73.3080902@redhat.com>

On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal wrote:
> On 07/17/2012 11:50 AM, KodaK wrote:
>> My rule is set up like this:
>>
>> rule name: become-appacct
>> sudo option: -i appacct (I'm not sure this is right.)
>> user groups: admins, appgroup
>> host groups: apphostgroup
>>
>> Everything else is blank. Note that this is just the current
>> configuration, I've tried a bunch of iterations.
>>
>> Any help?
>
> If you are using IPA it internally has a different schema for sudo than
> the one published on the sudo web site
> http://git.fedorahosted.org/git/?p=freeipa.git;a=blob;f=install/share/65ipasudo.ldif;h=7a85c8659c33794d3127d208452dcb54ad34d59e;hb=HEAD
>
> It is then transformed into a traditional sudo schema using the compat tree.
>
> So what you need to do is make sure you create the right sudo rule.
>
> Your sudo rule should use:
> user groups: admins, appgroup
> host groups: apphostgroup
> command: sudo -i

Thanks. I had some fighting to do to get sudo to talk to ldap on this box, but I have that going now.

If I understand you correctly, I've created a rule like you've suggested. However, I get:

Sorry, user jebalicki is not allowed to execute '/bin/bash -c cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

(I've given up on obfuscation.)

Here's the debug output:

[jebalicki at slncdcl01 ~]$ sudo -i cdcadmin
LDAP Config Summary
===================
uri              ldap://slpidml01.unix.magellanhealth.com ldap://slpidml02.unix.magellanhealth.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=unix,dc=magellanhealth,dc=com
binddn           uid=sudo,cn=sysaccounts,cn=etc,dc=unix,dc=magellanhealth,dc=com
bindpw           xxxxxxxxxxxxxxx
bind_timelimit   5000
timelimit        15
ssl              start_tls
tls_checkpeer    (yes)
tls_cacertfile   /etc/ipa/ca.crt
===================
sudo: ldap_initialize(ld, ldap://slpidml01.unix.magellanhealth.com ldap://slpidml02.unix.magellanhealth.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 1
sudo: ldap_set_option: tls_cacertfile -> /etc/ipa/ca.crt
sudo: ldap_set_option: timelimit -> 15
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=jebalicki)(sudoUser=%jebalicki)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%unixadmins)(sudoUser=ALL))'
sudo: found:cn=become-cdcadmin,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoRunAsUser 'cdcadmin' ... not
sudo: found:cn=test rule,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap sudoHost '+cdchosts' ... MATCH!
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: found:cn=tds-web-restart,ou=sudoers,dc=unix,dc=magellanhealth,dc=com
sudo: ldap sudoHost '+tdswebhosts' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x00
[sudo] password for jebalicki:
Sorry, user jebalicki is not allowed to execute '/bin/bash -c cdcadmin' as root on slncdcl01.unix.magellanhealth.com.
[jebalicki at slncdcl01 ~]$

And here's the rule:

[root at slpidml01 ~]# ipa sudorule-show become-cdcadmin
ipa: INFO: trying https://slpidml01.unix.magellanhealth.com/ipa/xml
ipa: INFO: Forwarding 'sudorule_show' to server u'http://slpidml01.unix.magellanhealth.com/ipa/xml'
  Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands: sudo -i
  RunAs Users: cdcadmin
[root at slpidml01 ~]#

> If appacct is a user managed by IPA then he should be selected as "run
> as" user.
> If this account is not managed by IPA it should be an "external" user
>
> Use UI or CLI to add it. Doing it via ldap would not work unless you use
> the internal schema.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From sakodak at gmail.com Tue Jul 17 18:48:42 2012
From: sakodak at gmail.com (KodaK)
Date: Tue, 17 Jul 2012 13:48:42 -0500
Subject: [Freeipa-users] another sudo su question
References: <50058D73.3080902@redhat.com>

On Tue, Jul 17, 2012 at 1:40 PM, KodaK wrote:
> On Tue, Jul 17, 2012 at 11:06 AM, Dmitri Pal wrote:
>> On 07/17/2012 11:50 AM, KodaK wrote:
>>> My rule is set up like this:
>>>
>>> rule name: become-appacct
>>> sudo option: -i appacct (I'm not sure this is right.)
>>> user groups: admins, appgroup
>>> host groups: apphostgroup
>>>
>>> Everything else is blank.
>>> Note that this is just the current
>>> configuration, I've tried a bunch of iterations.
>>>
>>> Any help?
>>
>> Your sudo rule should use:
>> user groups: admins, appgroup
>> host groups: apphostgroup
>> command: sudo -i
>
> If I understand you correctly, I've created a rule like you've
> suggested. However, I get:
>
> Sorry, user jebalicki is not allowed to execute '/bin/bash -c
> cdcadmin' as root on slncdcl01.unix.magellanhealth.com.

I got it. I was able to use:

  Rule name: become-cdcadmin
  Enabled: TRUE
  User Groups: admins, stsg
  Host Groups: cdchosts
  Sudo Allow Commands: /bin/su - cdcadmin

I thought I tried that first, but I must have had something else wrong.

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From sbingram at gmail.com Tue Jul 17 20:53:32 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 17 Jul 2012 13:53:32 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <50046A1A.4010100@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com>

On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden wrote:
> Stephen Ingram wrote:
>> On Mon, Jul 16, 2012 at 11:34 AM, Rich Megginson wrote:
>>> On 07/16/2012 11:48 AM, Stephen Ingram wrote:
>>>> On Mon, Jul 16, 2012 at 9:35 AM, Rich Megginson wrote:
>>>>> On 07/16/2012 10:19 AM, Stephen Ingram wrote:
>>>>>> On Fri, Jul 13, 2012 at 6:14 AM, Rob Crittenden wrote:
>>>>>>> Stephen Ingram wrote:
>>>>>>>> On Thu, Jul 12, 2012 at 2:59 PM, Steven Jones wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I had huge memory issues pre 6.3, now its low and flat....Sounds like you
>>>>>>>>> have an issue somewhere. My normal cpu use is a few hundred mhz....but when
>>>>>>>>> "something" goes wrong such as replication failing that climbs...ditto
>>>>>>>>> memory use....
>>>>>>>>
>>>>>>>> Yes, I saw your conversation with Rich on this list about that. And,
>>>>>>>> yes, 6.2 (2.1.3) was bad for me too. I'm not sure why 2.2.0 is still
>>>>>>>> having issues. It was an upgrade from 2.1.3, but the upgrade seemed to
>>>>>>>> complete without issue. I'm also not even doing replication yet so I'm
>>>>>>>> not sure why memory is so high. Web interface is much slower too so
>>>>>>>> perhaps something else is wrong.
>>>>>>>
>>>>>>> Can you tell where it is being slow?
>>>>>>> Does it seem related to retrieving data
>>>>>>> from LDAP?
>>>>>>
>>>>>> I'm not really sure yet what is causing the slowness. I have the same
>>>>>> number of directory entries as before the upgrade. It was very quick
>>>>>> with 2.1.3, but once I upgraded, I felt like I was back to the pre-2.0
>>>>>> days--without a doubt much, much slower.
>>>>>>
>>>>>>> You might check your 389-ds access logs and look for searches with
>>>>>>> notes=U. Perhaps you are missing an index.
>>>>>>
>>>>>> Yes there are lots of notes=U. What does this mean? Was something
>>>>>> missed in the upgrade script?
>>>>>
>>>>> Try running logconv.pl
>>>>
>>>> Nice! I'm guessing that notes=U are unindexed searches then. I have 34
>>>> over the last 24 hours so I'm not sure this would be causing the issue
>>>> as the slowness persists through every click.
>>>
>>> Yeah, I would expect to see a lot more than 34 if that were the cause.
>>>
>>> Can you post the search filters that are unindexed?
>>
>> Sure, here's a partial list (sanitized):
>>
>> filter="(managedBy=fqdn=ec2-x.x.x.us-west-2.compute.amazonaws.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>> filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>> filter="(managedBy=fqdn=imap1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>> filter="(managedBy=fqdn=imap2.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>> filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
>>
>> All the rest are the same, just with different hosts.
>>
>>>> I've traced the
>>>> unindexed searches back to the time of Web UI access and they don't
>>>> match. I also don't see any other obvious errors when running
>>>> logconv.pl.
>>>>
>>>> One strange thing I have noticed is that the 389 server logs seem to
>>>> update in "spurts".
>>>> If I'm tailing the logs while I access a Web UI
>>>> page, there is nothing, then a couple of seconds later, I see the logs
>>>> quickly scroll with new entries. Has this always been the case? I
>>>> don't seem to remember this before.
>>>
>>> Yes. The 389 access log is buffered, for performance reasons.
>>
>> Just thought it might be relevant. I'm not sure what is causing the
>> extreme slowness. I've also shut off memcached and tried without it
>> with no discernible difference. The directory seems to be handling the
>> load of external queries just fine, although I'm not sure I've solved
>> the memory issue--I'm still testing with the compat plugin disabled to
>> see if I can stop the memory creep. Maybe it's something in the code
>> of the Web UI itself as it's even slow when changing from page to page
>> of users and hosts.
>
> Shutting off memcached is just going to make things even slower.

I really didn't see much difference so I turned it back on right away.

> Things you can try on a quiet system:
>
> 1. Create /etc/ipa/server.conf:
>
> [global]
> debug=True
>
> Restart Apache
>
> Use the UI to do a few things. Verify in the logs that the session cache is
> being used.

Yes, it is. It's interesting, 2.2 is slower such that you can see the frame load, and then the loading symbol spins below in the display area for a few seconds while that loads up. Before, with 2.1.3, you really couldn't distinguish the two as they loaded so quickly.

> 2. Check your browser configuration. You don't need delegation-uris set any
> more. Having it set might mask other problems (you still need
> negotiation-auth.trusted-uris set).

I forgot about this. I changed it, completely cleared the browser cache and accessed without any noticeable difference.

> 3. Watch what URI is being used in the Apache access log. It should be
> /ipa/session/json.

Check. This is where it lands.
I'm beginning to think this is just the Web UI itself instead of 389 although it is really difficult to tell. I've pored over the debug logs and didn't see an anything that caused me concern.

It's certainly usable, but I just got really spoiled by the unbelievable quickness of 2.1.3. When your release notes indicate it should be faster, what are you comparing it to? Maybe this only happens with upgraded instances and not fresh installs.

Steve

From rcritten at redhat.com Tue Jul 17 21:01:09 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 Jul 2012 17:01:09 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com>
Message-ID: <5005D295.2020708@redhat.com>

Stephen Ingram wrote:
> On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden wrote:
>> Stephen Ingram wrote:
>
> I really didn't see much difference so I turned it back on right away.
>
>> Things you can try on a quiet system:
>>
>> 1. Create /etc/ipa/server.conf:
>>
>> [global]
>> debug=True
>>
>> Restart Apache
>>
>> Use the UI to do a few things. Verify in the logs that the session cache is
>> being used.
>
> Yes, it is. It's interesting, 2.2 is slower such that you can see the
> frame load, and then the loading symbol spins below in the display
> area for a few seconds while that loads up. Before, with 2.1.3, you
> really couldn't distinguish the two as they loaded so quickly.

A lot of what gets loaded are just big javascript files. I wonder if there is a DNS problem, that would explain the slowness. The javascript and much of the UI is completely unprotected by anything.

>> 2. Check your browser configuration. You don't need delegation-uris set any
>> more. Having it set might mask other problems (you still need
>> negotiation-auth.trusted-uris set).
>
> I forgot about this. I changed it, completely cleared the browser
> cache and accessed without any noticeable difference.
>
>> 3. Watch what URI is being used in the Apache access log. It should be
>> /ipa/session/json.
>
> Check. This is where it lands.
>
> I'm beginning to think this is just the Web UI itself instead of 389
> although it is really difficult to tell. I've pored over the debug
> logs and didn't see anything that caused me concern.
>
> It's certainly usable, but I just got really spoiled by the
> unbelievable quickness of 2.1.3. When your release notes indicate it
> should be faster, what are you comparing it to? Maybe this only
> happens with upgraded instances and not fresh installs.

It is always possible something didn't get upgraded properly but I've done 2.1.3 -> 2.2.0 upgrades and haven't seen this.

When we say something is faster we're always referring to the previous version (or versions).

Since sessions are being used the only bottleneck should be 389-ds and our massaging of that data.
The only thing that should be slow is the retrieval of actual data. The pages themselves should return and be rendered fairly quickly and the data should follow shortly. If everything is slower then it is something else (network, DNS, browser, etc). You might try creating a new browser profile to rule things out.

rob

From sbingram at gmail.com Tue Jul 17 21:43:47 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Tue, 17 Jul 2012 14:43:47 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5005D295.2020708@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com>

On Tue, Jul 17, 2012 at 2:01 PM, Rob Crittenden wrote:
> Stephen Ingram wrote:
>> On Mon, Jul 16, 2012 at 12:23 PM, Rob Crittenden wrote:
>>> Stephen Ingram wrote:
>>>> >>>> >>>> >>>> Sure, here's a partial list (sanitized): >>>> >>>> >>>> >>>> filter="(managedBy=fqdn=ec2-x.x.x.us-west-2.compute.amazonaws.com,cn=computers,cn=accounts,dc=example,dc=com) >>>> attrs="fqdn" >>>> >>>> >>>> filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" >>>> attrs="fqdn" >>>> >>>> >>>> filter="(managedBy=fqdn=imap1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" >>>> attrs="fqdn" >>>> >>>> >>>> filter="(managedBy=fqdn=imap2.example.com,cn=computers,cn=accounts,dc=example,dc=com)" >>>> attrs="fqdn" >>>> >>>> >>>> filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" >>>> attrs="fqdn" >>>> >>>> All the rest are the same, just with different hosts. >>>> >>>>>> I've traced the >>>>>> unindexed searches back to the time of Web UI access and they don't >>>>>> match. I also don't see any other obvious errors when running >>>>>> logconv.pl. >>>>>> >>>>>> One strange thing I have noticed is that the 389 server logs seem to >>>>>> update in "spurts". If I'm tailing the logs while I access a Web UI >>>>>> page, there is nothing, then a couple of seconds later, I see the logs >>>>>> quickly scroll with new entires. Has this always been the case? I >>>>>> don't seem to remember this before. >>>>> >>>>> >>>>> >>>>> Yes. The 389 access log is buffered, for performance reasons. >>>> >>>> >>>> >>>> Just thought it might be relevant. I'm not sure what is causing the >>>> extreme slowness. I've also shut off memcached and tried without it >>>> with no discernible difference. The directory seems to be handling the >>>> load of external queries just fine, although I'm not sure I've solved >>>> the memory issue--I'm still testing with the compat plugin disabled to >>>> see if I can stop the memory creep. Maybe it's something in the code >>>> of the Web UI itself as its even slow when changing from page to page >>>> of users and hosts. 
>>> Shutting off memcached is just going to make things even slower.
>>
>> I really didn't see much difference so I turned it back on right away.
>>
>>> Things you can try on a quiet system:
>>>
>>> 1. Create /etc/ipa/server.conf:
>>>
>>> [global]
>>> debug=True
>>>
>>> Restart Apache
>>>
>>> Use the UI to do a few things. Verify in the logs that the session cache
>>> is being used.
>>
>> Yes, it is. It's interesting, 2.2 is slower such that you can see the
>> frame load, and then the loading symbol spins below in the display
>> area for a few seconds while that loads up. Before, with 2.1.3, you
>> really couldn't distinguish the two as they loaded so quickly.
>
> A lot of what gets loaded is just big javascript files. I wonder if there is
> a DNS problem, that would explain the slowness. The javascript and much of
> the UI is completely unprotected by anything.

Hmmm. DNS issues? What sort of things would I be looking for? ipa1.example.com resolves both ways, both from IPA and from an outside nameserver that doesn't connect at all with IPA. Would there be anything else? Could a DNS conflict within the DNS portion of IPA cause an issue?

>>> 2. Check your browser configuration. You don't need delegation-uris set
>>> any more. Having it set might mask other problems (you still need
>>> negotiation-auth.trusted-uris set).
>>
>> I forgot about this. I changed it, completely cleared the browser
>> cache and accessed without any noticeable difference.
>>
>>> 3. Watch what URI is being used in the Apache access log. It should be
>>> /ipa/session/json.
>>
>> Check. This is where it lands.
>>
>> I'm beginning to think this is just the Web UI itself instead of 389
>> although it is really difficult to tell. I've pored over the debug
>> logs and didn't see anything that caused me concern.
>>
>> It's certainly usable, but I just got really spoiled by the
>> unbelievable quickness of 2.1.3.
>> When your release notes indicate it
>> should be faster, what are you comparing it to? Maybe this only
>> happens with upgraded instances and not fresh installs.
>
> It is always possible something didn't get upgraded properly but I've done
> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
> faster we're always referring to the previous version (or versions).

Maybe I was just lucky with 2.1.3. On a first load it might take some time to load the "frame" as I call it. But the data would load almost instantaneously from there (certainly no more than 1 s) as you moved from page to page. Here, even if I return to the same page, the system acts as if the data is being fetched for the very first time, as it is no faster than the first load. Maybe that is significant to the problem?

> Since sessions are being used the only bottleneck should be 389-ds and our
> massaging of that data. The only thing that should be slow is the retrieval
> of actual data. The pages themselves should return and be rendered fairly
> quickly and the data should follow shortly. If everything is slower then it
> is something else (network, DNS, browser, etc).

Perhaps the problem is in another package that came along for the ride with the upgrade to 6.3. As the memory requirements are substantially higher, maybe there were some adjustments elsewhere (new kadmind, httpd). I'll start hunting through other logs as well to see what I can find.

> You might try creating a new browser profile to rule things out.

I tried this with no success.
Steve

From Steven.Jones at vuw.ac.nz Tue Jul 17 22:03:06 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 22:03:06 +0000
Subject: [Freeipa-users] stopping su -
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz> <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004EAB2.70908@gmail.com>,
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B167@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi

Actually this, for me anyway, is exactly what IPA should be for....it's security, it's centrally managed and it saves workload. Doing this across 200+ servers needs to be centralised or IPA becomes pointless, very limited, i.e. one-point password, add and remove users (oh big deal, I can use salt to do that in effect). As I'd have to do IPA stuff and then local....it saves me little if anything in work / automation.

Now if it doesn't do this, well OK, but half my problem is determining what IPA can and can't do; the devil is in the detail as they say.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

8><------
You can lock that down in the sudoers config and you can lock the su permissions to the wheel group via the local configuration files in /etc/security or via the pam module. Either way you need to add in configuration file management, which is not what freeipa is for.
8><----

-------------- next part --------------
An HTML attachment was scrubbed...
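To make the notes=U hint from the 2.20 dirsrv thread above concrete, here is an added Python example (my own, not FreeIPA or 389-ds code, and not a substitute for the logconv.pl mentioned in the thread). 389-ds logs a SRCH line when a search arrives and a RESULT line when it finishes; the notes=U flag that marks an unindexed search only appears on the RESULT line, so the two have to be paired by connection and operation number before the offending filter can be read off. The script does that pairing, keeps the unindexed searches, and counts the attribute types used in their filters, which points at the index that is missing. The access-log excerpt is constructed for the example in the 389-ds access-log format; the script generalizes the thread's managedBy-only listing to any filter.

```python
"""Find unindexed searches (notes=U) in a 389-ds access log and suggest indexes.

Added example for the list thread; not FreeIPA or 389-ds project code.
The log lines below are constructed for the example.
"""
import re
from collections import Counter

# Constructed 389-ds access-log excerpt. Lines from different connections
# interleave, so pairing "the previous line" with a RESULT would be wrong;
# conn= and op= together identify one operation.
SAMPLE_ACCESS_LOG = """\
[17/Jul/2012:10:19:01 -0700] conn=120 op=3 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs="uid cn"
[17/Jul/2012:10:19:01 -0700] conn=120 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:10:19:02 -0700] conn=120 op=4 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=2 filter="(managedBy=fqdn=imap.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
[17/Jul/2012:10:19:02 -0700] conn=121 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="ALL"
[17/Jul/2012:10:19:02 -0700] conn=120 op=4 RESULT err=0 tag=101 nentries=0 etime=1 notes=U
[17/Jul/2012:10:19:02 -0700] conn=121 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[17/Jul/2012:10:19:05 -0700] conn=122 op=2 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=2 filter="(managedBy=fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com)" attrs="fqdn"
[17/Jul/2012:10:19:06 -0700] conn=122 op=2 RESULT err=0 tag=101 nentries=1 etime=1 notes=U
"""

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"'
    r'(?: attrs="(?P<attrs>[^"]*)")?')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>[\d.]+)'
    r'(?P<rest>.*)$')
# Attribute types named in an LDAP filter, e.g. managedBy in (managedBy=...).
ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)[~<>]?=')


def unindexed_searches(lines):
    """Pair SRCH and RESULT lines by (conn, op) and return the searches whose
    RESULT carries notes=U, i.e. the ones the server answered without an index."""
    pending = {}   # (conn, op) -> SRCH fields, until the matching RESULT arrives
    found = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue   # BIND, UNBIND, MOD, ... are not searches
        srch = pending.pop((m["conn"], m["op"]), None)
        if srch is None:
            continue   # RESULT of an operation we did not see as SRCH
        flags = re.search(r'notes=([A-Z,]+)', m["rest"])
        if flags and "U" in flags.group(1).split(","):
            found.append({
                "time": m["ts"], "conn": srch["conn"], "op": srch["op"],
                "base": srch["base"], "filter": srch["filter"],
                "attrs": srch["attrs"], "nentries": int(m["nentries"]),
                "etime": float(m["etime"]),
            })
    return found


def missing_index_candidates(records):
    """Count the attribute types used in unindexed filters; the most frequent
    ones are the attributes whose index is most likely missing."""
    counts = Counter()
    for rec in records:
        for attr in set(ATTR_RE.findall(rec["filter"])):
            counts[attr] += 1
    return counts


def report(lines):
    recs = unindexed_searches(lines)
    print(f"{len(recs)} unindexed search(es)")
    for rec in recs:
        print(f"  {rec['time']} conn={rec['conn']} op={rec['op']} etime={rec['etime']} "
              f"nentries={rec['nentries']} filter={rec['filter']}")
    for attr, n in missing_index_candidates(recs).most_common():
        print(f"  candidate index: {attr} ({n} unindexed search(es))")
    return recs


if __name__ == "__main__":
    report(SAMPLE_ACCESS_LOG.splitlines())
```

Run against a real access log (`report(open("/var/log/dirsrv/slapd-EXAMPLE/access").read().splitlines())`, path assumed) the counter surfaces the attribute to check in the backend's index configuration; in the thread every unindexed filter is on managedBy, which is exactly what the constructed sample reproduces. Remember that the access log is buffered, as Rich points out in the thread, so the most recent searches may not be on disk yet when you look.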
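The "stopping su" thread above settles on the split that su to root stays a local PAM matter while becoming an application account goes through sudo rules in IPA. Whichever way the policy is enforced, the log on each host still records every privilege transition, and checking those records is the part that can be centralised immediately. Here is an added Python example (my own, not FreeIPA code) that parses the sudo and pam_unix lines as they appear in /var/log/secure and flags what the thread worries about: a non-admin reaching root, an application account entered through su instead of sudo, and denied attempts. The admin set, the application-account set and the log lines are constructed for the example.

```python
"""Audit su/sudo privilege transitions from syslog-style secure-log lines.

Added example for the "stopping su" thread; not FreeIPA code. The policy
sets and the log lines are constructed for the example.
"""
import re

# Constructed policy: who may become root directly, and which accounts are
# application accounts that must be entered through sudo, not su.
ADMINS = {"admin1"}
APP_ACCOUNTS = {"appacct", "oracle"}

# Constructed /var/log/secure excerpt in the formats sudo and pam_unix emit.
SAMPLE_SECURE_LOG = """\
Jul 17 14:03:11 app1 sudo:    jason : TTY=pts/0 ; PWD=/home/jason ; USER=appacct ; COMMAND=/bin/bash
Jul 17 14:03:11 app1 sudo: pam_unix(sudo:session): session opened for user appacct by jason(uid=1001)
Jul 17 14:05:42 app1 su: pam_unix(su-l:session): session opened for user root by alice(uid=1002)
Jul 17 14:07:03 app1 su: pam_unix(su-l:auth): authentication failure; logname=bob uid=1003 euid=0 tty=pts/2 ruser=bob rhost=  user=oracle
Jul 17 14:09:20 app1 sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su - oracle
Jul 17 14:12:30 app1 su: pam_unix(su-l:session): session opened for user oracle by carol(uid=1004)
Jul 17 14:15:00 app1 su: pam_unix(su:session): session opened for user oracle by root(uid=0)
Jul 17 14:20:18 app1 su: pam_unix(su-l:session): session opened for user root by admin1(uid=1000)
"""

SUDO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<actor>\S+) : '
    r'(?:(?P<reason>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')
SU_SESSION_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: pam_unix\((?P<svc>su(?:-l)?):session\): '
    r'session opened for user (?P<target>\S+) by (?P<actor>[^(]+)\(uid=\d+\)$')
SU_FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: pam_unix\(su(?:-l)?:auth\): '
    r'authentication failure;.*\bruser=(?P<actor>\S+).*\buser=(?P<target>\S+)$')


def parse_events(lines):
    """Turn sudo command lines, su session-open lines and su auth failures into
    uniform actor -> target events; everything else (session close, sudo's own
    pam_unix session lines, other daemons) is skipped."""
    events = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            # A reason before TTY= ("command not allowed", "user NOT in sudoers")
            # means sudo refused the command.
            events.append({"time": m["ts"], "host": m["host"], "via": "sudo",
                           "actor": m["actor"], "target": m["target"],
                           "ok": m["reason"] is None,
                           "detail": m["reason"] or m["cmd"]})
            continue
        m = SU_SESSION_RE.match(line)
        if m:
            events.append({"time": m["ts"], "host": m["host"], "via": "su",
                           "actor": m["actor"], "target": m["target"],
                           "ok": True, "detail": "pam service " + m["svc"]})
            continue
        m = SU_FAIL_RE.match(line)
        if m:
            events.append({"time": m["ts"], "host": m["host"], "via": "su",
                           "actor": m["actor"], "target": m["target"],
                           "ok": False, "detail": "authentication failure"})
    return events


def audit(events, admins=ADMINS, app_accounts=APP_ACCOUNTS):
    """Apply the constructed policy: denied attempts are always reported, root
    is reserved for admins, and application accounts are entered through sudo
    only (root switching down to an app account, e.g. after an allowed sudo,
    is not flagged)."""
    findings = []
    for e in events:
        where = f"{e['actor']} -> {e['target']} via {e['via']} on {e['host']} at {e['time']}"
        if not e["ok"]:
            findings.append(("denied", where, e["detail"]))
        elif e["target"] == "root" and e["actor"] not in admins:
            findings.append(("root-by-non-admin", where, e["detail"]))
        elif e["target"] in app_accounts and e["via"] != "sudo" and e["actor"] != "root":
            findings.append(("app-account-via-su", where, e["detail"]))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit(parse_events(SAMPLE_SECURE_LOG.splitlines())):
        print(f"{kind:20} {where}  [{detail}]")
```

A `sudo su - appacct` of the kind KodaK asks about shows up as a sudo line with USER=root and COMMAND=/bin/su - appacct followed by an su session line from root to appacct; the audit above accepts that pair because the sudo step is the one IPA's sudo rules govern. Feed it lines from a central syslog collector and the per-host pam_wheel or pam_listfile restrictions from the thread get the centralised oversight the thread is asking for.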
URL:

From Steven.Jones at vuw.ac.nz Tue Jul 17 22:04:01 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 22:04:01 +0000
Subject: [Freeipa-users] stopping su -
In-Reply-To: <5005478B.4030002@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004EAB2.70908@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5005478B.4030002@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B176@STAWINCOX10MBX1.staff.vuw.ac.nz>

But presumably I can control sudo with IPA?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, 17 July 2012 11:07 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] stopping su -

On 07/17/2012 12:40 AM, Steven Jones wrote:
> Hi,
>
> I could do,
>
> auth required pam_wheel.so root_only use_uid
>
> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally.
>
> I assume simo's hint is,
>
> sudo -i su - oracle

AFAIU if you are looking for a centrally managed setting you need to use sudo.
With su and HBAC IPA can just control which user can authenticate using "su" but not for local users like root.

I think that if the oracle user is centrally managed you would be able to define an HBAC rule that would prevent the oracle user from doing su on a group of hosts, but I doubt that this is what you want.
Seems like sudo will give you much more flexibility.

> I will have to experiment.
> > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] > Sent: Tuesday, 17 July 2012 4:31 p.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] stopping su - > > On 07/16/2012 01:47 PM, Steven Jones wrote: >> Hi, >> >> OK, so to confirm this cant be done in a centralised way via IPA? >> >> In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root? >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] >> Sent: Tuesday, 17 July 2012 9:38 a.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] stopping su - >> >> On 07/16/2012 01:32 PM, Steven Jones wrote: >>> I have craeted a sshd rule only for the HBAC, but I find a std user can >>> su - to root, is this correect behavior? >>> >>> How do I? or can I? stop this unless explicitly allowed? >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> >> You need to control this via PAM. So for me I restrict su to only be >> allowed for members of the wheel group, from /etc/pam.d/su: >> >> auth required pam_wheel.so use_uid >> >> There are comments in the file that will get you where you want to go. 
>> >> -Erinn >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > I can't speak to whether it can or cannot be done centrally in any sort > of authoritative way, might be possible there are hbac setting for su > and I can't really answer your question about suing to oracle. > > -Erinn > > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From Steven.Jones at vuw.ac.nz Tue Jul 17 22:06:09 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 17 Jul 2012 22:06:09 +0000 Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only? In-Reply-To: References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>, Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz> Can I get this clarified as I am getting really confused, Can I do this in/via IPA or not? Yes or no I think will suffice. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: Arpit Tolani [arpittolani at gmail.com] Sent: Tuesday, 17 July 2012 11:13 p.m. To: Steven Jones Cc: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only? 
Hello

On Tue, Jul 17, 2012 at 3:15 AM, Steven Jones wrote:

Hi,

If I login as say user1, I want that user to be able to su - oracle, but not to say su - root (or to any other user). If user2 logs in I want them unable to su - X at all and especially not root. If an admin logs in I want them to be able to su - anybody...

In a way before I could do that with the wheel group and pam.

regards

Steven Jones

rob

# cat /etc/pam.d/su
auth sufficient pam_rootok.so
auth [default=1 success=ok ignore=ignore] pam_wheel.so trust use_uid group=group1
auth [success=2 default=die] pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group1-access
auth [default=die success=ok ignore=ignore] pam_wheel.so trust use_uid group=group2
auth requisite pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-group2-access
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

With the above configuration:

members of group1 will be able to su only to users in /etc/security/su-group1-access
members of group2 will be able to su only to users in /etc/security/su-group2-access
users which are in neither group1 nor group2 will not be able to su to anyone
root will be able to su to anyone

Hope that helps. Change it as per your requirement.

Regards
Arpit Tolani

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From Steven.Jones at vuw.ac.nz Tue Jul 17 22:09:20 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 22:09:20 +0000
Subject: [Freeipa-users] another sudo su question
In-Reply-To:
References:
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B19D@STAWINCOX10MBX1.staff.vuw.ac.nz>

This is exactly my sort of thing as well.
We seem to be in the freeipa group yet ppl are telling me to use pam.d...no one has really said you cannot do this in IPA, or you can and this is how...... :/

The very idea of using IPA is to stop having to do such local configuration....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of KodaK [sakodak at gmail.com]
Sent: Wednesday, 18 July 2012 3:50 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] another sudo su question

I've been banging my head on this for a couple of days, and I can't find anything in the docs or by searching.

I'm trying to do what I think should be pretty simple: I have a group of users and an application account, all in IPA. I want users in that group to be able to "sudo su - appacct". What I've found is that I probably can't do it exactly like that, so now I'm trying "sudo -i appacct", but I can't get that to work either.

My rule is set up like this:

rule name: become-appacct
sudo option: -i appacct (I'm not sure this is right.)
user groups: admins, appgroup
host groups: apphostgroup

Everything else is blank. Note that this is just the current configuration, I've tried a bunch of iterations.

Any help?

Thanks,

--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From erinn.looneytriggs at gmail.com Tue Jul 17 22:17:36 2012
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Tue, 17 Jul 2012 14:17:36 -0800
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <5005E480.4050907@gmail.com>

On 07/17/2012 02:06 PM, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> *From:* Arpit Tolani [arpittolani at gmail.com]
> *Sent:* Tuesday, 17 July 2012 11:13 p.m.
> *To:* Steven Jones
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] How to set a user group rule to allow su
> - oracle only?

I think that is because you are talking about two separate things. You want to control entry to root via su, this may or may not be controllable with IPA, but probably not. You want to control entry to the oracle user via sudo and restrict that to a group of users, that is entirely possible within IPA.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL:

From simo at redhat.com Tue Jul 17 22:18:05 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 17 Jul 2012 18:18:05 -0400
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1342563485.3219.50.camel@willson.li.ssimo.org>

On Tue, 2012-07-17 at 22:06 +0000, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.

Not using 'su', but you can using sudo as explained in other messages.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Jul 17 22:18:58 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 22:18:58 +0000
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <1342563485.3219.50.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz> , <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342563485.3219.50.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B1D0@STAWINCOX10MBX1.staff.vuw.ac.nz>

Thank you. :D

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Wednesday, 18 July 2012 10:18 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

On Tue, 2012-07-17 at 22:06 +0000, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
Not using 'su', but you can using sudo as explained in other messages.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Jul 17 22:29:08 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 17 Jul 2012 22:29:08 +0000
Subject: [Freeipa-users] How to set a user group rule to allow su - oracle only?
In-Reply-To: <5005E480.4050907@gmail.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD3381B@STAWINCOX10MBX1.staff.vuw.ac.nz> <5004888C.3020906@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD338AF@STAWINCOX10MBX1.staff.vuw.ac.nz>, <833D8E48405E064EBC54C84EC6B36E404CD3B186@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5005E480.4050907@gmail.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD3B1E5@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Thanks...yes I don't care "how" as such. I'm trying to translate traditional linux/unix ways of doing things into IPA where possible...maybe that's where I'm communicating poorly and causing confusion, sorry about that. It's like English and French, I want the French but only have the English words to ask in. :/

su - root can be local, that's OK as that is unique and exists locally. But I need to do a lot of what kodak wants and have a group of users login as themselves and then get to an application "user". Typically this would be say oracle...but I don't want the user oracle to be able to ssh in...so that can be IPA controlled, I know, which I'd rather do than putting a deny into sshd_config....as when you want to refresh a database you could have a HBAC for Oracle defined between 2 specific hosts for a set length of time say.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com]
Sent: Wednesday, 18 July 2012 10:17 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How to set a user group rule to allow su - oracle only?

On 07/17/2012 02:06 PM, Steven Jones wrote:
> Can I get this clarified as I am getting really confused,
>
> Can I do this in/via IPA or not?
>
> Yes or no I think will suffice.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> *From:* Arpit Tolani [arpittolani at gmail.com]
> *Sent:* Tuesday, 17 July 2012 11:13 p.m.
> *To:* Steven Jones
> *Cc:* Rob Crittenden; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] How to set a user group rule to allow su
> - oracle only?

I think that is because you are talking about two separate things. You want to control entry to root via su, this may or may not be controllable with IPA, but probably not. You want to control entry to the oracle user via sudo and restrict that to a group of users, that is entirely possible within IPA.

-Erinn

From jdennis at redhat.com Tue Jul 17 22:56:56 2012
From: jdennis at redhat.com (John Dennis)
Date: Tue, 17 Jul 2012 18:56:56 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com>
Message-ID: <5005EDB8.7090803@redhat.com>

On 07/17/2012 05:43 PM, Stephen Ingram wrote:
> [ details of performance analysis snipped for brevity ]

I wonder if we shouldn't add some timing metrics to our code. As it is it's very hard to know where time is being spent.

When I wrote the session code I added some timestamps used for managing session timeouts. It wouldn't be too hard to expand this to time how long it takes a command to execute because it's evaluated for every command.
Combined with timestamping in the UI code we could get a reasonable idea of where some bottlenecks lie (or don't).

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From pvoborni at redhat.com Wed Jul 18 13:45:42 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 18 Jul 2012 15:45:42 +0200
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com>
Message-ID: <5006BE06.7020109@redhat.com>

On 07/17/2012 11:43 PM, Stephen Ingram wrote:

8><------

>>> I'm beginning to think this is just the Web UI itself instead of 389
>>> although it is really difficult to tell. I've pored over the debug
>>> logs and didn't see anything that caused me concern.
>>>
>>> It's certainly usable, but I just got really spoiled by the
>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>> should be faster, what are you comparing it to? Maybe this only
>>> happens with upgraded instances and not fresh installs.
>>
>> It is always possible something didn't get upgraded properly but I've done
>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>> faster we're always referring to the previous version (or versions).
>
> Maybe I was just lucky with 2.1.3. On a first load it might take some
> time to load the "frame" as I call it. But the data would load almost
> instantaneously from there (certainly no more than 1 s) as you moved
> from page to page. Here, even if I return to the same page, the system
> acts as if the data is being fetched for the very first time as it is
> no faster than the first load. Maybe that is significant to the
> problem?

I think the culprit is the Web UI paging capabilities introduced in 2.2. With a lot of users, responses might grow in size.
You can check their size and duration in the browser developer tools. I suggest chrome/chromium - press F12 and choose the 'network' tab.

This new feature can't be disabled in configuration. To test if the slowdown is caused by paging you can (at your own risk) replace line /usr/share/ipa/ui/facet.js:538

that.pagination = spec.pagination === undefined ? true : spec.pagination;

with:

that.pagination = false;

Note: It will break some other parts of the UI - so for testing only.

> Steve
>

--
Petr Vobornik

From sbingram at gmail.com Wed Jul 18 17:53:16 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 10:53:16 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5005EDB8.7090803@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5005EDB8.7090803@redhat.com>
Message-ID:

On Tue, Jul 17, 2012 at 3:56 PM, John Dennis wrote:
> On 07/17/2012 05:43 PM, Stephen Ingram wrote:
>
>> [ details of performance analysis snipped for brevity ]
>
> I wonder if we shouldn't add some timing metrics to our code. As it is it's
> very hard to know where time is being spent.
>
> When I wrote the session code I added some timestamps used for managing
> session timeouts. It wouldn't be too hard to expand this to time how long it
> takes a command to execute because it's evaluated for every command.
> Combined with timestamping in the UI code we could get a reasonable idea of
> where some bottlenecks lie (or don't).

I've never used this before so I'm not sure how it would work, but it sounds great. It's really difficult to tell what's causing the issue when there are so many processes occurring.
Steve From dpal at redhat.com Wed Jul 18 17:53:41 2012 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 18 Jul 2012 13:53:41 -0400 Subject: [Freeipa-users] stopping su - In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD3B176@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD33890@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500489D1.90703@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD348C6@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5004EAB2.70908@gmail.com> <833D8E48405E064EBC54C84EC6B36E404CD36B24@STAWINCOX10MBX1.staff.vuw.ac.nz>, <5005478B.4030002@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD3B176@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <5006F825.1050306@redhat.com> On 07/17/2012 06:04 PM, Steven Jones wrote: > but presumably I can control sudo with IPA? Yes you do. > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com] > Sent: Tuesday, 17 July 2012 11:07 p.m. > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] stopping su - > > On 07/17/2012 12:40 AM, Steven Jones wrote: >> Hi, >> >> I could do, >> >> auth required pam_wheel.so root_only use_uid >> >> But I really want to do this with IPA or I have to get on each server and add and remove admins by hand (hint 300 servers)...that is the idea of something like IPA for me....do it once centrally. >> >> I assume simo's hint is, >> >> sudo -i su - oracle > AFAIU if you are looking for centrally manged setting you need to use sudo. > With su and HBAC IPA can just control which user can authenticate using > "su" but not for local users like root. 
> > I think that if the oracle user is centrally managed you would be able > to define an HBAC rule that would prevent oracle user from doing su on a > group of hosts, but I doubt that this is what you want. > Seems like sudo will give you much more flexibility. > >> I will have to experiment. >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] >> Sent: Tuesday, 17 July 2012 4:31 p.m. >> To: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] stopping su - >> >> On 07/16/2012 01:47 PM, Steven Jones wrote: >>> Hi, >>> >>> OK, so to confirm this cant be done in a centralised way via IPA? >>> >>> In which case when setting a HBAC with sshd only why cant i su - oracle but I can su - root? >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Erinn Looney-Triggs [erinn.looneytriggs at gmail.com] >>> Sent: Tuesday, 17 July 2012 9:38 a.m. >>> To: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] stopping su - >>> >>> On 07/16/2012 01:32 PM, Steven Jones wrote: >>>> I have craeted a sshd rule only for the HBAC, but I find a std user can >>>> su - to root, is this correect behavior? >>>> >>>> How do I? or can I? stop this unless explicitly allowed? 
>>>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> You need to control this via PAM. So for me I restrict su to only be >>> allowed for members of the wheel group, from /etc/pam.d/su: >>> >>> auth required pam_wheel.so use_uid >>> >>> There are comments in the file that will get you where you want to go. >>> >>> -Erinn >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> I can't speak to whether it can or cannot be done centrally in any sort >> of authoritative way, might be possible there are hbac setting for su >> and I can't really answer your question about suing to oracle. >> >> -Erinn >> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From dpal at redhat.com Wed Jul 18 17:59:49 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 18 Jul 2012 13:59:49 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5005EDB8.7090803@redhat.com>
Message-ID: <5006F995.2050108@redhat.com>

On 07/18/2012 01:53 PM, Stephen Ingram wrote:
> On Tue, Jul 17, 2012 at 3:56 PM, John Dennis wrote:
>> On 07/17/2012 05:43 PM, Stephen Ingram wrote:
>>
>>> [ details of performance analysis snipped for brevity ]
>> I wonder if we shouldn't add some timing metrics to our code. As it is it's
>> very hard to know where time is being spent.
>>
>> When I wrote the session code I added some timestamps used for managing
>> session timeouts. It wouldn't be too hard to expand this to time how long it
>> takes a command to execute because it's evaluated for every command.
>> Combined with timestamping in the UI code we could get a reasonable idea of
>> where some bottlenecks lie (or don't).
> I've never used this before so I'm not sure how it would work, but it
> sounds great. It's really difficult to tell what's causing the issue
> when there are so many processes occurring.
>

While we are going with the technical digging let us also try to collect
the sufficient information about the problem.

Here are some questions that would help us to reproduce the issue.

1) Is the problem with every frame or just some specific UI pages?
Can you for example see the IPA Configuration panel or log in as a self-service
user? Are those fast?

2) Say it is users, so how many users do you have? Is it thousands?
Or maybe it is a specific group?

We might need to reproduce the same setup and see what is going on.
> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Wed Jul 18 18:59:02 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 11:59:02 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5006BE06.7020109@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com>
Message-ID: 

On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik wrote:
> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>
> 8><------
>
>
>>>>
>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>> although it is really difficult to tell. I've pored over the debug
>>>> logs and didn't see anything that caused me concern.
>>>>
>>>> It's certainly usable, but I just got really spoiled by the
>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>> should be faster, what are you comparing it to? Maybe this only
>>>> happens with upgraded instances and not fresh installs.
>>>
>>>
>>>
>>> It is always possible something didn't get upgraded properly but I've
>>> done
>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>> faster we're always referring to the previous version (or versions).
>>
>>
>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>> time to load the "frame" as I call it. But the data would load almost
>> instantaneously from there (certainly no more than 1 s) as you moved
>> from page to page.
>> Here, even if I return to the same page, the system
>> acts as if the data is being fetched for the very first time as it is
>> no faster than the first load. Maybe that is significant to the
>> problem?
>
>
> I think the culprit is Web UI paging capabilities introduced in 2.2. With
> lot of users, responses might grow in size. You can check their size and
> duration in browser developers tools. I suggest chrome/chromium - press F12
> and choose 'network' tab.
>
> This new feature can't be disabled in configuration. To test if the slowdown
> is done by paging you can (at own risk) replace line
> /usr/share/ipa/ui/facet.js:538
>
> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>
> with:
>
> that.pagination = false;
>
> Note: It will break some other parts of the UI - so for testing only.

I've made the substitution in the code (was line 507 for me; do I have
a different version?). Looking at the time chart in Chrome I see that
the bulk of the time is for /ipa/session waiting. Would "waiting" mean
waiting for the directory server or memcached?
Here's a portion of the initial load of the Users page:
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 33.94KB 33.10KB 1.57s 1.47s 96ms (1.37s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 568.09KB 564.36KB 3.92s 2.95s 963ms (2.85s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 556.94KB 553.40KB 3.78s 2.94s 836ms (2.83s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 46.93KB 46.38KB 1.87s 1.71s (1.60s waiting)

Now, with the pagination turned back on:
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 33.94KB 33.10KB 1.58s 1.48s 100ms (1.38s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 568.09KB 564.36KB 4.05s 3.09s 964ms (2.98s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 556.94KB 553.40KB 3.84s 2.99s 855ms (2.88s waiting)
json/ipa/session POST 200 Success application/json jquery.js:7365 Script 46.93KB 46.38KB 1.52s 1.51s (1.40s waiting)

Steve

From jdennis at redhat.com Wed Jul 18 19:28:21 2012
From: jdennis at redhat.com (John Dennis)
Date: Wed, 18 Jul 2012 15:28:21 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com>
Message-ID: <50070E55.90307@redhat.com>

On 07/18/2012 02:59 PM, Stephen Ingram wrote:
> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik wrote:
>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>
>> 8><------
>>
>>
>>>>>
>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>> although it is really difficult to tell. I've pored over the debug
>>>>> logs and didn't see anything that caused me concern.
>>>>>
>>>>> It's certainly usable, but I just got really spoiled by the
>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>> happens with upgraded instances and not fresh installs.
>>>>
>>>>
>>>>
>>>> It is always possible something didn't get upgraded properly but I've
>>>> done
>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>> faster we're always referring to the previous version (or versions).
>>>
>>>
>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>> time to load the "frame" as I call it. But the data would load almost
>>> instantaneously from there (certainly no more than 1 s) as you moved
>>> from page to page. Here, even if I return to the same page, the system
>>> acts as if the data is being fetched for the very first time as it is
>>> no faster than the first load. Maybe that is significant to the
>>> problem?
>>
>>
>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>> lot of users, responses might grow in size. You can check their size and
>> duration in browser developers tools. I suggest chrome/chromium - press F12
>> and choose 'network' tab.
>>
>> This new feature can't be disabled in configuration. To test if the slowdown
>> is done by paging you can (at own risk) replace line
>> /usr/share/ipa/ui/facet.js:538
>>
>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>
>> with:
>>
>> that.pagination = false;
>>
>> Note: It will break some other parts of the UI - so for testing only.
>
> I've made the substitution in the code (was line 507 for me; do I have
> a different version?). Looking at the time chart in Chrome I see that
> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
> waiting for the directory server or memcached?
Actually neither, it means waiting for a response from the web server
(technically it's making an RPC call via HTTP Ajax). The RPC call needs to
go through the web server, memcached, and typically will invoke one or more
directory server queries, and run a bunch of Python to massage everything
before the RPC returns with the result.

It doesn't look like you've got much difference in times between with
pagination on and pagination off. I don't know the pagination code but I
suspect it's run after the RPC call returns so the RPC timing is not telling
us much with respect to that.

Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
you have a lot of LDAP data?

But really, unless we get timing results for each component we're grasping
at straws :-(

>
> Here's a portion of the initial load of the Users page:
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 33.94KB 33.10KB 1.57s 1.47s 96ms (1.37s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 568.09KB 564.36KB 3.92s 2.95s 963ms (2.85s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 556.94KB 553.40KB 3.78s 2.94s 836ms (2.83s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 46.93KB 46.38KB 1.87s 1.71s (1.60s waiting)
>
> Now, with the pagination turned back on:
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 33.94KB 33.10KB 1.58s 1.48s 100ms (1.38s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 568.09KB 564.36KB 4.05s 3.09s 964ms (2.98s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 556.94KB 553.40KB 3.84s 2.99s 855ms (2.88s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 46.93KB 46.38KB 1.52s 1.51s (1.40s waiting)
>
> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Wed Jul 18 19:45:34 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 12:45:34 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <50070E55.90307@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com>
Message-ID: 

On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>
>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>> wrote:
>>>
>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>
>>> 8><------
>>>
>>>
>>>>>>
>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>> logs and didn't see anything that caused me concern.
>>>>>>
>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>>> happens with upgraded instances and not fresh installs.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> It is always possible something didn't get upgraded properly but I've
>>>>> done
>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>> faster we're always referring to the previous version (or versions).
>>>>
>>>>
>>>>
>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>>> time to load the "frame" as I call it. But the data would load almost
>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>> from page to page.
>>>> Here, even if I return to the same page, the system
>>>> acts as if the data is being fetched for the very first time as it is
>>>> no faster than the first load. Maybe that is significant to the
>>>> problem?
>>>
>>>
>>>
>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>> lot of users, responses might grow in size. You can check their size and
>>> duration in browser developers tools. I suggest chrome/chromium - press
>>> F12
>>> and choose 'network' tab.
>>>
>>> This new feature can't be disabled in configuration. To test if the
>>> slowdown
>>> is done by paging you can (at own risk) replace line
>>> /usr/share/ipa/ui/facet.js:538
>>>
>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>
>>> with:
>>>
>>> that.pagination = false;
>>>
>>> Note: It will break some other parts of the UI - so for testing only.
>>
>>
>> I've made the substitution in the code (was line 507 for me; do I have
>> a different version?). Looking at the time chart in Chrome I see that
>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>> waiting for the directory server or memcached?
>
>
> Actually neither, it means waiting for a response from the web server
> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to
> go through the web server, memcached, and typically will invoke one or more
> directory server queries, and run a bunch of Python to massage everything
> before the RPC returns with the result.
>
> It doesn't look like you've got much difference in times between with
> pagination on and pagination off. I don't know the pagination code but I
> suspect it's run after the RPC call returns so the RPC timing is not telling
> us much with respect to that.
>
> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
> you have a lot of LDAP data?

No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
any significant amount of hosts in it.
> But really, unless we get timing results for each component we're grasping
> at straws :-(

Understood.

Steve

From sbingram at gmail.com Wed Jul 18 19:51:53 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 12:51:53 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5006F995.2050108@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5005EDB8.7090803@redhat.com> <5006F995.2050108@redhat.com>
Message-ID: 

On Wed, Jul 18, 2012 at 10:59 AM, Dmitri Pal wrote:
> On 07/18/2012 01:53 PM, Stephen Ingram wrote:
>> On Tue, Jul 17, 2012 at 3:56 PM, John Dennis wrote:
>>> On 07/17/2012 05:43 PM, Stephen Ingram wrote:
>>>
>>>> [ details of performance analysis snipped for brevity ]
>>> I wonder if we shouldn't add some timing metrics to our code. As it is it's
>>> very hard to know where time is being spent.
>>>
>>> When I wrote the session code I added some timestamps used for managing
>>> session timeouts. It wouldn't be too hard to expand this to time how long it
>>> takes a command to execute because it's evaluated for every command.
>>> Combined with timestamping in the UI code we could get a reasonable idea of
>>> where some bottlenecks lie (or don't).
>> I've never used this before so I'm not sure how it would work, but it
>> sounds great. It's really difficult to tell what's causing the issue
>> when there are so many processes occurring.
>>
>
>
> While we are going with the technical digging let us also try to collect
> the sufficient information about the problem.
>
> Here are some questions that would help us to reproduce the issue.
>
> 1) Is the problem with every frame or just some specific UI pages?

The frame seems to load quickly. It is the inside part that contains
the data that is much slower.
> Can you for example see the IPA Configuration panel or log in as a self-service
> user? Are those fast?

I'm not sure what you mean by configuration panel, but if I login as
admin or self-service user, they are both equally slow.

> 2) Say it is users, so how many users do you have? Is it thousands?

No, only 49 users at the moment. We're still adding people. There isn't
a lot of data in the directory period--another reason I'm so surprised
by the slowness.

> Or maybe it is a specific group?

I notice that everyone is automatically subscribed to the ipausers
group. Hasn't that been changed such that the subscription is no longer
automatic? Maybe it is taking too long to enumerate that group? I can
unsubscribe the users if needed. Our groups only contain 3 users on
average.

> We might need to reproduce the same setup and see what is going on.

I'm more than willing to help in any way I can. I'm even considering
pulling our old 2.1.3 system from backup, but it would be difficult as
this one is in production now. I switched because of the memory leak in
2.1.3.
Steve

From dpal at redhat.com Wed Jul 18 20:06:38 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 18 Jul 2012 16:06:38 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com>
Message-ID: <5007174E.3080404@redhat.com>

On 07/18/2012 03:45 PM, Stephen Ingram wrote:
> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
>> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>>> wrote:
>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>>
>>>> 8><------
>>>>
>>>>
>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>>> logs and didn't see anything that caused me concern.
>>>>>>>
>>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>>>> happens with upgraded instances and not fresh installs.
>>>>>>
>>>>>>
>>>>>>
>>>>>> It is always possible something didn't get upgraded properly but I've
>>>>>> done
>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>>> faster we're always referring to the previous version (or versions).
>>>>>
>>>>>
>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>>>> time to load the "frame" as I call it. But the data would load almost
>>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>>> from page to page.
>>>>> Here, even if I return to the same page, the system
>>>>> acts as if the data is being fetched for the very first time as it is
>>>>> no faster than the first load. Maybe that is significant to the
>>>>> problem?
>>>>
>>>>
>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>>> lot of users, responses might grow in size. You can check their size and
>>>> duration in browser developers tools. I suggest chrome/chromium - press
>>>> F12
>>>> and choose 'network' tab.
>>>>
>>>> This new feature can't be disabled in configuration. To test if the
>>>> slowdown
>>>> is done by paging you can (at own risk) replace line
>>>> /usr/share/ipa/ui/facet.js:538
>>>>
>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>>
>>>> with:
>>>>
>>>> that.pagination = false;
>>>>
>>>> Note: It will break some other parts of the UI - so for testing only.
>>>
>>> I've made the substitution in the code (was line 507 for me; do I have
>>> a different version?). Looking at the time chart in Chrome I see that
>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>>> waiting for the directory server or memcached?
>>
>> Actually neither, it means waiting for a response from the web server
>> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to
>> go through the web server, memcached, and typically will invoke one or more
>> directory server queries, and run a bunch of Python to massage everything
>> before the RPC returns with the result.
>>
>> It doesn't look like you've got much difference in times between with
>> pagination on and pagination off. I don't know the pagination code but I
>> suspect it's run after the RPC call returns so the RPC timing is not telling
>> us much with respect to that.
>>
>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
>> you have a lot of LDAP data?
> No.
> 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
> any significant amount of hosts in it.
>
>> But really, unless we get timing results for each component we're grasping
>> at straws :-(
> Understood.
>
> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Do you have a replica and does this replica behave the same?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sbingram at gmail.com Wed Jul 18 20:27:43 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 13:27:43 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5007174E.3080404@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com>
Message-ID: 

On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote:
> On 07/18/2012 03:45 PM, Stephen Ingram wrote:
>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>>>> wrote:
>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>>>
>>>>> 8><------
>>>>>
>>>>>
>>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>>>> logs and didn't see anything that caused me concern.
>>>>>>>>
>>>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>>>> should be faster, what are you comparing it to?
>>>>>>>> Maybe this only
>>>>>>>> happens with upgraded instances and not fresh installs.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It is always possible something didn't get upgraded properly but I've
>>>>>>> done
>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>>>> faster we're always referring to the previous version (or versions).
>>>>>>
>>>>>>
>>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>>>>> time to load the "frame" as I call it. But the data would load almost
>>>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>>>> from page to page. Here, even if I return to the same page, the system
>>>>>> acts as if the data is being fetched for the very first time as it is
>>>>>> no faster than the first load. Maybe that is significant to the
>>>>>> problem?
>>>>>
>>>>>
>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>>>> lot of users, responses might grow in size. You can check their size and
>>>>> duration in browser developers tools. I suggest chrome/chromium - press
>>>>> F12
>>>>> and choose 'network' tab.
>>>>>
>>>>> This new feature can't be disabled in configuration. To test if the
>>>>> slowdown
>>>>> is done by paging you can (at own risk) replace line
>>>>> /usr/share/ipa/ui/facet.js:538
>>>>>
>>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>>>
>>>>> with:
>>>>>
>>>>> that.pagination = false;
>>>>>
>>>>> Note: It will break some other parts of the UI - so for testing only.
>>>>
>>>> I've made the substitution in the code (was line 507 for me; do I have
>>>> a different version?). Looking at the time chart in Chrome I see that
>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>>>> waiting for the directory server or memcached?
>>>
>>> Actually neither, it means waiting for a response from the web server
>>> (technically it's making an RPC call via HTTP Ajax).
>>> The RPC call needs to
>>> go through the web server, memcached, and typically will invoke one or more
>>> directory server queries, and run a bunch of Python to massage everything
>>> before the RPC returns with the result.
>>>
>>> It doesn't look like you've got much difference in times between with
>>> pagination on and pagination off. I don't know the pagination code but I
>>> suspect it's run after the RPC call returns so the RPC timing is not telling
>>> us much with respect to that.
>>>
>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
>>> you have a lot of LDAP data?
>> No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
>> any significant amount of hosts in it.
>>
>>> But really, unless we get timing results for each component we're grasping
>>> at straws :-(
>> Understood.
>>
>> Steve
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Do you have a replica and does this replica behave the same?

No replica yet. I wanted to get the memory leak issue solved first.
All I have to compare to is the old 2.1.3 before. This one is much
slower. I just can't seem to figure out what's wrong. The upgrade
seemed to complete successfully and there were no errors in the log.
The only things I've found thus far (earlier in this thread) are the
unindexed entries (all hosts entries) that Rich seemed to think might
be slowing things up. As the slowness is on every page, I wouldn't
think that would be the problem.

I wouldn't have said as much about this were it not for the promised
faster speed mentioned in the release notes. It's comparable to the
old 2.0 release candidates so I thought it might have been due to the
complexity of the feature additions.
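An added example, not code from the thread or from FreeIPA, for the "timing results for each component" John asks for: the directory server already records its share. Every operation in the 389-ds access log (assumed here to be at /var/log/dirsrv/slapd-INSTANCE/access, the default location) ends in a RESULT line carrying etime, and a search that could not be served from the indexes is marked notes=U (newer releases also use notes=A for a partially unindexed search), which is what the unindexed host entries Stephen mentions look like from the server side. The script pairs each SRCH with its RESULT by conn/op and prints the ones that were unindexed or slower than a threshold. The log lines it runs on are constructed for the demonstration; etime was reported in whole seconds by the 389-ds releases of this period, so a threshold of 1 is the finest cut available.

```shell
#!/bin/sh
# Added example (not code from the thread): pull slow and unindexed searches
# out of a 389-ds access log.  Every SRCH line is paired with its RESULT line
# by conn/op; a search is reported when RESULT carries notes=U or notes=A
# (unindexed) or etime is at least $2 seconds (default 1).
report_slow_searches() {
    access_log="$1"
    min_etime="${2:-1}"
    awk -v min="$min_etime" '
        # Field layout: [timestamp tz] conn=N op=N OPTYPE ...
        $3 ~ /^conn=/ && $4 ~ /^op=/ && $5 == "SRCH" {
            key = $3 " " $4
            b = $0; sub(/.* base=/, "", b); sub(/ scope=.*/, "", b)
            f = $0; sub(/.* filter=/, "", f); sub(/ attrs=.*/, "", f)
            base[key] = b; filter[key] = f
        }
        $3 ~ /^conn=/ && $4 ~ /^op=/ && $5 == "RESULT" && ($3 " " $4) in base {
            key = $3 " " $4
            etime = 0; unindexed = "no"
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^etime=/)        etime = substr($i, 7) + 0
                if ($i ~ /^notes=.*[AU]/)  unindexed = "yes"
            }
            if (unindexed == "yes" || etime >= min)
                printf "%s etime=%s unindexed=%s base=%s filter=%s\n",
                       key, etime, unindexed, base[key], filter[key]
            delete base[key]; delete filter[key]
        }
    ' "$access_log"
}

# Constructed sample log for the demonstration (not lines from anyone's server).
write_sample_access_log() {
    cat > "$1" <<'EOF'
[18/Jul/2012:11:52:03 -0700] conn=1201 op=5 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=*))" attrs="uid cn"
[18/Jul/2012:11:52:03 -0700] conn=1201 op=5 RESULT err=0 tag=101 nentries=49 etime=0
[18/Jul/2012:11:52:04 -0700] conn=1201 op=6 SRCH base="cn=computers,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=ipaHost)(fqdn=*))" attrs="fqdn"
[18/Jul/2012:11:52:07 -0700] conn=1201 op=6 RESULT err=0 tag=101 nentries=17 etime=3 notes=U
[18/Jul/2012:11:52:07 -0700] conn=1202 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Jul/2012:11:52:07 -0700] conn=1202 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[18/Jul/2012:11:52:08 -0700] conn=1202 op=2 SRCH base="cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="member"
[18/Jul/2012:11:52:10 -0700] conn=1202 op=2 RESULT err=0 tag=101 nentries=1 etime=2
EOF
}

# Stand-alone demonstration: the unindexed host search and the 2 s group
# read are reported, the fast user search and the BIND are not.
demo_dir=$(mktemp -d)
write_sample_access_log "$demo_dir/access"
report_slow_searches "$demo_dir/access" 1
rm -rf "$demo_dir"
```

Against a live server run it as `report_slow_searches /var/log/dirsrv/slapd-EXAMPLE-COM/access 1` (the access log is buffered, so the most recent operations may lag a little). A filter that comes back with unindexed=yes wants an equality or presence index on the attribute it filters on; a search that is indexed and fast but still sits inside a multi-second RPC points past the directory, at the Python and RPC layers John describes.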
Steve

From dpal at redhat.com Wed Jul 18 20:52:05 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 18 Jul 2012 16:52:05 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com>
Message-ID: <500721F5.4040004@redhat.com>

On 07/18/2012 04:27 PM, Stephen Ingram wrote:
> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote:
>> On 07/18/2012 03:45 PM, Stephen Ingram wrote:
>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
>>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>>>>> wrote:
>>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>>>>
>>>>>> 8><------
>>>>>>
>>>>>>
>>>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>>>>> logs and didn't see anything that caused me concern.
>>>>>>>>>
>>>>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>>>>>> happens with upgraded instances and not fresh installs.
>>>>>>>>
>>>>>>>>
>>>>>>>> It is always possible something didn't get upgraded properly but I've
>>>>>>>> done
>>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>>>>> faster we're always referring to the previous version (or versions).
>>>>>>>
>>>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>>>>>> time to load the "frame" as I call it. But the data would load almost
>>>>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>>>>> from page to page.
>>>>>>> Here, even if I return to the same page, the system
>>>>>>> acts as if the data is being fetched for the very first time as it is
>>>>>>> no faster than the first load. Maybe that is significant to the
>>>>>>> problem?
>>>>>>
>>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>>>>> lot of users, responses might grow in size. You can check their size and
>>>>>> duration in browser developers tools. I suggest chrome/chromium - press
>>>>>> F12
>>>>>> and choose 'network' tab.
>>>>>>
>>>>>> This new feature can't be disabled in configuration. To test if the
>>>>>> slowdown
>>>>>> is done by paging you can (at own risk) replace line
>>>>>> /usr/share/ipa/ui/facet.js:538
>>>>>>
>>>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>>>>
>>>>>> with:
>>>>>>
>>>>>> that.pagination = false;
>>>>>>
>>>>>> Note: It will break some other parts of the UI - so for testing only.
>>>>> I've made the substitution in the code (was line 507 for me; do I have
>>>>> a different version?). Looking at the time chart in Chrome I see that
>>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>>>>> waiting for the directory server or memcached?
>>>> Actually neither, it means waiting for a response from the web server
>>>> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to
>>>> go through the web server, memcached, and typically will invoke one or more
>>>> directory server queries, and run a bunch of Python to massage everything
>>>> before the RPC returns with the result.
>>>>
>>>> It doesn't look like you've got much difference in times between with
>>>> pagination on and pagination off. I don't know the pagination code but I
>>>> suspect it's run after the RPC call returns so the RPC timing is not telling
>>>> us much with respect to that.
>>>>
>>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
>>>> you have a lot of LDAP data?
>>> No.
>>> 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
>>> any significant amount of hosts in it.
>>>
>>>> But really, unless we get timing results for each component we're grasping
>>>> at straws :-(
>>> Understood.
>>>
>>> Steve
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Do you have a replica and does this replica behave the same?
> No replica yet. I wanted to get the memory leak issue solved first.
> All I have to compare to is the old 2.1.3 before. This one is much
> slower. I just can't seem to figure out what's wrong. The upgrade
> seemed to complete successfully and there were no errors in the log.
> The only things I've found thus far (earlier in this thread) are the
> unindexed entries (all hosts entries) that Rich seemed to think might
> be slowing things up. As the slowness is on every page, I wouldn't
> think that would be the problem.
>
> I wouldn't have said as much about this were it not for the promised
> faster speed mentioned in the release notes. It's comparable to the
> old 2.0 release candidates so I thought it might have been due to the
> complexity of the feature additions.
>
> Steve

Is the time correct on this system?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From ptader at linuxscope.com Wed Jul 18 20:58:19 2012
From: ptader at linuxscope.com (Paul Tader)
Date: Wed, 18 Jul 2012 15:58:19 -0500
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <4FEE28B2.4040000@redhat.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> <4FD5FDB7.6030809@linuxscope.com> <4FEE2434.7090305@linuxscope.com> <4FEE28B2.4040000@redhat.com>
Message-ID: <5007236B.9060501@linuxscope.com>

On 6/29/12 5:14 PM, Rob Crittenden wrote:
> Paul Tader wrote:
>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>> JR Aquino wrote:
>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>
>>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>> (steps) to renew these certs:
>>>>>
>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>> renew these? Is certmonger failing in this case?
>>>>
>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>> automatically renew the certificates. Then it should be as simple as
>>>> setting the date back, letting certmonger do its thing, then setting it
>>>> forward again.
>>>>
>>>> That is very strange certmonger output. You might try setting the date
>>>> back a couple of days and trying something like:
>>>>
>>>> ipa-getcert resubmit -i 20110706215145
>>>>
>>>> And see what the status goes to.
>>>>
>>>> rob
>>>
>>> (Sorry for the delayed reply)
>>>
>>> No luck with setting the date back and resubmitting the certificate.
>>>
>>> # /etc/init.d/ntpd stop
>>> Stopping ntpd (via systemctl): [ OK ]
>>>
>>> # date 060112002012
>>> Fri Jun 1 12:00:00 CDT 2012
>>>
>>> # /etc/init.d/httpd stop
>>> Stopping httpd (via systemctl): [ OK ]
>>> # /etc/init.d/httpd start
>>> Starting httpd (via systemctl): [ OK ]
>>>
>>> # ipa-getcert resubmit -i 20110706215145
>>> Resubmitting "20110706215145" to "IPA".
>>>
>>> # ipa-getcert list
>>> Number of certificates and requests being tracked: 3.
>>> Request ID '20110706215109':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=RELAM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20110706215129':
>>> status: CA_UNREACHABLE
>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20110706215145':
>>> status: GENERATING_CSR
>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>> server. Certificate operation cannot be completed: Unable to
>>> communicate with CMS (Unauthorized)).
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=srv01.company.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>
>> Still working on this problem. I've imported new self signed certs
>> because I don't think I can renew expired certs and now all of the
>> entries list like this:
>>
>> Request ID '20110706215145':
>> status: NEED_CSR_GEN_TOKEN
>> ca-error: Error setting up ccache for local "host" service using
>> default keytab.
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=REALM.NET
>> subject: CN=ipa01.domain.net,O=REALM.NET
>> expires: 2012-06-03 20:19:49 UTC
>> eku: id-kp-serverAuth
>> track: yes
>> auto-renew: yes
>>
>> Any tips or suggestions? I've saved off the old files so I think I can
>> go back to the expired certs.
>
> This means that the keytab isn't working for certmonger. This could be a
> couple of things.
> I'd try this first:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
>
> And
>
> # kvno host/$(hostname)
>
> rob

Output below:

# kinit host/$(hostname) -kt /etc/krb5.keytab
kinit: Password incorrect while getting initial credentials

# kvno host/$(hostname)
kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting client principal name


From sbingram at gmail.com Wed Jul 18 21:09:52 2012
From: sbingram at gmail.com (Stephen Ingram)
Date: Wed, 18 Jul 2012 14:09:52 -0700
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <500721F5.4040004@redhat.com>
References: <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com>
Message-ID:

On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote:
> On 07/18/2012 04:27 PM, Stephen Ingram wrote:
>> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote:
>>> On 07/18/2012 03:45 PM, Stephen Ingram wrote:
>>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
>>>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>>>>>> wrote:
>>>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>>>>>
>>>>>>> 8><------
>>>>>>>
>>>>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>>>>>> logs and didn't see anything that caused me concern.
>>>>>>>>>>
>>>>>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>>>>>>> happens with upgraded instances and not fresh installs.
>>>>>>>>>
>>>>>>>>> It is always possible something didn't get upgraded properly but I've done
>>>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>>>>>> faster we're always referring to the previous version (or versions).
>>>>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some
>>>>>>>> time to load the "frame" as I call it. But the data would load almost
>>>>>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>>>>>> from page to page. Here, even if I return to the same page, the system
>>>>>>>> acts as if the data is being fetched for the very first time as it is
>>>>>>>> no faster than the first load. Maybe that is significant to the
>>>>>>>> problem?
>>>>>>>
>>>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>>>>>> lot of users, responses might grow in size. You can check their size and
>>>>>>> duration in browser developers tools. I suggest chrome/chromium - press F12
>>>>>>> and choose 'network' tab.
>>>>>>>
>>>>>>> This new feature can't be disabled in configuration. To test if the slowdown
>>>>>>> is done by paging you can (at own risk) replace line
>>>>>>> /usr/share/ipa/ui/facet.js:538
>>>>>>>
>>>>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>>>>>
>>>>>>> with:
>>>>>>>
>>>>>>> that.pagination = false;
>>>>>>>
>>>>>>> Note: It will break some other parts of the UI - so for testing only.
>>>>>> I've made the substitution in the code (was line 507 for me-do I have
>>>>>> a different version?). Looking at the time chart in Chrome I see that
>>>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>>>>>> waiting for the directory server or memcached?
>>>>> Actually neither, it means waiting for a response from the web server
>>>>> (technically it's making an RPC call via HTTP Ajax).
>>>>> The RPC call needs to
>>>>> go through the web server, memcached, and typically will invoke one or more
>>>>> directory server queries, and run a bunch of Python to massage everything
>>>>> before the RPC returns with the result.
>>>>>
>>>>> It doesn't look like you've got much difference in times between with
>>>>> pagination on and pagination off. I don't know the pagination code but I
>>>>> suspect it's run after the RPC call returns so the RPC timing is not telling
>>>>> us much with respect to that.
>>>>>
>>>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
>>>>> you have a lot of LDAP data?
>>>> No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
>>>> any significant amount of hosts in it.
>>>>
>>>>> But really, unless we get timing results for each component we're grasping
>>>>> at straws :-(
>>>> Understood.
>>>>
>>>> Steve
>>>>
>>> Do you have a replica and does this replica behave the same?
>> No replica yet. I wanted to get the memory leak issue solved first.
>> All I have to compare to is the old 2.1.3 before. This one is much
>> slower. I just can't seem to figure out what's wrong. The upgrade
>> seemed to complete successfully and there were no errors in the log.
>> The only things I've found thus far (earlier in this thread) are the
>> unindexed entries (all hosts entries) that Rich seemed to think might
>> be slowing things up. As the slowness is on every page, I wouldn't
>> think that would be the problem.
>>
>> I wouldn't have said as much about this were it not for the promised
>> faster speed mentioned in the release notes. It's comparable to the
>> old 2.0 release candidates so I thought it might have been due to the
>> complexity of the feature additions.
>>
>> Steve
> Is the time correct on this system?

Yes.
HW clock is GMT and localtime is Pacific Daylight Time and it is
accurate to the minute.

Steve


From rcritten at redhat.com Wed Jul 18 21:16:30 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 18 Jul 2012 17:16:30 -0400
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <5007236B.9060501@linuxscope.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> <4FD5FDB7.6030809@linuxscope.com> <4FEE2434.7090305@linuxscope.com> <4FEE28B2.4040000@redhat.com> <5007236B.9060501@linuxscope.com>
Message-ID: <500727AE.8000005@redhat.com>

Paul Tader wrote:
> On 6/29/12 5:14 PM, Rob Crittenden wrote:
>> Paul Tader wrote:
>>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>>> JR Aquino wrote:
>>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>>
>>>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>>> (steps) to renew these certs:
>>>>>>
>>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>>> renew these? Is certmonger failing in this case?
>>>>>
>>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>>> automatically renew the certificates. Then it should be as simple as
>>>>> setting the date back, letting certmonger do its thing, then setting it
>>>>> forward again.
>>>>>
>>>>> That is very strange certmonger output. You might try setting the date
>>>>> back a couple of days and trying something like:
>>>>>
>>>>> ipa-getcert resubmit -i 20110706215145
>>>>>
>>>>> And see what the status goes to.
>>>>>
>>>>> rob
>>>>
>>>> (Sorry for the delayed reply)
>>>>
>>>> No luck with setting the date back and resubmitting the certificate.
>>>>
>>>> # /etc/init.d/ntpd stop
>>>> Stopping ntpd (via systemctl): [ OK ]
>>>>
>>>> # date 060112002012
>>>> Fri Jun 1 12:00:00 CDT 2012
>>>>
>>>> # /etc/init.d/httpd stop
>>>> Stopping httpd (via systemctl): [ OK ]
>>>> # /etc/init.d/httpd start
>>>> Starting httpd (via systemctl): [ OK ]
>>>>
>>>> # ipa-getcert resubmit -i 20110706215145
>>>> Resubmitting "20110706215145" to "IPA".
>>>>
>>>> # ipa-getcert list
>>>> Number of certificates and requests being tracked: 3.
>>>> Request ID '20110706215109':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=RELAM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20110706215129':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=REALM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20110706215145':
>>>> status: GENERATING_CSR
>>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>> server. Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Unauthorized)).
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=REALM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>
>>> Still working on this problem. I've imported new self signed certs
>>> because I don't think I can renew expired certs and now all of the
>>> entries list like this:
>>>
>>> Request ID '20110706215145':
>>> status: NEED_CSR_GEN_TOKEN
>>> ca-error: Error setting up ccache for local "host" service using
>>> default keytab.
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=ipa01.domain.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>>
>>> Any tips or suggestions? I've saved off the old files so I think I can
>>> go back to the expired certs.
>>
>> This means that the keytab isn't working for certmonger. This could be a
>> couple of things. I'd try this first:
>>
>> # kinit host/$(hostname) -kt /etc/krb5.keytab
>>
>> And
>>
>> # kvno host/$(hostname)
>>
>> rob
>
> Output below:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
> kinit: Password incorrect while getting initial credentials
>
> # kvno host/$(hostname)
> kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting
> client principal name
>

Not sure how or why but it would appear that the host principal on your
server is out-of-whack. I'd get a new one with:

# ipa-getkeytab -s $(hostname) -k /etc/krb5.keytab -p host/$(hostname)

That should make the kinit and kvno work, and certmonger as well.

rob


From ptader at linuxscope.com Wed Jul 18 21:25:39 2012
From: ptader at linuxscope.com (Paul Tader)
Date: Wed, 18 Jul 2012 16:25:39 -0500
Subject: [Freeipa-users] FreeIPA webserver cert expired.
In-Reply-To: <5007236B.9060501@linuxscope.com>
References: <4FCE4D7D.4090700@linuxscope.com> <58AFF337-9503-4DC7-9152-378791C00043@citrixonline.com> <4FCE5F03.3000901@redhat.com> <4FD5FDB7.6030809@linuxscope.com> <4FEE2434.7090305@linuxscope.com> <4FEE28B2.4040000@redhat.com> <5007236B.9060501@linuxscope.com>
Message-ID: <500729D3.4090600@linuxscope.com>

On 7/18/12 3:58 PM, Paul Tader wrote:
> On 6/29/12 5:14 PM, Rob Crittenden wrote:
>> Paul Tader wrote:
>>> On 6/11/12 9:16 AM, Paul Tader wrote:
>>>> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>>>>> JR Aquino wrote:
>>>>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>>>>
>>>>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>>>>> kinit but tools such as sudo fail because of the expired
>>>>>>> certificates. Lots of reading/Google'ing later I found this script
>>>>>>> (steps) to renew these certs:
>>>>>>
>>>>>> I'm just curious, but, isn't certmonger supposed to automatically
>>>>>> renew these? Is certmonger failing in this case?
>>>>>
>>>>> Yes, the first thing to do is figure out why certmonger didn't
>>>>> automatically renew the certificates. Then it should be as simple as
>>>>> setting the date back, letting certmonger do its thing, then setting it
>>>>> forward again.
>>>>>
>>>>> That is very strange certmonger output. You might try setting the date
>>>>> back a couple of days and trying something like:
>>>>>
>>>>> ipa-getcert resubmit -i 20110706215145
>>>>>
>>>>> And see what the status goes to.
>>>>>
>>>>> rob
>>>>
>>>> (Sorry for the delayed reply)
>>>>
>>>> No luck with setting the date back and resubmitting the certificate.
>>>>
>>>> # /etc/init.d/ntpd stop
>>>> Stopping ntpd (via systemctl): [ OK ]
>>>>
>>>> # date 060112002012
>>>> Fri Jun 1 12:00:00 CDT 2012
>>>>
>>>> # /etc/init.d/httpd stop
>>>> Stopping httpd (via systemctl): [ OK ]
>>>> # /etc/init.d/httpd start
>>>> Starting httpd (via systemctl): [ OK ]
>>>>
>>>> # ipa-getcert resubmit -i 20110706215145
>>>> Resubmitting "20110706215145" to "IPA".
>>>>
>>>> # ipa-getcert list
>>>> Number of certificates and requests being tracked: 3.
>>>> Request ID '20110706215109':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=RELAM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20110706215129':
>>>> status: CA_UNREACHABLE
>>>> ca-error: Server failed request, will retry: -504 (libcurl failed
>>>> to execute the HTTP POST transaction, explaining: SSL connect error).
>>>> stuck: yes
>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=REALM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20110706215145':
>>>> status: GENERATING_CSR
>>>> ca-error: Server failed request, will retry: 4301 (RPC failed at
>>>> server. Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Unauthorized)).
>>>> stuck: no
>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> CA: IPA
>>>> issuer: CN=Certificate Authority,O=REALM.NET
>>>> subject: CN=srv01.company.net,O=REALM.NET
>>>> expires: 2012-06-03 20:19:49 UTC
>>>> eku: id-kp-serverAuth
>>>> track: yes
>>>> auto-renew: yes
>>>>
>>>
>>> Still working on this problem. I've imported new self signed certs
>>> because I don't think I can renew expired certs and now all of the
>>> entries list like this:
>>>
>>> Request ID '20110706215145':
>>> status: NEED_CSR_GEN_TOKEN
>>> ca-error: Error setting up ccache for local "host" service using
>>> default keytab.
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> CA: IPA
>>> issuer: CN=Certificate Authority,O=REALM.NET
>>> subject: CN=ipa01.domain.net,O=REALM.NET
>>> expires: 2012-06-03 20:19:49 UTC
>>> eku: id-kp-serverAuth
>>> track: yes
>>> auto-renew: yes
>>>
>>> Any tips or suggestions? I've saved off the old files so I think I can
>>> go back to the expired certs.
>>
>> This means that the keytab isn't working for certmonger. This could be a
>> couple of things. I'd try this first:
>>
>> # kinit host/$(hostname) -kt /etc/krb5.keytab
>>
>> And
>>
>> # kvno host/$(hostname)
>>
>> rob
>
> Output below:
>
> # kinit host/$(hostname) -kt /etc/krb5.keytab
> kinit: Password incorrect while getting initial credentials
>
> # kvno host/$(hostname)
> kvno: Credentials cache file '/tmp/krb5cc_0' not found while getting
> client principal name
>

Thanks Rob, that fixed that part. Any suggestions regarding the expired
apache cert that's causing this issue?
$ sudo -l
sudo: ldap_start_tls_s(): Connect error
sudo: no valid sudoers sources found, quitting


From dpal at redhat.com Wed Jul 18 21:26:02 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 18 Jul 2012 17:26:02 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To:
References: <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com>
Message-ID: <500729EA.4040507@redhat.com>

On 07/18/2012 05:09 PM, Stephen Ingram wrote:
> On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote:
>> On 07/18/2012 04:27 PM, Stephen Ingram wrote:
>>> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote:
>>>> On 07/18/2012 03:45 PM, Stephen Ingram wrote:
>>>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote:
>>>>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote:
>>>>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik
>>>>>>> wrote:
>>>>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>>>>>>>
>>>>>>>> 8><------
>>>>>>>>
>>>>>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>>>>>>>> although it is really difficult to tell. I've pored over the debug
>>>>>>>>>>> logs and didn't see anything that caused me concern.
>>>>>>>>>>>
>>>>>>>>>>> It's certainly usable, but I just got really spoiled by the
>>>>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>>>>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>>>>>>>> happens with upgraded instances and not fresh installs.
>>>>>>>>>>
>>>>>>>>>> It is always possible something didn't get upgraded properly but I've done
>>>>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is
>>>>>>>>>> faster we're always referring to the previous version (or versions).
>>>>>>>>> Maybe I was just lucky with 2.1.3.
>>>>>>>>> On a first load it might take some
>>>>>>>>> time to load the "frame" as I call it. But the data would load almost
>>>>>>>>> instantaneously from there (certainly no more than 1 s) as you moved
>>>>>>>>> from page to page. Here, even if I return to the same page, the system
>>>>>>>>> acts as if the data is being fetched for the very first time as it is
>>>>>>>>> no faster than the first load. Maybe that is significant to the
>>>>>>>>> problem?
>>>>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With
>>>>>>>> lot of users, responses might grow in size. You can check their size and
>>>>>>>> duration in browser developers tools. I suggest chrome/chromium - press F12
>>>>>>>> and choose 'network' tab.
>>>>>>>>
>>>>>>>> This new feature can't be disabled in configuration. To test if the slowdown
>>>>>>>> is done by paging you can (at own risk) replace line
>>>>>>>> /usr/share/ipa/ui/facet.js:538
>>>>>>>>
>>>>>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination;
>>>>>>>>
>>>>>>>> with:
>>>>>>>>
>>>>>>>> that.pagination = false;
>>>>>>>>
>>>>>>>> Note: It will break some other parts of the UI - so for testing only.
>>>>>>> I've made the substitution in the code (was line 507 for me-do I have
>>>>>>> a different version?). Looking at the time chart in Chrome I see that
>>>>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean
>>>>>>> waiting for the directory server or memcached?
>>>>>> Actually neither, it means waiting for a response from the web server
>>>>>> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to
>>>>>> go through the web server, memcached, and typically will invoke one or more
>>>>>> directory server queries, and run a bunch of Python to massage everything
>>>>>> before the RPC returns with the result.
>>>>>>
>>>>>> It doesn't look like you've got much difference in times between with
>>>>>> pagination on and pagination off.
>>>>>> I don't know the pagination code but I
>>>>>> suspect it's run after the RPC call returns so the RPC timing is not telling
>>>>>> us much with respect to that.
>>>>>>
>>>>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do
>>>>>> you have a lot of LDAP data?
>>>>> No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has
>>>>> any significant amount of hosts in it.
>>>>>
>>>>>> But really, unless we get timing results for each component we're grasping
>>>>>> at straws :-(
>>>>> Understood.
>>>>>
>>>>> Steve
>>>>>
>>>> Do you have a replica and does this replica behave the same?
>>> No replica yet. I wanted to get the memory leak issue solved first.
>>> All I have to compare to is the old 2.1.3 before. This one is much
>>> slower. I just can't seem to figure out what's wrong. The upgrade
>>> seemed to complete successfully and there were no errors in the log.
>>> The only things I've found thus far (earlier in this thread) are the
>>> unindexed entries (all hosts entries) that Rich seemed to think might
>>> be slowing things up. As the slowness is on every page, I wouldn't
>>> think that would be the problem.
>>>
>>> I wouldn't have said as much about this were it not for the promised
>>> faster speed mentioned in the release notes. It's comparable to the
>>> old 2.0 release candidates so I thought it might have been due to the
>>> complexity of the feature additions.
>>>
>>> Steve
>> Is the time correct on this system?
> Yes. HW clock is GMT and localtime is Pacific Daylight Time and it is
> accurate to the minute.
>
> Steve

Can you check the Kerberos logs whether the ldap service ticket is
acquired on every http request via browser? Also http logs might shed
some light on what is going on a request. Maybe this would give us some
hint.
What you are experiencing is wrong and alarming. This is why I want to
drill down to the root of the problem.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From Steven.Jones at vuw.ac.nz Thu Jul 19 00:02:52 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 Jul 2012 00:02:52 +0000
Subject: [Freeipa-users] IPA and UIDS <500
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Is there a rule or something that makes users with a UID of less than 500 not work?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272


From Steven.Jones at vuw.ac.nz Thu Jul 19 00:39:12 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 Jul 2012 00:39:12 +0000
Subject: [Freeipa-users] a user called oracle
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD524D4@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I want to create a user that users who can login to a host can sudo -i to....but I don't want to allow that user ssh or login but must exist on the server such that the sudo -i command will succeed.

I cannot see how this is done, can it be done?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272


From sgallagh at redhat.com Thu Jul 19 00:42:43 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Wed, 18 Jul 2012 20:42:43 -0400
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com>

On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote:
> Hi,
>
> Is there a rule or something that makes users with a UID of less than
> 500 not work?
Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and most other distributions such as Debian and Ubuntu), the reserved range has been increased to 1000. So it's never safe to use an ID below those values. (And as a general rule, it's best to keep your network IDs above 10,000 to avoid conflicts with local user accounts as well). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From sgallagh at redhat.com Thu Jul 19 00:43:18 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Wed, 18 Jul 2012 20:43:18 -0400 Subject: [Freeipa-users] a user called oracle In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD524D4@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD524D4@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1342658598.2492.123.camel@sgallagh520.sgallagh.bos.redhat.com> On Thu, 2012-07-19 at 00:39 +0000, Steven Jones wrote: > Hi, > > I want to create a user that users who can login to a host can sudo -i to....but I dont want to allow that user ssh or login but must exist on the server such that the sudo -i command will succeed. > > I cannot see how this is done, can it be done? Set their shell to /bin/nologin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From Steven.Jones at vuw.ac.nz Thu Jul 19 00:51:48 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 19 Jul 2012 00:51:48 +0000 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD524F2@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, So this is a rule that is hard coded into IPA? I agree on the principle unfortunately I have several accounts that do things like apache, run applications on the host.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Stephen Gallagher [sgallagh at redhat.com] Sent: Thursday, 19 July 2012 12:42 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA and UIDS <500 On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote: > Hi, > > Is there a rule or something that makes users with a UID of less than > 500 not work? Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for system services such as the apache user. On newer Fedora systems (and most other distributions such as Debian and Ubuntu), the reserved range has been increased to 1000. So it's never safe to use an ID below those values. (And as a general rule, it's best to keep your network IDs above 10,000 to avoid conflicts with local user accounts as well). 
From Steven.Jones at vuw.ac.nz  Thu Jul 19 00:53:55 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 19 Jul 2012 00:53:55 +0000
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz>

Actually it's pam....unless IPA is as well.

Which makes sense then to have an application run < 500 so inherently it cannot be logged into via ssh....

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Stephen Gallagher [sgallagh at redhat.com]
Sent: Thursday, 19 July 2012 12:42 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On Thu, 2012-07-19 at 00:02 +0000, Steven Jones wrote:
> Hi,
> 
> Is there a rule or something that makes users with a UID of less than
> 500 not work?

Yes, on Red Hat and older Fedora systems, UIDs below 500 are reserved for
system services such as the apache user. On newer Fedora systems (and most
other distributions such as Debian and Ubuntu), the reserved range has been
increased to 1000. So it's never safe to use an ID below those values.

(And as a general rule, it's best to keep your network IDs above 10,000 to
avoid conflicts with local user accounts as well).
From sbingram at gmail.com Thu Jul 19 06:29:34 2012 From: sbingram at gmail.com (Stephen Ingram) Date: Wed, 18 Jul 2012 23:29:34 -0700 Subject: [Freeipa-users] 2.20 dirsrv memory usage In-Reply-To: <500729EA.4040507@redhat.com> References: <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com> <500729EA.4040507@redhat.com> Message-ID: On Wed, Jul 18, 2012 at 2:26 PM, Dmitri Pal wrote: > On 07/18/2012 05:09 PM, Stephen Ingram wrote: >> On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote: >>> On 07/18/2012 04:27 PM, Stephen Ingram wrote: >>>> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote: >>>>> On 07/18/2012 03:45 PM, Stephen Ingram wrote: >>>>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote: >>>>>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote: >>>>>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik >>>>>>>> wrote: >>>>>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote: >>>>>>>>> >>>>>>>>> 8><------ >>>>>>>>> >>>>>>>>> >>>>>>>>>>>> I'm beginning to think this is just the Web UI itself instead of 389 >>>>>>>>>>>> although it is really difficult to tell. I've poured over the debug >>>>>>>>>>>> logs and didn't see anything that caused me concern. >>>>>>>>>>>> >>>>>>>>>>>> It's certainly usable, but I just got really spoiled by the >>>>>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it >>>>>>>>>>>> should be faster, what are you comparing it to? Maybe this only >>>>>>>>>>>> happens with upgraded instances and not fresh installs. >>>>>>>>>>> >>>>>>>>>>> It is always possible something didn't get upgraded properly but I've >>>>>>>>>>> done >>>>>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is >>>>>>>>>>> faster we're always referring to the previous version (or versions). 
>>>>>>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some >>>>>>>>>> time to load the "frame" as I call it. But the data would load almost >>>>>>>>>> instantaneously from there (certainly no more than 1 s) as you moved >>>>>>>>>> from page to page. Here, even if I return to the same page, the system >>>>>>>>>> acts as if the data is begin fetched for the very first time as it is >>>>>>>>>> no faster than the first load. Maybe that is significant to the >>>>>>>>>> problem? >>>>>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With >>>>>>>>> lot of users, responses might grow in size. You can check their size and >>>>>>>>> duration in browser developers tools. I suggest chrome/chromium - press >>>>>>>>> F12 >>>>>>>>> and choose 'network' tab. >>>>>>>>> >>>>>>>>> This new feature can't be disabled in configuration. To test if the >>>>>>>>> slowdown >>>>>>>>> is done by paging you can (at own risk) replace line >>>>>>>>> /usr/share/ipa/ui/facet.js:538 >>>>>>>>> >>>>>>>>> that.pagination = spec.pagination === undefined ? true : spec.pagination; >>>>>>>>> >>>>>>>>> with: >>>>>>>>> >>>>>>>>> that.pagination = false; >>>>>>>>> >>>>>>>>> Note: It will break some other parts of the UI - so for testing only. >>>>>>>> I've made the substitution in the code (was line 507 for me-do I have >>>>>>>> a different version?). Looking at the time chart in Chrome I see that >>>>>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean >>>>>>>> waiting for the directory server or memcached? >>>>>>> Actually neither, it means waiting for a response from the web server >>>>>>> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to >>>>>>> go through the web server, memcached, and typically will invoke one or more >>>>>>> directory server queries, and run a bunch of Python to massage everything >>>>>>> before the RPC returns with the result. 
>>>>>>> >>>>>>> It doesn't look like you've got much difference in times between with >>>>>>> pagination on and pagination off. I don't know the pagination code but I >>>>>>> suspect it's run after the RPC call returns so the RPC timing is not telling >>>>>>> us much with respect to that. >>>>>>> >>>>>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do >>>>>>> you have a lot of LDAP data? >>>>>> No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has >>>>>> any significant amount of hosts in it. >>>>>> >>>>>>> But really, unless we get timing results for each component we're grasping >>>>>>> at straws :-( >>>>>> Understood. >>>>>> >>>>>> Steve >>>>> Do you have a replica and does this replica behave the same? >>>> No replica yet. I wanted to get the memory leak issue solved first. >>>> All I have to compare to is the old 2.1.3 before. This one is much >>>> slower. I just can't seem to figure out what's wrong. The upgrade >>>> seemed to complete successfully and there were no errors in the log. >>>> The only things I've found thus far (earlier in this thread) are the >>>> unindexed entries (all hosts entries) that Rich seemed to think might >>>> be slowing things up. As the slowness is on every page, I wouldn't >>>> think that would be the problem. >>>> >>>> I wouldn't have said as much about this were it not for the promised >>>> faster speed mentioned in the release notes. It's comparable to the >>>> old 2.0 release candidates so I thought it might have been due to the >>>> complexity of the feature additions. >>>> >>>> Steve >>> Is the time correct on this system? >> Yes. HW clock is GMT and localtime is Pacific Daylight Time and it is >> accurate to the minute. >> >> Steve > Can you check the Kerberos logs whether the ldap service ticket is > acquired on every http request via browser? That looks to be the case. 
I tailed the log while accessing each page and got:

Jul 18 22:43:15 ipa1.example.com krb5kdc[1243](info): TGS_REQ (4 etypes {18 17 16 23}) xxx.xx.xx.xx: ISSUE: authtime 1342640481, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa1.example.com at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
Jul 18 22:43:15 ipa1.example.com krb5kdc[1243](info): ... CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM
Jul 18 22:43:16 ipa1.example.com krb5kdc[1243](info): TGS_REQ (4 etypes {18 17 16 23}) xxx.xx.xx.xx: ISSUE: authtime 1342640481, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa1.example.com at EXAMPLE.COM for ldap/ipa1.example.com at EXAMPLE.COM
Jul 18 22:43:16 ipa1.example.com krb5kdc[1243](info): ... CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM

Interestingly, this even came up when doing something as simple as moving
to the next page of users. I'm guessing this isn't correct?

> Also http logs might shed some light on what is going on a request. May
> be this would give us some hint.

Everything there looks normal. It's accessing /ipa/session/json every
time and the error log shows what appear to be queries to the directory
server. I compared this to my older v 2.1.3 logs and it looks the same
except for the addition of the session.

> What you are experiencing is wrong and alarming. This is why I want to
> drill down to the root of the problem.

I agree. I was all excited to see the faster IPA and instead I'm stuck
with one that chugs along. Perhaps it is several things together that
are adding up to more time. Petr pointed me in a great direction using
the developer panel in Chrome to see the various pieces that are taking
time. This is illuminating each component that loads.

For example, a simple click to a new page of users generates two hits to
/ipa/session:

json /ipa/session POST 200 Success application/json jquery.js:7365 Script  9.30KB  8.78KB 1.47s 1.46s 1.46s 6ms
json /ipa/session POST 200 Success application/json jquery.js:7365 Script 74.65KB 73.41KB 1.80s 1.61s 1.61s

As you can see just flipping the page took 3.27s for something that used
to be almost instantaneous. As each request waits for a response, I'm
not sure why this shouldn't be one request. Perhaps, with the kerberos
requests, the directory server query and the Web UI jquery stuff, it
requires two requests and things are simply adding up.

Steve

From pvoborni at redhat.com  Thu Jul 19 09:02:25 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 19 Jul 2012 11:02:25 +0200
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <833D8E48405E064EBC54C84EC6B36E404CD16BDC@STAWINCOX10MBX1.staff.vuw.ac.nz> <50001F21.8030506@redhat.com> <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com>
Message-ID: <5007CD21.1070502@redhat.com>

On 07/18/2012 08:59 PM, Stephen Ingram wrote:
> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik wrote:
>> On 07/17/2012 11:43 PM, Stephen Ingram wrote:
>>
>> 8><------
>>
>>
>>>>> I'm beginning to think this is just the Web UI itself instead of 389
>>>>> although it is really difficult to tell. I've poured over the debug
>>>>> logs and didn't see anything that caused me concern.
>>>>>
>>>>> It's certainly usable, but I just got really spoiled by the
>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it
>>>>> should be faster, what are you comparing it to? Maybe this only
>>>>> happens with upgraded instances and not fresh installs.
>>>>
>>>>
>>>> It is always possible something didn't get upgraded properly but I've
>>>> done
>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this.
When we say something is >>>> faster we're always referring to the previous version (or versions). >>> >>> >>> Maybe I was just lucky with 2.1.3. On a first load it might take some >>> time to load the "frame" as I call it. But the data would load almost >>> instantaneously from there (certainly no more than 1 s) as you moved >>> from page to page. Here, even if I return to the same page, the system >>> acts as if the data is begin fetched for the very first time as it is >>> no faster than the first load. Maybe that is significant to the >>> problem? >> >> >> I think the culprit is Web UI paging capabilities introduced in 2.2. With >> lot of users, responses might grow in size. You can check their size and >> duration in browser developers tools. I suggest chrome/chromium - press F12 >> and choose 'network' tab. >> >> This new feature can't be disabled in configuration. To test if the slowdown >> is done by paging you can (at own risk) replace line >> /usr/share/ipa/ui/facet.js:538 >> >> that.pagination = spec.pagination === undefined ? true : spec.pagination; >> >> with: >> >> that.pagination = false; >> >> Note: It will break some other parts of the UI - so for testing only. > > I've made the substitution in the code (was line 507 for me-do I have > a different version?). I was looking at the top of FreeIPA 2.2 branch. RHEL version differs a bit. It shouldn't matter in this case though. > Looking at the time chart in Chrome I see that > the bulk of the time is for /ipa/session waiting. Would "waiting" mean > waiting for the directory server or memcached? Basically all the stuff, which is needed for processing of the request. The pipeline is something like (I don't want to go into details): httpd -> mod_wsgi -> python -> memcache, dir server request .... and back. From what I see I think the problem is not on Web UI side. Most of the time is waiting for server response. I initially thought the problem lies in a large number of users (1000+). 
But in another post you mentioned that it is under 100. Hence this new
paging feature shouldn't be a big problem.

>
> Here's a portion of the initial load of the Users page:

The first 3 requests are the initial load of the web UI (not including .js
files and such) - you can see they are the same in both cases. I don't
see a login request so the session is already established.

> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 33.94KB 33.10KB 1.57s 1.47s 96ms (1.37s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 568.09KB 564.36KB 3.92s 2.95s 963ms (2.85s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 556.94KB 553.40KB 3.78s 2.94s 836ms (2.83s waiting)

This one is the user load:

> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 46.93KB 46.38KB 1.87s 1.71s (1.60s waiting)
>
> Now, with the pagination turned back on:
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 33.94KB 33.10KB 1.58s 1.48s 100ms (1.38s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 568.09KB 564.36KB 4.05s 3.09s 964ms (2.98s waiting)
> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 556.94KB 553.40KB 3.84s 2.99s 855ms (2.88s waiting)

Here you can see a change. With pagination turned on it should be two
requests. One to get primary keys (logins) and a second to get users. The
latter is missing in this list. With a lot of users the first response
grows. With a low number of users it is in fact smaller than with
pagination turned off.

> json/ipa/session POST 200 Success application/json jquery.js:7365
> Script 46.93KB 46.38KB 1.52s 1.51s (1.40s waiting)

As I mentioned you are missing one request so it will add approx. 1.5s.
The second request is kind of a slowdown from IPA 2.1.4 but the main
issue is still the long server processing time.
> > Steve > -- Petr Vobornik From sgallagh at redhat.com Thu Jul 19 11:36:34 2012 From: sgallagh at redhat.com (Stephen Gallagher) Date: Thu, 19 Jul 2012 07:36:34 -0400 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote: > Actually its pam....unless IPA is as well. > > Which makes sense then to have an application run < 500 so inherently it cannot be logged into via ssh.... Well, it's possible to configure your system to allow logging in to users below 500, but it's not recommended. The real risk is of having system services with an ID that conflicts with a user. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part URL: From simo at redhat.com Thu Jul 19 13:04:30 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 19 Jul 2012 09:04:30 -0400 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <1342703070.3219.211.camel@willson.li.ssimo.org> On Thu, 2012-07-19 at 07:36 -0400, Stephen Gallagher wrote: > On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote: > > Actually its pam....unless IPA is as well. 
> >
> > Which makes sense then to have an application run < 500 so inherently it cannot be logged into via ssh....
>
> Well, it's possible to configure your system to allow logging in to
> users below 500, but it's not recommended. The real risk is of having
> system services with an ID that conflicts with a user.

In general we do not recommend setting ids on your own, let ipa choose
IDs unless you have a constraint that prevents you from letting that
happen.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From jdennis at redhat.com  Thu Jul 19 15:01:16 2012
From: jdennis at redhat.com (John Dennis)
Date: Thu, 19 Jul 2012 11:01:16 -0400
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: 
References: <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com> <500729EA.4040507@redhat.com>
Message-ID: <5008213C.8070201@redhat.com>

Rob may have already contacted you with this, but if not we would like
to get more debugging information by having the server log what is
occurring when it processes your requests.

To do this you'll need to turn on the debug flag in the IPA
configuration file /etc/ipa/default.conf, add a line that says:

debug = True

Then restart the server to pick up the new configuration. The
information will be written to /var/log/httpd/error_log.

We only need the contents of the log from when the server was restarted
with debug logging enabled. For privacy reasons I suggest you send the
contents of the log to one of the IPA team members directly in a private
email, not to the public freeipa list.

Thanks!

John

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From abokovoy at redhat.com  Thu Jul 19 15:12:46 2012
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 19 Jul 2012 18:12:46 +0300
Subject: [Freeipa-users] 2.20 dirsrv memory usage
In-Reply-To: <5008213C.8070201@redhat.com>
References: <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com> <500729EA.4040507@redhat.com> <5008213C.8070201@redhat.com>
Message-ID: <20120719151246.GB1052@redhat.com>

On Thu, 19 Jul 2012, John Dennis wrote:
>Rob may have already contacted you with this, but if not we would
>like to get more debugging information by have the server log what is
>occurring when it processes your requests.
>
>To do this you'll need to turn on the debug flag in the IPA
>configuration file /etc/ipa/default.conf, add a line that says:
>
>debug = True
>
>Then restart the server to pick up the new configuration. The
>information will be written to /var/log/httpd/error_log.
>
>We only need the contents of the log from when the server was
>restarted with debug logging enabled. For privacy reasons I suggest
>you send the contents of the log to one of the IPA team members
>directly in a private email, not to the public freeipa list.

In addition we would like to see what's happening with krb5
communication under httpd processes. In order to obtain that tracing
information you need to do the following:

1. Add KRB5_TRACE=/tmp/http_krb5_trace.log to /etc/sysconfig/httpd

2. Restart httpd (or httpd.service in Fedora)

3. Now you need to create the file and chown it to apache's user so that
   httpd processes would be able to write to it: find out the PID of any
   of the httpd processes, doesn't matter which one

   touch /proc/$PID/cwd/tmp/http_krb5_trace.log
   chown apache /proc/$PID/cwd/tmp/http_krb5_trace.log

4. Now you can issue IPA commands and you'll get krb5 client tracing in
   /proc/$PID/cwd/tmp/http_krb5_trace.log

   The reason why (3) talks about the PID of an httpd process is because
   in Fedora, unlike in RHEL6.x, systemd is handling services startup and
   systemd confines httpd to a private /tmp. Using /proc/$PID/cwd/tmp is
   the easiest way to reach that private tmp.

5. Once finished and copied /proc/$PID/cwd/tmp/http_krb5_trace.log to an
   archive location, make sure to remove the file and its reference from
   /etc/sysconfig/httpd and restart the service.

-- 
/ Alexander Bokovoy

From Duncan.Innes at virginmoney.com  Thu Jul 19 15:44:04 2012
From: Duncan.Innes at virginmoney.com (Innes, Duncan)
Date: Thu, 19 Jul 2012 16:44:04 +0100
Subject: [Freeipa-users] IPA and UIDS <500
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com><833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz><1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org>
Message-ID: <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet>

On Thu, 2012-07-19 at 07:36 -0400, Stephen Gallagher wrote:
> > On Thu, 2012-07-19 at 00:53 +0000, Steven Jones wrote:
> > > Actually its pam....unless IPA is as well.
> > >
> > > Which makes sense then to have an application run < 500 so inherently it cannot be logged into via ssh....
> >
> > Well, it's possible to configure your system to allow logging in to
> > users below 500, but it's not recommended. The real risk is of having
> > system services with an ID that conflicts with a user.
>
> In general we do not recommend to set ids on your own, let ipa choose
> IDs unless you have a constraint that prevents you from letting that
> happen.

Does this mean that it's impossible to have IPA authenticate the oracle
user or any other user that is normally below 500?
Our security team is asking that we manage the passwords of oracle and
other users centrally. Can IPA do this for me?

Thanks

Duncan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From sgallagh at redhat.com  Thu Jul 19 15:59:45 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Thu, 19 Jul 2012 11:59:45 -0400
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet>
Message-ID: <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>

On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
> Does this mean that it's impossible to have IPA authenticate the
> oracle user or any other user that is normally below 500?
> 
> Our security team is asking that we manage the passwords of oracle and
> other users centrally. Can IPA do this for me?

It's not impossible, but it requires some mangling of your PAM stacks
in /etc/pam.d/*

That said, it's generally a bad idea to have passwords on users < 500.
It should not be possible to log into them at all, and instead you
should rely on granting (restricted) sudo privileges to real users
allowing them to impersonate the service user instead.

So instead of allowing people to log into the box as 'oracle', they
should log in as 'myusername' and then run 'sudo -u oracle '.
This provides better auditing support as well, since you will always
know which real user modified your database configuration (rather than
trying to piece together who logged in as 'oracle' directly).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: 

From dpal at redhat.com  Thu Jul 19 16:37:18 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 19 Jul 2012 12:37:18 -0400
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>
Message-ID: <500837BE.2030308@redhat.com>

On 07/19/2012 11:59 AM, Stephen Gallagher wrote:
> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote:
>> Does this mean that it's impossible to have IPA authenticate the
>> oracle user or any other user that is normally below 500?
>>
>> Our security team is asking that we manage the passwords of oracle and
>> other users centrally. Can IPA do this for me?
> It's not impossible, but it requires some mangling of your PAM stacks
> in /etc/pam.d/*
>

I think Stephen meant to say that it is in fact possible but not
recommended and would require changes to the PAM configuration to allow
logins for centrally managed users with low UIDs. In IPA you can change
the UID of the user manually if you really know what you are doing, but
the approach below is much more secure, compliant and elegant.

> That said, it's generally a bad idea to have passwords on users < 500.
> It should not be possible to log into them at all, and instead you
> should rely on granting (restricted) sudo privileges to real users
> allowing them to impersonate the service user instead.
> > So instead of allowing people to log into the box as 'oracle', they > should log in as 'myusername' and then run 'sudo -u oracle '. > This provides better auditing support as well, since you will always > know which real user modified your database configuration (rather than > trying to piece together who logged in as 'oracle' directly). > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Thu Jul 19 16:44:50 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 19 Jul 2012 12:44:50 -0400 Subject: [Freeipa-users] 2.20 dirsrv memory usage In-Reply-To: References: <500442D7.9020200@redhat.com> <50045EA9.9070709@redhat.com> <50046A1A.4010100@redhat.com> <5005D295.2020708@redhat.com> <5006BE06.7020109@redhat.com> <50070E55.90307@redhat.com> <5007174E.3080404@redhat.com> <500721F5.4040004@redhat.com> <500729EA.4040507@redhat.com> Message-ID: <50083982.1050505@redhat.com> On 07/19/2012 02:29 AM, Stephen Ingram wrote: > On Wed, Jul 18, 2012 at 2:26 PM, Dmitri Pal wrote: >> On 07/18/2012 05:09 PM, Stephen Ingram wrote: >>> On Wed, Jul 18, 2012 at 1:52 PM, Dmitri Pal wrote: >>>> On 07/18/2012 04:27 PM, Stephen Ingram wrote: >>>>> On Wed, Jul 18, 2012 at 1:06 PM, Dmitri Pal wrote: >>>>>> On 07/18/2012 03:45 PM, Stephen Ingram wrote: >>>>>>> On Wed, Jul 18, 2012 at 12:28 PM, John Dennis wrote: >>>>>>>> On 07/18/2012 02:59 PM, Stephen Ingram wrote: >>>>>>>>> On Wed, Jul 18, 2012 at 6:45 AM, Petr Vobornik >>>>>>>>> wrote: >>>>>>>>>> On 07/17/2012 11:43 PM, Stephen Ingram wrote: >>>>>>>>>> >>>>>>>>>> 8><------ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>>> I'm beginning to think this is just the Web 
UI itself instead of 389 >>>>>>>>>>>>> although it is really difficult to tell. I've pored over the debug >>>>>>>>>>>>> logs and didn't see anything that caused me concern. >>>>>>>>>>>>> >>>>>>>>>>>>> It's certainly usable, but I just got really spoiled by the >>>>>>>>>>>>> unbelievable quickness of 2.1.3. When your release notes indicate it >>>>>>>>>>>>> should be faster, what are you comparing it to? Maybe this only >>>>>>>>>>>>> happens with upgraded instances and not fresh installs. >>>>>>>>>>>> It is always possible something didn't get upgraded properly but I've >>>>>>>>>>>> done >>>>>>>>>>>> 2.1.3 -> 2.2.0 upgrades and haven't seen this. When we say something is >>>>>>>>>>>> faster we're always referring to the previous version (or versions). >>>>>>>>>>> Maybe I was just lucky with 2.1.3. On a first load it might take some >>>>>>>>>>> time to load the "frame" as I call it. But the data would load almost >>>>>>>>>>> instantaneously from there (certainly no more than 1 s) as you moved >>>>>>>>>>> from page to page. Here, even if I return to the same page, the system >>>>>>>>>>> acts as if the data is being fetched for the very first time as it is >>>>>>>>>>> no faster than the first load. Maybe that is significant to the >>>>>>>>>>> problem? >>>>>>>>>> I think the culprit is Web UI paging capabilities introduced in 2.2. With >>>>>>>>>> a lot of users, responses might grow in size. You can check their size and >>>>>>>>>> duration in browser developers tools. I suggest chrome/chromium - press >>>>>>>>>> F12 >>>>>>>>>> and choose 'network' tab. >>>>>>>>>> >>>>>>>>>> This new feature can't be disabled in configuration. To test if the >>>>>>>>>> slowdown >>>>>>>>>> is done by paging you can (at own risk) replace line >>>>>>>>>> /usr/share/ipa/ui/facet.js:538 >>>>>>>>>> >>>>>>>>>> that.pagination = spec.pagination === undefined ?
true : spec.pagination; >>>>>>>>>> >>>>>>>>>> with: >>>>>>>>>> >>>>>>>>>> that.pagination = false; >>>>>>>>>> >>>>>>>>>> Note: It will break some other parts of the UI - so for testing only. >>>>>>>>> I've made the substitution in the code (was line 507 for me-do I have >>>>>>>>> a different version?). Looking at the time chart in Chrome I see that >>>>>>>>> the bulk of the time is for /ipa/session waiting. Would "waiting" mean >>>>>>>>> waiting for the directory server or memcached? >>>>>>>> Actually neither, it means waiting for a response from the web server >>>>>>>> (technically it's making an RPC call via HTTP Ajax). The RPC call needs to >>>>>>>> go through the web server, memcached, and typically will invoke one or more >>>>>>>> directory server queries, and run a bunch of Python to massage everything >>>>>>>> before the RPC returns with the result. >>>>>>>> >>>>>>>> It doesn't look like you've got much difference in times between with >>>>>>>> pagination on and pagination off. I don't know the pagination code but I >>>>>>>> suspect it's run after the RPC call returns so the RPC timing is not telling >>>>>>>> us much with respect to that. >>>>>>>> >>>>>>>> Waiting for up to 3 seconds for an RPC call does seem on the high side. Do >>>>>>>> you have a lot of LDAP data? >>>>>>> No. 49 users, 17 hosts, 25 services, 6 DNS zones, only 1 of which has >>>>>>> any significant amount of hosts in it. >>>>>>> >>>>>>>> But really, unless we get timing results for each component we're grasping >>>>>>>> at straws :-( >>>>>>> Understood. >>>>>>> >>>>>>> Steve >>>>>> Do you have a replica and does this replica behave the same? >>>>> No replica yet. I wanted to get the memory leak issue solved first. >>>>> All I have to compare to is the old 2.1.3 before. This one is much >>>>> slower. I just can't seem to figure out what's wrong. The upgrade >>>>> seemed to complete successfully and there were no errors in the log. 
>>>>> The only things I've found thus far (earlier in this thread) are the >>>>> unindexed entries (all hosts entries) that Rich seemed to think might >>>>> be slowing things up. As the slowness is on every page, I wouldn't >>>>> think that would be the problem. >>>>> >>>>> I wouldn't have said as much about this were it not for the promised >>>>> faster speed mentioned in the release notes. It's comparable to the >>>>> old 2.0 release candidates so I thought it might have been due to the >>>>> complexity of the feature additions. >>>>> >>>>> Steve >>>> Is the time correct on this system? >>> Yes. HW clock is GMT and localtime is Pacific Daylight Time and it is >>> accurate to the minute. >>> >>> Steve >> Can you check the Kerberos logs whether the ldap service ticket is >> acquired on every http request via browser? > That looks to be the case. I tailed the log while accessing each page and got: > > Jul 18 22:43:15 ipa1.example.com krb5kdc[1243](info): TGS_REQ (4 > etypes {18 17 16 23}) xxx.xx.xx.xx: ISSUE: authtime 1342640481, etypes > {rep=18 tkt=18 ses=18}, HTTP/ipa1.example.com at EXAMPLE.COM for > ldap/ipa1.example.com at EXAMPLE.COM > > Jul 18 22:43:15 ipa1.example.com krb5kdc[1243](info): ... > CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM > > Jul 18 22:43:16 ipa1.example.com krb5kdc[1243](info): TGS_REQ (4 > etypes {18 17 16 23}) xxx.xx.xx.xx: ISSUE: authtime 1342640481, etypes > {rep=18 tkt=18 ses=18}, HTTP/ipa1.example.com at EXAMPLE.COM for > ldap/ipa1.example.com at EXAMPLE.COM > > Jul 18 22:43:16 ipa1.example.com krb5kdc[1243](info): ... > CONSTRAINED-DELEGATION s4u-client=admin at EXAMPLE.COM > > Interestingly, this even came up when doing something as simple as > moving to the next page of users. I'm guessing this isn't correct? > This is the indication that something is not working with the session caching. I think we need the debug logs as John suggested to drill down into the reason. 
>> Also http logs might shed some light on what is going on in a request. May >> be this would give us some hint. > Everything there looks normal. It's accessing /ipa/session/json every > time and the error log shows what appear to be queries to the > directory server. I compared this to my older v 2.1.3 logs and it > looks the same except for the addition of the session. > >> What you are experiencing is wrong and alarming. This is why I want to >> drill down to the root of the problem. > I agree. I was all excited to see the faster IPA and instead I'm stuck > with one that chugs along. Perhaps it is several things together that > are adding up to more time. Petr pointed me in a great direction using > the developer panel in Chrome to see the various pieces that are > taking time. This is illuminating each component that loads. For > example, a simple click to a new page of users generates two hits to > /ipa/session: > > json /ipa/session POST 200 Success application/json jquery.js:7365 > Script 9.30KB 8.78KB 1.47s 1.46s 1.46s 6ms > json /ipa/session POST 200 Success application/json jquery.js:7365 > Script 74.65KB 73.41KB 1.80s 1.61s 1.61s > > As you can see just flipping the page took 3.27s for something that > used to be almost instantaneous. As each request waits for a response, > I'm not sure why this shouldn't be one request. Perhaps, with the > kerberos requests, the directory server query and the Web UI jquery > stuff, it requires two requests and things are simply adding up. > > Steve -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs?
www.redhat.com/carveoutcosts/ From simo at redhat.com Thu Jul 19 17:09:56 2012 From: simo at redhat.com (Simo Sorce) Date: Thu, 19 Jul 2012 13:09:56 -0400 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com> Message-ID: <1342717796.3219.220.camel@willson.li.ssimo.org> On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote: > On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote: > > Does this mean that it's impossible to have IPA authenticate the > > oracle user or any other user that is normally below 500? > > > > Our security team is asking that we manage the passwords of oracle and > > other users centrally. Can IPA do this for me? > > It's not impossible, but it requires some mangling of your PAM stacks > in /etc/pam.d/* > > That said, it's generally a bad idea to have passwords on users < 500. > It should not be possible to log into them at all, and instead you > should rely on granting (restricted) sudo privileges to real users > allowing them to impersonate the service user instead. > > So instead of allowing people to log into the box as 'oracle', they > should log in as 'myusername' and then run 'sudo -u oracle '. > This provides better auditing support as well, since you will always > know which real user modified your database configuration (rather than > trying to piece together who logged in as 'oracle' directly). 
Note you can also allow sudo -i which gives you an interactive shell just like su - would, but you can control sudo configuration centrally. Simo. -- Simo Sorce * Red Hat, Inc * New York From bdwheele at indiana.edu Thu Jul 19 18:13:09 2012 From: bdwheele at indiana.edu (Brian Wheeler) Date: Thu, 19 Jul 2012 14:13:09 -0400 Subject: [Freeipa-users] Fedora 17 -- ipa-server-install fails at "configuring certificate server instance" Message-ID: <50084E35.4050701@indiana.edu> I've been fighting with this for a couple of hours so it must be time to ask for help :) I've got a clean (and up to date) Fedora 17 install and when I try to install freeipa it fails when its running pkisilent to configure the certificate server instance. ================== Configuring certificate server: Estimated time 3 minutes 30 seconds [1/17]: creating certificate server user [2/17]: configuring certificate server instance ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname wombat.dlib.indiana.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-dxxeEf -client_certdb_pwd XXXXXXXX -preop_pin hR0AShCYdzVB5g5frPxh -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=DLIB.INDIANA.EDU -ldap_host wombat.dlib.indiana.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=DLIB.INDIANA.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DLIB.INDIANA.EDU -ca_server_cert_subject_name CN=wombat.dlib.indiana.edu,O=DLIB.INDIANA.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=DLIB.INDIANA.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=DLIB.INDIANA.EDU -external 
false -clone false' returned non-zero exit status 255 Unexpected error - see ipaserver-install.log for details: Configuration of CA failed ================= The relevant logs in ipaserver-install.log seem to be: ============ Attempting to connect to: wombat.dlib.indiana.edu:9445 Exception in LoginPanel(): java.lang.NullPointerException ERROR: ConfigureCA: LoginPanel() failure ERROR: unable to create CA ####################################################################### 2012-07-19T18:06:23Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391) at java.net.Socket.connect(Socket.java:579) at java.net.Socket.connect(Socket.java:528) at java.net.Socket.(Socket.java:425) at java.net.Socket.(Socket.java:241) at HTTPClient.sslConnect(HTTPClient.java:326) at ConfigureCA.LoginPanel(ConfigureCA.java:244) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) java.lang.NullPointerException at ConfigureCA.LoginPanel(ConfigureCA.java:245) at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) at ConfigureCA.main(ConfigureCA.java:1672) ============= Any troubleshooting hints for this? 
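The sudo setup discussed in the "IPA and UIDS <500" thread above (Stephen Gallagher's "sudo -u oracle" advice, Simo Sorce's note that "sudo -i" can be allowed instead of "su -", and the ipa sudorule-* exchange between Steven Jones, Dmitri Pal and Rob Crittenden later in this archive), written out as one complete FreeIPA rule. This is an added example, not code posted in the thread and not FreeIPA project code. The rule, host group, user group and target account names (banner-rule, banner-server-group, become-banner-saas-prod, banner) are the ones Steven uses; that the banner account's login shell is /bin/bash is an assumption. The two points it demonstrates: "sudo -i -u banner" executes banner's login shell, so that shell is the command the rule must allow (a string such as "/bin/sudo -i banner" is not a sudo command and never matches), and banner is set on the rule as the run-as user rather than written into the command. The ipa_run wrapper prints the commands instead of executing them when IPA_DRY_RUN=1 is set or no ipa binary is installed, so the sequence can be reviewed on any machine.

```shell
#!/bin/sh
# Added example: a complete FreeIPA sudo rule for "become the banner service
# account via sudo -i". Not FreeIPA project code. Names come from the thread;
# /bin/bash as banner's login shell is an assumption.

RULE=banner-rule
HOSTGROUP=banner-server-group
USERGROUP=become-banner-saas-prod
RUNAS=banner
# Assumed login shell of $RUNAS. 'sudo -i -u banner' runs exactly this
# program, so this is the sudo command that has to be allowed.
SHELL_CMD=/bin/bash

# Execute 'ipa' for real, or print the command when IPA_DRY_RUN=1 is set
# or the ipa client is not installed on this machine.
ipa_run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ] || ! command -v ipa >/dev/null 2>&1; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

build_banner_rule() {
    # 1. Register the command. "/bin/sudo -i" or "/bin/su - banner" would
    #    never match what sudo actually checks; the target's shell does.
    ipa_run sudocmd-add "$SHELL_CMD" --desc="login shell for sudo -i"
    # 2. The rule: what, where and who. The rule name is the positional
    #    argument; options may come before or after it.
    ipa_run sudorule-add "$RULE" --desc="interactive shell as $RUNAS"
    ipa_run sudorule-add-allow-command "$RULE" --sudocmds="$SHELL_CMD"
    ipa_run sudorule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    ipa_run sudorule-add-user "$RULE" --groups="$USERGROUP"
    # 3. As whom. The target account is a run-as user on the rule, not part
    #    of the command. --users is for an IPA-managed account; for an account
    #    that exists only in the local /etc/passwd use instead:
    #      ipa sudorule-mod "$RULE" --runasexternaluser="$RUNAS"
    ipa_run sudorule-add-runasuser "$RULE" --users="$RUNAS"
}

# On a member of $HOSTGROUP, once SSSD has picked the rule up:
#   sudo -l -U alice      # shows "(banner) /bin/bash" for a group member
#   sudo -i -u banner     # opens banner's login shell
# sudo logs "alice : ... USER=banner ; COMMAND=/bin/bash", which is the
# per-person audit trail the thread wants instead of direct logins as banner.

if [ "${1:-}" = "--apply" ]; then
    build_banner_rule
fi
```

Run it as `sh build-banner-rule.sh --apply` on a machine with a valid admin ticket (`kinit admin`) to apply the rule; without `--apply` it only defines the functions. Members of become-banner-saas-prod keep their own passwords and Kerberos identities, and the banner account itself needs no password at all, which is the point Stephen makes about accounts below UID 500.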
From rcritten at redhat.com Thu Jul 19 19:04:04 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 Jul 2012 15:04:04 -0400 Subject: [Freeipa-users] Fedora 17 -- ipa-server-install fails at "configuring certificate server instance" In-Reply-To: <50084E35.4050701@indiana.edu> References: <50084E35.4050701@indiana.edu> Message-ID: <50085A24.8090305@redhat.com> Brian Wheeler wrote: > I've been fighting with this for a couple of hours so it must be time to > ask for help :) > > I've got a clean (and up to date) Fedora 17 install and when I try to > install freeipa it fails when its running pkisilent to configure the > certificate server instance. > ================== > Configuring certificate server: Estimated time 3 minutes 30 seconds > [1/17]: creating certificate server user > [2/17]: configuring certificate server instance > ipa : CRITICAL failed to configure ca instance Command > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname > wombat.dlib.indiana.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-dxxeEf > -client_certdb_pwd XXXXXXXX -preop_pin hR0AShCYdzVB5g5frPxh -domain_name > IPA -admin_user admin -admin_email root at localhost -admin_password > XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type > rsa -agent_cert_subject CN=ipa-ca-agent,O=DLIB.INDIANA.EDU -ldap_host > wombat.dlib.indiana.edu -ldap_port 7389 -bind_dn cn=Directory Manager > -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 > -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd > XXXXXXXX -subsystem_name pki-cad -token_name internal > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=DLIB.INDIANA.EDU > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=DLIB.INDIANA.EDU > -ca_server_cert_subject_name > CN=wombat.dlib.indiana.edu,O=DLIB.INDIANA.EDU > -ca_audit_signing_cert_subject_name CN=CA Audit,O=DLIB.INDIANA.EDU > -ca_sign_cert_subject_name CN=Certificate Authority,O=DLIB.INDIANA.EDU > -external false -clone false' 
returned non-zero exit status 255 > Unexpected error - see ipaserver-install.log for details: > Configuration of CA failed > ================= > > The relevant logs in ipaserver-install.log seem to be: > ============ > Attempting to connect to: wombat.dlib.indiana.edu:9445 > Exception in LoginPanel(): java.lang.NullPointerException > ERROR: ConfigureCA: LoginPanel() failure > ERROR: unable to create CA > > ####################################################################### > > 2012-07-19T18:06:23Z DEBUG stderr=Exception: Unable to Send > Request:java.net.ConnectException: Connection refused > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method) > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) > > at > java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) > > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:391) > at java.net.Socket.connect(Socket.java:579) > at java.net.Socket.connect(Socket.java:528) > at java.net.Socket.(Socket.java:425) > at java.net.Socket.(Socket.java:241) > at HTTPClient.sslConnect(HTTPClient.java:326) > at ConfigureCA.LoginPanel(ConfigureCA.java:244) > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) > at ConfigureCA.main(ConfigureCA.java:1672) > java.lang.NullPointerException > at ConfigureCA.LoginPanel(ConfigureCA.java:245) > at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157) > at ConfigureCA.main(ConfigureCA.java:1672) > ============= > > Any troubleshooting hints for this? Try re-installing the pki-selinux package. 
What I would do is this:
# ipa-server-install --uninstall -U
# ls -ld /var/lib/pki-ca
If it exists run:
# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
# yum reinstall pki-selinux
We're not sure why re-installing that package is required sometimes, the dogtag team has a bug open on it, https://bugzilla.redhat.com/show_bug.cgi?id=746275 rob rob From Steven.Jones at vuw.ac.nz Thu Jul 19 20:52:44 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 19 Jul 2012 20:52:44 +0000 Subject: [Freeipa-users] Creating new users with one name Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD589D7@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, One thing, and it's sort of strange, but when you go to create a new user you have assumed that the user has both a forename and a surname, so this is compulsory. This isn't always the case; we have users who have one name and it's not their forename or their surname, and that's legal, at least here in NZ. Should I raise this as a "bug"? I'm not sure what happens when we win-sync from AD in such cases, as that is a single occupied field that gets replicated, and a blank for one; will this be OK?
Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Thu Jul 19 21:00:17 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 19 Jul 2012 21:00:17 +0000 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <1342717796.3219.220.camel@willson.li.ssimo.org> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> ,<1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>
So, I am trying to do just this but failing. So rather than
ipa sudorule-add-allow-command --sudocmds "/bin/su - banner"
then
ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner"
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com] Sent: Friday, 20 July 2012 5:09 a.m. To: Stephen Gallagher Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA and UIDS <500 On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote: > On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote: > > Does this mean that it's impossible to have IPA authenticate the > > oracle user or any other user that is normally below 500? > > > > Our security team is asking that we manage the passwords of oracle and > > other users centrally. Can IPA do this for me?
> > It's not impossible, but it requires some mangling of your PAM stacks > in /etc/pam.d/* > > That said, it's generally a bad idea to have passwords on users < 500. > It should not be possible to log into them at all, and instead you > should rely on granting (restricted) sudo privileges to real users > allowing them to impersonate the service user instead. > > So instead of allowing people to log into the box as 'oracle', they > should log in as 'myusername' and then run 'sudo -u oracle '. > This provides better auditing support as well, since you will always > know which real user modified your database configuration (rather than > trying to piece together who logged in as 'oracle' directly). Note you can also allow sudo -i which gives you an interactive shell just like su - would, but you can control sudo configuration centrally. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From dpal at redhat.com Thu Jul 19 21:20:45 2012 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 19 Jul 2012 17:20:45 -0400 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <50087A2D.50905@redhat.com> On 07/19/2012 05:00 PM, Steven Jones wrote: > So, > > Im am 
trying to do just this but failing, > > So rather than, > > ipa sudorule-add-allow-command --sudocmds "/bin/su - banner" > > then, > > ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i banner" > Banner should not be a part of the command. He should be put into the run as user if this is an ipa managed user or into external run as user if this user is not managed by IPA but defined on a local system. > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com] > Sent: Friday, 20 July 2012 5:09 a.m. > To: Stephen Gallagher > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] IPA and UIDS <500 > > On Thu, 2012-07-19 at 11:59 -0400, Stephen Gallagher wrote: >> On Thu, 2012-07-19 at 16:44 +0100, Innes, Duncan wrote: >>> Does this mean that it's impossible to have IPA authenticate the >>> oracle user or any other user that is normally below 500? >>> >>> Our security team is asking that we manage the passwords of oracle and >>> other users centrally. Can IPA do this for me? >> It's not impossible, but it requires some mangling of your PAM stacks >> in /etc/pam.d/* >> >> That said, it's generally a bad idea to have passwords on users < 500. >> It should not be possible to log into them at all, and instead you >> should rely on granting (restricted) sudo privileges to real users >> allowing them to impersonate the service user instead. >> >> So instead of allowing people to log into the box as 'oracle', they >> should log in as 'myusername' and then run 'sudo -u oracle '. >> This provides better auditing support as well, since you will always >> know which real user modified your database configuration (rather than >> trying to piece together who logged in as 'oracle' directly). 
> Note you can also allow sudo -i which gives you an interactive shell > just like su - would, but you can control sudo configuration centrally. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From rcritten at redhat.com Thu Jul 19 21:32:27 2012 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 19 Jul 2012 17:32:27 -0400 Subject: [Freeipa-users] Creating new users with one name In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD589D7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD589D7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <50087CEB.6010800@redhat.com> Steven Jones wrote: > Hi, > > One thing and its sort of strange but when you so to create a new user you have assumed that the user has both a forename and a surname so this is compulsory. > > This isn't always the case, we have users who have one name and its not their forename or their surname and that's legal, at least here in NZ. > > Should I raise this as a "bug"? > > I'm not sure what happens when we win-sync from AD in such cases as that is a single occupied field that gets replicated, and a blank for one will this be OK? It is a requirement of the person objectClass. Feel free to open a bug. 
rob From Steven.Jones at vuw.ac.nz Thu Jul 19 21:39:28 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 19 Jul 2012 21:39:28 +0000 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <50087A2D.50905@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50087A2D.50905@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz>
Ah right... I've been trying to do this in IPA and failing... So I actually want:
ipa sudorule-add banner-rule
ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
ipa sudorule-add-host --groups banner-server-group banner-rule
ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
ipa sudorule-add-user --user banner banner-rule
?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From Steven.Jones at vuw.ac.nz Thu Jul 19 22:06:30 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 19 Jul 2012 22:06:30 +0000 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50087A2D.50905@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD59BC7@STAWINCOX10MBX1.staff.vuw.ac.nz>
Having problems with:
ipa sudorule-add-host --groups banner-server-group banner-rule
So I want to use a host group so I can run this command across multiple servers. I take it I can't, so I have to add it per host?
regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Steven Jones Sent: Friday, 20 July 2012 9:39 a.m. To: freeipa-users at redhat.com Subject: RE: [Freeipa-users] IPA and UIDS <500 Ah right... I've been trying to do this in IPA and failing...
So I actually want, ipa sudorule-add banner-rule ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i" ipa sudorule-add-host --groups banner-server-group banner-rule ipa sudorule-add-user --groups become-banner-saas-prod banner-rule ipa sudorule-add-user --user banner banner-rule ? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From dpal at redhat.com Fri Jul 20 13:52:49 2012 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 20 Jul 2012 09:52:49 -0400 Subject: [Freeipa-users] IPA and UIDS <500 In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD59BC7@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz> , <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50087A2D.50905@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD59BC7@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <500962B1.6030806@redhat.com> On 07/19/2012 06:06 PM, Steven Jones wrote: > having problems with, > > ipa sudorule-add-host --groups banner-server-group banner-rule > > > So I want to use a host-group so I can run this command accross multiple servers, I take it I cant so I have to add it per host? > > Should work with host groups and user groups. I do not have the exact syntax in front of me. Please check the ipa help system it has all the details. If something does not work as advertised please collect all the details, logs, output and file a bug or ticket. 
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Steven Jones
> Sent: Friday, 20 July 2012 9:39 a.m.
> To: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] IPA and UIDS <500
>
> ah right....I've been trying to do this in IPA and failing....
>
> So I actually want,
>
> ipa sudorule-add banner-rule
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
> ipa sudorule-add-host --groups banner-server-group banner-rule
> ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
> ipa sudorule-add-user --user banner banner-rule
>
> ?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rcritten at redhat.com  Fri Jul 20 14:00:06 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Jul 2012 10:00:06 -0400
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <500962B1.6030806@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50087A2D.50905@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD59BC7@STAWINCOX10MBX1.staff.vuw.ac.nz> <500962B1.6030806@redhat.com>
Message-ID: <50096466.5010304@redhat.com>

Dmitri Pal wrote:
> On 07/19/2012 06:06 PM, Steven Jones wrote:
>> having problems with,
>>
>> ipa sudorule-add-host --groups banner-server-group banner-rule
>>
>>
>> So I want to use a host-group so I can run this command across multiple servers. I take it I can't, so I have to add it per host?
>>
>>
> Should work with host groups and user groups.
> I do not have the exact syntax in front of me.
> Please check the ipa help system; it has all the details.
> If something does not work as advertised please collect all the details,
> logs, output and file a bug or ticket.
>

To add the banner-server-group hostgroup to the sudo rule:

ipa sudorule-add-host --hostgroups banner-server-group banner-rule


From jlinoff at tabula.com  Fri Jul 20 19:03:39 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Fri, 20 Jul 2012 12:03:39 -0700
Subject: [Freeipa-users] User can't login via ssh from external source
Message-ID: <8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com>

Hi Everybody:

I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging problem with a new user that I just set up.

That user cannot ssh into any host on the realm from an external source. They get a permission denied problem, but "old-user" with the same HBAC configuration works.

% ssh -A -t -o Port=9346 new-user at somehost.example.com
new-user at somehost.example.com's password:
Permission denied, please try again.
% ssh -A -t -o Port=9346 old-user at somehost.example.com
old-user at somehost.example.com's password:
Last login: ...
[old-user at somehost ~]$

I checked their password by setting up a TGT using kinit. It worked. I was also able to ssh into another host on the network.

% kinit new-user
Password for new-user at EXAMPLE.COM
% ssh new-user at somehost
Last login: ...
Could not chdir to home directory ...
-bash-4.1$ exit

That seems to indicate that the password is correct and that the permissions are correct, but to be sure I ran an hbactest on the server:

% ipa hbactest --user=new-user --service=ssh --host=somehost
--------------------
Access granted: True
--------------------
...
I did see something strange in /var/log/messages:

Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed

So I reset the password using the ipa passwd command:

% ipa passwd new-user
New Password:
Etner New Password again to verify:
-------------------------------------------
Changed password for new-user at EXAMPLE.COM
------------------------------------------

But I am still getting the Permission denied error.

What am I doing wrong? How can I debug this? Any help would be greatly appreciated.

Thanks,

Joe


From dpal at redhat.com  Fri Jul 20 19:21:23 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 20 Jul 2012 15:21:23 -0400
Subject: [Freeipa-users] User can't login via ssh from external source
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com>
Message-ID: <5009AFB3.80408@redhat.com>

On 07/20/2012 03:03 PM, Joe Linoff wrote:
> Hi Everybody:
>
> I am using FreeIPA 2.2.0 on CentOS 6.3 and am having a challenging
> problem with a new user that I just set up.
>
> That user cannot ssh into any host on the realm from an external
> source. They get a permission denied problem, but "old-user" with the
> same HBAC configuration works.
>
> % ssh -A -t -o Port=9346 new-user at somehost.example.com
> new-user at somehost.example.com's password:
> Permission denied, please try again.
> % ssh -A -t -o Port=9346 old-user at somehost.example.com
> old-user at somehost.example.com's password:
> Last login: ...
> [old-user at somehost ~]$
>
> I checked their password by setting up a TGT using kinit. It worked. I
> was also able to ssh into another host on the network.
>
> % kinit new-user
> Password for new-user at EXAMPLE.COM
> % ssh new-user at somehost
> Last login: ...
> Could not chdir to home directory ...
> -bash-4.1$ exit
>
> That seems to indicate that the password is correct and that the
> permissions are correct, but to be sure I ran an hbactest on the server:
>
> % ipa hbactest --user=new-user --service=ssh --host=somehost
> --------------------
> Access granted: True
> --------------------
> ...
>
> I did see something strange in /var/log/messages:
>
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:16 somehost [sssd[krb5_child[16478]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:26 somehost [sssd[krb5_child[16481]]]: Decrypt integrity check failed
> Jul 20 11:48:54 somehost [sssd[krb5_child[16488]]]: Password has expired
> Jul 20 11:48:55 somehost [sssd[krb5_child[16488]]]: Decrypt integrity check failed
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Password has expired
> Jul 20 11:49:05 somehost [sssd[krb5_child[16491]]]: Decrypt integrity check failed
>
> So I reset the password using the ipa passwd command:
>
> % ipa passwd new-user
> New Password:
> Etner New Password again to verify:
> -------------------------------------------
> Changed password for new-user at EXAMPLE.COM
> ------------------------------------------
>
> But I am still getting the Permission denied error.
>
> What am I doing wrong? How can I debug this? Any help would be greatly
> appreciated.
>

When you set the password on the server using the ipa passwd command you make it known to the admin. This is why it is right away expired and requires a change.
A user needs to log in through the client that allows changing the password as a part of the authentication.
It looks like your ssh is not configured to do password change (I suspect it uses GSSAPI but I might be wrong).
So either the ssh needs to be configured to do the password change over the pam stack, or you need to log in as this user and change his password, and then you will be able to ssh.

> Thanks,
>
> Joe
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From sgallagh at redhat.com  Fri Jul 20 20:23:40 2012
From: sgallagh at redhat.com (Stephen Gallagher)
Date: Fri, 20 Jul 2012 16:23:40 -0400
Subject: [Freeipa-users] User can't login via ssh from external source
In-Reply-To: <5009AFB3.80408@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010E137C@mantaray.tabula.com> <5009AFB3.80408@redhat.com>
Message-ID: <1342815820.3554.9.camel@sgallagh520.sgallagh.bos.redhat.com>

On Fri, 2012-07-20 at 15:21 -0400, Dmitri Pal wrote:
> On 07/20/2012 03:03 PM, Joe Linoff wrote:
> When you set the password on the server using the ipa passwd command
> you make it known to the admin. This is why it is right away expired
> and requires a change.
> A user needs to log in through the client that allows changing the
> password as a part of the authentication.
> It looks like your ssh is not configured to do password change (I
> suspect it uses GSSAPI but I might be wrong).
> So either the ssh needs to be configured to do the password change
> over the pam stack, or you need to log in as this user and change his
> password, and then you will be able to ssh.

To clarify, what you need to do is make sure that the following options are set in /etc/ssh/sshd_config:

UsePAM yes
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

This should hopefully resolve the issue for you.

Note: KerberosAuthentication is NOT the same as disabling the single-sign-on. That's done by GSSAPIAuthentication.


From qchang at sri.utoronto.ca  Fri Jul 20 20:56:03 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Fri, 20 Jul 2012 16:56:03 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
Message-ID: <5009C5E3.9040807@sri.utoronto.ca>

Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users and groups: compat and accounts. Using groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

The IPA web GUI does not show the "memberUid" attribute, although it is migrated correctly. By adding a user to the group in the web GUI, it reveals that the member is added to both compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that the GUI does not display anything for the "compat" tree, but I can use ldap tools to show compat entries.

My questions:
1, Why do we have two trees created? I vaguely remember that it is mentioned that compat is for support of IPA as an NIS proxy?
2, Can the migration script be modified to convert "memberUid" to "member" for the accounts tree? Or can I modify it manually and load the tree with ldapmod without breaking IPA?
3, What does Samba use, compat or accounts? I do have a Samba server set up as an IPA client and it works very well, but I don't seem to be able to find a place to specify either compat or accounts for user and group look up; I assume IPA client libraries take care of it. In fact there are no entries that are related to LDAP in my smb.conf, there are only a few lines related to IPA/Kerberos:
=====
security = user
passdb backend = smbpasswd

# Kerberos options
realm = SRI.UTORONTO.CA
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
=====

Thanks in advance!
Qing


From rcritten at redhat.com  Fri Jul 20 21:14:58 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 20 Jul 2012 17:14:58 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
In-Reply-To: <5009C5E3.9040807@sri.utoronto.ca>
References: <5009C5E3.9040807@sri.utoronto.ca>
Message-ID: <5009CA52.9000807@redhat.com>

Qing Chang wrote:
> Greetings,
>
> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
> and groups: compat and accounts. Using groups as an example:
> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> The IPA web GUI does not show the "memberUid" attribute, although it is
> migrated correctly. By adding a user to the group in the web GUI, it
> reveals that the member is added to both compat and accounts, but
> differently:
> accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
> compat: memberUid: qchang
>
> It also reveals that the GUI does not display anything for the "compat"
> tree, but I can use ldap tools to show compat entries.
> My questions:
> 1, Why do we have two trees created? I vaguely remember that it is
> mentioned that compat is for support of IPA as an NIS proxy?

cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It isn't a separate copy.

It is so clients that don't support 2307bis can still authenticate and identify users using nss_ldap.

> 2, Can the migration script be modified to convert "memberUid" to
> "member" for the accounts tree? Or can I modify it manually and load
> the tree with ldapmod without breaking IPA?

It already can, see the --schema option.

> 3, What does Samba use, compat or accounts? I do have a Samba server
> set up as an IPA client and it works very well, but I don't seem to be
> able to find a place to specify either compat or accounts for user and
> group look up; I assume IPA client libraries take care of it. In fact
> there are no entries that are related to LDAP in my smb.conf, there
> are only a few lines related to IPA/Kerberos:
> =====
> security = user
> passdb backend = smbpasswd
>
> # Kerberos options
> realm = SRI.UTORONTO.CA
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> =====

I'm not familiar with configuring Samba with an ldap backend, maybe someone else will chime in.
rob


From dpal at redhat.com  Fri Jul 20 21:17:42 2012
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 20 Jul 2012 17:17:42 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
In-Reply-To: <5009C5E3.9040807@sri.utoronto.ca>
References: <5009C5E3.9040807@sri.utoronto.ca>
Message-ID: <5009CAF6.5090108@redhat.com>

On 07/20/2012 04:56 PM, Qing Chang wrote:
> Greetings,
>
> Migration from OpenLDAP to IPA creates a pair of subtrees for both
> users and groups: compat and accounts. Using groups as an example:
> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>
> The IPA web GUI does not show the "memberUid" attribute, although it is
> migrated correctly. By adding a user to the group in the web GUI, it
> reveals that the member is added to both compat and accounts, but
> differently:
> accounts: member:
> uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
> compat: memberUid: qchang
>
> It also reveals that the GUI does not display anything for the "compat"
> tree, but I can use ldap tools to show compat entries.
>
> My questions:
> 1, Why do we have two trees created? I vaguely remember that it is
> mentioned that compat is for support of IPA as an NIS proxy?

Compat tree is a different view of the data stored in the main tree. Main tree follows schema defined by RFC 2307bis for users and groups. Compat displays the same data in RFC 2307 format for clients that do not understand the 2307bis schema (for example Solaris clients). NIS uses the compat tree for its data. The internal SUDO schema is also different from the standard, for the benefit of referential integrity, so the external, standard schema is exposed via the compat tree.

> 2, Can the migration script be modified to convert "memberUid" to
> "member" for the accounts tree? Or can I modify it manually and load
> the tree with ldapmod without breaking IPA?

It is not clear what you are trying to do. Main tree is already in the right format. Changing the data directly would not work. Please use ipa commands.
You can point clients to either main tree or compat tree depending upon what schema they expect. You can also switch the compat tree off completely. There is a command to do so added in 2.2.

> 3, What does Samba use, compat or accounts? I do have a Samba server
> set up as an IPA client and it works very well, but I don't seem to be
> able to find a place to specify either compat or accounts for user and
> group look up; I assume IPA client libraries take care of it. In fact
> there are no entries that are related to LDAP in my smb.conf, there
> are only a few lines related to IPA/Kerberos:

Samba uses the main tree but I do not think you configured anything other than authentication. It seems that samba is using a local back end. You need more info from samba gurus. You can catch them on irc on freenode.net or they might chime in here.

> =====
> security = user
> passdb backend = smbpasswd
>
> # Kerberos options
> realm = SRI.UTORONTO.CA
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/krb5.keytab
> =====
>
> Thanks in advance!
> Qing
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From Steven.Jones at vuw.ac.nz  Sun Jul 22 22:35:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Sun, 22 Jul 2012 22:35:51 +0000
Subject: [Freeipa-users] IPA and UIDS <500
In-Reply-To: <500962B1.6030806@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD524BA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1342658563.2492.122.camel@sgallagh520.sgallagh.bos.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD524FF@STAWINCOX10MBX1.staff.vuw.ac.nz> <1342697794.2492.124.camel@sgallagh520.sgallagh.bos.redhat.com> <1342703070.3219.211.camel@willson.li.ssimo.org> <56343345B145C043AE990701E3D193953368D0@EXVS2.nrplc.localnet> <1342713585.2492.147.camel@sgallagh520.sgallagh.bos.redhat.com>, <1342717796.3219.220.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD589FA@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50087A2D.50905@redhat.com>, <833D8E48405E064EBC54C84EC6B36E404CD58A19@STAWINCOX10MBX1.staff.vuw.ac.nz> <833D8E48405E064EBC54C84EC6B36E404CD59BC7@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500962B1.6030806@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6079A@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

I have had a RH support case open since the 17th....I keep getting different opinions on how to do it, none of which work so far.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Saturday, 21 July 2012 1:52 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA and UIDS <500

On 07/19/2012 06:06 PM, Steven Jones wrote:
> having problems with,
>
> ipa sudorule-add-host --groups banner-server-group banner-rule
>
>
> So I want to use a host-group so I can run this command across multiple servers. I take it I can't, so I have to add it per host?
>
>
Should work with host groups and user groups.
I do not have the exact syntax in front of me.
Please check the ipa help system; it has all the details.
If something does not work as advertised please collect all the details, logs, output and file a bug or ticket.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Steven Jones
> Sent: Friday, 20 July 2012 9:39 a.m.
> To: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] IPA and UIDS <500
>
> ah right....I've been trying to do this in IPA and failing....
>
> So I actually want,
>
> ipa sudorule-add banner-rule
> ipa sudorule-add-allow-command --sudocmds "/bin/sudo -i"
> ipa sudorule-add-host --groups banner-server-group banner-rule
> ipa sudorule-add-user --groups become-banner-saas-prod banner-rule
> ipa sudorule-add-user --user banner banner-rule
>
> ?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From amessina at messinet.com  Mon Jul 23 09:08:25 2012
From: amessina at messinet.com (Anthony Messina)
Date: Mon, 23 Jul 2012 04:08:25 -0500
Subject: [Freeipa-users] FreeIPA, rkhunter & "unknown rootkit"
Message-ID: <500D1489.9000608@messinet.com>

I have installed freeipa-server-2.2.0-1.fc17.x86_64 and it's running well. I have also installed rkhunter-1.4.0-1.fc17.noarch on the IPA server and each morning I receive the following report from rkhunter.
I imagine/hope that these are not actual rootkits and was wondering if anyone knew of a way to inform rkhunter/rkhunter.conf to "never mind" these, as they seem like they would be a normal part of the IPA/CA process. By the way, UID 995 is the pkiuser on my IPA system.

Thanks for any input. -A

rkhunter warning output follows:

Warning: The following processes are using suspicious files:
         Command: java
         UID: 995    PID: 1513
         Pathname: /var/log/pki-ca/system
         Possible Rootkit: Unknown rootkit

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


From sakodak at gmail.com  Mon Jul 23 14:42:12 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 23 Jul 2012 09:42:12 -0500
Subject: [Freeipa-users] servers going out of sync
Message-ID: 

Alright, this is pretty bad.
My servers keep going out of sync. I have four replicas, slpidml01 through 04. I only figure it out when weird things start happening. Is there a log somewhere that I can parse that says that updates aren't getting sent out? What are the types of things that can cause this?

I've googled around a bit and I don't see anyone else having a problem as bad as this seems to be. I'll be opening a ticket at RH, but I just wanted to put a feeler out here to see if anyone else has similar issues.

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6


From sakodak at gmail.com  Mon Jul 23 14:49:42 2012
From: sakodak at gmail.com (KodaK)
Date: Mon, 23 Jul 2012 09:49:42 -0500
Subject: [Freeipa-users] servers going out of sync
In-Reply-To: 
References: 
Message-ID: 

On Mon, Jul 23, 2012 at 9:42 AM, KodaK wrote:
> Alright, this is pretty bad.
>
> My servers keep going out of sync. I have four replicas, slpidml01
> through 04. I only figure it out when weird things start happening.
> Is there a log somewhere that I can parse that says that updates
> aren't getting sent out? What are the types of things that can cause
> this?
>
> I've googled around a bit and I don't see anyone else having a problem
> as bad as this seems to be. I'll be opening a ticket at RH, but I
> just wanted to put a feeler out here to see if anyone else has similar
> issues.
>

I'm getting this on all my servers when I try to force a re-initialization from the first server:

[root at slpidml03 ~]# ipa-replica-manage re-initialize --from slpidml01.unix.magellanhealth.com
ipa: INFO: Setting agreement cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping tree,cn=config
[slpidml01.unix.magellanhealth.com] reports: Update failed! Status: [-2 - System error]
[root at slpidml03 ~]#

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6


From pspacek at redhat.com  Mon Jul 23 15:07:08 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 23 Jul 2012 17:07:08 +0200
Subject: [Freeipa-users] servers going out of sync
In-Reply-To: 
References: 
Message-ID: <500D689C.6000602@redhat.com>

On 07/23/2012 04:49 PM, KodaK wrote:
> On Mon, Jul 23, 2012 at 9:42 AM, KodaK wrote:
>> Alright, this is pretty bad.
>>
>> My servers keep going out of sync. I have four replicas, slpidml01
>> through 04. I only figure it out when weird things start happening.
>> Is there a log somewhere that I can parse that says that updates
>> aren't getting sent out? What are the types of things that can cause
>> this?
>>
>> I've googled around a bit and I don't see anyone else having a problem
>> as bad as this seems to be. I'll be opening a ticket at RH, but I
>> just wanted to put a feeler out here to see if anyone else has similar
>> issues.
>>
>
> I'm getting this on all my servers when I try to force a
> re-initialization from the first server:
>
> [root at slpidml03 ~]# ipa-replica-manage re-initialize --from
> slpidml01.unix.magellanhealth.com
> ipa: INFO: Setting agreement
> cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping
> tree,cn=config schedule to 2358-2359 0 to force synch
> ipa: INFO: Deleting schedule 2358-2359 0 from agreement
> cn=meToslpidml03.unix.magellanhealth.com,cn=replica,cn=dc\3Dunix\2Cdc\3Dmagellanhealth\2Cdc\3Dcom,cn=mapping
> tree,cn=config
> [slpidml01.unix.magellanhealth.com] reports: Update failed! Status:
> [-2 - System error]
> [root at slpidml03 ~]#
>

Hello,

file /var/log/dirsrv/slapd-/errors should give more details about the "System error".

Petr^2 Spacek


From qchang at sri.utoronto.ca  Mon Jul 23 18:35:02 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Mon, 23 Jul 2012 14:35:02 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
In-Reply-To: <5009CA52.9000807@redhat.com>
References: <5009C5E3.9040807@sri.utoronto.ca> <5009CA52.9000807@redhat.com>
Message-ID: <500D9956.2030002@sri.utoronto.ca>

On 20/07/2012 5:14 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>> Greetings,
>>
>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>> and groups: compat and accounts. Using groups as an example:
>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>
>> The IPA web GUI does not show the "memberUid" attribute, although it is
>> migrated correctly. By adding a user to the group in the web GUI, it
>> reveals that the member is added to both compat and accounts, but
>> differently:
>> accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>> compat: memberUid: qchang
>>
>> It also reveals that the GUI does not display anything for the "compat"
>> tree, but I can use ldap tools to show compat entries.
>> My questions: >> 1, why do we have two trees created? I vaguely remember that it is >> mentioned that >> compat is for support of IPA as an NIS proxy? > > cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It > isn't a separate copy. > > It is so clients that don't support 2307bis can still authenticate and identify users using nss_ldap. > >> 2, Can the migration script be modified to convert "memberUid" to >> "member" for >> accounts tree? Or can I modify it manually and load the tree with >> ldapmod without >> breaking IPA? > > It already can, see the --schema option. > it says: --schema=['RFC2307bis', 'RFC2307'] The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis I assume I am using the default. Does this mean that I should use RFC2307 instead? It does not make much sense to me because my OpenLDAP server is using RFC2307 if I understand your comments above right. Thanks, Qing >> 3, What does Samba use, compat or accounts? I do have a Samba server >> setup as >> an IPA client and it works very well, but I don't seem to be able >> to find a place >> to specify either compat or accounts for user and group look up, I >> assume IPA >> client libraries take care of it. In fact there is no entries that >> are related to LDAP >> in my smb.conf, there is only a few lines related to IPA/Kerberos: >> ===== >> security = user >> passdb backend = smbpasswd >> >> # Kerberos options >> realm = SRI.UTORONTO.CA >> kerberos method = dedicated keytab >> dedicated keytab file = /etc/krb5.keytab >> ===== > > I'm not familiar with configure Samba with an ldap backend, maybe someone else will chime in. 
>
> rob

From rcritten at redhat.com Mon Jul 23 19:33:47 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Jul 2012 15:33:47 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
In-Reply-To: <500D9956.2030002@sri.utoronto.ca>
References: <5009C5E3.9040807@sri.utoronto.ca> <5009CA52.9000807@redhat.com> <500D9956.2030002@sri.utoronto.ca>
Message-ID: <500DA71B.4040300@redhat.com>

Qing Chang wrote:
>
>
> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>> Qing Chang wrote:
>>> Greetings,
>>>
>>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>>> and groups:
>>> compat and accounts, use groups as an example:
>>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>
>>> IPA web GUI does not show "memberUid" attribute, although it is
>>> migrated correctly,
>>> by adding a user to the group in the web GUI, it reveals that member is
>>> added to both
>>> compat and accounts, but differently:
>>> accounts: member:
>>> uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>> compat: memberUid: qchang
>>>
>>> It also reveals that GUI does not display anything for "compat" tree,
>>> but I can use
>>> ldap tools to show compat entries.
>>> My questions:
>>> 1, why do we have two trees created? I vaguely remember that it is
>>> mentioned that
>>> compat is for support of IPA as an NIS proxy?
>>
>> cn=compat is a view of the data in rfc2307-compatible format (so
>> memberUid instead of member). It isn't a separate copy.
>>
>> It is so clients that don't support 2307bis can still authenticate and
>> identify users using nss_ldap.
>>
>>> 2, Can the migration script be modified to convert "memberUid" to
>>> "member" for
>>> accounts tree? Or can I modify it manually and load the tree with
>>> ldapmod without
>>> breaking IPA?
>>
>> It already can, see the --schema option.
>>
> it says:
> --schema=['RFC2307bis', 'RFC2307']
> The schema used on the LDAP server.
> Supported values
> are RFC2307 and RFC2307bis. The default is
> RFC2307bis
>
> I assume I am using the default. Does this mean that I should use
> RFC2307 instead?
> It does not make much sense to me because my OpenLDAP server is using
> RFC2307 if I understand your comments above right.

If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to specify membership) then use --schema=RFC2307.

You are specifying the remote schema, not the local schema.

rob

From jlinoff at tabula.com Mon Jul 23 20:50:54 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 23 Jul 2012 13:50:54 -0700
Subject: [Freeipa-users] User can't login via ssh from external
Message-ID: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com>

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning but it didn't work. That particular user is still not able to login. What is even more interesting is that I created a user with the identical setup and the new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup issue like ssh. It may be some sort of HBAC rule violation or something else equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,
Joe

From Steven.Jones at vuw.ac.nz Mon Jul 23 21:21:25 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 Jul 2012 21:21:25 +0000
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6295B@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

In the gui you can do a hbac test of the rule.

Also what are the UIDS? IPA provided 32bit ones? or your own?
I'd suggest re-setting that user's password and get them to login and reset the password, that works for me, it was a sign of bad/failed replication in my system I think (now fixed).

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Joe Linoff [jlinoff at tabula.com]
Sent: Tuesday, 24 July 2012 8:50 a.m.
To: sgallagh at redhat.com; dpal at redhat.com
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning but it didn't work. That particular user is still not able to login. What is even more interesting is that I created a user with the identical setup and the new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup issue like ssh. It may be some sort of HBAC rule violation or something else equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,
Joe

From jlinoff at tabula.com Mon Jul 23 21:55:42 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 23 Jul 2012 14:55:42 -0700
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010E1424@mantaray.tabula.com>

Hi Folks:

I managed to get the user working doing the following (all from the CLI):

1. Deleted the user (ipa user-del new-user)
2. Re-added the user
3. Add the user to administrator groups.
4. Changed/set the password.
5. Removed the administrator privileges.
6. Attempt report ssh login.

Steps 3 and 5 are a hack but I can demonstrate that not doing them causes the strange login problem. I can also show that the HBAC rules are enforced properly after step 5 is run so this works for me. I just don't understand why it is necessary.

Thank you for all of your help and suggestions.

Regards,
Joe

From: Joe Linoff
Sent: Monday, July 23, 2012 1:51 PM
To: sgallagh at redhat.com; dpal at redhat.com
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Stephen and Dmitri:

Thank you for the sshd GSSAPI configuration suggestion. I tried it this morning but it didn't work. That particular user is still not able to login. What is even more interesting is that I created a user with the identical setup and the new user worked (i.e., they were able to ssh in remotely).

I am really confused by this because it does not appear to be a global setup issue like ssh. It may be some sort of HBAC rule violation or something else equally strange. I just can't figure it out.

Can you suggest any other ways to troubleshoot this?

Thanks,
Joe

From jlinoff at tabula.com Mon Jul 23 22:04:14 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 23 Jul 2012 15:04:14 -0700
Subject: [Freeipa-users] User can't login via ssh from external
Message-ID: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using "ipa hbactest ...". It showed that the rules were correct. Do you think that the GUI might provide a different result?

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID's were provided by IPA. Actually during testing I also provided my own at one point but reverted back when that didn't seem to make a difference.
Can you explain why that might cause the problem? For example, would duplicates break the system or are there ranges of UIDs that are not legal?

> I'd suggest re-setting that user's password and get them to login and reset the password, that
> works for me, it was a sign of bad/failed replication in my system I think (now fixed).

I tried that using kpasswd and "ipa passwd" to change the password but neither solved the problem. In both cases I was able to run "kinit new-user" and set the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I could not (and cannot) figure out where. It is doubly difficult because removing and re-adding the user worked. In addition, adding other users worked.

Regards,
Joe

From Steven.Jones at vuw.ac.nz Mon Jul 23 22:18:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 Jul 2012 22:18:13 +0000
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD629E6@STAWINCOX10MBX1.staff.vuw.ac.nz>

as below.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Joe Linoff [jlinoff at tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using "ipa hbactest ...". It showed that the rules were correct. Do you think that the GUI might provide a different result?
========
probably not
========

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UID's were provided by IPA. Actually during testing I also provided my own at one point but reverted back when that didn't seem to make a difference.

Can you explain why that might cause the problem? For example, would duplicates break the system or are there ranges of UIDs that are not legal?

===========
pam prevents any user with a UID <500 from logging in with ssh (that bit me last week).
===========

> I'd suggest re-setting that user's password and get them to login and reset the password, that
> works for me, it was a sign of bad/failed replication in my system I think (now fixed).

I tried that using kpasswd and "ipa passwd" to change the password but neither solved the problem. In both cases I was able to run "kinit new-user" and set the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I could not (and cannot) figure out where. It is doubly difficult because removing and re-adding the user worked. In addition, adding other users worked.

======
Yes, I had the same symptoms, removing and re-adding a user worked for me also but re-setting the user's password in the web ui also worked and it's easier. It came down to failed replication I think, as now that is solved the issue has not re-appeared for users.
======

Regards,
Joe
From rcritten at redhat.com Mon Jul 23 22:20:52 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Jul 2012 18:20:52 -0400
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1424@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010E1424@mantaray.tabula.com>
Message-ID: <500DCE44.4010301@redhat.com>

Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
>
> 2. Re-added the user
>
> 3. Add the user to administrator groups.
>
> 4. Changed/set the password.
>
> 5. Removed the administrator privileges.
>
> 6. Attempt report ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that /not /doing them
> causes the strange login problem. I can also show that the HBAC rules
> are enforced properly after step 5 is run so this works for me. I just
> don't understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is add a member/memberof and then remove it. I don't see how this would affect anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:*Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgallagh at redhat.com; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it this
> morning but it didn't work. That particular user is still not able to
> login. What is even more interesting is that I created a user with the
> identical setup and the new user worked (i.e., they were able to ssh in
> remotely).
>
> I am really confused by this because it does not appear to be a global
> setup issue like ssh.
> It may be some sort of HBAC rule violation or
> something else equally strange. I just can't figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
>
> Thanks,
>
> Joe
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From rcritten at redhat.com Mon Jul 23 22:22:55 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 23 Jul 2012 18:22:55 -0400
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
Message-ID: <500DCEBF.5040506@redhat.com>

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
> > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using "ipa
> hbactest ...". It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

> > Also what are the UIDS? IPA provided 32bit ones? or your own?
>
> The UID's were provided by IPA. Actually during testing I also provided
> my own at one point but reverted back when that didn't seem to make a
> difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

> > I'd suggest re-setting that user's password and get them to login and
> reset the password, that
>
> > works for me, it was a sign of bad/failed replication in my system I
> think (now fixed).
>
> I tried that using kpasswd and "ipa passwd" to change the password but
> neither solved the problem. In both cases I was able to run "kinit
> new-user" and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem. It looks like something got out of sync
> but I could not (and cannot) figure out where. It is doubly difficult
> because removing and re-adding the user worked. In addition, adding
> other users worked.

It could be that sssd cached something and wouldn't let it go, too. If you can reproduce this it is probably worthwhile bump up the log level and add pam debug logging to see what is happening.

regards

rob

From jlinoff at tabula.com Mon Jul 23 22:30:13 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 23 Jul 2012 15:30:13 -0700
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <500DCE44.4010301@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010E1414@mantaray.tabula.com> <8AD4194C251EC74CB897E261038F4478010E1424@mantaray.tabula.com> <500DCE44.4010301@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010E142A@mantaray.tabula.com>

Hi Rob:

Thank you for helping.

> Are you performing a login between steps 3 and 5? Otherwise all that does is add
> a member/memberof and then remove it. I don't see how this would affect anything.

Hmmm, good point. I think that I was probably doing a "kinit" between steps 3 and 5 which would amount to the same thing, right?

Regards,
Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, July 23, 2012 3:21 PM
To: Joe Linoff
Cc: sgallagh at redhat.com; dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Folks:
>
> I managed to get the user working doing the following (all from the CLI):
>
> 1. Deleted the user (ipa user-del new-user)
>
> 2. Re-added the user
>
> 3. Add the user to administrator groups.
>
> 4. Changed/set the password.
>
> 5. Removed the administrator privileges.
>
> 6. Attempt report ssh login.
>
> Steps 3 and 5 are a hack but I can demonstrate that /not /doing them
> causes the strange login problem.
> I can also show that the HBAC rules
> are enforced properly after step 5 is run so this works for me. I just
> don't understand why it is necessary.

Are you performing a login between steps 3 and 5? Otherwise all that does is add a member/memberof and then remove it. I don't see how this would affect anything.

rob

> Thank you for all of your help and suggestions.
>
> Regards,
>
> Joe
>
> *From:*Joe Linoff
> *Sent:* Monday, July 23, 2012 1:51 PM
> *To:* sgallagh at redhat.com; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com; Joe Linoff
> *Subject:* Re: [Freeipa-users] User can't login via ssh from external
>
> Hi Stephen and Dmitri:
>
> Thank you for the sshd GSSAPI configuration suggestion. I tried it
> this morning but it didn't work. That particular user is still not
> able to login. What is even more interesting is that I created a user
> with the identical setup and the new user worked (i.e., they were able
> to ssh in remotely).
>
> I am really confused by this because it does not appear to be a global
> setup issue like ssh. It may be some sort of HBAC rule violation or
> something else equally strange. I just can't figure it out.
>
> Can you suggest any other ways to troubleshoot this?
>
>
> Thanks,
>
> Joe
>

From jlinoff at tabula.com Mon Jul 23 22:33:19 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Mon, 23 Jul 2012 15:33:19 -0700
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <500DCEBF.5040506@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com> <500DCEBF.5040506@redhat.com>
Message-ID: <8AD4194C251EC74CB897E261038F4478010E142B@mantaray.tabula.com>

Hi Rob:

> The issue is if the UIDS are < 1000 they are treated as local in sssd.

Ahh, of course, thanks.
I never assigned any UIDs < 1000 (or less than 10000 for that matter).

> It could be that sssd cached something and wouldn't let it go, too. If you can reproduce
> this it is probably worthwhile bump up the log level and add pam debug logging to see
> what is happening.

That is a great idea and it makes sense given what I was seeing. I will give it a try. I just wasn't sure which service I should be analyzing.

Regards,
Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Monday, July 23, 2012 3:23 PM
To: Joe Linoff
Cc: Steven.Jones at vuw.ac.nz; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

Joe Linoff wrote:
> Hi Steve:
>
> Thank you for your suggestions.
>
> > In the gui you can do a hbac test of the rule.
>
> I ran the hbactest rule testing from the command line using "ipa
> hbactest ...". It showed that the rules were correct. Do you think that
> the GUI might provide a different result?

No, the GUI and CLI share exactly the same backend code.

> > Also what are the UIDS? IPA provided 32bit ones? or your own?
>
> The UID's were provided by IPA. Actually during testing I also
> provided my own at one point but reverted back when that didn't seem
> to make a difference.
>
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not legal?

The issue is if the UIDS are < 1000 they are treated as local in sssd.

> > I'd suggest re-setting that user's password and get them to login
> and reset the password, that
>
> > works for me, it was a sign of bad/failed replication in my system
> I think (now fixed).
>
> I tried that using kpasswd and "ipa passwd" to change the password but
> neither solved the problem. In both cases I was able to run "kinit
> new-user" and set the credentials using the new password but new-user
> could not ssh in.
>
> It was a really strange problem.
> It looks like something got out of
> sync but I could not (and cannot) figure out where. It is doubly
> difficult because removing and re-adding the user worked. In addition,
> adding other users worked.

It could be that sssd cached something and wouldn't let it go, too. If you can reproduce this it is probably worthwhile bump up the log level and add pam debug logging to see what is happening.

regards

rob

From Steven.Jones at vuw.ac.nz Mon Jul 23 23:38:16 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Mon, 23 Jul 2012 23:38:16 +0000
Subject: [Freeipa-users] winsync msi
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

For the winsync agreement my Windows and security teams want to know its details,

eg who wrote it, it is Microsoft certified etc.

Where will I find such info?

All I have is

http://port389.org/wiki/Download

Which doesn't tell me much.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From rmeggins at redhat.com Tue Jul 24 00:11:12 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 23 Jul 2012 18:11:12 -0600
Subject: [Freeipa-users] winsync msi
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <500DE820.7090907@redhat.com>

On 07/23/2012 05:38 PM, Steven Jones wrote:
> Hi,
>
> For the winsync agreement my Windows and security teams want to know its details,
>
> eg who wrote it,

Red Hat - do you need to know the names of the developers?

> it is Microsoft certified etc.

Not that I know of - how would one go about doing that?

>
> Where will I find such info?
>
> All I have is
>
> http://port389.org/wiki/Download
>
> Which doesn't tell me much.

There is more info in the actual .msi file.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

From Steven.Jones at vuw.ac.nz Tue Jul 24 00:32:39 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 Jul 2012 00:32:39 +0000
Subject: [Freeipa-users] winsync msi
In-Reply-To: <500DE820.7090907@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

No not specific developers but some sort of statement of ownership from RedHat I suppose.

So they are I assume looking for some sort of confidence that it won't trash AD and if I install it and it does trash our AD some liability.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Tuesday, 24 July 2012 12:11 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] winsync msi

On 07/23/2012 05:38 PM, Steven Jones wrote:
> Hi,
>
> For the winsync agreement my Windows and security teams want to know its details,
>
> eg who wrote it,

Red Hat - do you need to know the names of the developers?

> it is Microsoft certified etc.

Not that I know of - how would one go about doing that?

>
> Where will I find such info?
>
> All I have is
>
> http://port389.org/wiki/Download
>
> Which doesn't tell me much.

There is more info in the actual .msi file.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

From jhrozek at redhat.com Tue Jul 24 05:45:10 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 24 Jul 2012 07:45:10 +0200
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <500DCEBF.5040506@redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com> <500DCEBF.5040506@redhat.com>
Message-ID: <20120724054510.GA10817@hendrix.redhat.com>

On Mon, Jul 23, 2012 at 06:22:55PM -0400, Rob Crittenden wrote:
> Joe Linoff wrote:
> >Hi Steve:
> >
> >Thank you for your suggestions.
> >
> > > In the gui you can do a hbac test of the rule.
> >
> >I ran the hbactest rule testing from the command line using "ipa
> >hbactest ...". It showed that the rules were correct. Do you think that
> >the GUI might provide a different result?
>
> No, the GUI and CLI share exactly the same backend code.
>
> > > Also what are the UIDS? IPA provided 32bit ones? or your own?
> >
> >The UID's were provided by IPA. Actually during testing I also provided
> >my own at one point but reverted back when that didn't seem to make a
> >difference.
> >
> >Can you explain why that might cause the problem? For example, would
> >duplicates break the system or are there ranges of UIDs that are not legal?
>
> The issue is if the UIDS are < 1000 they are treated as local in sssd.
>
> > > I'd suggest re-setting that user's password and get them to login and
> >reset the password, that
> >
> > > works for me, it was a sign of bad/failed replication in my system I
> >think (now fixed).
> >
> >I tried that using kpasswd and "ipa passwd" to change the password but
> >neither solved the problem. In both cases I was able to run "kinit
> >new-user"
> >and set the credentials using the new password but new-user
> >could not ssh in.
> >
> >It was a really strange problem. It looks like something got out of sync
> >but I could not (and cannot) figure out where. It is doubly difficult
> >because removing and re-adding the user worked. In addition, adding
> >other users worked.
>
> It could be that sssd cached something and wouldn't let it go, too.
> If you can reproduce this it is probably worthwhile bump up the log
> level and add pam debug logging to see what is happening.

As Rob says, I think we should take a look at SSSD and system logs.

Can you paste or attach the couple of lines that are appended to /var/log/secure during the login attempt? That should give us a clue on whether the SSSD PAM modules are contacted.

Can you also add "debug_level = 8" to the [pam] and [domain/$name] sections of the SSSD, restart the SSSD and paste or attach /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$name.log ?

Feel free to sanitize the logs before sending them out.

From sigbjorn at nixtra.com Tue Jul 24 08:22:56 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 24 Jul 2012 10:22:56 +0200 (CEST)
Subject: [Freeipa-users] "Request is a replay"
Message-ID: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com>

Hi,

I keep seeing this error message in our production environment "Request is a replay" in various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA 2.2.

Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)

Searching google seems to suggest that this is an error with time. However we have NTP configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no issue before, and I cannot find an issue with the time being out of sync on the machines where this is happening.
Rgds,
Siggi

From qchang at sri.utoronto.ca Tue Jul 24 12:54:01 2012
From: qchang at sri.utoronto.ca (Qing Chang)
Date: Tue, 24 Jul 2012 08:54:01 -0400
Subject: [Freeipa-users] Openldap to IPA migration confusion
In-Reply-To: <500DA71B.4040300@redhat.com>
References: <5009C5E3.9040807@sri.utoronto.ca> <5009CA52.9000807@redhat.com> <500D9956.2030002@sri.utoronto.ca> <500DA71B.4040300@redhat.com>
Message-ID: <500E9AE9.3070405@sri.utoronto.ca>

On 23/07/2012 3:33 PM, Rob Crittenden wrote:
> Qing Chang wrote:
>>
>>
>> On 20/07/2012 5:14 PM, Rob Crittenden wrote:
>>> Qing Chang wrote:
>>>> Greetings,
>>>>
>>>> Migration from OpenLDAP to IPA creates a pair of subtrees for both users
>>>> and groups:
>>>> compat and accounts, use groups as an example:
>>>> dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
>>>> dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>>
>>>> IPA web GUI does not show "memberUid" attribute, although it is
>>>> migrated correctly,
>>>> by adding a user to the group in the web GUI, it reveals that member is
>>>> added to both
>>>> compat and accounts, but differently:
>>>> accounts: member:
>>>> uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
>>>> compat: memberUid: qchang
>>>>
>>>> It also reveals that GUI does not display anything for "compat" tree,
>>>> but I can use
>>>> ldap tools to show compat entries.
>>>> My questions:
>>>> 1, why do we have two trees created? I vaguely remember that it is
>>>> mentioned that
>>>> compat is for support of IPA as an NIS proxy?
>>>
>>> cn=compat is a view of the data in rfc2307-compatible format (so
>>> memberUid instead of member). It isn't a separate copy.
>>>
>>> It is so clients that don't support 2307bis can still authenticate and
>>> identify users using nss_ldap.
>>>
>>>> 2, Can the migration script be modified to convert "memberUid" to
>>>> "member" for
>>>> accounts tree? Or can I modify it manually and load the tree with
>>>> ldapmod without
>>>> breaking IPA?
>>> >>> It already can, see the --schema option. >>> >> it says: >> --schema=['RFC2307bis', 'RFC2307'] >> The schema used on the LDAP server. Supported >> values >> are RFC2307 and RFC2307bis. The default is >> RFC2307bis >> >> I assume I am using the default. Does this mean that I should use >> RFC2307 instead? >> It does not make much sense to me because my OpenLDAP server is using >> RFC2307 if I understand your comments above right. > > If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to > specify membership) then use --schema=RFC2307. > > You are specifying the remote schema, not the local schema. > Indeed it is the remote schema, for future reference, this my command line: # ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group --group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup > rob Your help is much appreciated! Qing From mmercier at gmail.com Tue Jul 24 13:57:31 2012 From: mmercier at gmail.com (Michael Mercier) Date: Tue, 24 Jul 2012 09:57:31 -0400 Subject: [Freeipa-users] IPA3 beta - CA will not install Message-ID: <7A33515B-31EA-4600-AFD9-348D1DF713C9@gmail.com> Hello, I am attempting to install the IPA 3.x beta on Fedora 17 and running into some difficulty. I performed the following steps attempting the install (following setup instructions for FreeIPA 2.2): 1. Download Fedora 17 2. Install Fedora 17 with VMWare 3. add hostname to /etc/hosts - 172.16.112.10 ipaserver.beta.local ipaserver 4. yum update 5. 
open the following ports on the firewall tcp 80,443,389,636,88,464,53,7389 udp 88,464,53,123

iptables -L
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kerberos
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kpasswd
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7389
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kerberos
ACCEPT udp -- anywhere anywhere state NEW udp dpt:kpasswd
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp

6. Disable NetworkManager and enable network
7. reboot
8. add freeipa repository
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
9. yum install freeipa-server bind bind-dyndb-ldap
10. ipa-server-install

Attached is the log file.

Thanks,
Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipaserver-install.log
Type: application/octet-stream
Size: 18129 bytes
Desc: not available
URL:

From pviktori at redhat.com Tue Jul 24 14:09:25 2012
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 24 Jul 2012 16:09:25 +0200
Subject: [Freeipa-users] IPA3 beta - CA will not install
In-Reply-To: <7A33515B-31EA-4600-AFD9-348D1DF713C9@gmail.com>
References: <7A33515B-31EA-4600-AFD9-348D1DF713C9@gmail.com>
Message-ID: <500EAC95.10109@redhat.com>

On 07/24/2012 03:57 PM, Michael Mercier wrote:
> Hello,
>
> I am attempting to install the IPA 3.x beta on Fedora 17 and running into some difficulty.
>
> I performed the following steps attempting the install (following setup instructions for FreeIPA 2.2):
>
> 1. Download Fedora 17
> 2. Install Fedora 17 with VMWare
> 3.
> add hostname to /etc/hosts - 172.16.112.10 ipaserver.beta.local ipaserver
> 4. yum update
> 5. open the following ports on the firewall tcp 80,443,389,636,88,464,53,7389 udp 88,464,53,123
>
> iptables -L
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldaps
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kerberos
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:kpasswd
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:7389
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:kerberos
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:kpasswd
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
>
> 6. Disable NetworkManager and enable network
> 7. reboot
> 8. add freeipa repository
> baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
> 9. yum install freeipa-server bind bind-dyndb-ldap
> 10. ipa-server-install
>
> Attached is the log file.
>
> Thanks,
> Mike
>

This was reported a while ago, see https://www.redhat.com/archives/freeipa-users/2012-July/msg00167.html for the workaround.

-- 
Petr³

From rcritten at redhat.com Tue Jul 24 14:21:26 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 24 Jul 2012 10:21:26 -0400
Subject: [Freeipa-users] IPA3 beta - CA will not install
In-Reply-To: <500EAC95.10109@redhat.com>
References: <7A33515B-31EA-4600-AFD9-348D1DF713C9@gmail.com> <500EAC95.10109@redhat.com>
Message-ID: <500EAF66.4020202@redhat.com>

Petr Viktorin wrote:
> On 07/24/2012 03:57 PM, Michael Mercier wrote:
>> Hello,
>>
>> I am attempting to install the IPA 3.x beta on Fedora 17 and running into some difficulty.
>
> This was reported a while ago, see https://www.redhat.com/archives/freeipa-users/2012-July/msg00167.html for the workaround.
>

Or try updating the pki-* packages to 9.0.21, the packages are in updates-testing. The dogtag team fixed an SELinux issue introduced in a recent selinux-policy update.
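Michael's firewall step, quoted above, lists the ports a FreeIPA server needs and the `iptables -L` rules that open them. The following is an added example, not something from the thread and not a FreeIPA tool: it parses an `iptables -L` listing (service names or numbers after `dpt:`), resolves the names the way the kernel's listing prints them, and reports which of the required (protocol, port) pairs have no ACCEPT rule. The required set is taken from the poster's list as he followed it from the FreeIPA 2.2 instructions (tcp 80, 443, 389, 636, 88, 464, 53, 7389; udp 88, 464, 53, 123); whether a given IPA release needs exactly that set is an assumption to check against its own install guide. The sample listing reproduces the poster's rules with realistic chain header lines added and the tcp/7389 rule deliberately left out so the check has something to report.

```python
"""Check an `iptables -L` listing against the port set a FreeIPA server needs.

Added example, not part of the thread and not a FreeIPA tool. The REQUIRED
set is the one the poster followed from the FreeIPA 2.2 instructions; treat
it as an assumption for other releases.
"""
import re
import socket
import sys
from typing import Dict, Iterable, List, Set, Tuple

REQUIRED: Dict[str, Set[int]] = {
    "tcp": {80, 443, 389, 636, 88, 464, 53, 7389},
    "udp": {88, 464, 53, 123},
}

# Names iptables prints for well-known ports; consulted before /etc/services
# so the check also works on a host without that file.
SERVICE_PORTS: Dict[str, int] = {
    "ssh": 22, "http": 80, "https": 443, "ldap": 389, "ldaps": 636,
    "kerberos": 88, "kpasswd": 464, "domain": 53, "ntp": 123,
}

# Matches lines such as: ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ldap
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+\S+.*?\bdpt:(?P<port>\S+)"
)


def resolve_port(name: str, proto: str) -> int:
    """Turn a dpt: value (number or service name) into a port number."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    return socket.getservbyname(name, proto)  # raises OSError if unknown


def accepted_ports(listing: Iterable[str]) -> Dict[str, Set[int]]:
    """Collect the (proto, port) pairs that ACCEPT rules open; other targets are ignored."""
    opened: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for line in listing:
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "ACCEPT":
            continue
        proto = m.group("proto")
        opened[proto].add(resolve_port(m.group("port"), proto))
    return opened


def missing_ports(listing: Iterable[str],
                  required: Dict[str, Set[int]] = REQUIRED) -> List[Tuple[str, int]]:
    """Return the required (proto, port) pairs that no ACCEPT rule covers, sorted."""
    opened = accepted_ports(listing)
    return sorted((proto, port)
                  for proto, ports in required.items()
                  for port in ports - opened.get(proto, set()))


def report(listing: str) -> str:
    """One-line summary for a whole `iptables -L` listing."""
    gaps = missing_ports(listing.splitlines())
    if not gaps:
        return "all required FreeIPA ports are accepted"
    return "missing: " + ", ".join(f"{proto}/{port}" for proto, port in gaps)


# Constructed sample: the poster's rules inside realistic chain headers,
# with the tcp/7389 (dogtag) rule removed on purpose.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ldaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:kerberos
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:kpasswd
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:kerberos
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:kpasswd
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    # Usage: iptables -L | python check_ipa_ports.py   (falls back to the sample on a tty)
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    print(report(text))
```

Piping a live `iptables -L` into the script needs root to run iptables, not to run the check; on the sample it prints `missing: tcp/7389`, which is exactly the kind of gap that surfaces later as a CA or replica install failure rather than as a firewall error.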
rob

From rmeggins at redhat.com Tue Jul 24 14:54:01 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 24 Jul 2012 08:54:01 -0600
Subject: [Freeipa-users] winsync msi
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <500EB709.3080105@redhat.com>

On 07/23/2012 06:32 PM, Steven Jones wrote:
> Hi,
>
> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it won't trash AD and if I install it and it does trash our AD some liability.

Can you point me at another open source project that provides Windows binaries that provides some sort of guarantee or statement or documentation like this? I'd like to see what other projects do and provide something similar.

Or is this the first (and only?) time anyone in your organization has ever installed any open source software on Windows?

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Tuesday, 24 July 2012 12:11 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] winsync msi
>
> On 07/23/2012 05:38 PM, Steven Jones wrote:
>> Hi,
>>
>> For the winsync agreement my Windows and security teams want to know its details,
>>
>> eg who wrote it,
> Red Hat - do you need to know the names of the developers?
>
>> it is Microsoft certified etc.
> Not that I know of - how would one go about doing that?
>> Where will I find such info?
>>
>> All I have is
>>
>> http://port389.org/wiki/Download
>>
>> Which doesn't tell me much.
> There is more info in the actual .msi file.
>> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From simo at redhat.com Tue Jul 24 18:29:33 2012 From: simo at redhat.com (Simo Sorce) Date: Tue, 24 Jul 2012 14:29:33 -0400 Subject: [Freeipa-users] "Request is a replay" In-Reply-To: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> Message-ID: <1343154573.3219.335.camel@willson.li.ssimo.org> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote: > Hi, > > I keep seing this error message in our production environment "Request is a replay" in variuos > services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA > 2.2. > > > Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide > more information (Request is a replay) > > Seaching google seem to suggest that this is an error with time. However we have NTP configured > (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no > issue before, and I cannot find issue with the time being out of sync on the machines where this > is happening. This error usually appears only when a same request is found in the replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew. Can you tell me what operation was being performed by sssd when you caught that error ? Can you check if immediately before another identical operation had been performed ? Simo. 
-- 
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Tue Jul 24 21:15:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 24 Jul 2012 21:15:41 +0000
Subject: [Freeipa-users] winsync msi
In-Reply-To: <500EB709.3080105@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi Rich,

I can appreciate what you are saying, but....

Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed.

So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA.

IPA like AD is not just another application, it's at the very centre of everything. For us it will be the second or third most important system we have. It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base.

Let's see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users?

So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it won't happen again. If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk averse.

Crazy thing of course is, yes IPA is free.......
;]

I can appreciate things seem very strange in that context. Consider that it's taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....it's proven very tasty......

:)

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
> Not that I know of - how would one go about doing that? >> Where will I find such info? >> >> All I have is >> >> http://port389.org/wiki/Download >> >> Which doesn't tell me much. > There is more info in the actual .msi file. >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From sigbjorn at nixtra.com Wed Jul 25 07:09:01 2012 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 25 Jul 2012 09:09:01 +0200 (CEST) Subject: [Freeipa-users] 'Request is a replay' In-Reply-To: <1343154573.3219.335.camel@willson.li.ssimo.org> References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> Message-ID: <19082.213.225.75.97.1343200141.squirrel@www.nixtra.com> On Tue, July 24, 2012 20:29, Simo Sorce wrote: > On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote: > >> Hi, >> >> >> I keep seing this error message in our production environment "Request is a replay" in variuos >> services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / >> IPA >> 2.2. >> >> >> >> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may >> provide more information (Request is a replay) >> >> Seaching google seem to suggest that this is an error with time. However we have NTP configured >> (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no >> issue before, and I cannot find issue with the time being out of sync on the machines where this >> is happening. 
>
> This error usually appears only when the same request is found in the replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>
> Can you tell me what operation was being performed by sssd when you caught that error ? Can you check if immediately before another identical operation had been performed ?
>

Unfortunately no, I believe I was doing an "ls -l" on a nfs drive where sssd had to look up some uids, or a "ps -ef" where sssd also had to look up some uids or something related. I am unable to recreate the error with any specific commands, it's occurring randomly.

Mind you, it's occurring to all kerberos based services, not just sssd.

Rgds,
Siggi

From sigbjorn at nixtra.com Wed Jul 25 07:54:36 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Wed, 25 Jul 2012 09:54:36 +0200 (CEST)
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <1343154573.3219.335.camel@willson.li.ssimo.org>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org>
Message-ID: <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com>

On Tue, July 24, 2012 20:29, Simo Sorce wrote:
> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> I keep seeing this error message in our production environment "Request is a replay" in various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA 2.2.
>>
>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)
>>
>> Searching google seems to suggest that this is an error with time. However we have NTP configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There has been no issue before, and I cannot find issue with the time being out of sync on the machines where this is happening.
>
> This error usually appears only when the same request is found in the replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>
> Can you tell me what operation was being performed by sssd when you caught that error ? Can you check if immediately before another identical operation had been performed ?
>

That being said, I do have 1 IPA server (out of 3) that has significantly higher CPU usage than the other 2, the 15-minute load average is sitting at between 0.85 and 0.95 the entire day, where ns-slapd 389-ds process is running at 100% most of the time.

Load: 1.02, 0.94, 0.87

In comparison the other two IPA servers have a 15-minute average between 0.10 - 0.30 throughout the day, and the ns-slapd process is far from being such a cpu hog.

On the server having high load, running even a command such as "ipactl status" can take up to 20 seconds to complete, where "Directory Service: RUNNING" returns after a second or so, and to list the rest of the services takes the remaining 19 seconds. Also the web interface on this particular IPA server is rendered unusable, returning "Limits exceeded for the query" for almost any action.

Restarting all the IPA services (ipactl restart) on the problematic host somewhat improves the situation, however that particular server returns to having heavy load quickly.

Using logconv.pl to analyze the dirsrv access log file displays that the server in question has the lowest search queries per min with 106 queries/min. The other servers have 710 search queries/sec and 168 queries/sec. For modifications all the IPA servers have about 5-6 queries/sec. For unindexed searches the problematic server is the server with the lowest number. It does however have more than twice the amount of GSSAPI binds than the other servers with over 61000 GSSAPI binds over a 17 hour period.

The problematic server is a physical server with 2 x AMD 2.4GHz Quad core CPU and 8GB of RAM.
This issue is also impacting all the clients, where I see random hangs with anything involving a ldap or kerberos query to the IPA servers.

Any suggestions?

Regards,
Siggi

From rmeggins at redhat.com Wed Jul 25 13:58:14 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Jul 2012 07:58:14 -0600
Subject: [Freeipa-users] winsync msi
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <500FFB76.5020003@redhat.com>

On 07/24/2012 03:15 PM, Steven Jones wrote:
> Hi Rich,
>
> I can appreciate what you are saying, but....
>
> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed.
>
> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA.
>
> IPA like AD is not just another application, it's at the very centre of everything. For us it will be the second or third most important system we have. It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base.
>
> Let's see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users?
>
> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it won't happen again.
> If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk averse.
>
> Crazy thing of course is, yes IPA is free.......
>
> ;]
>
> I can appreciate things seem very strange in that context. Consider that it's taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....it's proven very tasty......

Ok. If you are a Red Hat paying customer, you should get the RedHat-PassSync .msi from an official Red Hat channel. We are working on addressing this issue.
From Steven.Jones at vuw.ac.nz Wed Jul 25 20:41:46 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 25 Jul 2012 20:41:46 +0000
Subject: [Freeipa-users] winsync msi
In-Reply-To: <500FFB76.5020003@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com>
<833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Ah ok, I have the "official" one.

One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272
From jlinoff at tabula.com Wed Jul 25 21:38:36 2012
From: jlinoff at tabula.com (Joe Linoff)
Date: Wed, 25 Jul 2012 14:38:36 -0700
Subject: [Freeipa-users] User can't login via ssh from external
Message-ID: <8AD4194C251EC74CB897E261038F4478010E150D@mantaray.tabula.com>

> As Rob says, I think we should take a look at SSSD and system logs.
> Can you paste or attach the couple of lines that are appended to /var/log/secure during the login attempt? That should give us a clue on whether the SSSD PAM modules are contacted.
> Can you also add "debug_level = 8" to the [pam] and [domain/$name] sections of the SSSD, restart the SSSD and paste or attach /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$name.log ?
> Feel free to sanitize the logs before sending them out.

Thank you.

Unfortunately I am unable to reproduce the problem so I am not sure that this is a good use of your time. If I find that I can reproduce it, I will capture the logs and send them on.

Does that make sense?

Thank you for your suggestions and help.

Regards,
Joe

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Wed Jul 25 23:59:53 2012
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Jul 2012 17:59:53 -0600
Subject: [Freeipa-users] winsync msi
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50108879.7090007@redhat.com>

On 07/25/2012 02:41 PM, Steven Jones wrote:
> Hi,
>
> Ah ok, I have the "official" one.

From where did you get it? And does it allay your concerns?

> One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause.

Which page is that? The Howto:WindowsSync?
> > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Thursday, 26 July 2012 1:58 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync msi > > On 07/24/2012 03:15 PM, Steven Jones wrote: >> Hi Rich, >> >> I can appreciate what you are saying, but.... >> >> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed. >> >> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA. >> >> IPA like AD is not just another application, its at the very centre of everything. For us it will be the second or third most important system we have. It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base. >> >> Lets see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users? >> >> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it wont happen again. If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk adverse. >> >> Crazy thing of course is, yes IPA is free....... >> >> ;] >> >> I can appreciate things seem very strange in that context. 
Consider that its taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....its proven very tasty...... > Ok. If you are a Red Hat paying customer, you should get the > RedHat-PassSync .msi from an official Red Hat channel. We are working > on addressing this issue. >> :) >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Rich Megginson [rmeggins at redhat.com] >> Sent: Wednesday, 25 July 2012 2:54 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync msi >> >> On 07/23/2012 06:32 PM, Steven Jones wrote: >>> Hi, >>> >>> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability. >> Can you point me at another open source project that provides Windows >> binaries that provides some sort of guarantee or statement or >> documentation like this? I'd like to see what other projects do and >> provide something similar. >> >> Or is this the first (and only?) time anyone in your organization has >> ever installed any open source software on Windows? >> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rich Megginson [rmeggins at redhat.com] >>> Sent: Tuesday, 24 July 2012 12:11 p.m. 
>>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] winsync msi >>> >>> On 07/23/2012 05:38 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> For the winsync agreement my Windows and security teams want to know its details, >>>> >>>> eg who wrote it, >>> Red Hat - do you need to know the names of the developers? >>> >>>> it is Microsoft certified etc. >>> Not that I know of - how would one go about doing that? >>>> Where will I find such info? >>>> >>>> All I have is >>>> >>>> http://port389.org/wiki/Download >>>> >>>> Which doesn't tell me much. >>> There is more info in the actual .msi file. >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > From Steven.Jones at vuw.ac.nz Thu Jul 26 00:11:01 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 Jul 2012 00:11:01 +0000 Subject: [Freeipa-users] winsync msi In-Reply-To: <50108879.7090007@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50108879.7090007@redhat.com> Message-ID: 
<833D8E48405E064EBC54C84EC6B36E404CD65372@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, >From a RH support case as I dont have access to the RDS channel. No, its doesn't allay my Windows and security ppls concerns.... http://port389.org/wiki/Download "This is an Active Directory "plug-in" that intercepts password changes made to AD and sends the clear text password to 389 DS to keep the passwords in sync (when using the Windows Sync feature of 389 DS). Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. " regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Thursday, 26 July 2012 11:59 a.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync msi On 07/25/2012 02:41 PM, Steven Jones wrote: > Hi, > > Ah ok, I have the "official" one. From where did you get it? And does it allay your concerns? > > One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause. Which page is that? The Howto:WindowsSync? > > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Thursday, 26 July 2012 1:58 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync msi > > On 07/24/2012 03:15 PM, Steven Jones wrote: >> Hi Rich, >> >> I can appreciate what you are saying, but.... >> >> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. 
What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed. >> >> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA. >> >> IPA like AD is not just another application, its at the very centre of everything. For us it will be the second or third most important system we have. It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base. >> >> Lets see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users? >> >> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it wont happen again. If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk adverse. >> >> Crazy thing of course is, yes IPA is free....... >> >> ;] >> >> I can appreciate things seem very strange in that context. Consider that its taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....its proven very tasty...... > Ok. If you are a Red Hat paying customer, you should get the > RedHat-PassSync .msi from an official Red Hat channel. We are working > on addressing this issue. 
>> :) >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Rich Megginson [rmeggins at redhat.com] >> Sent: Wednesday, 25 July 2012 2:54 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync msi >> >> On 07/23/2012 06:32 PM, Steven Jones wrote: >>> Hi, >>> >>> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability. >> Can you point me at another open source project that provides Windows >> binaries that provides some sort of guarantee or statement or >> documentation like this? I'd like to see what other projects do and >> provide something similar. >> >> Or is this the first (and only?) time anyone in your organization has >> ever installed any open source software on Windows? >> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rich Megginson [rmeggins at redhat.com] >>> Sent: Tuesday, 24 July 2012 12:11 p.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] winsync msi >>> >>> On 07/23/2012 05:38 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> For the winsync agreement my Windows and security teams want to know its details, >>>> >>>> eg who wrote it, >>> Red Hat - do you need to know the names of the developers? >>> >>>> it is Microsoft certified etc. >>> Not that I know of - how would one go about doing that? >>>> Where will I find such info? >>>> >>>> All I have is >>>> >>>> http://port389.org/wiki/Download >>>> >>>> Which doesn't tell me much. >>> There is more info in the actual .msi file. 
>>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > From rmeggins at redhat.com Thu Jul 26 00:28:01 2012 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 25 Jul 2012 18:28:01 -0600 Subject: [Freeipa-users] winsync msi In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD65372@STAWINCOX10MBX1.staff.vuw.ac.nz> References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50108879.7090007@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD65372@STAWINCOX10MBX1.staff.vuw.ac.nz> Message-ID: <50108F11.7080708@redhat.com> On 07/25/2012 06:11 PM, Steven Jones wrote: > Hi, > > From a RH support case as I dont have access to the RDS channel. We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi files. > > No, its doesn't allay my Windows and security ppls concerns.... I was speaking specifically about your original concerns: "No not specific developers but some sort of statement of ownership from RedHat I suppose. 
So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability." Does the fact that you are now getting a Red Hat branded binary from an official Red Hat download site allay these particular fears? > > http://port389.org/wiki/Download > > "This is an Active Directory "plug-in" that intercepts password changes made to AD and sends the clear text password to 389 DS to keep the passwords in sync (when using the Windows Sync feature of 389 DS). > > Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. " "This is an Active Directory "plug-in" that intercepts password changes made to AD Domain Controllers and sends the clear text password over an encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync. It works in conjunction with the Windows Sync feature of 389. You must install this on every Domain Controller. " Better? > > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Thursday, 26 July 2012 11:59 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync msi > > On 07/25/2012 02:41 PM, Steven Jones wrote: >> Hi, >> >> Ah ok, I have the "official" one. > From where did you get it? And does it allay your concerns? > >> One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause. > Which page is that? The Howto:WindowsSync? > >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Rich Megginson [rmeggins at redhat.com] >> Sent: Thursday, 26 July 2012 1:58 a.m. 
>> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync msi >> >> On 07/24/2012 03:15 PM, Steven Jones wrote: >>> Hi Rich, >>> >>> I can appreciate what you are saying, but.... >>> >>> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed. >>> >>> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA. >>> >>> IPA like AD is not just another application, its at the very centre of everything. For us it will be the second or third most important system we have. It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base. >>> >>> Lets see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users? >>> >>> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it wont happen again. If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk adverse. >>> >>> Crazy thing of course is, yes IPA is free....... >>> >>> ;] >>> >>> I can appreciate things seem very strange in that context. 
Consider that its taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....its proven very tasty...... >> Ok. If you are a Red Hat paying customer, you should get the >> RedHat-PassSync .msi from an official Red Hat channel. We are working >> on addressing this issue. >>> :) >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rich Megginson [rmeggins at redhat.com] >>> Sent: Wednesday, 25 July 2012 2:54 a.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] winsync msi >>> >>> On 07/23/2012 06:32 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability. >>> Can you point me at another open source project that provides Windows >>> binaries that provides some sort of guarantee or statement or >>> documentation like this? I'd like to see what other projects do and >>> provide something similar. >>> >>> Or is this the first (and only?) time anyone in your organization has >>> ever installed any open source software on Windows? >>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ________________________________________ >>>> From: Rich Megginson [rmeggins at redhat.com] >>>> Sent: Tuesday, 24 July 2012 12:11 p.m. 
>>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] winsync msi >>>> >>>> On 07/23/2012 05:38 PM, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> For the winsync agreement my Windows and security teams want to know its details, >>>>> >>>>> eg who wrote it, >>>> Red Hat - do you need to know the names of the developers? >>>> >>>>> it is Microsoft certified etc. >>>> Not that I know of - how would one go about doing that? >>>>> Where will I find such info? >>>>> >>>>> All I have is >>>>> >>>>> http://port389.org/wiki/Download >>>>> >>>>> Which doesn't tell me much. >>>> There is more info in the actual .msi file. >>>>> regards >>>>> >>>>> Steven Jones >>>>> >>>>> Technical Specialist - Linux RHCE >>>>> >>>>> Victoria University, Wellington, NZ >>>>> >>>>> 0064 4 463 6272 >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > From Steven.Jones at vuw.ac.nz Thu Jul 26 00:32:50 2012 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Thu, 26 Jul 2012 00:32:50 +0000 Subject: [Freeipa-users] winsync msi In-Reply-To: <50108F11.7080708@redhat.com> References: <833D8E48405E064EBC54C84EC6B36E404CD62A5D@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500DE820.7090907@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD62AF3@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500EB709.3080105@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD63D71@STAWINCOX10MBX1.staff.vuw.ac.nz>, <500FFB76.5020003@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD64D8D@STAWINCOX10MBX1.staff.vuw.ac.nz>, 
<50108879.7090007@redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD65372@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50108F11.7080708@redhat.com> Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6539B@STAWINCOX10MBX1.staff.vuw.ac.nz> Hi, I will ask.... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Rich Megginson [rmeggins at redhat.com] Sent: Thursday, 26 July 2012 12:28 p.m. To: Steven Jones Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync msi On 07/25/2012 06:11 PM, Steven Jones wrote: > Hi, > > From a RH support case as I dont have access to the RDS channel. We just updated the RHEL 6.3 downloads to have the RedHat-PassSync .msi files. > > No, its doesn't allay my Windows and security ppls concerns.... I was speaking specifically about your original concerns: "No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability." Does the fact that you are now getting a Red Hat branded binary from an official Red Hat download site allay these particular fears? > > http://port389.org/wiki/Download > > "This is an Active Directory "plug-in" that intercepts password changes made to AD and sends the clear text password to 389 DS to keep the passwords in sync (when using the Windows Sync feature of 389 DS). > > Tested with Windows 2008 and 2003 Server 32-bit and 64-bit. " "This is an Active Directory "plug-in" that intercepts password changes made to AD Domain Controllers and sends the clear text password over an encrypted connection (SSL/TLS) to 389 DS to keep the passwords in sync. It works in conjunction with the Windows Sync feature of 389. You must install this on every Domain Controller. " Better? 
> > regards > > Steven Jones > > Technical Specialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > ________________________________________ > From: Rich Megginson [rmeggins at redhat.com] > Sent: Thursday, 26 July 2012 11:59 a.m. > To: Steven Jones > Cc: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] winsync msi > > On 07/25/2012 02:41 PM, Steven Jones wrote: >> Hi, >> >> Ah ok, I have the "official" one. > From where did you get it? And does it allay your concerns? > >> One thing on the free site, it says the password is transmitted as clear text, no mention of over an encrypted secure channel....the security guys had a fit.....so if you update that web page it would help the cause. > Which page is that? The Howto:WindowsSync? > >> >> regards >> >> Steven Jones >> >> Technical Specialist - Linux RHCE >> >> Victoria University, Wellington, NZ >> >> 0064 4 463 6272 >> >> ________________________________________ >> From: Rich Megginson [rmeggins at redhat.com] >> Sent: Thursday, 26 July 2012 1:58 a.m. >> To: Steven Jones >> Cc: freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] winsync msi >> >> On 07/24/2012 03:15 PM, Steven Jones wrote: >>> Hi Rich, >>> >>> I can appreciate what you are saying, but.... >>> >>> Not on Windows but specifically AD, the very core of our 21,000+ user base, that makes such an add on significant and gets focus. What we have seen with another similar (yes, commercial) MSI was a clash with another MSI added to AD, the result was not pretty....hence the Windows ppl are very careful when something like this is proposed. >>> >>> So actually some sites where this has been installed commercially would be good, if need be I can raise a call to RH support? or RH NZ rep to get that info in confidence / NDA. >>> >>> IPA like AD is not just another application, its at the very centre of everything. For us it will be the second or third most important system we have. 
It will probably connect us to ppl across the world and them to us (via federation/shibboleth) let alone our internal user base. >>> >>> Lets see if I can show this, so 99.9% uptime on an application is 9 hours off line per year.....per user.....say 100 users? >>> >>> So 1 hour off line in a business day with 21,000+ users.....21,000 hours lost plus all the meetings on why and how to make sure it wont happen again. If we were down for say a day or two....it would be in the IT if not National papers....(yes OK NZ is small)....I think my new occupation and some of the managers would be....road sweeping.....this makes them very risk adverse. >>> >>> Crazy thing of course is, yes IPA is free....... >>> >>> ;] >>> >>> I can appreciate things seem very strange in that context. Consider that its taken me 7 years to go from being employed specifically long enough to get rid of Redhat/linux (and Solaris) and be 100% win2000 site to having 100 RHEL servers with most of the mission critical things on them.....all down to the quality of open source really......proof is in the eating....its proven very tasty...... >> Ok. If you are a Red Hat paying customer, you should get the >> RedHat-PassSync .msi from an official Red Hat channel. We are working >> on addressing this issue. >>> :) >>> >>> regards >>> >>> Steven Jones >>> >>> Technical Specialist - Linux RHCE >>> >>> Victoria University, Wellington, NZ >>> >>> 0064 4 463 6272 >>> >>> ________________________________________ >>> From: Rich Megginson [rmeggins at redhat.com] >>> Sent: Wednesday, 25 July 2012 2:54 a.m. >>> To: Steven Jones >>> Cc: freeipa-users at redhat.com >>> Subject: Re: [Freeipa-users] winsync msi >>> >>> On 07/23/2012 06:32 PM, Steven Jones wrote: >>>> Hi, >>>> >>>> No not specific developers but some sort of statement of ownership from RedHat I suppose. So they are I assume looking for some sort of confidence that it wont trash AD and if I install it and it does trash our AD some liability. 
>>> Can you point me at another open source project that provides Windows >>> binaries that provides some sort of guarantee or statement or >>> documentation like this? I'd like to see what other projects do and >>> provide something similar. >>> >>> Or is this the first (and only?) time anyone in your organization has >>> ever installed any open source software on Windows? >>> >>>> regards >>>> >>>> Steven Jones >>>> >>>> Technical Specialist - Linux RHCE >>>> >>>> Victoria University, Wellington, NZ >>>> >>>> 0064 4 463 6272 >>>> >>>> ________________________________________ >>>> From: Rich Megginson [rmeggins at redhat.com] >>>> Sent: Tuesday, 24 July 2012 12:11 p.m. >>>> To: Steven Jones >>>> Cc: freeipa-users at redhat.com >>>> Subject: Re: [Freeipa-users] winsync msi >>>> >>>> On 07/23/2012 05:38 PM, Steven Jones wrote: >>>>> Hi, >>>>> >>>>> For the winsync agreement my Windows and security teams want to know its details, >>>>> >>>>> eg who wrote it, >>>> Red Hat - do you need to know the names of the developers? >>>> >>>>> it is Microsoft certified etc. >>>> Not that I know of - how would one go about doing that? >>>>> Where will I find such info? >>>>> >>>>> All I have is >>>>> >>>>> http://port389.org/wiki/Download >>>>> >>>>> Which doesn't tell me much. >>>> There is more info in the actual .msi file. 
>>>>> regards
>>>>>
>>>>> Steven Jones
>>>>>
>>>>> Technical Specialist - Linux RHCE
>>>>>
>>>>> Victoria University, Wellington, NZ
>>>>>
>>>>> 0064 4 463 6272
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>

From Steven.Jones at vuw.ac.nz Thu Jul 26 01:39:12 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 Jul 2012 01:39:12 +0000
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD65483@STAWINCOX10MBX1.staff.vuw.ac.nz>

I am now getting this....

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: Joe Linoff [jlinoff at tabula.com]
Sent: Tuesday, 24 July 2012 10:04 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: Re: [Freeipa-users] User can't login via ssh from external

Hi Steve:

Thank you for your suggestions.

> In the gui you can do a hbac test of the rule.

I ran the hbactest rule testing from the command line using "ipa hbactest ...". It showed that the rules were correct. Do you think that the GUI might provide a different result?

> Also what are the UIDS? IPA provided 32bit ones? or your own?

The UIDs were provided by IPA.
Actually during testing I also provided my own at one point but reverted back when that didn't seem to make a difference. Can you explain why that might cause the problem? For example, would duplicates break the system or are there ranges of UIDs that are not legal?

> I'd suggest re-setting that user's password and get them to login and reset the password, that
> works for me, it was a sign of bad/failed replication in my system I think (now fixed).

I tried that using kpasswd and "ipa passwd" to change the password but neither solved the problem. In both cases I was able to run "kinit new-user" and set the credentials using the new password but new-user could not ssh in.

It was a really strange problem. It looks like something got out of sync but I could not (and cannot) figure out where. It is doubly difficult because removing and re-adding the user worked. In addition, adding other users worked.

Regards,

Joe

From dietkinnie at gmail.com Thu Jul 26 07:47:01 2012
From: dietkinnie at gmail.com (Robert Bowell)
Date: Thu, 26 Jul 2012 09:47:01 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
Message-ID:

Hi,

I'm encountering a strange problem.. upon trying to add a new DNS zone the following message is being displayed "attribute "idnsAllowTransfer" not allowed" and the DNS entry is not created.

Has any one ever encountered such a problem if so what needs to be done to resolve it ?

IPA server version 2.1.3. API version 2.13

//DK

From jhrozek at redhat.com Thu Jul 26 07:56:11 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 26 Jul 2012 09:56:11 +0200
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <8AD4194C251EC74CB897E261038F4478010E150D@mantaray.tabula.com>
References: <8AD4194C251EC74CB897E261038F4478010E150D@mantaray.tabula.com>
Message-ID: <20120726075611.GA31732@zeppelin.brq.redhat.com>

On Wed, Jul 25, 2012 at 02:38:36PM -0700, Joe Linoff wrote:
> > As Rob says, I think we should take a look at SSSD and system logs.
> >
> > Can you paste or attach the couple of lines that are appended to
> /var/log/secure during
> > the login attempt? That should give us a clue on whether the SSSD PAM
> modules are contacted.
> >
> > Can you also add "debug_level = 8" to the [pam] and [domain/$name]
> sections of the SSSD,
> > restart the SSSD and paste or attach /var/log/sssd/sssd_pam.log and
> /var/log/sssd/sssd_$name.log ?
> > Feel free to sanitize the logs before sending them out.
>
> Thank you. Unfortunately I am unable to reproduce the problem so I am
> not sure that this is a good use of your time. If I find that I can
> reproduce it, I will capture the logs and send them on.
>
> Does that make sense?

Sure, I'm glad your setup works now.

From jhrozek at redhat.com Thu Jul 26 08:01:51 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 26 Jul 2012 10:01:51 +0200
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD65483@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com> <833D8E48405E064EBC54C84EC6B36E404CD65483@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120726080151.GB31732@zeppelin.brq.redhat.com>

On Thu, Jul 26, 2012 at 01:39:12AM +0000, Steven Jones wrote:
> I am now getting this....

Steven, are you saying you can't login even though hbactest passes for your user?
Can you then append or paste the last couple of lines of /var/log/secure and the relevant part of the SSSD domain log? Pasting the rules (sanitized) would help to replicate the problem, too.

From sigbjorn at nixtra.com Thu Jul 26 12:08:27 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 26 Jul 2012 14:08:27 +0200 (CEST)
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com>
Message-ID: <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com>

On Wed, July 25, 2012 09:54, Sigbjorn Lie wrote:
> On Tue, July 24, 2012 20:29, Simo Sorce wrote:
>> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> I keep seeing this error message in our production environment "Request is a replay" in
>>> various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to
>>> RHEL 6.3 / IPA 2.2.
>>>
>>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may
>>> provide more information (Request is a replay)
>>>
>>> Searching google seems to suggest that this is an error with time. However we have NTP
>>> configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There
>>> has been no issue before, and I cannot find issue with the time being out of sync on the
>>> machines where this is happening.
>>
>> This error usually appears only when a same request is found in the
>> replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>>
>> Can you tell me what operation was being performed by sssd when you
>> caught that error ? Can you check if immediately before another identical operation had been
>> performed ?
>
> That being said, I do have 1 IPA server (out of 3) that has significantly higher CPU usage than
> the other 2, the 15-minute load average is sitting at between 0.85 and 0.95 the entire day, where
> ns-slapd 389-ds process is running at 100% most of the time.
>
> Load: 1.02, 0.94, 0.87
>
> In comparison the other two IPA servers have a 15-minute average between 0.10 - 0.30 throughout
> the day, and the ns-slapd process is far from being such a cpu hog.
>
> On the server having high load, running even a command such as "ipactl status" can take up to 20
> seconds to complete, where "Directory Service: RUNNING" returns after a second or so, and to list
> the rest of the services takes the remaining 19 seconds.
>
> Also the web interface on this particular IPA server is rendered unusable, returning "Limits
> exceeded for the query" for almost any action.
>
> Restarting all the IPA services (ipactl restart) on the problematic host somewhat improves the
> situation, however that particular server returns to having heavy load quickly.
>
> Using logconv.pl to analyze the dirsrv access log file displays that the server in question has
> the lowest search queries per min with 106 queries/min. The other servers have 710 search
> queries/sec and 168 queries/sec.
>
> For modifications all the IPA servers have about 5-6 queries/sec. For unindexed searches the
> problematic server is the server with the lowest number. It does however have more than twice the
> amount of GSSAPI binds than the other servers with over 61000 GSSAPI binds over a 17 hour period.
>
> The problematic server is a physical server with 2 x AMD 2.4GHz Quad core CPU and 8GB of RAM.
>
> This issue is also impacting all the clients, where I see random hangs with anything involving a
> ldap or kerberos query to the IPA servers.
>
> Any suggestions?

Anyone ?

I am starting to see the Replay error when using the "ipa" CLI tool as well, causing the request to drop out in an error.
ipa dnsrecord-show example.com hostname
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Request is a replay)

Rgds,
Siggi

From rcritten at redhat.com Thu Jul 26 12:53:35 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 26 Jul 2012 08:53:35 -0400
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com> <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com>
Message-ID: <50113DCF.2060902@redhat.com>

Sigbjorn Lie wrote:
> On Wed, July 25, 2012 09:54, Sigbjorn Lie wrote:
>> On Tue, July 24, 2012 20:29, Simo Sorce wrote:
>>> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I keep seeing this error message in our production environment "Request is a replay" in
>>>> various services using kerberos like ssh, sssd, automounter, squid +++ after the upgrade to
>>>> RHEL 6.3 / IPA 2.2.
>>>>
>>>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may
>>>> provide more information (Request is a replay)
>>>>
>>>> Searching google seems to suggest that this is an error with time. However we have NTP
>>>> configured (IPA servers as NTP servers) which is synchronized to external NTP servers. There
>>>> has been no issue before, and I cannot find issue with the time being out of sync on the
>>>> machines where this is happening.
>>>
>>> This error usually appears only when a same request is found in the
>>> replay cache. It shouldn't be related to time issues, in that case you usually get clock-skew.
>>>
>>> Can you tell me what operation was being performed by sssd when you
>>> caught that error ?
>>> Can you check if immediately before another identical operation had been
>>> performed ?
>>
>> That being said, I do have 1 IPA server (out of 3) that has significantly higher CPU usage than
>> the other 2, the 15-minute load average is sitting at between 0.85 and 0.95 the entire day, where
>> ns-slapd 389-ds process is running at 100% most of the time.
>>
>> Load: 1.02, 0.94, 0.87
>>
>> In comparison the other two IPA servers have a 15-minute average between 0.10 - 0.30 throughout
>> the day, and the ns-slapd process is far from being such a cpu hog.
>>
>> On the server having high load, running even a command such as "ipactl status" can take up to 20
>> seconds to complete, where "Directory Service: RUNNING" returns after a second or so, and to list
>> the rest of the services takes the remaining 19 seconds.
>>
>> Also the web interface on this particular IPA server is rendered unusable, returning "Limits
>> exceeded for the query" for almost any action.
>>
>> Restarting all the IPA services (ipactl restart) on the problematic host somewhat improves the
>> situation, however that particular server returns to having heavy load quickly.
>>
>> Using logconv.pl to analyze the dirsrv access log file displays that the server in question has
>> the lowest search queries per min with 106 queries/min. The other servers have 710 search
>> queries/sec and 168 queries/sec.
>>
>> For modifications all the IPA servers have about 5-6 queries/sec. For unindexed searches the
>> problematic server is the server with the lowest number. It does however have more than twice the
>> amount of GSSAPI binds than the other servers with over 61000 GSSAPI binds over a 17 hour period.
>>
>> The problematic server is a physical server with 2 x AMD 2.4GHz Quad core CPU and 8GB of RAM.
>>
>> This issue is also impacting all the clients, where I see random hangs with anything involving a
>> ldap or kerberos query to the IPA servers.
>>
>> Any suggestions?
>
> Anyone ?
> I am starting to see the Replay error when using the "ipa" CLI tool as well, causing the request
> to drop out in an error.
>
> ipa dnsrecord-show example.com hostname
> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
> code may provide more information (Request is a replay)

Sorry, I had started a reply yesterday and got side-tracked and never sent it.

For the one server that is busier than others, how are your clients configured? Are you using DNS SRV records?

For the replay, are your servers running in bare metal or in VMs? How about the clients? This sure seems like a time issue.

rob

From mmercier at gmail.com Thu Jul 26 13:22:10 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Thu, 26 Jul 2012 09:22:10 -0400
Subject: [Freeipa-users] 3.0 beta1 install on Fedora 17 - No DNS Zones
Message-ID:

Hello,

I have installed FreeIPA 3.0 beta 1 on Fedora 17, and added a Fedora 17 client.

I do not have anything under the Identity -> DNS tab (i.e. no DNS zones)

I did the following when installing:

On the server:
[root at ipaserver ~]#ipa-server-install
-- oops forgot to include DNS
[root at ipaserver ~]#ipa-server-install --uninstall -U
[root at ipaserver ~]#ipa-server-install --setup-dns --no-forwarders
-- at some point the installer prompted with a message that a named.conf already existed, overwrite?
-- I chose yes
[root at ipaserver ~]# cd /var/named/
[root at ipaserver named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root at ipaserver named]# find .
.
./named.loopback
./named.empty
./slaves
./named.localhost
./data
./data/named.run
./dynamic
./named.ca
[root at ipaserver named]# cat /etc/named.conf
options {
	// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
	listen-on-v6 {any;};

	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // the default
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";

	forward first;
	forwarders { };

	// Any host is permitted to issue recursive queries
	allow-recursion { any; };

	tkey-gssapi-credential "DNS/ipaserver.beta.local";
	tkey-domain "BETA.LOCAL";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";

dynamic-db "ipa" {
	library "ldap.so";
	arg "uri ldapi://%2fvar%2frun%2fslapd-BETA-LOCAL.socket";
	arg "base cn=dns, dc=beta,dc=local";
	arg "fake_mname ipaserver.beta.local.";
	arg "auth_method sasl";
	arg "sasl_mech GSSAPI";
	arg "sasl_user DNS/ipaserver.beta.local";
	arg "zone_refresh 0";
	arg "psearch yes";
};

[root at ipaserver ~]# ifconfig eth0
eth0: flags=4163 mtu 1500
        inet 172.16.112.10  netmask 255.255.255.0  broadcast 172.16.112.255
        inet6 fe80::20c:29ff:fe56:53bd  prefixlen 64  scopeid 0x20
        ether 00:0c:29:56:53:bd  txqueuelen 1000  (Ethernet)
        RX packets 33531  bytes 24153141 (23.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30428  bytes 17489346 (16.6 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

On the client:
[root at ipaclient ~]#ipa-client-install --enable-dns-updates
[root at ipaclient ~]# ifconfig eth0
eth0: flags=4163 mtu 1500
        inet 172.16.112.11  netmask 255.255.255.0  broadcast 172.16.112.255
        inet6 fe80::20c:29ff:fed4:9724  prefixlen 64  scopeid 0x20
        ether 00:0c:29:d4:97:24  txqueuelen 1000  (Ethernet)
        RX packets 23591  bytes 24965586 (23.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12756  bytes 1274305 (1.2 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root at ipaclient ~]# nslookup ipaclient
Server:		172.16.112.10
Address:	172.16.112.10#53

Name:	ipaclient.beta.local
Address: 172.16.112.11

[root at ipaclient ~]# nslookup ipaserver
Server:		172.16.112.10
Address:	172.16.112.10#53

Name:	ipaserver.beta.local
Address: 172.16.112.10

[root at ipaclient ~]# ipa dnszone-show beta.local
ipa: ERROR: beta.local: DNS zone not found
[root at ipaclient ~]# ipa dns-resolve ipaserver.beta.local
-----------------------------
Found 'ipaserver.beta.local.'
-----------------------------
[root at ipaclient ~]# ipa dnsconfig-show
---------------------------------
Global DNS configuration is empty
---------------------------------

Any pointers?

Thanks,
Mike

From rcritten at redhat.com Thu Jul 26 13:28:01 2012
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 26 Jul 2012 09:28:01 -0400
Subject: [Freeipa-users] 3.0 beta1 install on Fedora 17 - No DNS Zones
In-Reply-To:
References:
Message-ID: <501145E1.7000501@redhat.com>

Michael Mercier wrote:
> Hello,
>
> I have installed FreeIPA 3.0 beta 1 on Fedora 17, and added a Fedora 17 client.
>
> I do not have anything under the Identity -> DNS tab (i.e. no DNS zones)
>
> I did the following when installing:
>
> On the server:
> [root at ipaserver ~]#ipa-server-install
> -- oops forgot to include DNS
> [root at ipaserver ~]#ipa-server-install --uninstall -U
> [root at ipaserver ~]#ipa-server-install --setup-dns --no-forwarders
> -- at some point the installer prompted with a message that a named.conf already existed, overwrite?
> -- I chose yes
> [root at ipaserver ~]# cd /var/named/
> [root at ipaserver named]# ls
> data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
> [root at ipaserver named]# find .
> .
> ./named.loopback
> ./named.empty
> ./slaves
> ./named.localhost
> ./data
> ./data/named.run
> ./dynamic
> ./named.ca
> [root at ipaserver named]# cat /etc/named.conf
> options {
> 	// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> 	listen-on-v6 {any;};
>
> 	// Put files that named is allowed to write in the data/ directory:
> 	directory "/var/named"; // the default
> 	dump-file "data/cache_dump.db";
> 	statistics-file "data/named_stats.txt";
> 	memstatistics-file "data/named_mem_stats.txt";
>
> 	forward first;
> 	forwarders { };
>
> 	// Any host is permitted to issue recursive queries
> 	allow-recursion { any; };
>
> 	tkey-gssapi-credential "DNS/ipaserver.beta.local";
> 	tkey-domain "BETA.LOCAL";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
> 	channel default_debug {
> 		file "data/named.run";
> 		severity dynamic;
> 	};
> };
>
> zone "." IN {
> 	type hint;
> 	file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
>
> dynamic-db "ipa" {
> 	library "ldap.so";
> 	arg "uri ldapi://%2fvar%2frun%2fslapd-BETA-LOCAL.socket";
> 	arg "base cn=dns, dc=beta,dc=local";
> 	arg "fake_mname ipaserver.beta.local.";
> 	arg "auth_method sasl";
> 	arg "sasl_mech GSSAPI";
> 	arg "sasl_user DNS/ipaserver.beta.local";
> 	arg "zone_refresh 0";
> 	arg "psearch yes";
> };
>
> [root at ipaserver ~]# ifconfig eth0
> eth0: flags=4163 mtu 1500
>         inet 172.16.112.10  netmask 255.255.255.0  broadcast 172.16.112.255
>         inet6 fe80::20c:29ff:fe56:53bd  prefixlen 64  scopeid 0x20
>         ether 00:0c:29:56:53:bd  txqueuelen 1000  (Ethernet)
>         RX packets 33531  bytes 24153141 (23.0 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 30428  bytes 17489346 (16.6 MiB)
>         TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
>
> On the client:
> [root at ipaclient ~]#ipa-client-install --enable-dns-updates
> [root at ipaclient ~]# ifconfig eth0
> eth0: flags=4163 mtu 1500
>         inet 172.16.112.11  netmask 255.255.255.0  broadcast 172.16.112.255
>         inet6 fe80::20c:29ff:fed4:9724  prefixlen 64  scopeid 0x20
>         ether 00:0c:29:d4:97:24  txqueuelen 1000  (Ethernet)
>         RX packets 23591  bytes 24965586 (23.8 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 12756  bytes 1274305 (1.2 MiB)
>         TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
>
> [root at ipaclient ~]# nslookup ipaclient
> Server:		172.16.112.10
> Address:	172.16.112.10#53
>
> Name:	ipaclient.beta.local
> Address: 172.16.112.11
>
> [root at ipaclient ~]# nslookup ipaserver
> Server:		172.16.112.10
> Address:	172.16.112.10#53
>
> Name:	ipaserver.beta.local
> Address: 172.16.112.10
> [root at ipaclient ~]# ipa dnszone-show beta.local
> ipa: ERROR: beta.local: DNS zone not found
> [root at ipaclient ~]# ipa dns-resolve ipaserver.beta.local
> -----------------------------
> Found 'ipaserver.beta.local.'
> -----------------------------
> [root at ipaclient ~]# ipa dnsconfig-show
> ---------------------------------
> Global DNS configuration is empty
> ---------------------------------
>
> Any pointers?
>
> Thanks,
> Mike

I'd be curious what ipa dnszone-find returns.

rob

From mmercier at gmail.com Thu Jul 26 13:34:58 2012
From: mmercier at gmail.com (Michael Mercier)
Date: Thu, 26 Jul 2012 09:34:58 -0400
Subject: [Freeipa-users] 3.0 beta1 install on Fedora 17 - No DNS Zones
In-Reply-To: <501145E1.7000501@redhat.com>
References: <501145E1.7000501@redhat.com>
Message-ID: <45B5E2DB-EB68-4A8D-AE03-641EEB6D0643@gmail.com>

Hello,

Hmm... please ignore this... A reboot of the ipaserver seems to have resolved the issue.

Thanks,
Mike

On 2012-07-26, at 9:28 AM, Rob Crittenden wrote:

> Michael Mercier wrote:
>> Hello,
>>
>> I have installed FreeIPA 3.0 beta 1 on Fedora 17, and added a Fedora 17 client.
>>
>> I do not have anything under the Identity -> DNS tab (i.e. no DNS zones)
>>
>> I did the following when installing:
>>
>> On the server:
>> [root at ipaserver ~]#ipa-server-install
>> -- oops forgot to include DNS
>> [root at ipaserver ~]#ipa-server-install --uninstall -U
>> [root at ipaserver ~]#ipa-server-install --setup-dns --no-forwarders
>> -- at some point the installer prompted with a message that a named.conf already existed, overwrite?
>> -- I chose yes
>> [root at ipaserver ~]# cd /var/named/
>> [root at ipaserver named]# ls
>> data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
>> [root at ipaserver named]# find .
>> .
>> ./named.loopback
>> ./named.empty
>> ./slaves
>> ./named.localhost
>> ./data
>> ./data/named.run
>> ./dynamic
>> ./named.ca
>> [root at ipaserver named]# cat /etc/named.conf
>> options {
>> 	// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>> 	listen-on-v6 {any;};
>>
>> 	// Put files that named is allowed to write in the data/ directory:
>> 	directory "/var/named"; // the default
>> 	dump-file "data/cache_dump.db";
>> 	statistics-file "data/named_stats.txt";
>> 	memstatistics-file "data/named_mem_stats.txt";
>>
>> 	forward first;
>> 	forwarders { };
>>
>> 	// Any host is permitted to issue recursive queries
>> 	allow-recursion { any; };
>>
>> 	tkey-gssapi-credential "DNS/ipaserver.beta.local";
>> 	tkey-domain "BETA.LOCAL";
>> };
>>
>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>  * so put the default debug log file in data/ :
>>  */
>> logging {
>> 	channel default_debug {
>> 		file "data/named.run";
>> 		severity dynamic;
>> 	};
>> };
>>
>> zone "." IN {
>> 	type hint;
>> 	file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>>
>> dynamic-db "ipa" {
>> 	library "ldap.so";
>> 	arg "uri ldapi://%2fvar%2frun%2fslapd-BETA-LOCAL.socket";
>> 	arg "base cn=dns, dc=beta,dc=local";
>> 	arg "fake_mname ipaserver.beta.local.";
>> 	arg "auth_method sasl";
>> 	arg "sasl_mech GSSAPI";
>> 	arg "sasl_user DNS/ipaserver.beta.local";
>> 	arg "zone_refresh 0";
>> 	arg "psearch yes";
>> };
>>
>> [root at ipaserver ~]# ifconfig eth0
>> eth0: flags=4163 mtu 1500
>>         inet 172.16.112.10  netmask 255.255.255.0  broadcast 172.16.112.255
>>         inet6 fe80::20c:29ff:fe56:53bd  prefixlen 64  scopeid 0x20
>>         ether 00:0c:29:56:53:bd  txqueuelen 1000  (Ethernet)
>>         RX packets 33531  bytes 24153141 (23.0 MiB)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 30428  bytes 17489346 (16.6 MiB)
>>         TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
>>
>> On the client:
>> [root at ipaclient ~]#ipa-client-install --enable-dns-updates
>> [root at ipaclient ~]# ifconfig eth0
>> eth0: flags=4163 mtu 1500
>>         inet 172.16.112.11  netmask 255.255.255.0  broadcast 172.16.112.255
>>         inet6 fe80::20c:29ff:fed4:9724  prefixlen 64  scopeid 0x20
>>         ether 00:0c:29:d4:97:24  txqueuelen 1000  (Ethernet)
>>         RX packets 23591  bytes 24965586 (23.8 MiB)
>>         RX errors 0  dropped 0  overruns 0  frame 0
>>         TX packets 12756  bytes 1274305 (1.2 MiB)
>>         TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
>>
>> [root at ipaclient ~]# nslookup ipaclient
>> Server:		172.16.112.10
>> Address:	172.16.112.10#53
>>
>> Name:	ipaclient.beta.local
>> Address: 172.16.112.11
>>
>> [root at ipaclient ~]# nslookup ipaserver
>> Server:		172.16.112.10
>> Address:	172.16.112.10#53
>>
>> Name:	ipaserver.beta.local
>> Address: 172.16.112.10
>> [root at ipaclient ~]# ipa dnszone-show beta.local
>> ipa: ERROR: beta.local: DNS zone not found
>> [root at ipaclient ~]# ipa dns-resolve ipaserver.beta.local
>> -----------------------------
>> Found 'ipaserver.beta.local.'
>> -----------------------------
>> [root at ipaclient ~]# ipa dnsconfig-show
>> ---------------------------------
>> Global DNS configuration is empty
>> ---------------------------------
>>
>> Any pointers?
>>
>> Thanks,
>> Mike
>
> I'd be curious what ipa dnszone-find returns.
>
> rob

From sigbjorn at nixtra.com Thu Jul 26 13:37:48 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Thu, 26 Jul 2012 15:37:48 +0200
Subject: [Freeipa-users] 'Request is a replay'
In-Reply-To: <50113DCF.2060902@redhat.com>
References: <26584.213.225.75.97.1343118176.squirrel@www.nixtra.com> <1343154573.3219.335.camel@willson.li.ssimo.org> <25917.213.225.75.97.1343202876.squirrel@www.nixtra.com> <25082.213.225.75.97.1343304507.squirrel@www.nixtra.com> <50113DCF.2060902@redhat.com>
Message-ID: <5011482C.9070507@nixtra.com>

On 07/26/2012 02:53 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> On Wed, July 25, 2012 09:54, Sigbjorn Lie wrote:
>>> On Tue, July 24, 2012 20:29, Simo Sorce wrote:
>>>> On Tue, 2012-07-24 at 10:22 +0200, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> I keep seeing this error message in our production environment
>>>>> "Request is a replay" in various services using kerberos like ssh,
>>>>> sssd, automounter, squid +++ after the upgrade to RHEL 6.3 / IPA 2.2.
>>>>>
>>>>> Jul 24 10:16:11 server027 sssd_be: GSSAPI Error: Unspecified GSS
>>>>> failure. Minor code may provide more information (Request is a replay)
>>>>>
>>>>> Searching google seems to suggest that this is an error with time.
>>>>> However we have NTP configured (IPA servers as NTP servers) which is
>>>>> synchronized to external NTP servers. There has been no issue before,
>>>>> and I cannot find issue with the time being out of sync on the
>>>>> machines where this is happening.
>>>>
>>>> This error usually appears only when a same request is found in the
>>>> replay cache.
>>>> It shouldn't be related to time issues, in that case
>>>> you usually get clock-skew.
>>>>
>>>> Can you tell me what operation was being performed by sssd when you
>>>> caught that error ? Can you check if immediately before another
>>>> identical operation had been performed ?
>>>
>>> That being said, I do have 1 IPA server (out of 3) that has
>>> significantly higher CPU usage than the other 2, the 15-minute load
>>> average is sitting at between 0.85 and 0.95 the entire day, where
>>> ns-slapd 389-ds process is running at 100% most of the time.
>>>
>>> Load: 1.02, 0.94, 0.87
>>>
>>> In comparison the other two IPA servers have a 15-minute average
>>> between 0.10 - 0.30 throughout the day, and the ns-slapd process is
>>> far from being such a cpu hog.
>>>
>>> On the server having high load, running even a command such as
>>> "ipactl status" can take up to 20 seconds to complete, where
>>> "Directory Service: RUNNING" returns after a second or so, and to list
>>> the rest of the services takes the remaining 19 seconds.
>>>
>>> Also the web interface on this particular IPA server is rendered
>>> unusable, returning "Limits exceeded for the query" for almost any action.
>>>
>>> Restarting all the IPA services (ipactl restart) on the problematic
>>> host somewhat improves the situation, however that particular server
>>> returns to having heavy load quickly.
>>>
>>> Using logconv.pl to analyze the dirsrv access log file displays that
>>> the server in question has the lowest search queries per min with 106
>>> queries/min. The other servers have 710 search queries/sec and 168
>>> queries/sec.
>>>
>>> For modifications all the IPA servers have about 5-6 queries/sec. For
>>> unindexed searches the problematic server is the server with the
>>> lowest number. It does however have more than twice the amount of
>>> GSSAPI binds than the other servers with over 61000 GSSAPI binds over
>>> a 17 hour period.
>>>
>>> The problematic server is a physical server with 2 x AMD 2.4GHz Quad
>>> core CPU and 8GB of RAM.
>>>
>>> This issue is also impacting all the clients, where I see random
>>> hangs with anything involving a ldap or kerberos query to the IPA servers.
>>>
>>> Any suggestions?
>>
>> Anyone ?
>>
>> I am starting to see the Replay error when using the "ipa" CLI tool
>> as well, causing the request to drop out in an error.
>>
>> ipa dnsrecord-show example.com hostname
>> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information
>> (Request is a replay)
>
> Sorry, I had started a reply yesterday and got side-tracked and never
> sent it.
>

I know that feeling. :)

> For the one server is busier than others, how are your clients
> configured? Are you using DNS SRV records?
>

We use DNS SRV records for everything LDAP that does support it -> SSSD and Linux automounter. Solaris clients, Red Hat 5 using nss_ldap, and NetApp use statically configured machines, however this is the second server in the server list for these machines. The primary server got more than 7x more LDAP queries per minute, and the load on the primary is much, much lower.

All kerberos clients are using DNS SRV for lookups, no static configuration there.

I see some hiccups on the clients as well, when browsing nfs shares (looking up UIDs), unlocking a client etc. It would seem like these are related to the "faulty" IPA server with high load, as it seems to respond very slowly to a lot of ldap queries too.

I have tried removing it from the DNS SRV records an hour ago, and things seem to run smoother. A few services are still looking up there though, and the load on the "faulty" server is still high even with fewer clients. The primary server that's now receiving most of the queries barely increased anything at all in CPU usage.

> For the replay, are your servers running in bare metal or in VMs?
> How about the clients? This sure seems like a time issue.

The time is configured as it has been for a long time. The physical IPA servers are synchronized from external time sources, providing the rest of the network with time. We have 2 physical servers and 1 virtual server. I have looked into the time, and it does seem like everything is synchronized.

The amount of clients has not changed much over the last few months. These issues started appearing just after the upgrade to RHEL 6.3 / IPA 2.2.

Any suggestions to where to continue the troubleshooting?

Regards,
Siggi

From pvoborni at redhat.com Thu Jul 26 13:49:51 2012
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 26 Jul 2012 15:49:51 +0200
Subject: [Freeipa-users] 3.0 beta1 install on Fedora 17 - No DNS Zones
In-Reply-To:
References:
Message-ID: <50114AFF.5040402@redhat.com>

On 07/26/2012 03:22 PM, Michael Mercier wrote:
> Hello,
>
> I have installed FreeIPA 3.0 beta 1 on Fedora 17, and added a Fedora 17 client.
>
> I do not have anything under the Identity -> DNS tab (i.e. no DNS zones)
>
> I did the following when installing:
>
8><---------------------------------
> ---------------------------------
>
> Any pointers?
>
> Thanks,
> Mike
>

I think you are experiencing https://fedorahosted.org/freeipa/ticket/2906

It's a bug introduced by dns per-domain permissions https://fedorahosted.org/freeipa/ticket/2511.

As you see in track, it should be fixed in beta 2.

--
Petr Vobornik

From tomasz at napierala.org Thu Jul 26 13:57:48 2012
From: tomasz at napierala.org (Tomasz 'Zen' Napierała)
Date: Thu, 26 Jul 2012 15:57:48 +0200
Subject: [Freeipa-users] dirsrv@PKI-IPA.service disappeared
Message-ID:

Hi,

After upgrade from F16 to F17 FreeIPA 2.2.0.1 on secondary servers dirsrv at PKI-IPA.service disappeared. There is an entry for it in systemd, but no config files, etc.
/var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: dirsrv at PKI-IPA.service failed to run 'start' task: No such file or directory
/var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: Unit dirsrv at PKI-IPA.service entered failed state.
/var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: dirsrv at PKI-IPA.service failed to run 'start' task: No such file or directory
/var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: Unit dirsrv at PKI-IPA.service entered failed state.

I upgraded two replicas and then master during 2 days. What can I do to fix that problem?

Regards,
--
Tomasz 'Zen' Napierała
tomasz at napierala.org

From Steven.Jones at vuw.ac.nz Thu Jul 26 21:12:35 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 Jul 2012 21:12:35 +0000
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <20120726080151.GB31732@zeppelin.brq.redhat.com>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com> <833D8E48405E064EBC54C84EC6B36E404CD65483@STAWINCOX10MBX1.staff.vuw.ac.nz>, <20120726080151.GB31732@zeppelin.brq.redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD66952@STAWINCOX10MBX1.staff.vuw.ac.nz>

Yes,

So, I reset the password and that failed, so I added the user to my desktop group, logged in to my desktop with ssh localhost and set the password, then I could log into the client fine. Other users had no problem logging in via the HBAC rule....

This sort of behaviour is usually a precursor to the replication totally failing, on average it lasts about 2 weeks....

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
Sent: Thursday, 26 July 2012 8:01 p.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] User can't login via ssh from external

On Thu, Jul 26, 2012 at 01:39:12AM +0000, Steven Jones wrote:
> I am now getting this....

Steven, are you saying you can't login even though hbactest passes for your user?

Can you then append or paste the last couple of lines of /var/log/secure and the relevant part of the SSSD domain log? Pasting the rules (sanitized) would help to replicate the problem, too.

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From jhrozek at redhat.com Thu Jul 26 21:23:56 2012
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 26 Jul 2012 23:23:56 +0200
Subject: [Freeipa-users] User can't login via ssh from external
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66952@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <8AD4194C251EC74CB897E261038F4478010E1426@mantaray.tabula.com> <833D8E48405E064EBC54C84EC6B36E404CD65483@STAWINCOX10MBX1.staff.vuw.ac.nz> <20120726080151.GB31732@zeppelin.brq.redhat.com> <833D8E48405E064EBC54C84EC6B36E404CD66952@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <20120726212356.GA1844@hendrix.redhat.com>

On Thu, Jul 26, 2012 at 09:12:35PM +0000, Steven Jones wrote:
> Yes,
>
> So, I reset the password and that failed, so I added the user to my desktop group, logged in to my desktop with ssh localhost and set the password, then I could log into the client fine. Other users had no problem logging in via the HBAC rule....
>
> This sort of behaviour is usually a precursor to the replication totally failing, on average it lasts about 2 weeks....
>
> :(

I'm sorry about the trouble but without more information it's hard for me to debug the problem.
If you get hit by the problem in the future, can you:
- test the HBAC rule with the "ipa hbactest" command
- attach or paste the last couple of lines from the /var/log/secure file
- attach or paste the relevant contents of /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$domain.log

That should be enough info for us to start looking in the right direction.

Thank you!

From Steven.Jones at vuw.ac.nz Thu Jul 26 22:48:31 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 Jul 2012 22:48:31 +0000
Subject: [Freeipa-users] resetting an admin account.
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>

I have tried to reset my admin password (admjonesst1) using the admin account to a temp password. So I run a kinit admjonesst1 to reset it to a perm one and I get,

========
[jonesst1 at 8kxl72s ~]$ kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Cannot contact any KDC for requested realm while getting initial credentials
[jonesst1 at 8kxl72s ~]$ kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Cannot contact any KDC for requested realm while getting initial credentials
[jonesst1 at 8kxl72s ~]$
========

The krb log says,

=======
Jul 27 10:44:03 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: CLIENT KEY EXPIRED: admjonesst1 at ODS.VUW.AC.NZ for krbtgt/ODS.VUW.AC.NZ at ODS.VUW.AC.NZ, Password has expired
Jul 27 10:44:03 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: NEEDED_PREAUTH: admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ, Additional pre-authentication required
Jul 27 10:44:11 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: ISSUE: authtime 1343342651, etypes {rep=18 tkt=18 ses=18}, admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ
Jul 27 10:44:41 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: CLIENT KEY EXPIRED: admjonesst1 at ODS.VUW.AC.NZ for krbtgt/ODS.VUW.AC.NZ at ODS.VUW.AC.NZ, Password has expired
Jul 27 10:44:41 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: NEEDED_PREAUTH: admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ, Additional pre-authentication required
Jul 27 10:44:46 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: ISSUE: authtime 1343342686, etypes {rep=18 tkt=18 ses=18}, admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ
=======

Any idea what's going on here pls?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Thu Jul 26 23:05:48 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 26 Jul 2012 23:05:48 +0000
Subject: [Freeipa-users] resetting an admin account.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD66BAC@STAWINCOX10MBX1.staff.vuw.ac.nz>

If I put the adm account into a user group and ssh in I can set a password,

====
[jonesst1 at 8kxl72s ~]$ ssh -l admjonesst1 localhost -p22
admjonesst1 at localhost's password:
Password expired. Change your password now.
Creating home directory for admjonesst1.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user admjonesst1.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
[jonesst1 at 8kxl72s ~]$ ssh -l admjonesst1 localhost -p22
admjonesst1 at localhost's password:
Last login: Fri Jul 27 11:03:37 2012 from 127.0.0.1
[admjonesst1 at 8kxl72s ~]$
====

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Friday, 27 July 2012 10:48 a.m.
Cc: freeipa-users at redhat.com
Subject: [Freeipa-users] resetting an admin account.

I have tried to reset my admin password (admjonesst1) using the admin account to a temp password. So I run a kinit admjonesst1 to reset it to a perm one and I get,

========
[jonesst1 at 8kxl72s ~]$ kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Cannot contact any KDC for requested realm while getting initial credentials
[jonesst1 at 8kxl72s ~]$ kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Cannot contact any KDC for requested realm while getting initial credentials
[jonesst1 at 8kxl72s ~]$
========

The krb log says,

=======
Jul 27 10:44:03 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: CLIENT KEY EXPIRED: admjonesst1 at ODS.VUW.AC.NZ for krbtgt/ODS.VUW.AC.NZ at ODS.VUW.AC.NZ, Password has expired
Jul 27 10:44:03 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: NEEDED_PREAUTH: admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ, Additional pre-authentication required
Jul 27 10:44:11 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: ISSUE: authtime 1343342651, etypes {rep=18 tkt=18 ses=18}, admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ
Jul 27 10:44:41 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: CLIENT KEY EXPIRED: admjonesst1 at ODS.VUW.AC.NZ for krbtgt/ODS.VUW.AC.NZ at ODS.VUW.AC.NZ, Password has expired
Jul 27 10:44:41 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: NEEDED_PREAUTH: admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ, Additional pre-authentication required
Jul 27 10:44:46 vuwunicoipam002.ods.vuw.ac.nz krb5kdc[4102](info): AS_REQ (4 etypes {18 17 16 23}) 130.195.245.249: ISSUE: authtime 1343342686, etypes {rep=18 tkt=18 ses=18}, admjonesst1 at ODS.VUW.AC.NZ for kadmin/changepw at ODS.VUW.AC.NZ
=======

Any idea what's going on here pls?
regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From Steven.Jones at vuw.ac.nz Fri Jul 27 03:14:13 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 27 Jul 2012 03:14:13 +0000
Subject: [Freeipa-users] unable to logout of IPA
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz>

When in IPA, when I click on the "logout" I expect to logout so I can login as another user,

=======
Logged In As: steven jones | Logout
=======

Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting sees me logged back in as my adm account...

So what do I need to do to flush? reboot my workstation?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From simo at redhat.com Fri Jul 27 04:01:29 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 27 Jul 2012 00:01:29 -0400
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <1343361689.2666.27.camel@willson.li.ssimo.org>

On Fri, 2012-07-27 at 03:14 +0000, Steven Jones wrote:
> When in IPA, when I click on the "logout" I expect to logout so I can login as another user,
>
> =======
> Logged In As: steven jones | Logout
> =======
>
> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting sees me logged back in as my adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From Steven.Jones at vuw.ac.nz Fri Jul 27 04:39:51 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Fri, 27 Jul 2012 04:39:51 +0000
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <1343361689.2666.27.camel@willson.li.ssimo.org>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1343361689.2666.27.camel@willson.li.ssimo.org>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>

So if I just click on logout, I should just logout as if I kdestroy'd?

If so, when I do that why doesn't that "cleanup" occur?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Friday, 27 July 2012 4:01 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] unable to logout of IPA

On Fri, 2012-07-27 at 03:14 +0000, Steven Jones wrote:
> When in IPA, when I click on the "logout" I expect to logout so I can login as another user,
>
> =======
> Logged In As: steven jones | Logout
> =======
>
> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting sees me logged back in as my adm account...
>
> So what do I need to do to flush? reboot my workstation?

logout or manually run kdestroy

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From danieljamesscott at gmail.com Fri Jul 27 06:06:01 2012
From: danieljamesscott at gmail.com (Dan Scott)
Date: Thu, 26 Jul 2012 23:06:01 -0700
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz> <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID:

Hi,

I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:

http://www.grc.com/sn/sn-360.htm

Search for 'sessionstore' and read a little before and after.

Are session cookies relevant for kerberos authentication? Maybe you could try a different browser to see if logging out works.

Thanks,

Dan

On Thu, Jul 26, 2012 at 9:39 PM, Steven Jones wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that "cleanup" occur?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +0000, Steven Jones wrote:
>> When in IPA, when I click on the "logout" I expect to logout so I can login as another user,
>>
>> =======
>> Logged In As: steven jones | Logout
>> =======
>>
>> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting sees me logged back in as my adm account...
>>
>> So what do I need to do to flush? reboot my workstation?
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From sigbjorn at nixtra.com Fri Jul 27 07:06:10 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 27 Jul 2012 09:06:10 +0200 (CEST)
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz>, <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <19686.213.225.75.97.1343372770.squirrel@www.nixtra.com>

What you're seeing is Kerberos single sign on in action. You might log out of the web interface, but the next time you open firefox a new automatic sign on by kerberos is happening. If you kdestroy your kerberos credentials you can no longer access any kerberized services, until you request new kerberos credentials.

You can check this by accessing the ipa web interface, run "klist", see that there is a HTTP/your-ipa-server.fqdn. Run "kinit", then run "klist" and all your tickets are gone. Access the IPA web interface again, run klist and you'll see a HTTP/your-ipa-server.fqdn. Kerberos single sign on in action. :)

Rgds,
Siggi

On Fri, July 27, 2012 06:39, Steven Jones wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that "cleanup" occur?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +0000, Steven Jones wrote:
>
>> When in IPA, when I click on the "logout" I expect to logout so I can login as another user,
>>
>> =======
>> Logged In As: steven jones | Logout
>> =======
>>
>> Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox
>> and restarting sees me logged back in as my adm account...
>>
>> So what do I need to do to flush? reboot my workstation?
>>
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From jdennis at redhat.com Fri Jul 27 13:28:05 2012
From: jdennis at redhat.com (John Dennis)
Date: Fri, 27 Jul 2012 09:28:05 -0400
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To:
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz> <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50129765.8010700@redhat.com>

On 07/27/2012 02:06 AM, Dan Scott wrote:
> Hi,
>
> I'm not sure if this is relevant, but Firefox preserves session
> cookies across browser restarts. This was discussed on the Security
> Now! podcast recently:
>
> http://www.grc.com/sn/sn-360.htm
>
> Search for 'sessionstore' and read a little before and after.
>
> Are session cookies relevant for kerberos authentication?

It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server making the session cookie stored in the browser invalid.

However, SSO (Single Sign-On) continues to work as it's supposed to.
As long as you have valid credentials in your kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie). All this is by design.

You can logout of IPA which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From pspacek at redhat.com Fri Jul 27 14:30:10 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 27 Jul 2012 16:30:10 +0200
Subject: [Freeipa-users] unable to logout of IPA
In-Reply-To: <50129765.8010700@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66EF9@STAWINCOX10MBX1.staff.vuw.ac.nz> <1343361689.2666.27.camel@willson.li.ssimo.org> <833D8E48405E064EBC54C84EC6B36E404CD66FA8@STAWINCOX10MBX1.staff.vuw.ac.nz> <50129765.8010700@redhat.com>
Message-ID: <5012A5F2.102@redhat.com>

On 07/27/2012 03:28 PM, John Dennis wrote:
> On 07/27/2012 02:06 AM, Dan Scott wrote:
>> Hi,
>>
>> I'm not sure if this is relevant, but Firefox preserves session
>> cookies across browser restarts. This was discussed on the Security
>> Now! podcast recently:
>>
>> http://www.grc.com/sn/sn-360.htm
>>
>> Search for 'sessionstore' and read a little before and after.
>>
>> Are session cookies relevant for kerberos authentication?
>
> It's only tangentially relevant. IPA does use session cookies. IPA logout
> destroys the session on the server making the session cookie stored in the
> browser invalid.
>
> However, SSO (Single Sign-On) continues to work as it's supposed to. As long
> as you have valid credentials in your kerberos cache you'll be automatically
> logged in (albeit with a brand new session and session cookie). All this is by
> design.
>
> You can logout of IPA which destroys your session, but unless you also destroy
> your credentials the automatic SSO process will be applied the next time you
> visit the web UI.
>

Would it be possible to add "login as another user" functionality? I mean "destroy session && ignore any Kerberos tickets && start form-based auth"? IMHO it could be handy, at least for demonstration purposes.

Petr^2 Spacek

From simo at redhat.com Fri Jul 27 15:29:18 2012
From: simo at redhat.com (Simo Sorce)
Date: Fri, 27 Jul 2012 11:29:18 -0400
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To:
References:
Message-ID: <1343402958.2666.44.camel@willson.li.ssimo.org>

On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> Hi,
>
> I'm encountering a strange problem.. upon trying to add a new DNS zone
> the following message is being displayed "attribute
> "idnsAllowTransfer" not allowed" and the DNS entry is not created. Has
> anyone ever encountered such a problem if so what needs to be done to
> resolve it ?
>
> IPA server version 2.1.3. API version 2.13

Was this server upgraded from a 2.0.x one ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From dietkinnie at gmail.com Mon Jul 30 10:11:07 2012
From: dietkinnie at gmail.com (Robert Bowell)
Date: Mon, 30 Jul 2012 12:11:07 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To: <1343402958.2666.44.camel@willson.li.ssimo.org>
References: <1343402958.2666.44.camel@willson.li.ssimo.org>
Message-ID:

Hi Simo,

Thanks for your reply.

Yes the IPA server has been updated from 2.1 to 2.2. Prior to the update, DNS zones could be created without any issues.

I have also noticed that the command 'ipa ping' is displaying the incorrect IPA server version (IPA server version 2.1.90.rc1. API version 2.34) when in fact the IPA server version 2.2.x should be displayed.

Regards,

Robert..

On 27 July 2012 17:29, Simo Sorce wrote:
> On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> > Hi,
> >
> > I'm encountering a strange problem.. upon trying to add a new DNS zone
> > the following message is being displayed "attribute
> > "idnsAllowTransfer" not allowed" and the DNS entry is not created. Has
> > anyone ever encountered such a problem if so what needs to be done to
> > resolve it ?
> >
> > IPA server version 2.1.3. API version 2.13
> >
>
> Was this server upgraded from a 2.0.x one ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From simo at redhat.com Mon Jul 30 12:57:23 2012
From: simo at redhat.com (Simo Sorce)
Date: Mon, 30 Jul 2012 08:57:23 -0400
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To:
References: <1343402958.2666.44.camel@willson.li.ssimo.org>
Message-ID: <1343653043.20530.8.camel@willson.li.ssimo.org>

On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> Hi Simo,
>
> Thanks for your reply.
>
> Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
> update, DNS zones could be created without any issues.
>
> I have also noticed that the command 'ipa ping' is displaying the
> incorrect IPA server version (IPA server version 2.1.90.rc1. API
> version 2.34) when in fact the IPA server version 2.2.x should be
> displayed.

This is odd, have you restarted httpd since the update ?

The symptom below seems to suggest something went wrong in updating the DNS schema where we added a few attributes to allow zone transfers.

Can you check the ipaserver-upgrade.log file and see if there are any errors in there ?

Simo.

> Regards,
>
> Robert..
>
> On 27 July 2012 17:29, Simo Sorce wrote:
>         On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
>         > Hi,
>         >
>         > I'm encountering a strange problem.. upon trying to add a
>         new DNS zone
>         > the following message is being displayed "attribute
>         > "idnsAllowTransfer" not allowed" and the DNS entry is not
>         created. Has
>         > anyone ever encountered such a problem if so what needs to
>         be done to
>         > resolve it ?
>         >
>         > IPA server version 2.1.3. API version 2.13
>         >
>
>         Was this server upgraded from a 2.0.x one ?
>
>         Simo.
>
>         --
>         Simo Sorce * Red Hat, Inc * New York
>

--
Simo Sorce * Red Hat, Inc * New York

From john.blaut at gmail.com Mon Jul 30 13:21:52 2012
From: john.blaut at gmail.com (John Blaut)
Date: Mon, 30 Jul 2012 15:21:52 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To: <1343653043.20530.8.camel@willson.li.ssimo.org>
References: <1343402958.2666.44.camel@willson.li.ssimo.org> <1343653043.20530.8.camel@willson.li.ssimo.org>
Message-ID:

Hi

I am following the same issue with Robert.

In /etc/dirsrv/slapd-/schema/99user.ldif we can see that these new attributes have been added.

Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this is indeed the case as well within the LDAP data.

However if I browse other pre-existing DNS zones using ldapsearch I see that these already have the two attributes in place, so I guess the update procedure managed to insert them somehow:

idnsAllowQuery: any;
idnsAllowTransfer: none;

So we are a bit confused that when trying to add a new zone, we get errors due to these attributes. This is also preventing us from adding new replicas (which require new reverse zones).

Regards

John

On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce wrote:
> On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> > Hi Simo,
> >
> > Thanks for your reply.
> >
> > Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
> > update, DNS zones could be created without any issues.
> >
> > I have also noticed that the command 'ipa ping' is displaying the
> > incorrect IPA server version (IPA server version 2.1.90.rc1. API
> > version 2.34) when in fact the IPA server version 2.2.x should be
> > displayed.
>
> This is odd, have you restarted httpd since the update ?
>
> The symptom below seems to suggest something went wrong in updating the
> DNS schema where we added a few attributes to allow zone transfers.
>
> Can you check the ipaserver-upgrade.log file and see if there are any
> errors in there ?
>
> Simo.
>
> > Regards,
> >
> > Robert..
> >
> > On 27 July 2012 17:29, Simo Sorce wrote:
> >         On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> >         > Hi,
> >         >
> >         > I'm encountering a strange problem.. upon trying to add a
> >         new DNS zone
> >         > the following message is being displayed "attribute
> >         > "idnsAllowTransfer" not allowed" and the DNS entry is not
> >         created. Has
> >         > anyone ever encountered such a problem if so what needs to
> >         be done to
> >         > resolve it ?
> >         >
> >         > IPA server version 2.1.3. API version 2.13
> >         >
> >
> >         Was this server upgraded from a 2.0.x one ?
> >
> >         Simo.
> >
> >         --
> >         Simo Sorce * Red Hat, Inc * New York
> >
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

From mkosek at redhat.com Mon Jul 30 15:18:12 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 Jul 2012 17:18:12 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To: <1343653043.20530.8.camel@willson.li.ssimo.org>
References: <1343402958.2666.44.camel@willson.li.ssimo.org> <1343653043.20530.8.camel@willson.li.ssimo.org>
Message-ID: <5016A5B4.7030002@redhat.com>

On 07/30/2012 02:57 PM, Simo Sorce wrote:
> On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
>> Hi Simo,
>>
>> Thanks for your reply.
>>
>> Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
>> update, DNS zones could be created without any issues.
>>
>> I have also noticed that the command 'ipa ping' is displaying the
>> incorrect IPA server version (IPA server version 2.1.90.rc1. API
>> version 2.34) when in fact the IPA server version 2.2.x should be
>> displayed.
>
> This is odd, have you restarted httpd since the update ?
>
> The symptom below seems to suggest something went wrong in updating the
> DNS schema where we added a few attributes to allow zone transfers.
>
> Can you check the ipaserver-upgrade.log file and see if there are any
> errors in there ?
>
> Simo.
>

This error is described in ticket 2440 which is scheduled for 3.0.1 milestone:

https://fedorahosted.org/freeipa/ticket/2440

The ticket contains more information about the issue including commands to verify it and also an LDIF file that should workaround the issue until a fixed version of IPA server is released.

HTH,
Martin

From mkosek at redhat.com Mon Jul 30 15:26:13 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 30 Jul 2012 17:26:13 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To:
References: <1343402958.2666.44.camel@willson.li.ssimo.org> <1343653043.20530.8.camel@willson.li.ssimo.org>
Message-ID: <5016A795.70003@redhat.com>

On 07/30/2012 03:21 PM, John Blaut wrote:
> Hi
>
> I am following the same issue with Robert.
>
> In /etc/dirsrv/slapd-/schema/99user.ldif we can see that these new
> attributes have been added.

Hello John,

I assume that the new attributes were not added to the MAY list in idnsZone objectclass due to an issue with IPA upgrade which is already described in the following ticket:

https://fedorahosted.org/freeipa/ticket/2440

The ticket should contain more information about the issue and also an LDIF that should workaround it until a fix is released.

>
> Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see if this
> is indeed the case as well within the LDAP data.
>
> However if I browse other pre-existing DNS zones using ldapsearch I see that
> these already have the two attributes in place, so I guess the update procedure
> managed to insert them somehow:
>
> idnsAllowQuery: any;
> idnsAllowTransfer: none;

If I understand it correctly, you have existing DNS zones with these attributes defined? I assume this would mean that idnsZone objectclass has the attribute list updated. But then it is quite strange that you get the '"idnsAllowTransfer" not allowed' error.

Martin

>
> So we are a bit confused that when trying to add a new zone, we get errors due
> to these attributes. This is also preventing us from adding new replicas (which
> require new reverse zones).
>
> Regards
>
> John
>
> On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce wrote:
>
>     On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
>     > Hi Simo,
>     >
>     > Thanks for your reply.
>     >
>     > Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
>     > update, DNS zones could be created without any issues.
>     >
>     > I have also noticed that the command 'ipa ping' is displaying the
>     > incorrect IPA server version (IPA server version 2.1.90.rc1. API
>     > version 2.34) when in fact the IPA server version 2.2.x should be
>     > displayed.
>
>     This is odd, have you restarted httpd since the update ?
>
>     The symptom below seems to suggest something went wrong in updating the
>     DNS schema where we added a few attributes to allow zone transfers.
>
>     Can you check the ipaserver-upgrade.log file and see if there are any
>     errors in there ?
>
>     Simo.
>
>     > Regards,
>     >
>     > Robert..
>     >
>     > On 27 July 2012 17:29, Simo Sorce wrote:
>     >         On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
>     >         > Hi,
>     >         >
>     >         > I'm encountering a strange problem.. upon trying to add a
>     >         new DNS zone
>     >         > the following message is being displayed "attribute
>     >         > "idnsAllowTransfer" not allowed" and the DNS entry is not
>     >         created. Has
>     >         > anyone ever encountered such a problem if so what needs to
>     >         be done to
>     >         > resolve it ?
>     >         >
>     >         > IPA server version 2.1.3. API version 2.13
>     >         >
>     >
>     >         Was this server upgraded from a 2.0.x one ?
>     >
>     >         Simo.
>     >
>     >         --
>     >         Simo Sorce * Red Hat, Inc * New York
>     >
>
>     --
>     Simo Sorce * Red Hat, Inc * New York
>

From george_he7 at yahoo.com Mon Jul 30 15:00:01 2012
From: george_he7 at yahoo.com (george he)
Date: Mon, 30 Jul 2012 08:00:01 -0700 (PDT)
Subject: [Freeipa-users] ipa krbtpolicy-mod --maxlife
Message-ID: <1343660401.90010.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Hello all,

I'm trying to change the krb ticket life time for myself, so I used

ipa krbtpolicy-mod MYUSERNAME --maxlife 360000

but then after I do kinit, my new ticket is still going to expire after 24 hours, which is the default ticket life, even though

ipa krbtpolicy-show MYUSERNAME

returns

  Max life: 360000

What am I missing? I'm using ipa2.2 on FC17.

Thanks,
George

From john.blaut at gmail.com Mon Jul 30 16:09:24 2012
From: john.blaut at gmail.com (John Blaut)
Date: Mon, 30 Jul 2012 18:09:24 +0200
Subject: [Freeipa-users] IPA Error 4205 attribute "idnsAllowTransfer" not allowed
In-Reply-To: <5016A795.70003@redhat.com>
References: <1343402958.2666.44.camel@willson.li.ssimo.org> <1343653043.20530.8.camel@willson.li.ssimo.org> <5016A795.70003@redhat.com>
Message-ID:

Hi Martin

Thanks a lot for your reply. We applied the LDIF patch and now we managed to add new zones. Many thanks!!
Yes, you understood well that the DNS zones already had these attributes defined. However using the ldapsearch query from the ticket, these attributes did not show up in the current schema (which is why we then proceeded with the patch which fixed the problem). It is strange how the attributes managed to make their way in the existing DNS zones when they were not supported in the schema.

If it helps, after applying the patch what we also noticed is that in UI, the allow query and transfer options now show up as editable form elements. Before they were not editable but just printed values.

Thanks again.

Regards

John

On Mon, Jul 30, 2012 at 5:26 PM, Martin Kosek wrote:
>
> On 07/30/2012 03:21 PM, John Blaut wrote:
> > Hi
> >
> > I am following the same issue with Robert.
> >
> > In /etc/dirsrv/slapd-/schema/99user.ldif we can see that these
> new
> > attributes have been added.
>
> Hello John,
>
> I assume that the new attributes were not added to the MAY list in idnsZone
> objectclass due to an issue with IPA upgrade which is already described in
> the
> following ticket:
>
> https://fedorahosted.org/freeipa/ticket/2440
>
> The ticket should contain more information about the issue and also an LDIF
> that should workaround it until a fix is released.
>
> >
> > Unfortunately I couldn't verify using ldapsearch on 'cn=schema' to see
> if this
> > is indeed the case as well within the LDAP data.
> >
> > However if I browse other pre-existing DNS zones using ldapsearch I see
> that
> > these already have the two attributes in place, so I guess the update
> procedure
> > managed to insert them somehow:
> >
> > idnsAllowQuery: any;
> > idnsAllowTransfer: none;
>
> If I understand it correctly, you have existing DNS zones with these
> attributes
> defined? I assume this would mean that idnsZone objectclass has the
> attribute
> list updated. But then it is quite strange that you get the
> '"idnsAllowTransfer" not allowed' error.
>
> Martin
>
> >
> > So we are a bit confused that when trying to add a new zone, we get errors due
> > to these attributes. This is also preventing us from adding new replicas (which
> > require new reverse zones).
> >
> > Regards
> >
> > John
> >
> >
> > On Mon, Jul 30, 2012 at 2:57 PM, Simo Sorce wrote:
> >
> > On Mon, 2012-07-30 at 12:11 +0200, Robert Bowell wrote:
> > > Hi Simo,
> > >
> > > Thanks for your reply.
> > >
> > > Yes the IPA server has been updated from 2.1 to 2.2. Prior to the
> > > update, DNS zones could be created without any issues.
> > >
> > > I have also noticed that the command 'ipa ping' is displaying the
> > > incorrect IPA server version (IPA server version 2.1.90.rc1. API
> > > version 2.34) when in fact the IPA server version 2.2.x should be
> > > displayed.
> >
> > This is odd, have you restarted httpd since the update ?
> >
> > The symptom below seems to suggest something went wrong in updating the
> > DNS schema where we added a few attributes to allow zone transfers.
> >
> > Can you check the ipaserver-upgrade.log file and see if there are any
> > errors in there ?
> >
> > Simo.
> >
> > > Regards,
> > >
> > > Robert..
> > >
> > >
> > > On 27 July 2012 17:29, Simo Sorce wrote:
> > > On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> > > > Hi,
> > > >
> > > > I'm encountering a strange problem.. upon trying to add a new DNS zone
> > > > the following message is being displayed "attribute
> > > > "idnsAllowTransfer" not allowed" and the DNS entry is not created. Has
> > > > any one ever encountered such a problem if so what needs to be done to
> > > > resolve it ?
> > > >
> > > > IPA server version 2.1.3. API version 2.13
> > >
> > > Was this server upgraded from a 2.0.x one ?
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >

From sigbjorn at nixtra.com Mon Jul 30 20:37:58 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 30 Jul 2012 22:37:58 +0200
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
Message-ID: <5016F0A6.8080607@nixtra.com>

Hi,

I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2. I still have a LDAP server having unusually high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as if my main issue is with the kerberos server.

All kerberos services are performing very slowly, and the IPA servers have much higher CPU load now than what they had with IPA 2.1. Some services are timing out, like kerberized web servers, other kerberized services perform authentication very slowly. I had to switch our automounter away from kerberos authentication as it is no longer usable.

Using SSH to log on to SSSD enabled hosts is also very slow, a login takes anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.

The IPA web admin interface is definitely not faster than in IPA 2.1.

For a comparison, listing out all the folders in an automount map, causing them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos authentication for the automounter. There are approx 130 folders in that automount map.
After unmounting all the mounted folders, and changing to using username and password authentication with a TLS connection, attempting the same operation again, it now finishes in about 14 seconds for both the lookup from LDAP and the mount operation.

After unmounting all the mounted folders again, changing to username and password authentication with a simple unencrypted bind, and then attempting the same operation, it now finishes both lookup and mount in just over 5 seconds!

I don't have any timing for kerberized automount pre IPA-2.2, but we were not talking about several minutes to mount all the folders in this automount map. Unfortunately mounting all the folders is what happens when the users use konqueror to browse the automount maps, so this is a very noticeable issue.

Even loading a new gnome-terminal or konsole terminal which causes an automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There was no noticeable delay when opening a new terminal window pre IPA-2.2.

I am not using SSSD for the automounter.

I do notice that the dbmodule for the kerberos server has changed from "kldap" to "ipadb.so". Perhaps there are some issues with the new library?

Regards,
Siggi

From mkosek at redhat.com Tue Jul 31 07:04:43 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 31 Jul 2012 09:04:43 +0200
Subject: [Freeipa-users] ipa krbtpolicy-mod --maxlife
In-Reply-To: <1343660401.90010.YahooMailNeo@web120003.mail.ne1.yahoo.com>
References: <1343660401.90010.YahooMailNeo@web120003.mail.ne1.yahoo.com>
Message-ID: <5017838B.20506@redhat.com>

On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
> but then after I do kinit, my new ticket is still going to expire after 24
> hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
>   Max life: 360000
> What am I missing?
> I'm using ipa2.2 on FC17.
> Thanks,
> George

Hello George,

I think there are 2 different things being mixed - the maximal lifetime which can be configured in IPA (KDC) with the krbtpolicy-mod command you just showed, and the lifetime of a ticket that is actually requested.

The requested lifetime is by default 24h, as per the krb5.conf man page:

      ticket_lifetime
              The value of this tag is the default lifetime for initial
              tickets. The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically kinit with a chosen lifetime, you should get it:

# ipa krbtpolicy-mod admin --maxlife 172800
  Max life: 172800

# kinit -l 2d

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at REDHAT.COM

Valid starting     Expires            Service principal
07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/REDHAT.COM at REDHAT.COM

HTH,
Martin

From mkosek at redhat.com Tue Jul 31 07:12:08 2012
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 31 Jul 2012 09:12:08 +0200
Subject: [Freeipa-users] resetting an admin account.
In-Reply-To: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>
References: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>
Message-ID: <50178548.80206@redhat.com>

On 07/27/2012 12:48 AM, Steven Jones wrote:
> I have tried to reset my admin password (admjonesst1) using the admin account to a temp password,
>
> So I run a kinit admjonesst1 to reset it to a perm one and I get,
>
> ========
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$
> ========
>

Would a kinit with a trace turned on show anything interesting?

# KRB5_TRACE=/dev/stdout kinit admjonesst1

It may get us closer to the root cause of this issue.

Martin

From pspacek at redhat.com Tue Jul 31 08:20:43 2012
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 31 Jul 2012 10:20:43 +0200
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <5016F0A6.8080607@nixtra.com>
References: <5016F0A6.8080607@nixtra.com>
Message-ID: <5017955B.6030104@redhat.com>

On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
> Hi,
>
> I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2. I still have a LDAP server having unusually high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as if my main issue is with the kerberos server.
>
> All kerberos services are performing very slowly, and the IPA servers have much higher CPU load now than what they had with IPA 2.1. Some services are timing out, like kerberized web servers, other kerberized services perform authentication very slowly. I had to switch our automounter away from kerberos authentication as it is no longer usable.
>
> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
>
> The IPA web admin interface is definitely not faster than in IPA 2.1.
>
> For a comparison, listing out all the folders in an automount map, causing them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos authentication for the automounter. There are approx 130 folders in that automount map.
>
> After unmounting all the mounted folders, and changing to using username and password authentication with a TLS connection, attempting the same operation again, it now finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
>
> After unmounting all the mounted folders again, changing to username and password authentication with a simple unencrypted bind, and then attempting the same operation, it now finishes both lookup and mount in just over 5 seconds!
>
> I don't have any timing for kerberized automount pre IPA-2.2, but we were not talking about several minutes to mount all the folders in this automount map. Unfortunately mounting all the folders is what happens when the users use konqueror to browse the automount maps, so this is a very noticeable issue.
>
> Even loading a new gnome-terminal or konsole terminal which causes an automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There was no noticeable delay when opening a new terminal window pre IPA-2.2.
>
> I am not using SSSD for the automounter.
>
> I do notice that the dbmodule for the kerberos server has changed from "kldap" to "ipadb.so". Perhaps there are some issues with the new library?
>
> Regards,
> Siggi

Hello,

I'm not a Kerberos guy, so I can give only general advice: "Overloaded-CPU-problems" can be troubleshooted with OProfile.

Oprofile is a lightweight statistical profiler (AFAIK it was designed for production environments).

Step-by-step documentation for RHEL 6 is available from:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile

As you can see in section 22.5.1., it allows to break whole CPU usage down between processes, libraries and even individual symbols (if proper debuginfos are installed).

I recommend running OProfile on the problematic system - results from opreport can provide the missing clue to us.
OProfile gives best results on bare-metal machines. On virtual machines you have to use timer mode in place of hardware performance counters, please see the documentation.

Short getting started guide:
http://oprofile.sourceforge.net/doc/overview.html#getting-started

Nice article with theory && examples:
http://people.redhat.com/wcohen/Oprofile.pdf

Homepage with a lot of useful information:
http://oprofile.sourceforge.net/

Petr^2 Spacek

From sigbjorn at nixtra.com Tue Jul 31 08:50:25 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 31 Jul 2012 10:50:25 +0200 (CEST)
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <5017955B.6030104@redhat.com>
References: <5016F0A6.8080607@nixtra.com> <5017955B.6030104@redhat.com>
Message-ID: <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com>

On Tue, July 31, 2012 10:20, Petr Spacek wrote:
> On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
>
>> Hi,
>>
>> I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2. I still have a LDAP server having unusually high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as if my main issue is with the kerberos server.
>>
>> All kerberos services are performing very slowly, and the IPA servers have much higher CPU load now than what they had with IPA 2.1. Some services are timing out, like kerberized web servers, other kerberized services perform authentication very slowly. I had to switch our automounter away from kerberos authentication as it is no longer usable.
>>
>> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
>>
>> The IPA web admin interface is definitely not faster than in IPA 2.1.
>>
>> For a comparison, listing out all the folders in an automount map, causing them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos authentication for the automounter. There are approx 130 folders in that automount map.
>>
>> After unmounting all the mounted folders, and changing to using username and password authentication with a TLS connection, attempting the same operation again, it now finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
>>
>> After unmounting all the mounted folders again, changing to username and password authentication with a simple unencrypted bind, and then attempting the same operation, it now finishes both lookup and mount in just over 5 seconds!
>>
>> I don't have any timing for kerberized automount pre IPA-2.2, but we were not talking about several minutes to mount all the folders in this automount map. Unfortunately mounting all the folders is what happens when the users use konqueror to browse the automount maps, so this is a very noticeable issue.
>>
>> Even loading a new gnome-terminal or konsole terminal which causes an automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There was no noticeable delay when opening a new terminal window pre IPA-2.2.
>>
>> I am not using SSSD for the automounter.
>>
>> I do notice that the dbmodule for the kerberos server has changed from "kldap" to "ipadb.so". Perhaps there are some issues with the new library?
>>
>> Regards,
>> Siggi
>>
>
> Hello,
>
> I'm not a Kerberos guy, so I can give only general advice:
> "Overloaded-CPU-problems" can be troubleshooted with OProfile.
>
> Oprofile is a lightweight statistical profiler (AFAIK it was designed for
> production environments).
>
> Step-by-step documentation for RHEL 6 is available from:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile
>
> As you can see in section 22.5.1., it allows to break whole CPU usage down between
> processes, libraries and even individual symbols (if proper debuginfos are installed).
>
> I recommend running OProfile on the problematic system - results from opreport can
> provide the missing clue to us.
>
> OProfile gives best results on bare-metal machines. On virtual machines you
> have to use timer mode in place of hardware performance counters, please see the documentation.
>
> Short getting started guide:
> http://oprofile.sourceforge.net/doc/overview.html#getting-started
>
> Nice article with theory && examples:
> http://people.redhat.com/wcohen/Oprofile.pdf
>
> Homepage with a lot of useful information:
> http://oprofile.sourceforge.net/
>

Thank you.

All 3 IPA servers are close to idle now after switching from kerberos to user/pwd bind for the Linux automounter.

Still there is an issue with kerberos failing to issue a ticket every now and then, and it's responding very slowly.

There seems to be low activity on this list just now. Are the kerberos people away on vacation?

Rgds,
Siggi

From simo at redhat.com Tue Jul 31 11:50:13 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 31 Jul 2012 07:50:13 -0400
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com>
References: <5016F0A6.8080607@nixtra.com> <5017955B.6030104@redhat.com> <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com>
Message-ID: <1343735413.20530.26.camel@willson.li.ssimo.org>

On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
> On Tue, July 31, 2012 10:20, Petr Spacek wrote:
> > On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
> >
> >> Hi,
> >>
> >> I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2.
> >> I still have a LDAP server having unusually high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as if my main issue is with the kerberos server.
> >>
> >> All kerberos services are performing very slowly, and the IPA servers have much higher CPU load now than what they had with IPA 2.1. Some services are timing out, like kerberized web servers, other kerberized services perform authentication very slowly. I had to switch our automounter away from kerberos authentication as it is no longer usable.
> >>
> >> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
> >>
> >> The IPA web admin interface is definitely not faster than in IPA 2.1.
> >>
> >> For a comparison, listing out all the folders in an automount map, causing them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos authentication for the automounter. There are approx 130 folders in that automount map.
> >>
> >> After unmounting all the mounted folders, and changing to using username and password authentication with a TLS connection, attempting the same operation again, it now finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
> >>
> >> After unmounting all the mounted folders again, changing to username and password authentication with a simple unencrypted bind, and then attempting the same operation, it now finishes both lookup and mount in just over 5 seconds!
> >>
> >> I don't have any timing for kerberized automount pre IPA-2.2, but we were not talking about several minutes to mount all the folders in this automount map. Unfortunately mounting all the folders is what happens when the users use konqueror to browse the automount maps, so this is a very noticeable issue.
> >>
> >> Even loading a new gnome-terminal or konsole terminal which causes an automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There was no noticeable delay when opening a new terminal window pre IPA-2.2.
> >>
> >> I am not using SSSD for the automounter.
> >>
> >> I do notice that the dbmodule for the kerberos server has changed from "kldap" to "ipadb.so". Perhaps there are some issues with the new library?
> >>
> >> Regards,
> >> Siggi
> >>
> >
> > Hello,
> >
> > I'm not a Kerberos guy, so I can give only general advice:
> > "Overloaded-CPU-problems" can be troubleshooted with OProfile.
> >
> > Oprofile is a lightweight statistical profiler (AFAIK it was designed for
> > production environments).
> >
> > Step-by-step documentation for RHEL 6 is available from:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile
> >
> > As you can see in section 22.5.1., it allows to break whole CPU usage down between
> > processes, libraries and even individual symbols (if proper debuginfos are installed).
> >
> > I recommend running OProfile on the problematic system - results from opreport can
> > provide the missing clue to us.
> >
> > OProfile gives best results on bare-metal machines. On virtual machines you
> > have to use timer mode in place of hardware performance counters, please see the documentation.
> >
> > Short getting started guide:
> > http://oprofile.sourceforge.net/doc/overview.html#getting-started
> >
> > Nice article with theory && examples:
> > http://people.redhat.com/wcohen/Oprofile.pdf
> >
> > Homepage with a lot of useful information:
> > http://oprofile.sourceforge.net/
> >
>
> Thank you.
>
> All 3 IPA servers are close to idle now after switching from kerberos to user/pwd bind for the
> Linux automounter.
>
> Still there is an issue with kerberos failing to issue a ticket every now and then, and it's
> responding very slowly.
>
> There seems to be low activity on this list just now. Are the kerberos people away on vacation?

Hi Siggi,
some people are on vacation, some are busy covering others :-)

Would you be able to take a wireshark trace of an automount going on ? I would like to see precise timing of packets on the wire to make a first assessment of where the bottleneck is.

We did change from ldap.so to ipadb.so, but the structure of the drivers is not much different, so I am surprised it would be much slower. However it is possible, and I would like to find out what is going on with your help.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From george_he7 at yahoo.com Tue Jul 31 12:09:28 2012
From: george_he7 at yahoo.com (george he)
Date: Tue, 31 Jul 2012 05:09:28 -0700 (PDT)
Subject: [Freeipa-users] ipa krbtpolicy-mod --maxlife
In-Reply-To: <5017838B.20506@redhat.com>
References: <1343660401.90010.YahooMailNeo@web120003.mail.ne1.yahoo.com> <5017838B.20506@redhat.com>
Message-ID: <1343736568.76311.YahooMailNeo@web120003.mail.ne1.yahoo.com>

Thank you, Martin. This helps.
George

>________________________________
> From: Martin Kosek
>To: george he
>Cc: "freeipa-users at redhat.com"
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
>
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>>   Max life: 360000
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - the maximal lifetime which can be
>configured in IPA (KDC) with the krbtpolicy-mod command you just showed, and the
>lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per the krb5.conf man page:
>
>      ticket_lifetime
>              The value of this tag is the default lifetime for initial
>              tickets. The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
>  Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin at REDHAT.COM
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/REDHAT.COM at REDHAT.COM
>
>HTH,
>Martin
>

From sigbjorn at nixtra.com Tue Jul 31 19:08:41 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 31 Jul 2012 21:08:41 +0200
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <1343735413.20530.26.camel@willson.li.ssimo.org>
References: <5016F0A6.8080607@nixtra.com> <5017955B.6030104@redhat.com> <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com> <1343735413.20530.26.camel@willson.li.ssimo.org>
Message-ID: <50182D39.7080407@nixtra.com>

On 07/31/2012 01:50 PM, Simo Sorce wrote:
> On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
>> On Tue, July 31, 2012 10:20, Petr Spacek wrote:
>>> On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2.
>>>> I still have a LDAP server having unusually high cpu usage even after it's been removed from the SRV records and is serving almost no clients anymore, but it would seem as if my main issue is with the kerberos server.
>>>>
>>>> All kerberos services are performing very slowly, and the IPA servers have much higher CPU load now than what they had with IPA 2.1. Some services are timing out, like kerberized web servers, other kerberized services perform authentication very slowly. I had to switch our automounter away from kerberos authentication as it is no longer usable.
>>>>
>>>> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
>>>>
>>>> The IPA web admin interface is definitely not faster than in IPA 2.1.
>>>>
>>>> For a comparison, listing out all the folders in an automount map, causing them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos authentication for the automounter. There are approx 130 folders in that automount map.
>>>>
>>>> After unmounting all the mounted folders, and changing to using username and password authentication with a TLS connection, attempting the same operation again, it now finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
>>>>
>>>> After unmounting all the mounted folders again, changing to username and password authentication with a simple unencrypted bind, and then attempting the same operation, it now finishes both lookup and mount in just over 5 seconds!
>>>>
>>>> I don't have any timing for kerberized automount pre IPA-2.2, but we were not talking about several minutes to mount all the folders in this automount map. Unfortunately mounting all the folders is what happens when the users use konqueror to browse the automount maps, so this is a very noticeable issue.
>>>>
>>>> Even loading a new gnome-terminal or konsole terminal which causes an automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There was no noticeable delay when opening a new terminal window pre IPA-2.2.
>>>>
>>>> I am not using SSSD for the automounter.
>>>>
>>>> I do notice that the dbmodule for the kerberos server has changed from "kldap" to "ipadb.so". Perhaps there are some issues with the new library?
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>
>>> Hello,
>>>
>>> I'm not a Kerberos guy, so I can give only general advice:
>>> "Overloaded-CPU-problems" can be troubleshooted with OProfile.
>>>
>>> Oprofile is a lightweight statistical profiler (AFAIK it was designed for
>>> production environments).
>>>
>>> Step-by-step documentation for RHEL 6 is available from:
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile
>>>
>>> As you can see in section 22.5.1., it allows to break whole CPU usage down between
>>> processes, libraries and even individual symbols (if proper debuginfos are installed).
>>>
>>> I recommend running OProfile on the problematic system - results from opreport can
>>> provide the missing clue to us.
>>>
>>> OProfile gives best results on bare-metal machines. On virtual machines you
>>> have to use timer mode in place of hardware performance counters, please see the documentation.
>>>
>>> Short getting started guide:
>>> http://oprofile.sourceforge.net/doc/overview.html#getting-started
>>>
>>> Nice article with theory && examples:
>>> http://people.redhat.com/wcohen/Oprofile.pdf
>>>
>>> Homepage with a lot of useful information:
>>> http://oprofile.sourceforge.net/
>>>
>> Thank you.
>>
>> All 3 IPA servers are close to idle now after switching from kerberos to user/pwd bind for the
>> Linux automounter.
>>
>> Still there is an issue with kerberos failing to issue a ticket every now and then, and it's
>> responding very slowly.
>>
>> There seems to be low activity on this list just now. Are the kerberos people away on vacation?
> Hi Siggi,
> some people are on vacation, some are busy covering others :-)
>
> Would you be able to take a wireshark trace of an automount going on ?
> I would like to see precise timing of packets on the wire to make a
> first assessment of where the bottleneck is.
>
> We did change from ldap.so to ipadb.so, but the structure of the drivers
> is not much different, so I am surprised it would be much slower,
> however it is possible, I would like to find out what is going on with
> your help.
>

OK, I will get that done when I'm back in the office tomorrow. I suspect it will be somewhat better than my first results, as the load on the IPA servers is now much lower when the linux automounters are no longer using kerberos for authentication.

It seems like there is a race condition going on, as the shit didn't hit the fan until the week after the upgrade to IPA 2.2 when people returned to work. The slowness issues then gradually became worse and worse.

I will send you the captures in a private email. Do you need anything besides TCP 389, 636 and TCP/UDP 88 ?

Rgds,
Siggi

From Steven.Jones at vuw.ac.nz Tue Jul 31 20:56:41 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 Jul 2012 20:56:41 +0000
Subject: [Freeipa-users] resetting an admin account.
In-Reply-To: <50178548.80206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50178548.80206@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6926E@STAWINCOX10MBX1.staff.vuw.ac.nz>

Hi,

Both my replicas had stopped replicating, or the ldap db was corrupt... I need to test to see if this issue has gone away or not, but I'm bogged down with essential work this morning.
:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 31 July 2012 7:12 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] resetting an admin account.

On 07/27/2012 12:48 AM, Steven Jones wrote:
> I have tried to reset my admin password (admjonesst1) using the admin account to a temp password,
>
> So I run a kinit admjonesst1 to reset it to a perm one and I get,
>
> ========
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$
> ========
>

Would a kinit with a trace turned on show anything interesting?

# KRB5_TRACE=/dev/stdout kinit admjonesst1

It may get us closer to the root cause of this issue.

Martin

From Steven.Jones at vuw.ac.nz Tue Jul 31 21:04:26 2012
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Tue, 31 Jul 2012 21:04:26 +0000
Subject: [Freeipa-users] resetting an admin account.
In-Reply-To: <50178548.80206@redhat.com>
References: <833D8E48405E064EBC54C84EC6B36E404CD66B77@STAWINCOX10MBX1.staff.vuw.ac.nz>, <50178548.80206@redhat.com>
Message-ID: <833D8E48405E064EBC54C84EC6B36E404CD6927B@STAWINCOX10MBX1.staff.vuw.ac.nz>

As it turns out I need to use it.

:/

===========
[root at vuwunicoipam001 log]# kinit admjonesst1
Password for admjonesst1 at ODS.VUW.AC.NZ:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log]# KRB5_TRACE=/dev/stdout kinit admjonesst1
[14664] 1343768388.807457: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[14664] 1343768388.812580: Sending request (188 bytes) to ODS.VUW.AC.NZ
[14664] 1343768388.827875: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768388.832204: Received answer from dgram 10.70.3.12:88
[14664] 1343768388.832305: Response was from master KDC
[14664] 1343768388.832336: Received error from KDC: -1765328361/Password has expired
[14664] 1343768388.832362: Principal expired; getting changepw ticket
[14664] 1343768388.832376: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[14664] 1343768388.832426: Setting initial creds service to
[14664] 1343768388.832467: Sending request (182 bytes) to ODS.VUW.AC.NZ (master)
[14664] 1343768388.832580: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768388.836464: Received answer from dgram 10.70.3.12:88
[14664] 1343768388.836495: Received error from KDC: -1765328359/Additional pre-authentication required
[14664] 1343768388.836531: Processing preauth types: 2, 136, 19, 133
[14664] 1343768388.836558: Selected etype info: etype aes256-cts, salt "02(``#Z='yW]W(>;", params ""
[14664] 1343768388.836565: Received cookie: MIT
Password for admjonesst1 at ODS.VUW.AC.NZ:
[14664] 1343768395.526371: AS key obtained for encrypted timestamp: aes256-cts/6F6C
[14664] 1343768395.526476: Encrypted timestamp (for 1343768395.526392): plain 301AA011180F32303132303733313230353935355AA1050203080838, encrypted 240EBF827652358C2E32722C8649CAFD5755F5A3F4F766B1379D50B3192D1AD65B99AD69D4065E33F2FC6C13EA370C7B62F7E61C57A2D75D
[14664] 1343768395.526516: Produced preauth for next request: 133, 2
[14664] 1343768395.526548: Sending request (277 bytes) to ODS.VUW.AC.NZ (master)
[14664] 1343768395.526902: Sending initial UDP request to dgram 10.70.3.12:88
[14664] 1343768395.603247: Received answer from dgram 10.70.3.12:88
[14664] 1343768395.603334: Processing preauth types: 19
[14664] 1343768395.603349: Selected etype info: etype aes256-cts, salt "02(``#Z='yW]W(>;", params ""
[14664] 1343768395.603358: Produced preauth for next request: (empty)
[14664] 1343768395.603373: AS key determined by preauth: aes256-cts/6F6C
[14664] 1343768395.603492: Decrypted AS reply; session key is: aes256-cts/54E9
[14664] 1343768395.603526: FAST negotiation: available
[14664] 1343768395.603575: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[14664] 1343768420.820829: Creating authenticator for admjonesst1 at ODS.VUW.AC.NZ -> kadmin/changepw at ODS.VUW.AC.NZ, seqnum 0, subkey aes256-cts/73EB, session key aes256-cts/54E9
[14664] 1343768420.828369: Sending initial UDP request to dgram 10.70.3.12:464
[14664] 1343768420.841384: Received answer from dgram 10.70.3.12:464
[14664] 1343768420.841509: Read AP-REP, time 1343768420.820855, subkey aes256-cts/73EB, seqnum 1037613661
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log
===============

So let's re-set the password again and re-try,

===========
[root at vuwunicoipam001 log]# KRB5_TRACE=/dev/stdout kinit admjonesst1
[15004] 1343768598.486261: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[15004] 1343768598.491785: Sending request (188 bytes) to ODS.VUW.AC.NZ
[15004] 1343768598.507798: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768598.512326: Received answer from dgram 10.70.3.12:88
[15004] 1343768598.512429: Response was from master KDC
[15004] 1343768598.512460: Received error from KDC: -1765328361/Password has expired
[15004] 1343768598.512486: Principal expired; getting changepw ticket
[15004] 1343768598.512499: Getting initial credentials for admjonesst1 at ODS.VUW.AC.NZ
[15004] 1343768598.512549: Setting initial creds service to
[15004] 1343768598.512591: Sending request (183 bytes) to ODS.VUW.AC.NZ (master)
[15004] 1343768598.512828: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768598.516670: Received answer from dgram 10.70.3.12:88
[15004] 1343768598.516701: Received error from KDC: -1765328359/Additional pre-authentication required
[15004] 1343768598.516738: Processing preauth types: 2, 136, 19, 133
[15004] 1343768598.516764: Selected etype info: etype aes256-cts, salt "cI7u&FhS\SFGR:Wx", params ""
[15004] 1343768598.516772: Received cookie: MIT
Password for admjonesst1 at ODS.VUW.AC.NZ:
[15004] 1343768603.746087: AS key obtained for encrypted timestamp: aes256-cts/1392
[15004] 1343768603.746181: Encrypted timestamp (for 1343768603.746110): plain 301AA011180F32303132303733313231303332335AA10502030B627E, encrypted 32717E12866758441D84E1016F92B9ABF31CEACF41021755BDBDEFA410426877A9A489112B99C90F48140DC5308F5ED827496225AD0B24A0
[15004] 1343768603.746204: Produced preauth for next request: 133, 2
[15004] 1343768603.746234: Sending request (278 bytes) to ODS.VUW.AC.NZ (master)
[15004] 1343768603.746415: Sending initial UDP request to dgram 10.70.3.12:88
[15004] 1343768603.876746: Received answer from dgram 10.70.3.12:88
[15004] 1343768603.876834: Processing preauth types: 19
[15004] 1343768603.876850: Selected etype info: etype aes256-cts, salt "cI7u&FhS\SFGR:Wx", params ""
[15004] 1343768603.876860: Produced preauth for next request: (empty)
[15004] 1343768603.876874: AS key determined by preauth: aes256-cts/1392
[15004] 1343768603.876973: Decrypted AS reply; session key is: aes256-cts/8B5A
[15004] 1343768603.877006: FAST negotiation: available
[15004] 1343768603.877055: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[15004] 1343768621.280853: Creating authenticator for admjonesst1 at ODS.VUW.AC.NZ -> kadmin/changepw at ODS.VUW.AC.NZ, seqnum 0, subkey aes256-cts/6376, session key aes256-cts/8B5A
[15004] 1343768621.281181: Sending initial UDP request to dgram 10.70.3.12:464
[15004] 1343768621.293062: Received answer from dgram 10.70.3.12:464
[15004] 1343768621.293168: Read AP-REP, time 1343768621.280874, subkey aes256-cts/6376, seqnum 312851864
kinit: Password change failed while getting initial credentials
[root at vuwunicoipam001 log]#
==========

Still fails..........

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Martin Kosek [mkosek at redhat.com]
Sent: Tuesday, 31 July 2012 7:12 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] resetting an admin account.

On 07/27/2012 12:48 AM, Steven Jones wrote:
> I have tried to reset my admin password (admjonesst1) using the admin account to a temp password,
>
> So I run a kinit admjonesst1 to reset it to a perm one and I get,
>
> ========
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$ kinit admjonesst1
> Password for admjonesst1 at ODS.VUW.AC.NZ:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit: Cannot contact any KDC for requested realm while getting initial credentials
> [jonesst1 at 8kxl72s ~]$
> ========
>

Would a kinit with a trace turned on show anything interesting?

# KRB5_TRACE=/dev/stdout kinit admjonesst1

It may get us closer to the root cause of this issue.
Martin

From simo at redhat.com Tue Jul 31 21:25:58 2012
From: simo at redhat.com (Simo Sorce)
Date: Tue, 31 Jul 2012 17:25:58 -0400
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <50182D39.7080407@nixtra.com>
References: <5016F0A6.8080607@nixtra.com> <5017955B.6030104@redhat.com> <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com> <1343735413.20530.26.camel@willson.li.ssimo.org> <50182D39.7080407@nixtra.com>
Message-ID: <1343769958.20530.50.camel@willson.li.ssimo.org>

On Tue, 2012-07-31 at 21:08 +0200, Sigbjorn Lie wrote:
> On 07/31/2012 01:50 PM, Simo Sorce wrote:
> > On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
> >> On Tue, July 31, 2012 10:20, Petr Spacek wrote:
> >>> On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I've been having performance issues after I upgraded to RHEL 6.3 / IPA 2.2. I
> >>>> still have an LDAP server having unusually high cpu usage even after it's been removed from the SRV
> >>>> records and is serving almost no clients anymore, but it would seem as if my main issue is with
> >>>> the kerberos server.
> >>>>
> >>>> All kerberos services are performing very slowly, and the IPA servers have much
> >>>> higher CPU load now than what they had with IPA 2.1. Some services are timing out, like
> >>>> kerberized web servers, other kerberized services perform authentication very slowly. I had to
> >>>> switch our automounter away from kerberos authentication as it is no longer usable.
> >>>>
> >>>> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes
> >>>> anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
> >>>>
> >>>> The IPA web admin interface is definitely not faster than in IPA 2.1.
> >>>>
> >>>> For a comparison, listing out all the folders in an automount map, causing
> >>>> them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos
> >>>> authentication for the automounter. There are approx 130 folders in that automount map.
> >>>>
> >>>> After unmounting all the mounted folders, and changing to using a username and
> >>>> password authentication with a TLS connection, attempting the same operation again, it now
> >>>> finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
> >>>>
> >>>> After unmounting all the mounted folders again, changing to username and
> >>>> password authentication with a simple unencrypted bind, and then attempting the same operation,
> >>>> it now finishes both lookup and mount in just over 5 seconds!
> >>>>
> >>>> I don't have any timing for kerberized automount pre IPA-2.2, but we were not
> >>>> talking about several minutes to mount all the folders in this automount map. Unfortunately
> >>>> mounting all the folders is what happens when the users use konqueror to browse the automount
> >>>> maps, so this is a very noticeable issue.
> >>>>
> >>>> Even loading a new gnome-terminal or konsole terminal which causes an
> >>>> automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There
> >>>> was no noticeable delay when opening a new terminal window pre IPA-2.2.
> >>>>
> >>>> I am not using SSSD for the automounter.
> >>>>
> >>>> I do notice that the dbmodule for the kerberos server has changed from "kldap"
> >>>> to "ipadb.so". Perhaps there are some issues with the new library?
> >>>>
> >>>> Regards,
> >>>> Siggi
> >>>>
> >>>
> >>> Hello,
> >>>
> >>> I'm not a Kerberos guy, so I can give only general advice:
> >>> "Overloaded-CPU-problems" can be troubleshooted with OProfile.
> >>>
> >>> Oprofile is a lightweight statistical profiler (AFAIK it was designed for
> >>> production environments).
> >>>
> >>> Step-by-step documentation for RHEL 6 is available from:
> >>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile
> >>>
> >>> As you can see in section 22.5.1., it allows breaking whole CPU usage down between
> >>> processes, libraries and even individual symbols (if proper debuginfos are installed).
> >>>
> >>> I recommend running OProfile on the problematic system - results from opreport can
> >>> provide the missing clue to us.
> >>>
> >>> OProfile gives best results on bare-metal machines. On virtual machines you
> >>> have to use timer mode in place of hardware performance counters, please see the documentation.
> >>>
> >>> Short getting started guide:
> >>> http://oprofile.sourceforge.net/doc/overview.html#getting-started
> >>>
> >>> Nice article with theory & examples:
> >>> http://people.redhat.com/wcohen/Oprofile.pdf
> >>>
> >>> Homepage with a lot of useful information:
> >>> http://oprofile.sourceforge.net/
> >>>
> >> Thank you.
> >>
> >> All 3 IPA servers are close to idle now after switching from kerberos to user/pwd bind for the
> >> Linux automounter.
> >>
> >> Still there is an issue with kerberos failing to issue a ticket every now and then and it's
> >> responding very slowly.
> >>
> >> There seems to be low activity on this list just now. Are the kerberos people away on vacation?
> > Hi Siggi,
> > some people are on vacation, some are busy covering others :-)
> >
> > Would you be able to take a wireshark trace of an automount going on ?
> > I would like to see precise timing of packets on the wire to make a
> > first assessment of where is the bottleneck.
> >
> > We did change from ldap.so to ipadb.so, but the structure of the drivers
> > is not much different, so I am surprised it would be much slower,
> > however it is possible, I would like to find out what is going on with
> > your help.
> >
> OK, I will get that done when I'm back in the office tomorrow. I suspect
> it will be somewhat better than my first results as the load on the IPA
> servers is now much lower when the linux automounters are no longer
> using kerberos for authentication.
>
> It seems like there is a race condition going on as the shit didn't hit
> the fan until the week after the upgrade to IPA 2.2 when people returned
> to work. The slowness issues then gradually became worse and worse.
>
> I will send you the captures in a private email. Do you need anything
> besides TCP 389, 636 and TCP/UDP 88 ?

no need for TCP 636, but it may be interesting to see DNS queries, do you
use the IPA integrated DNS or do you use your own infra ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Tue Jul 31 21:46:07 2012
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Tue, 31 Jul 2012 23:46:07 +0200
Subject: [Freeipa-users] Very slow kerberos performance after upgrade to IPA 2.2
In-Reply-To: <1343769958.20530.50.camel@willson.li.ssimo.org>
References: <5016F0A6.8080607@nixtra.com> <5017955B.6030104@redhat.com> <26024.213.225.75.97.1343724625.squirrel@www.nixtra.com> <1343735413.20530.26.camel@willson.li.ssimo.org> <50182D39.7080407@nixtra.com> <1343769958.20530.50.camel@willson.li.ssimo.org>
Message-ID: <5018521F.9020902@nixtra.com>

On 07/31/2012 11:25 PM, Simo Sorce wrote:
> On Tue, 2012-07-31 at 21:08 +0200, Sigbjorn Lie wrote:
>> On 07/31/2012 01:50 PM, Simo Sorce wrote:
>>> On Tue, 2012-07-31 at 10:50 +0200, Sigbjorn Lie wrote:
>>>> On Tue, July 31, 2012 10:20, Petr Spacek wrote:
>>>>> On 07/30/2012 10:37 PM, Sigbjorn Lie wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I've been having performance issues after I upgraded to RHEL
>>>>>> 6.3 / IPA 2.2. I
>>>>>> still have an LDAP server having unusually high cpu usage even after it's been removed from the SRV
>>>>>> records and is serving almost no clients anymore, but it would seem as if my main issue is with
>>>>>> the kerberos server.
>>>>>>
>>>>>> All kerberos services are performing very slowly, and the IPA servers have much
>>>>>> higher CPU load now than what they had with IPA 2.1. Some services are timing out, like
>>>>>> kerberized web servers, other kerberized services perform authentication very slowly. I had to
>>>>>> switch our automounter away from kerberos authentication as it is no longer usable.
>>>>>>
>>>>>> Using SSH to log on to SSSD enabled hosts is also very slow, a login takes
>>>>>> anything from 5 seconds up to 20 seconds. Noticeably longer than pre IPA 2.2.
>>>>>>
>>>>>> The IPA web admin interface is definitely not faster than in IPA 2.1.
>>>>>>
>>>>>> For a comparison, listing out all the folders in an automount map, causing
>>>>>> them to be looked up from LDAP and mounted, takes over 5 minutes with IPA 2.2 when using kerberos
>>>>>> authentication for the automounter. There are approx 130 folders in that automount map.
>>>>>>
>>>>>> After unmounting all the mounted folders, and changing to using a username and
>>>>>> password authentication with a TLS connection, attempting the same operation again, it now
>>>>>> finishes in about 14 seconds for both the lookup from LDAP and the mount operation.
>>>>>>
>>>>>> After unmounting all the mounted folders again, changing to username and
>>>>>> password authentication with a simple unencrypted bind, and then attempting the same operation,
>>>>>> it now finishes both lookup and mount in just over 5 seconds!
>>>>>>
>>>>>> I don't have any timing for kerberized automount pre IPA-2.2, but we were not
>>>>>> talking about several minutes to mount all the folders in this automount map.
>>>>>> Unfortunately
>>>>>> mounting all the folders is what happens when the users use konqueror to browse the automount
>>>>>> maps, so this is a very noticeable issue.
>>>>>>
>>>>>> Even loading a new gnome-terminal or konsole terminal which causes an
>>>>>> automount folder to be mounted takes anything between 5 - 15 seconds after the upgrade. There
>>>>>> was no noticeable delay when opening a new terminal window pre IPA-2.2.
>>>>>>
>>>>>> I am not using SSSD for the automounter.
>>>>>>
>>>>>> I do notice that the dbmodule for the kerberos server has changed from "kldap"
>>>>>> to "ipadb.so". Perhaps there are some issues with the new library?
>>>>>>
>>>>>> Regards,
>>>>>> Siggi
>>>>>>
>>>>> Hello,
>>>>>
>>>>> I'm not a Kerberos guy, so I can give only general advice:
>>>>> "Overloaded-CPU-problems" can be troubleshooted with OProfile.
>>>>>
>>>>> Oprofile is a lightweight statistical profiler (AFAIK it was designed for
>>>>> production environments).
>>>>>
>>>>> Step-by-step documentation for RHEL 6 is available from:
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#ch-OProfile
>>>>>
>>>>> As you can see in section 22.5.1., it allows breaking whole CPU usage down between
>>>>> processes, libraries and even individual symbols (if proper debuginfos are installed).
>>>>>
>>>>> I recommend running OProfile on the problematic system - results from opreport can
>>>>> provide the missing clue to us.
>>>>>
>>>>> OProfile gives best results on bare-metal machines. On virtual machines you
>>>>> have to use timer mode in place of hardware performance counters, please see the documentation.
>>>>>
>>>>> Short getting started guide:
>>>>> http://oprofile.sourceforge.net/doc/overview.html#getting-started
>>>>>
>>>>> Nice article with theory & examples:
>>>>> http://people.redhat.com/wcohen/Oprofile.pdf
>>>>>
>>>>> Homepage with a lot of useful information:
>>>>> http://oprofile.sourceforge.net/
>>>>>
>>>> Thank you.
>>>>
>>>> All 3 IPA servers are close to idle now after switching from kerberos to user/pwd bind for the
>>>> Linux automounter.
>>>>
>>>> Still there is an issue with kerberos failing to issue a ticket every now and then and it's
>>>> responding very slowly.
>>>>
>>>> There seems to be low activity on this list just now. Are the kerberos people away on vacation?
>>> Hi Siggi,
>>> some people are on vacation, some are busy covering others :-)
>>>
>>> Would you be able to take a wireshark trace of an automount going on ?
>>> I would like to see precise timing of packets on the wire to make a
>>> first assessment of where is the bottleneck.
>>>
>>> We did change from ldap.so to ipadb.so, but the structure of the drivers
>>> is not much different, so I am surprised it would be much slower,
>>> however it is possible, I would like to find out what is going on with
>>> your help.
>>>
>> OK, I will get that done when I'm back in the office tomorrow. I suspect
>> it will be somewhat better than my first results as the load on the IPA
>> servers is now much lower when the linux automounters are no longer
>> using kerberos for authentication.
>>
>> It seems like there is a race condition going on as the shit didn't hit
>> the fan until the week after the upgrade to IPA 2.2 when people returned
>> to work. The slowness issues then gradually became worse and worse.
>>
>> I will send you the captures in a private email. Do you need anything
>> besides TCP 389, 636 and TCP/UDP 88 ?
> no need for TCP 636, but it may be interesting to see DNS queries, do you
> use the IPA integrated DNS or do you use your own infra ?
>

Ok, I'll include DNS requests. I manage the DNS entries with IPA, but I dump the zone contents from LDAP to files and then I run BIND off the files.

Rgds,
Siggi
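An added helper, not code from this thread or from the FreeIPA or MIT krb5 projects, that turns KRB5_TRACE output like the kinit traces quoted in the "resetting an admin account" messages into one line per KDC/kpasswd exchange with its round-trip time and decoded KDC error code, the kind of per-packet timing view Simo asks for in the slow-kerberos thread. The sample trace is constructed from the quoted one with a placeholder principal and KDC address (192.0.2.10), and the two error-code names come from libkrb5's error table.

```python
# Added helper: summarise MIT Kerberos KRB5_TRACE output as one line per
# KDC/kpasswd exchange (round-trip time, decoded KDC error) plus kinit's verdict.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^\[\d+\]\s+(\d+\.\d+):\s+(.*)$")
SEND_RE = re.compile(r"Sending initial (UDP|TCP) request to (?:dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer from (?:dgram|stream) (\S+)")
ERROR_RE = re.compile(r"Received error from KDC:\s*(-?\d+)/(.*)")

# The two codes seen in the quoted trace, as named in libkrb5's error table.
KDC_ERROR_NAMES = {"-1765328361": "KRB5KDC_ERR_KEY_EXP",
                   "-1765328359": "KRB5KDC_ERR_PREAUTH_REQUIRED"}


@dataclass
class Exchange:
    proto: str
    peer: str                       # host:port the request was sent to
    sent_at: float                  # trace timestamp of the send
    rtt_ms: Optional[float] = None  # set when the matching answer arrives
    error: Optional[str] = None     # "code/message" if the KDC returned an error


def parse_trace(text: str) -> Tuple[List[Exchange], Optional[str]]:
    exchanges: List[Exchange] = []
    verdict, pending = None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                   # prompts, or kinit's own verdict line
            if raw.startswith("kinit:"):
                verdict = raw.split(":", 1)[1].strip()
            continue
        ts, msg = float(m.group(1)), m.group(2)
        s = SEND_RE.search(msg)
        if s:
            pending = Exchange(s.group(1), s.group(2), ts)
            exchanges.append(pending)
        elif pending and RECV_RE.search(msg):
            pending.rtt_ms = round((ts - pending.sent_at) * 1000, 1)
        else:
            e = ERROR_RE.search(msg)
            if e and pending:
                pending.error = f"{e.group(1)}/{e.group(2)}"
                pending = None      # an error line closes the exchange
    return exchanges, verdict


def report(exchanges: List[Exchange], verdict: Optional[str]) -> List[str]:
    lines = []
    for i, x in enumerate(exchanges, 1):
        role = "kpasswd" if x.peer.endswith(":464") else "kdc"
        code = x.error.split("/", 1)[0] if x.error else None
        result = KDC_ERROR_NAMES.get(code, x.error) if code else "answered"
        rtt = f"{x.rtt_ms} ms" if x.rtt_ms is not None else "no answer"
        lines.append(f"{i}: {role} {x.proto} {x.peer} rtt={rtt} {result}")
    if verdict:   # e.g. the kpasswd exchange was answered, yet the change was refused
        lines.append(f"kinit: {verdict}")
    return lines


# Constructed sample modelled on the quoted trace: same timestamps, with the
# principal and KDC address replaced by documentation placeholders.
SAMPLE = """\
[14664] 1343768388.827875: Sending initial UDP request to dgram 192.0.2.10:88
[14664] 1343768388.832204: Received answer from dgram 192.0.2.10:88
[14664] 1343768388.832336: Received error from KDC: -1765328361/Password has expired
[14664] 1343768388.832580: Sending initial UDP request to dgram 192.0.2.10:88
[14664] 1343768388.836464: Received answer from dgram 192.0.2.10:88
[14664] 1343768388.836495: Received error from KDC: -1765328359/Additional pre-authentication required
[14664] 1343768395.526902: Sending initial UDP request to dgram 192.0.2.10:88
[14664] 1343768395.603247: Received answer from dgram 192.0.2.10:88
[14664] 1343768395.603575: Attempting password change; 3 tries remaining
[14664] 1343768420.828369: Sending initial UDP request to dgram 192.0.2.10:464
[14664] 1343768420.841384: Received answer from dgram 192.0.2.10:464
kinit: Password change failed while getting initial credentials
"""
```

A kpasswd (port 464) exchange that is answered but still ends in "Password change failed" means the client side completed; the reason has to come from the server side, so the trace narrows where to look rather than explaining the refusal.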