From chandank.kumar at gmail.com Mon Apr 1 16:47:31 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 1 Apr 2013 09:47:31 -0700
Subject: [Freeipa-users] Issue while setting up Replication

Hello,

I am new to FreeIPA; so far I have set up the server and a few test clients, and all went really smoothly. However, I am having a hard time setting up the replication, and any help will be great!

I am using CentOS 6.4. Package info:

    ipa-server-3.0.0-26.el6_4.2.x86_64
    389-ds-base-1.2.11.15-12.el6_4.x86_64

I followed the steps mentioned in
http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

When I try to set up the replica with the replica prepare file from the master with --skip-conncheck (because krb is not running on UDP ports):

    ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg --skip-conncheck

At the end I get the below error:

-----------------------------------------
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa01.ma.net] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Failed to start replication
-------------------------------------------

On the log file:

-------------------------------------------
2013-04-01T16:25:53Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa01.ma.net:636 conn =
2013-04-01T16:25:54Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-replica-install", line 473, in main
    ds = install_replica_ds(config)
  File "/usr/sbin/ipa-replica-install", line 150, in install_replica_ds
    pkcs12_info)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 300, in create_replica
    self.start_creation(runtime=60)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py", line 313, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py", line 865, in setup_replication
    raise RuntimeError("Failed to start replication")
2013-04-01T16:25:54Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication
------------------------------------------------

I also found a similar error reported while setting up IPA on Fedora 18 at
https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
but could not find its resolution.

I am able to connect to the 389/636 ports from the slave. The firewall is off on both ends and hostnames resolve properly.

Thanks

--
http://about.me/chandank
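The "Can't contact LDAP server" result (-1) quoted above is raised by the client before any bind is attempted, and the replica log shows the connection going to ldaps://ipa01.ma.net:636 rather than the plain port. Later in the thread the same host answers a plain ldap:// search but not an ldaps:// one, so the useful check is not "is the port open" but "which layer fails". The script below is an added example, not FreeIPA code and not anything posted in the thread: it classifies a connection attempt as a TCP-layer failure (nothing listening, packets dropped) or a TLS-layer one (port open but no handshake, or handshake fine but the chain is untrusted), with certificate verification left on so that a trust problem is reported as such instead of being hidden. The host names, the 389/636 ports, and the CA path /etc/ipa/ca.crt are assumptions; the local listener used by run_demo() is constructed so the script runs offline.

```python
"""Tell a TCP-level failure from a TLS-level one when an LDAP endpoint
"can't be contacted".

Added example for the thread above; it is not FreeIPA code. Host names,
the default CA path and the 389/636 ports are assumptions. run_demo()
starts a constructed local listener so the script runs offline.
"""
import socket
import ssl
import threading

# Outcome vocabulary of this example (not strings ldapsearch or 389-ds emit).
TCP_REFUSED = "tcp_refused"                    # nothing listening, or active reject
TCP_TIMEOUT = "tcp_timeout"                    # SYN dropped silently (filtering)
TCP_OK = "tcp_ok"                              # plain socket connected (ldap://)
TLS_OK = "tls_ok"                              # verified handshake done (ldaps://)
TLS_CERT_UNTRUSTED = "tls_cert_untrusted"      # handshake ran, chain not trusted
TLS_HANDSHAKE_FAILED = "tls_handshake_failed"  # peer speaks no TLS, resets or hangs

DEFAULT_CAFILE = "/etc/ipa/ca.crt"  # assumed location of the IPA CA cert on a client


def probe(host, port, use_tls=False, cafile=None, timeout=3.0):
    """Connect to host:port; with use_tls also run a verifying TLS handshake."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return TCP_REFUSED
    except (socket.timeout, TimeoutError):
        return TCP_TIMEOUT
    except OSError:
        return TCP_REFUSED  # EHOSTUNREACH / ENETUNREACH: not reachable either

    with sock:
        if not use_tls:
            return TCP_OK
        # Verification stays on: a handshake that only succeeds with
        # verification disabled is a trust problem, not a connectivity one.
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return TLS_OK
        except ssl.SSLCertVerificationError:
            return TLS_CERT_UNTRUSTED
        except (ssl.SSLError, OSError):  # wrong version, EOF, reset, timeout
            return TLS_HANDSHAKE_FAILED


def diagnose(host, ldap_port=389, ldaps_port=636, cafile=None):
    """Probe the plain and the TLS port and map the pair to a next step."""
    plain = probe(host, ldap_port)
    tls = probe(host, ldaps_port, use_tls=True, cafile=cafile)
    if tls == TLS_OK:
        verdict = "ldaps reachable and trusted; the failure is past the transport"
    elif tls == TLS_CERT_UNTRUSTED:
        verdict = "TLS answers but this client does not trust the chain; check the CA cert it uses"
    elif plain == TCP_OK:
        verdict = "plain port up but secure port not serving TLS; check the server's secure-port setup"
    else:
        verdict = "directory server not reachable at all; service down or network path blocked"
    return {"plain": plain, "tls": tls, "verdict": verdict}


def _constructed_plain_listener():
    """Local stand-in for a server whose port is open but speaks no TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down by run_demo(): stop serving
                return
            with conn:
                conn.sendall(b"plain text, not a TLS ServerHello\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv


def run_demo():
    """Exercise probe() against constructed local endpoints; return the outcomes."""
    srv = _constructed_plain_listener()
    open_port = srv.getsockname()[1]
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # released right away, so nothing listens
    tmp.close()
    try:
        return {
            "plain_to_plain": probe("127.0.0.1", open_port),
            "tls_to_plain": probe("127.0.0.1", open_port, use_tls=True),
            "plain_to_closed": probe("127.0.0.1", closed_port),
        }
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(run_demo())
    print(diagnose(target, cafile=DEFAULT_CAFILE))
```

Run against a real master with `python3 probe.py ipa01.ma.net`; the pair of results separates the three situations the thread conflates: port filtered or server down (both probes fail), secure port not serving TLS (plain ok, TLS handshake fails) and a chain the replica does not trust (TLS handshake runs but verification fails). The constructed listener in run_demo() reproduces the middle case, which matches the ldap-works-but-ldaps-does-not observation later in the thread.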
From rcritten at redhat.com Mon Apr 1 17:15:13 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 01 Apr 2013 13:15:13 -0400
Subject: [Freeipa-users] Issue while setting up Replication
Message-ID: <5159C0A1.1040202@redhat.com>

Chandan Kumar wrote:
> Hello,
>
> I am new to FreeIPA so far I have setup the Server and few test clients,
> all went really smooth. However, I am having hard time in setting up the
> replication and any help will great!.
>
> I am using CentOS 6.4. Package Info
>
> ipa-server-3.0.0-26.el6_4.2.x86_64
> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>
> I followed the steps mentioned in
>
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

FYI, these are very out-of-date.

> When I try to setup the replica with the replica prepare file from the
> master with --skip-conncheck (because krb is not running on UDP ports)

I don't understand, you got an error about KRB not running on the UDP ports?

> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
> --skip-conncheck.
>
> At the end I get below error
>
> -----------------------------------------
> [22/31]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipa01.ma.net] reports: Update failed! Status: [-1
> - LDAP error: Can't contact LDAP server]

Well, something is blocking the connection, or the server on ipa01 isn't running. This is a really low-level networking error.

> I also find similar error reported while setting up ipa on Fedora 18 at
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>
> But could not find its resolution.

We never heard back from the user. You're saying you see the same error?

> I am able to connect to the 389/636 port from the slave. Firewall is off
> on both ends and hostnames resolves properly.
On ipa02 you might try:

    $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts

You might also try wireshark to monitor the connection request.

rob

From chandank.kumar at gmail.com Mon Apr 1 22:44:14 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 1 Apr 2013 15:44:14 -0700
Subject: [Freeipa-users] Issue while setting up Replication
In-Reply-To: <5159C0A1.1040202@redhat.com>
References: <5159C0A1.1040202@redhat.com>

Thanks for the prompt response. I was wrong in mentioning that krb is not running on the UDP port; it is running.

Now this time I did not specify --skip-conncheck and ended up with the same error. I could see LDAP requests are reaching the primary IPA server from the secondary (both from tshark and directory server logs).

    # ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg

(I tried with/without --setup-ca, got the same result.)

I have pasted the directory server (primary ipa01 machine) logs in the below pastebin:

http://pastebin.com/HxAwMiDw

And the replication logs (on the replica ipa02 machine):

http://pastebin.com/QNNRVw2k

I am not using the IPA server for DNS; I have a separate DNS server and both host names are getting resolved.

Connection with the ldapsearch command. It appears it is not able to connect at the secure port (this could be the reason):

    # ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
    Enter LDAP Password:
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

-----------------------------
Works perfectly on the non-secure port:

    # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1
-----------------

I was under the impression that ipa-replica-install does the SSL stuff; maybe I am wrong.
Thanks
Chandan
--
http://about.me/chandank

From chandank.kumar at gmail.com Mon Apr 1 23:33:06 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 1 Apr 2013 16:33:06 -0700
Subject: [Freeipa-users] Issue while setting up Replication
References: <5159C0A1.1040202@redhat.com>

Finally it worked. It must have been some configuration issue at my end. I spun up fresh VMs, followed the steps again, and it worked like a cake.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html

Thank you so much for all the help.
--
http://about.me/chandank

From Pekka.Panula at sofor.fi Tue Apr 2 05:43:18 2013
From: Pekka.Panula at sofor.fi (Pekka.Panula at sofor.fi)
Date: Tue, 2 Apr 2013 08:43:18 +0300
Subject: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users
In-Reply-To: <5154CDBD.7040305@redhat.com>
References: <20130328090855.GD24620@hendrix.redhat.com> <5154CDBD.7040305@redhat.com>

Rob Crittenden wrote on 29.03.2013 01:09:49:

> > > Anyhow, you can override the shell on the client using the
> > > override_shell directive of sssd.conf. Simply put it into the domain
> > > section and restart the SSSD.
> >
> > Thanks for that tip, will try that one.
>
> Let me also note that changing the default shell doesn't change the
> shell for any existing users (not entirely sure how this applies to
> trust users, it might get particularly wonky on different machines as
> each machine's sssd cache could have a different shell).

It worked when I put override_shell in the [nss] section.
If I recall right, it did not work when it was in the [domain/domain.com] section.

Not worrying me if it forces all to bash, because we all use only it.

BTW: is there any place where I can submit feature requests, e.g. a default-shell IPA configuration to be used with AD trust users also?

Regards,
Pekka Panula

From Pekka.Panula at sofor.fi Tue Apr 2 05:57:03 2013
From: Pekka.Panula at sofor.fi (Pekka.Panula at sofor.fi)
Date: Tue, 2 Apr 2013 08:57:03 +0300
Subject: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?
In-Reply-To: <5155FB99.2010706@redhat.com>
References: <20130328122716.GG24620@hendrix.redhat.com> <5155FB99.2010706@redhat.com>

> From: Dmitri Pal
>
> >> I want also my AD users (from IPA trust) to login inside thru ssh but
> >> afaik this seems to have some older SSSD version and same configuration
> >> options that goes ok with CentOS 6 ipa-client wont work with CentOS 5.
> >>
> >> So what should i modify that i can login to my CentOS 5 machine that i can
> >> to login AD trust users from IPA? Is there newer SSSD daemon available for
> >> centos 5?
> >>
> > No, it is not and it would be quite hard to build it, I think. You'd
> > need pretty recent version of Kerberos to support the PAC responder that
> > handles users coming via trusts for instance.
>
> Yes this is quite a problem with the current solution.

Is there any guide for RHEL 5.x/CentOS 5.x when using IPA and that same system also needs AD user logins enabled? Should we just enable some PAM module and all works if SSSD/IPA is also used?

> But we are looking for some ways to mitigate that.
> Question for you about the older systems:
>
> What would you prefer: those systems pointing to IPA and IPA having a
> way to serve account and authentication or point them directly to AD?
> Do you require kerberos authentication and SSO from those machines or
> simple LDAP authentication is OK?
> Do you have a requirement for all the authentications to actually happen
> in AD for audit purposes or they can happen in IPA when users come from
> the old clients and in AD with trusts when users access newer clients?
>
> Thanks for the input!
>
> Dmitri

For me, it would be good if all comes from (through) IPA, but that's not a requirement for me.

From pspacek at redhat.com Tue Apr 2 07:11:04 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 02 Apr 2013 09:11:04 +0200
Subject: [Freeipa-users] How to submit feature request for FreeIPA
References: <20130328090855.GD24620@hendrix.redhat.com> <5154CDBD.7040305@redhat.com>
Message-ID: <515A8488.8090808@redhat.com>

On 2.4.2013 07:43, Pekka.Panula at sofor.fi wrote:
> BTW: is there any place when i can submit feature requests, eg. default shell
> IPA configuration to be used with AD trusts users also.

Go to https://fedorahosted.org/freeipa/newticket and file a new ticket. Please describe all the details and ideas, including the use case for the new feature.

Please add the text '[RFE]' to the beginning of the ticket summary, set the ticket type to 'enhancement' and the ticket source to 'Upstream'.

You will need a Fedora Account: https://fedoraproject.org/wiki/Account_System

Free Fedora Account registration: https://fedoraproject.org/wiki/Account_System/NewAccount

Have a nice day.
--
Petr^2 Spacek

From jhrozek at redhat.com Tue Apr 2 09:20:21 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 2 Apr 2013 11:20:21 +0200
Subject: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users
References: <20130328090855.GD24620@hendrix.redhat.com> <5154CDBD.7040305@redhat.com>
Message-ID: <20130402092021.GA14278@hendrix.redhat.com>

On Tue, Apr 02, 2013 at 08:43:18AM +0300, Pekka.Panula at sofor.fi wrote:
> Rob Crittenden wrote on 29.03.2013 01:09:49:
> > > > Anyhow, you can override the shell on the client using the
> > > > override_shell directive of sssd.conf. Simply put it into the domain
> > > > section and restart the SSSD.
> > >
> > > Thanks for that tip, will try that one.
> >
> > Let me also note that changing the default shell doesn't change the
> > shell for any existing users (not entirely sure how this applies to
> > trust users, it might get particularly wonky on different machines as
> > each machine's sssd cache could have a different shell).
>
> It worked when i did override_shell to [nss] section.
> If i recall right, it did not worked when it was in [domain/domain.com]
> section.

Ah, this part of the functionality was added in 1.9.3, I think, so it depends on the version you are running.

From matthew.joseph at lmco.com Tue Apr 2 16:06:49 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 2 Apr 2013 12:06:49 -0400
Subject: [Freeipa-users] Client Installation Error
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com>

Hey,

I'm trying to add a client to IPA and I'm getting the following error:

    Joining realm failed because of failing XML-RPC request
    This error may be caused by incompatible server/client major versions.
Client is running Red Hat 6.1 with the following IPA and curl packages installed:

    ipa-*-2.0.0-23
    curl-7.19.7-26
    libcurl-7.19.7-26

Server is running Red Hat 6.3 with the following IPA and curl packages installed:

    ipa-*-2.2.0-16
    curl-7.19.7-26
    libcurl-7.19.7-26

From what I've seen from other people, the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so, what are my options here to get around this problem? I assume I can downgrade my curl, but will that affect anything major?

Thanks,
Matt

From mkosek at redhat.com Tue Apr 2 16:32:12 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 02 Apr 2013 18:32:12 +0200
Subject: [Freeipa-users] Announcing FreeIPA 3.2.0 Prerelease 1
Message-ID: <515B080C.8000600@redhat.com>

The FreeIPA team is proud to announce the first PRERELEASE of FreeIPA v3.2.0.

We would like to welcome any early testers of this prerelease to provide us feedback and help us stabilize this feature release, which we plan to release as final at the beginning of May 2013.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new version has also been built for Fedora 19 Alpha; if it does not appear in your Fedora 19 yet, you can download the build from koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=408311

== Highlights in 3.2.0 Prerelease 1 ==

=== New features ===

* Support installing FreeIPA without an embedded Certificate Authority, with user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database based on their serial number, validity or revocation details. This feature is available both as a CLI command and a Web UI page. [2]
* New trustconfig-show and trustconfig-mod commands. Show or modify AD Trust settings generated during AD Trust installation (ipa-adtrust-install). [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers for trusts with Active Directory. [12]
* New realmdomains-show and realmdomains-mod commands. Manage the list of DNS domains associated with the FreeIPA realm (realmdomains command). This list is primarily used by AD, which can pull all domains managed by FreeIPA and use that list for routing authentication requests for domains which do not match the FreeIPA realm name. [4]
* Support trusted domain users in the HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per trust (trust-mod command). [5]
* Configurable PAC type for services. Service commands can now configure a set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the service.
* Faster UI loading. The FreeIPA Web UI application is now packaged in minimized format. The FreeIPA web server is now also able to transmit data in compressed format. [6] [7]
* The UI now accepts confirmation of cancelling its dialogs via keyboard. [11]
* Client re-enrollment. A host that has been recreated can now be re-enrolled to the FreeIPA server using a backed-up host keytab or admin credentials. [8]
* Service and Host commands now provide options to add or remove selected Kerberos flags. [9]

=== Prerelease 1 limitations ===

* The list of DNS domains associated with the FreeIPA realm currently only works with a special Samba build available for Fedora 18: http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get it working.
* The test of trusted domain users in HBAC rules is accessible only to members of the 'Trust Admins' group due to privilege limitations.
* The same applies to any other trust-specific operations that require translation between a user/group name and its security identifier (SID).

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and groups from OpenLDAP database instances.
* The migration process is now also a lot faster and provides more debug output (to the httpd error log).
* SUDO rules disabled by the sudorule-disable command are now removed from the ou=sudoers compat tree without a need to restart the 389 Directory Server instance.
* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release.
* Fixed server installation with an external CA (--external-ca).
* Consolidated the on-line help system; help is shown without the need for valid Kerberos credentials (ipa help).
* A new LDAP plugin (ipa_dns) has been added to add the missing idnsSOASerial attribute for replicas which either do not have the integrated DNS service enabled or which have disabled SOA serial autoincrement.
* The LDAP lockout plugin has been fixed so that lockout policies are applied consistently both for LDAP binds and Kerberos authentication.
* ... and many other stabilization fixes; see the Detailed changelog for full details.

== Changes in API or CLI ==

=== Dropped --selfsign option ===

FreeIPA servers prior to 3.2.0 could be installed with the --selfsign option. This configured the server with an NSS-database-based Certificate Authority with a self-signed CA certificate and limited certificate operation support. This option was always intended for development or testing purposes only and was not intended for use in production.

This release drops this option and deprecates the functionality. Current FreeIPA servers installed with the --selfsign option will still work; instructions on how to migrate to supported certificate options will be provided.
FreeIPA servers version 3.2.0 and later support the following 2 flavors of certificate management:

* FreeIPA with pki-ca (dogtag), with either a self-signed certificate or a certificate signed by an external CA (--external-ca option)
* FreeIPA with no pki-ca installed, with certificates signed and provided by an external CA [1]

=== Dropped CSV support ===

The FreeIPA client CLI supported CSV in some arguments so that multiple values could be added with just one convenient option:

    ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
    ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2

CSV parsing however introduces great difficulty when trying to include a value with an embedded space in it. Escaping these values is not intuitive and made it very difficult to add such values. The level of effort in working around the CSV problems has come to the point where its benefits are outweighed by the problems, which led to the decision to drop CSV support in the CLI altogether [10].

There are several ways to work around the lack of CSV:

Provide an argument multiple times on the command line:

    ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn --attrs=cn
    ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2

Let BASH do the expansion for you:

    ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
    ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance. Please note that the referential integrity extension requires an extended set of indexes to be configured. An RPM update for an IPA server with an excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months).
They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded. Downgrading a server once upgraded is not supported. Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested. An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode. == Documentation == * [1] http://www.freeipa.org/page/V3/CA-less_install * [2] http://www.freeipa.org/page/V3/Cert_find * [3] http://www.freeipa.org/page/V3/Trust_config_command * [4] http://www.freeipa.org/page/V3/Realm_Domains * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression * [7] http://www.freeipa.org/page/V3/WebUI_build * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment * [9] http://www.freeipa.org/page/V3/Kerberos_Flags * [10] http://www.freeipa.org/page/V3/Drop_CSV * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation * [12] http://www.freeipa.org/page/V3/MultipleTrustServers == Detailed Changelog since 3.1.0 == Alexander Bokovoy (7): * Update plugin to upload CA certificate to LDAP * ipasam: use base scope when fetching domain information about own domain * ipaserver/dcerpc: enforce search_s without schema checks for GC searching * ipa-replica-manage: migrate to single_value after LDAPEntry updates * Process exceptions when talking to Dogtag * ipasam: add enumeration of UPN suffixes based on the realm domains * Enhance ipa-adtrust-install for domains with multiple IPA server Ana Krivokapic 
(10): * Raise ValidationError for incorrect subtree option. * Add crond as a default HBAC service * Take into consideration services when deleting replicas * Add list of domains associated to our realm to cn=etc * Improve error messages for external group members * Remove check for alphabetic only characters from domain name validation * Fix internal error for ipa show-mappings * Realm Domains page * Use default NETBIOS name in unattended ipa-adtrust-install * Add mkhomedir option to ipa-server-install and ipa-replica-install Brian Cook (1): * Add DNS Setup Prompt to Install JR Aquino (1): * Allow PKI-CA Replica Installs when CRL exceeds default maxber value Jakub Hrozek (1): * Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir Jan Cholasta (24): * Pylint cleanup. * Drop ipapython.compat. * Add support for RFC 6594 SSHFP DNS records. * Raise ValidationError on invalid CSV values. * Run interactive_prompt callbacks after CSV values are split. * Add custom mapping object for LDAP entry data. * Add make_entry factory method to LDAPConnection. * Remove the Entity class. * Remove the Entry class. * Use the dn attribute of LDAPEntry to set/get DNs of entries. * Preserve case of attribute names in LDAPEntry. * Aggregate IPASimpleLDAPObject in LDAPEntry. * Support attributes with multiple names in LDAPEntry. * Use full DNs in plugin code. * Remove DN normalization from the baseldap plugin. * Remove support for DN normalization from LDAPClient. * Fix remove while iterating in suppress_netgroup_memberof. * Remove disabled entries from sudoers compat tree. * Fix internal error in output_for_cli method of sudorule_{enable,disable}. * Do not fail if schema cannot be retrieved from LDAP server. * Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin. * Allow disabling attribute decoding in LDAPClient and IPAdmin. * Disable schema retrieval and attribute decoding when talking to AD GC. 
 * Add Kerberos ticket flags management to service and host plugins.

John Dennis (2):
 * Cookie Expires date should be locale insensitive
 * Use secure method to acquire IPA CA certificate

Lynn Root (4):
 * Switch %r specifiers to '%s' in Public errors
 * Added the ability to do Beta versioning
 * Fixed the catch of the hostname option during ipa-server-install
 * Raise ValidationError when CSR does not have a subject hostname

Martin Kosek (58):
 * Add Lynn Root to Contributors.txt
 * Enable SSSD on client install
 * Fix delegation-find command --group handling
 * Do not crash when Kerberos SRV record is not found
 * permission-find no longer crashes with --targetgroup
 * Avoid CRL migration error message
 * Sort LDAP updates properly
 * Upgrade process should not crash on named restart
 * Installer should not connect to 127.0.0.1
 * Fix migration for openldap DS
 * Remove unused krbV imports
 * Use fully qualified CCACHE names
 * Fix permission_find test error
 * Add trusconfig-show and trustconfig-mod commands
 * ipa-kdb: add sentinel for LDAPDerefSpec allocation
 * ipa-kdb: avoid ENOMEM when all SIDs are filtered out
 * ipa-kdb: reinitialize LDAP configuration for known realms
 * Add SID blacklist attributes
 * ipa-kdb: read SID blacklist from LDAP
 * ipa-sam: Fill SID blacklist when trust is added
 * ipa-adtrust-install should ask for SID generation
 * Test NetBIOS name clash before creating a trust
 * Generalize AD GC search
 * Do not hide SID resolver error in group-add-member
 * Add support for AD users to hbactest command
 * Fix hbachelp examples formatting
 * ipa-kdb: remove memory leaks
 * ipa-kdb: fix retry logic in ipadb_deref_search
 * Add autodiscovery section in ipa-client-install man pages
 * Avoid internal error when user is not Trust admin
 * Use fixed test domain in realmdomains test
 * Bump FreeIPA version for development branch
 * Remove ORDERING for IA5 attributeTypes
 * Fix includedir directive in krb5.conf template
 * Use new 389-ds-base cleartext password API
 * Do not hide idrange-add errors when adding trust
 * Preserve order of servers in ipa-client-install
 * Avoid multiple client discovery with fixed server list
 * Update named.conf parser
 * Use tkey-gssapi-keytab in named.conf
 * Do not force named connections on upgrades
 * ipa-client discovery with anonymous access off
 * Use temporary CCACHE in ipa-client-install
 * Improve client install LDAP cert retrieval fallback
 * Configure ipa_dns DS plugin on install and upgrade
 * Fix structured DNS record output
 * Bump selinux-policy requires
 * Clean spec file for Fedora 19
 * Remove build warnings
 * Remove syslog.target from ipa.server
 * Put pid-file to named.conf
 * Update mod_wsgi socket directory
 * Normalize RA agent certificate
 * Require 389-base-base 1.3.0.5
 * Change CNAME and DNAME attributes to single valued
 * Improve CNAME record validation
 * Improve DNAME record validation
 * Become 3.2.0 Prerelease 1

Petr Spacek (1):
 * Add 389 DS plugin for special idnsSOASerial attribute handling

Petr Viktorin (101):
 * Sort Options and Outputs in API.txt
 * Add the CA cert to LDAP after the CA install
 * Better logging for AdminTool and ipa-ldap-updater
 * Port ipa-replica-prepare to the admintool framework
 * Make ipapython.dogtag log requests at debug level, not info
 * Don't add another nsDS5ReplicaId on updates if one already exists
 * Improve `ipa --help` output
 * Print help to stderr on error
 * Store the OptionParser in the API, use it to print unified help messages
 * Simplify `ipa help topics` output
 * Add command summary to `ipa COMMAND --help` output
 * Mention `ipa COMMAND --help` as the preferred way to get command help
 * Parse command arguments before creating a context
 * Add tests for the help command & --help options
 * In topic help text, mention how to get help for commands
 * Check SSH connection in ipa-replica-conncheck
 * Use ipauniqueid for the RDN of sudo commands
 * Prevent a sudo command from being deleted if it is a member of a sudo rule
 * Update sudocmd ACIs to use targetfilter
 * Add the version option to all Commands
 * Add ipalib.messages
 * Add client capabilities, enable messages
 * Rename the "messages" Output of the i18n_messages command to "texts"
 * Fix permission validation and normalization in aci.py
 * Remove csv_separator and csv_skipspace Param arguments
 * Drop support for CSV in the CLI client
 * Update argument docs to reflect dropped CSV support
 * Update plugin docstrings (topic help) to reflect dropped CSV support
 * cli: Do interactive prompting after a context is created
 * Remove some unused imports
 * Remove unused methods from Entry, Entity, and IPAdmin
 * Derive Entity class from Entry, and move it to ldapupdate
 * Use explicit loggers in ldap2 code
 * Move LDAPEntry to ipaserver.ipaldap and derive Entry from it
 * Remove connection-creating code from ShemaCache
 * Move the decision to force schema updates out of IPASimpleLDAPObject
 * Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap
 * Start LDAPConnection, a common base for ldap2 and IPAdmin
 * Make IPAdmin not inherit from IPASimpleLDAPObject
 * Move schema-related methods to LDAPConnection
 * Move DN handling methods to LDAPConnection
 * Move filter making methods to LDAPConnection
 * Move entry finding methods to LDAPConnection
 * Remove unused proxydn functionality from IPAdmin
 * Move entry add, update, remove, rename to LDAPConnection
 * Implement some of IPAdmin's legacy methods in terms of LDAPConnection methods
 * Replace setValue by keyword arguments when creating entries
 * Use update_entry with a single entry in adtrustinstance
 * Replace entry.getValues() by entry.get()
 * Replace entry.setValue/setValues by item assignment
 * Replace add_s and delete_s by their newer equivalents
 * Change {add,update,delete}_entry to take LDAPEntries
 * Remove unused imports from ipaserver/install
 * Remove unused bindcert and bindkey arguments to IPAdmin
 * Turn the LDAPError handler into a context manager
 * Remove dbdir, binddn, bindpwd from IPAdmin
 * Remove IPAdmin.updateEntry calls from fix_replica_agreements
 * Remove IPAdmin.get_dns_sorted_by_length
 * Replace IPAdmin.checkTask by replication.wait_for_task
 * Introduce LDAPEntry.single_value for getting single-valued attributes
 * Remove special-casing for missing and single-valued attributes in LDAPUpdate._entry_to_entity
 * Replace entry.getValue by entry.single_value
 * Replace getList by a get_entries method
 * Remove toTupleList and attrList from LDAPEntry
 * Rename LDAPConnection to LDAPClient
 * Replace addEntry with add_entry
 * Replace deleteEntry with delete_entry
 * Fix typo and traceback suppression in replication.py
 * replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
 * Inline inactivateEntry in its only caller
 * Inline waitForEntry in its only caller
 * Proxy LDAP methods explicitly rather than using __getattr__
 * Remove search_s and search_ext_s from IPAdmin
 * Replace IPAdmin.start_tls_s by an __init__ argument
 * Remove IPAdmin.sasl_interactive_bind_s
 * Remove IPAdmin.simple_bind_s
 * Remove IPAdmin.unbind_s(), keep unbind()
 * Use ldap instead of _ldap in ipaldap
 * Do not use global variables in migration.py
 * Use IPAdmin rather than raw python-ldap in migration.bind
 * Use IPAdmin rather than raw python-ldap in ipactl
 * Remove some uses of raw python-ldap
 * Improve LDAPEntry tests
 * Fix installing server with external CA
 * Change DNA magic value to -1 to make UID 999 usable
 * Move ipaldap to ipapython
 * Remove ipaserver/ipaldap.py
 * Use IPAdmin rather than raw python-ldap in ipa-client-install
 * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
 * Remove unneeded python-ldap imports
 * Don't download the schema in ipadiscovery
 * ipa-server-install: Make temporary pin files available for the whole installation
 * ipa-server-install: Remove the --selfsign option
 * Remove unused ipapython.certdb.CertDB class
 * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper
 * Trust CAs from PKCS#12 files even if they don't have Friendly Names
 * dsinstance, httpinstance: Don't hardcode 'Server-Cert'
 * Support installing with custom SSL certs, without a CA
 * Load the CA cert into server NSS databases
 * Do not call cert-* commands in host plugin if a RA is not available
 * ipa-client-install: Do not request host certificate if server is CA-less

Petr Vobornik (38):
 * Make confirm_dialog a base class of revoke and restore certificate dialogs
 * Make confirm_dialog a base class for deleter dialog
 * Make confirm_dialog a base class for message_dialog
 * Confirm mixin
 * Confirm adder dialog by enter
 * Confirm error dialog by enter
 * Focus last dialog when some is closed
 * Confirm association dialogs by enter
 * Standardize login password reset, user reset password and host set OTP dialogs
 * Focus first input element after 'Add and Add another'
 * Enable mod_deflate
 * Use Uglify.js for JS optimization
 * Dojo Builder
 * Config files for builder of FreeIPA UI layer
 * Minimal Dojo layer
 * Web UI development environment directory structure and configuration
 * Web UI Sync development utility
 * Move of Web UI non AMD dep. libs to libs subdirectory
 * Move of core Web UI files to AMD directory
 * Update JavaScript Lint configuration file
 * AMD config file
 * Change Web UI sources to simple AMD modules
 * Updated makefiles to build FreeIPA Web UI layer
 * Change tests to use AMD loader
 * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
 * Develop.js extended
 * Allow to specify modules for which builder doesn't raise dependency error
 * Web UI build profile updated
 * Combobox keyboard support
 * Fix dirty state update of editable combobox
 * Fix handling of no_update flag in Web UI
 * Web UI: configurable SID blacklists
 * Web UI:Certificate pages
 * Web UI:Choose different search option for cert-find
 * Fixed Web UI build error caused by rhino changes in F19
 * Nestable checkbox/radio widget
 * Added Web UI support for service PAC type option: NONE
 * Web UI: Disable cert functionality if a CA is not available

Rob Crittenden (16):
 * Convert uniqueMember members into DN objects.
 * Add Ana Krivokapic to Contributors.txt
 * Do SSL CA verification and hostname validation.
 * Don't initialize NSS if we don't have to, clean up unused cert refs
 * Update anonymous access ACI to protect secret attributes.
 * Make certmonger a (pre) requires on server, restart it before upgrading
 * Use new certmonger locking to prevent NSS database corruption.
 * Improve migration performance
 * Add LDAP server fallback to client installer
 * Prevent a crash when no entries are successfully migrated.
 * Implement the cert-find command for the dogtag CA backend.
 * Add missing v3 schema on upgrades, fix typo in schema.
 * Don't base64-encode the CA cert when uploading it during an upgrade.
 * Extend ipa-replica-manage to be able to manage DNA ranges.
 * Improve some error handling in ipa-replica-manage
 * Fix lockout of LDAP bind.
Simo Sorce (2):
 * Log info on failure to connect
 * Upload CA cert in the directory on install

Sumit Bose (17):
 * ipa-kdb: remove unused variable
 * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
 * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
 * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
 * ipa-lockout: Wrong sizeof argument in ipa_lockout.c
 * ipa-extdom: Double-free in ipa_extdom_common.c
 * ipa-pwd: Unchecked return value ipapwd_chpwop()
 * Revert "MS-PAC: Special case NFS services"
 * Add NFS specific default for authorization data type
 * ipa-kdb: Read global defaul ipaKrbAuthzData
 * ipa-kdb: Read ipaKrbAuthzData with other principal data
 * ipa-kdb: add PAC only if requested
 * Add unit test for get_authz_data_types()
 * Mention PAC issue with NFS in service plugin doc
 * Allow 'nfs:NONE' in global configuration
 * Add support for cmocka C-Unit Test framework
 * ipa-pwd-extop: do not use dn until it is really set

Timo Aaltonen (1):
 * convert the base platform modules into packages

Tomas Babej (18):
 * Relax restriction for leading/trailing whitespaces in *-find commands
 * Forbid overlapping rid ranges for the same id range
 * Fix a typo in ipa-adtrust-install help
 * Prevent integer overflow when setting krbPasswordExpiration
 * Add option to specify SID using domain name to idrange-add/mod
 * Prevent changing protected group's name using --setattr
 * Use default.conf as flag of IPA client being installed
 * Make sure appropriate exit status is returned in make-test
 * Make options checks in idrange-add/mod consistent
 * Add trusted domain range objectclass when using idrange-mod
 * Perform secondary rid range overlap check for local ranges only
 * Add support for re-enrolling hosts using keytab
 * Make sure uninstall script prompts for reboot as last
 * Remove implicit Str to DN conversion using *-attr
 * Enforce exact SID match when adding or modifying a ID range
 * Allow host re-enrollment using delegation
 * Add logging to join command
 * Properly handle ipa-replica-install when its zone is not managed by IPA

sbose (1):
 * ipa-kdb: Free talloc autofree context when module is closed

-- 
Martin Kosek
Senior Software Engineer - Identity Management Team
Red Hat Inc.


From rcritten at redhat.com Tue Apr 2 17:58:13 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Apr 2013 13:58:13 -0400
Subject: [Freeipa-users] Client Installation Error
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com>
Message-ID: <515B1C35.2030605@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm trying to add a client to IPA and I'm getting the following error;
>
> Joining realm failed because of failing XML-RPC request
>
> This error may be caused by incompatible server/client major versions.
>
> Client is running Red Hat 6.1 with the following IPA and Curl packages
> installed;
>
> Ipa-*-2.0.0-23
>
> Curl-7.19.7-26
>
> Libcurl-7.19.7-26
>
> Server is running Red Hat 6.3 with the following IPA and Curl Packages
> installed;
>
> Ipa-*-2.2.0-16
>
> Curl-7.19.7-26
>
> Libcurl-7.19.7-26
>
> From what I've seen from other people is that the issue is with libcurl
> blocking GSSAPI requests. Is that still the case?
>
> If so what are my options here to get around this problem? I assume I
> can downgrade my Curl but will that affect anything major?
>
> Thanks,
>
> Matt

Exactly what version of ipa-client do you have installed? You need
2.0.0-23.el6_1.2 to fix ticket delegation.
rob


From matthew.joseph at lmco.com Tue Apr 2 18:00:39 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Tue, 2 Apr 2013 14:00:39 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Client Installation Error
In-Reply-To: <515B1C35.2030605@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com> <515B1C35.2030605@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E4905E@HCXMSP1.ca.lmco.com>

Hey Rob,

I'm running 2.0.0-23.el6.x86-64.
So if I upgrade to the version you listed below then I should be all good?

Is this a known problem with just 2.0.0-23 or is it also previous versions?

Thanks,

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Tuesday, April 02, 2013 2:58 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm trying to add a client to IPA and I'm getting the following error;
>
> Joining realm failed because of failing XML-RPC request
>
> This error may be caused by incompatible server/client major versions.
>
> Client is running Red Hat 6.1 with the following IPA and Curl packages
> installed;
>
> Ipa-*-2.0.0-23
>
> Curl-7.19.7-26
>
> Libcurl-7.19.7-26
>
> Server is running Red Hat 6.3 with the following IPA and Curl Packages
> installed;
>
> Ipa-*-2.2.0-16
>
> Curl-7.19.7-26
>
> Libcurl-7.19.7-26
>
> From what I've seen from other people is that the issue is with
> libcurl blocking GSSAPI requests. Is that still the case?
>
> If so what are my options here to get around this problem? I assume I
> can downgrade my Curl but will that affect anything major?
>
> Thanks,
>
> Matt

Exactly what version of ipa-client do you have installed? You need
2.0.0-23.el6_1.2 to fix ticket delegation.
rob


From rcritten at redhat.com Tue Apr 2 18:33:30 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 02 Apr 2013 14:33:30 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Client Installation Error
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E4905E@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com> <515B1C35.2030605@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E25E4905E@HCXMSP1.ca.lmco.com>
Message-ID: <515B247A.9050106@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> I'm running 2.0.0-23.el6.x86-64.
> So if I upgrade to the version you listed below then I should be all good?
>
> Is this a known problem with just 2.0.0-23 or is it also previous versions?

It depends on the mix of curl, xmlrpc-c and ipa-client.

The incompatibility was added in libcurl-7.19.7-26.el6_1.1 to address
CVE-2011-2192.

xmlrpc-c added new delegation support in 1.16.24-1200.1840.el6_1.1

So you either need older versions of all, or newer versions of all.

rob

>
> Thanks,
>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Tuesday, April 02, 2013 2:58 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error
>
> Joseph, Matthew (EXP) wrote:
>> Hey,
>>
>> I'm trying to add a client to IPA and I'm getting the following error;
>>
>> Joining realm failed because of failing XML-RPC request
>>
>> This error may be caused by incompatible server/client major versions.
>>
>> Client is running Red Hat 6.1 with the following IPA and Curl packages
>> installed;
>>
>> Ipa-*-2.0.0-23
>>
>> Curl-7.19.7-26
>>
>> Libcurl-7.19.7-26
>>
>> Server is running Red Hat 6.3 with the following IPA and Curl Packages
>> installed;
>>
>> Ipa-*-2.2.0-16
>>
>> Curl-7.19.7-26
>>
>> Libcurl-7.19.7-26
>>
>> From what I've seen from other people is that the issue is with
>> libcurl blocking GSSAPI requests. Is that still the case?
>>
>> If so what are my options here to get around this problem? I assume I
>> can downgrade my Curl but will that affect anything major?
>>
>> Thanks,
>>
>> Matt
>
> Exactly what version of ipa-client do you have installed? You need
> 2.0.0-23.el6_1.2 to fix ticket delegation.
>
> rob
>


From pspacek at redhat.com Tue Apr 2 18:41:53 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 02 Apr 2013 20:41:53 +0200
Subject: [Freeipa-users] [Freeipa-interest] Announcing bind-dyndb-ldap version 3.0
Message-ID: <515B2671.6070904@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 3.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/.
The new version has also been built for Fedora 19:
https://admin.fedoraproject.org/updates/bind-dyndb-ldap-3.0-1.fc19

This release includes several fixes and new features.

== Changes in 3.0 ==

[1] DNAME records are supported. The DNAME attribute was changed to
single-valued.
https://fedorahosted.org/bind-dyndb-ldap/ticket/63

[2] Master and forward zones now have separate object classes: idnsZone and
idnsForwardZone. idnsForward* attributes in the idnsZone object class will
keep the old semantics for some time.
https://fedorahosted.org/bind-dyndb-ldap/ticket/99

[3] The settings system was heavily refactored. From now on, unknown options
in the configuration file cause an error. DNS dynamic updates should create
slightly lower load on the LDAP server because of the settings 'cache'.
https://fedorahosted.org/bind-dyndb-ldap/ticket/53
https://fedorahosted.org/bind-dyndb-ldap/ticket/81

[4] A deadlock triggered by PTR record synchronization was fixed.
https://fedorahosted.org/bind-dyndb-ldap/ticket/113

== Upgrading ==

A server can be upgraded simply by installing the updated rpms. BIND has to
be restarted manually after the RPM installation.

You will need to clean up the configuration file /etc/named.conf if your
configuration contains typos or other unsupported options.
Downgrading back to any 2.x version is supported under the following
conditions:
- the new object class idnsForwardZone is not utilized
- DNAME records are not utilized
- the configured connection count is >= 3 (to prevent deadlocks in 2.x
  releases)

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users
mailing list:
http://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Petr Spacek
Software engineer
Red Hat


From stijn.deweirdt at ugent.be Wed Apr 3 08:36:21 2013
From: stijn.deweirdt at ugent.be (Stijn De Weirdt)
Date: Wed, 03 Apr 2013 10:36:21 +0200
Subject: [Freeipa-users] Announcing FreeIPA 3.2.0 Prerelease 1
In-Reply-To: <515B080C.8000600@redhat.com>
References: <515B080C.8000600@redhat.com>
Message-ID: <515BEA05.30104@ugent.be>

hi all,

what minimal OS is targeted for freeipa 3.2: FC19 or FC18?

stijn

On 04/02/2013 06:32 PM, Martin Kosek wrote:
> The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We
> would like to welcome any early testers of this prerelease to provide us
> feedback and help us stabilize this feature release which we plan to release as
> final in the beginning of May 2013.
>
> It can be downloaded from http://www.freeipa.org/page/Downloads. The new
> version has also been built for Fedora 19 Alpha, if it does not appear in your
> Fedora 19 yet, you can download the build from koji:
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=408311
>
> == Highlights in 3.2.0 Prerelease 1 ==
>
> === New features ===
> * Support installing FreeIPA without an embedded Certificate Authority, with
> user-provided SSL certificates for the HTTP and Directory servers. [1]
> * New cert-find command. Search certificates in the Dogtag database based on
> their serial number, validity or revocation details. This feature is available
> both as a CLI command and Web UI page. [2]
> * New trustconfig-show and trustconfig-mod command. Show or modify AD Trust
> settings generated during AD Trust installation (ipa-adtrust-install) [3]
> * Multiple FreeIPA servers can now be designated as Domain Controllers for
> trusts with Active Directory [12]
> * New realmdomains-show and realmdomains-mod command. Manage list of DNS
> domains associated with FreeIPA realm (realmdomains command). This list is
> primarily used by AD, which can pull all domains managed by FreeIPA and use
> that list for routing authentication requests for domains which do not match
> FreeIPA realm name. [4]
> * Support trusted domain users in HBAC test command (hbactest command).
> * Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). [5]
> * Configurable PAC type for services. Service commands can now configure a set
> of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the service.
> * Faster UI loading. FreeIPA Web UI application is now packaged in minimalized
> format. FreeIPA web server is now also able to transmit data in compressed
> format. [6] [7]
> * UI now accepts confirmation of cancel of its dialogs via keyboard [11]
> * Client reenrollment. A host that has been recreated can now be reenrolled to
> FreeIPA server using a backed up host keytab or admin credentials [8]
> * Service and Host commands now provide options to add or remove selected
> Kerberos flags [9]
>
> === Prerelease 1 limitations ===
>
> * List of DNS domains associated with FreeIPA realm currently only works with a
> special Samba build available for Fedora 18:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
> rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get
> it working.
> * Test of trusted domain users in HBAC rules is accessible only to members
> of 'Trust Admins' group due to privilege limitations
> * Same applies to any other trust-specific operations that require translation
> between user/group name and its security identifier (SID)
>
> === Bug fixes ===
>
> * Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and
> groups from OpenLDAP database instances.
> * Migration process is now also a lot faster and provides more debug output (to
> httpd error log).
> * SUDO rules disabled by sudorule-disable command are now removed from
> ou=sudoers compat tree without a need to restart 389 Directory Server instance.
> * Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release
> * Fixed server installation with external CA (--external-ca)
> * Consolidate on-line help system, show help without need of valid Kerberos
> credentials (ipa help)
> * New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial
> attribute for replicas which either do not have integrated DNS service enabled
> or which have disabled SOA serial autoincrement
> * LDAP lockout plugin has been fixed so that lockout policies are applied
> consistently both for LDAP binds and Kerberos authentication
> * ... and many other stabilization fixes, see Detailed changelog for full details
>
> == Changes in API or CLI ==
> === Dropped --selfsign option ===
> FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. This
> configured the server with a NSS database based Certificate Authority with a
> selfsigned CA certificate and limited certificate operation support.
>
> This option was always intended for development or testing purposes only and
> was not intended for use in production. This release drops this option and
> deprecates the functionality. Current FreeIPA servers installed with
> --selfsigned option will still work, instructions on how to migrate to
> supported certificate options will be provided.
>
> FreeIPA servers version 3.2.0 and later support the following 2 flavors of
> certificate management:
> * FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a
> certificate signed by external CA (--external-ca option)
> * FreeIPA with no pki-ca installed with certificates signed and provided by an
> external CA [1]
>
> === Dropped CSV support ===
> FreeIPA client CLI supported CSV in some arguments so that multiple values
> could be added with just one convenient option:
>
> ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
> ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2
>
> CSV parsing however introduces great difficulty when trying to include a value
> with an embedded space in it. Escaping these values is not intuitive and made
> it very difficult to add such values. The level of effort in working around the
> CSV problems has come to the point where the benefits of it are outweighed by
> the problems, which led to the decision to drop CSV support in CLI altogether [10].
>
> There are several ways to work around the lack of CSV:
>
> Provide an argument multiple times on the command-line:
>
> ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn
> --attrs=cn
> ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2
>
> Let BASH do the expansion for you:
>
> ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
> ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}
>
> == Upgrading ==
>
> An IPA server can be upgraded simply by installing updated rpms. The server
> does not need to be shut down in advance.
>
> Please note that the referential integrity extension requires an extended set
> of indexes to be configured. RPM update for an IPA server with an excessive
> number of hosts, SUDO or HBAC entries may require several minutes to finish.
>
> If you have multiple servers you may upgrade them one at a time.
> It is expected
> that all servers will be upgraded in a relatively short period (days or weeks
> not months). They should be able to co-exist peacefully but new features will
> not be available on old servers and enrolling a new client against an old
> server will result in the SSH keys not being uploaded.
>
> Downgrading a server once upgraded is not supported.
>
> Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
> versions is not supported and has not been tested.
>
> An enrolled client does not need the new packages installed unless you want to
> re-enroll it. SSH keys for already installed clients are not uploaded, you will
> have to re-enroll the client or manually upload the keys.
>
> == Feedback ==
>
> Please provide comments, bugs and other feedback via the freeipa-users mailing
> list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel
> on Freenode.
>
> == Documentation ==
> * [1] http://www.freeipa.org/page/V3/CA-less_install
> * [2] http://www.freeipa.org/page/V3/Cert_find
> * [3] http://www.freeipa.org/page/V3/Trust_config_command
> * [4] http://www.freeipa.org/page/V3/Realm_Domains
> * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
> * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression
> * [7] http://www.freeipa.org/page/V3/WebUI_build
> * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
> * [9] http://www.freeipa.org/page/V3/Kerberos_Flags
> * [10] http://www.freeipa.org/page/V3/Drop_CSV
> * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation
> * [12] http://www.freeipa.org/page/V3/MultipleTrustServers
to ipapython > * Remove ipaserver/ipaldap.py > * Use IPAdmin rather than raw python-ldap in ipa-client-install > * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py > * Remove unneeded python-ldap imports > * Don't download the schema in ipadiscovery > * ipa-server-install: Make temporary pin files available for the whole installation > * ipa-server-install: Remove the --selfsign option > * Remove unused ipapython.certdb.CertDB class > * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil wrapper > * Trust CAs from PKCS#12 files even if they don't have Friendly Names > * dsinstance, httpinstance: Don't hardcode 'Server-Cert' > * Support installing with custom SSL certs, without a CA > * Load the CA cert into server NSS databases > * Do not call cert-* commands in host plugin if a RA is not available > * ipa-client-install: Do not request host certificate if server is CA-less > > Petr Vobornik (38): > * Make confirm_dialog a base class of revoke and restore certificate dialogs > * Make confirm_dialog a base class for deleter dialog > * Make confirm_dialog a base class for message_dialog > * Confirm mixin > * Confirm adder dialog by enter > * Confirm error dialog by enter > * Focus last dialog when some is closed > * Confirm association dialogs by enter > * Standardize login password reset, user reset password and host set OTP dialogs > * Focus first input element after 'Add and Add another' > * Enable mod_deflate > * Use Uglify.js for JS optimization > * Dojo Builder > * Config files for builder of FreeIPA UI layer > * Minimal Dojo layer > * Web UI development environment directory structure and configuration > * Web UI Sync development utility > * Move of Web UI non AMD dep. 
libs to libs subdirectory > * Move of core Web UI files to AMD directory > * Update JavaScript Lint configuration file > * AMD config file > * Change Web UI sources to simple AMD modules > * Updated makefiles to build FreeIPA Web UI layer > * Change tests to use AMD loader > * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk > * Develop.js extended > * Allow to specify modules for which builder doesn't raise dependency error > * Web UI build profile updated > * Combobox keyboard support > * Fix dirty state update of editable combobox > * Fix handling of no_update flag in Web UI > * Web UI: configurable SID blacklists > * Web UI:Certificate pages > * Web UI:Choose different search option for cert-find > * Fixed Web UI build error caused by rhino changes in F19 > * Nestable checkbox/radio widget > * Added Web UI support for service PAC type option: NONE > * Web UI: Disable cert functionality if a CA is not available > > Rob Crittenden (16): > * Convert uniqueMember members into DN objects. > * Add Ana Krivokapic to Contributors.txt > * Do SSL CA verification and hostname validation. > * Don't initialize NSS if we don't have to, clean up unused cert refs > * Update anonymous access ACI to protect secret attributes. > * Make certmonger a (pre) requires on server, restart it before upgrading > * Use new certmonger locking to prevent NSS database corruption. > * Improve migration performance > * Add LDAP server fallback to client installer > * Prevent a crash when no entries are successfully migrated. > * Implement the cert-find command for the dogtag CA backend. > * Add missing v3 schema on upgrades, fix typo in schema. > * Don't base64-encode the CA cert when uploading it during an upgrade. > * Extend ipa-replica-manage to be able to manage DNA ranges. > * Improve some error handling in ipa-replica-manage > * Fix lockout of LDAP bind. 
> > Simo Sorce (2): > * Log info on failure to connect > * Upload CA cert in the directory on install > > Sumit Bose (17): > * ipa-kdb: remove unused variable > * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac() > * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain() > * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c > * ipa-lockout: Wrong sizeof argument in ipa_lockout.c > * ipa-extdom: Double-free in ipa_extdom_common.c > * ipa-pwd: Unchecked return value ipapwd_chpwop() > * Revert "MS-PAC: Special case NFS services" > * Add NFS specific default for authorization data type > * ipa-kdb: Read global defaul ipaKrbAuthzData > * ipa-kdb: Read ipaKrbAuthzData with other principal data > * ipa-kdb: add PAC only if requested > * Add unit test for get_authz_data_types() > * Mention PAC issue with NFS in service plugin doc > * Allow 'nfs:NONE' in global configuration > * Add support for cmocka C-Unit Test framework > * ipa-pwd-extop: do not use dn until it is really set > > Timo Aaltonen (1): > * convert the base platform modules into packages > > Tomas Babej (18): > * Relax restriction for leading/trailing whitespaces in *-find commands > * Forbid overlapping rid ranges for the same id range > * Fix a typo in ipa-adtrust-install help > * Prevent integer overflow when setting krbPasswordExpiration > * Add option to specify SID using domain name to idrange-add/mod > * Prevent changing protected group's name using --setattr > * Use default.conf as flag of IPA client being installed > * Make sure appropriate exit status is returned in make-test > * Make options checks in idrange-add/mod consistent > * Add trusted domain range objectclass when using idrange-mod > * Perform secondary rid range overlap check for local ranges only > * Add support for re-enrolling hosts using keytab > * Make sure uninstall script prompts for reboot as last > * Remove implicit Str to DN conversion using *-attr > * Enforce exact SID match when adding or modifying 
a ID range > * Allow host re-enrollment using delegation > * Add logging to join command > * Properly handle ipa-replica-install when its zone is not managed by IPA > > sbose (1): > * ipa-kdb: Free talloc autofree context when module is closed > From mkosek at redhat.com Wed Apr 3 08:51:03 2013 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 03 Apr 2013 10:51:03 +0200 Subject: [Freeipa-users] Announcing FreeIPA 3.2.0 Prerelease 1 In-Reply-To: <515BEA05.30104@ugent.be> References: <515B080C.8000600@redhat.com> <515BEA05.30104@ugent.be> Message-ID: <515BED77.4070401@redhat.com> Hello Stijn, We plan to release FreeIPA 3.2.0 to Fedora 19 only (the Prerelease 1 should be already in its repos). Fedora 18 should receive only stabilization releases of FreeIPA 3.1 branch (FreeIPA 3.1.3 build is currently in Fedora 18 updates-testing repo). HTH, Martin On 04/03/2013 10:36 AM, Stijn De Weirdt wrote: > hi all, > > what minimal OS is targeted for freeipa 3.2: FC19 or FC18? > > > stijn > > On 04/02/2013 06:32 PM, Martin Kosek wrote: >> The FreeIPA team is proud to announce a first PRERELEASE of FreeIPA v3.2.0. We >> would like to welcome any early testers of this prerelase to provide us >> feedback and help us stabilize this feature release which we plan to release as >> final in the beginning of May 2013. >> >> It can be downloaded from http://www.freeipa.org/page/Downloads. The new >> version has also been built for Fedora 19 Alpha, if it does not appear in your >> Fedora 19 yet, you can download the build from koji: >> >> http://koji.fedoraproject.org/koji/buildinfo?buildID=408311 >> >> == Highlights in 3.2.0 Prerelease 1 == >> >> === New features === >> * Support installing FreeIPA without an embedded Certificate Authority, with >> user-provided SSL certificates for the HTTP and Directory servers. [1] >> * New cert-find command. Search certificates in the Dogtag database based on >> their serial number, validity or revocation details. 
This feature is available >> both as a CLI command and Web UI page. [2] >> * New trustconfig-show and trustconfig-mod command. Show or modify AD Trust >> settings generated during AD Trust installation (ipa-adtrust-install) [3] >> * Multiple FreeIPA servers can now be designated as Domain Controllers for >> trusts with Active Directory [12] >> * New realmdomains-show and realmdomains-mod command. Manage list of DNS >> domains associated with FreeIPA realm (realmdomains sommand). This list is >> primarily used by AD, which can pull all domains managed by FreeIPA and use >> that list for routing authentication requests for domains which do not match >> FreeIPA realm name. [4] >> * Support trusted domain users in HBAC test command (hbactest command). >> * Allow filtering incoming trusted domain SIDs per-trust (trust-mod command). >> [5] >> * Configurable PAC type for services. Service commands can now configure a set >> of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for the >> service. >> * Faster UI loading. FreeIPA Web UI application is now packaged in minimalized >> format. FreeIPA web server is now also able to transmit data in compressed >> format. [6] [7] >> * UI now accepts confirmation of cancel of its dialogs via keyboard [11] >> * Client reenrollment. A host that has been recreated can now be reenrolled to >> FreeIPA server using a backed up host keytab or admin credentials [8] >> * Service and Host commands now provide options to add or remove selected >> Kerberos flags [9] >> >> === Prerelease 1 limitations === >> >> * List of DNS domains associated with FreeIPA realm currently only works with a >> special Samba build available for Fedora 18: >> http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to >> rebuild FreeIPA 3.2.0 prerelease 1 against this Samba version in order to get >> it working. 
>> * Test of trusted domain users in HBAC rules is accessible to only to members >> of 'Trust Admins' group due to privilege limitations >> * Same applies to any other trust-specific operations that require translation >> between user/group name and its security identifier (SID) >> >> === Bug fixes === >> >> * Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and >> groups from OpenLDAP database instances. >> * Migration process is now also a lot faster and provides more debug output (to >> httpd error log). >> * SUDO rules disabled by sudorule-disable command are now removed from >> ou=sudoers compat tree without a need to restart 389 Directory Server instance. >> * Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release >> * Fixed server installation with external CA (--external-ca) >> * Consolidate on-line help system, show help without need of valid Kerberos >> credentials (ipa help) >> * New LDAP plugin (ipa_dns) has been added to add missing idnsSOASerial >> attribute for replicas which either do not have integrated DNS service enabled >> to which have disabled SOA serial autoincrement >> * LDAP lockout plugin has been fixed so that lockout policies are applied >> consistently both for LDAP binds and Kerberos authentication >> * ... and many others stabilization fixes, see Detailed changelog for full >> details >> >> == Changes in API or CLI == >> === Dropped --selfsign option === >> FreeIPA servers prior to 3.2.0 could be installed with --selfsign option. This >> configured the server with a NSS database based Certificate Authority with a >> selfsigned CA certificate and limited certificate operation support. >> >> This option was always intended for development or testing purposes only and >> was not intended for use in production. This release drops this option and >> deprecates the functionality. 
Current FreeIPA servers installed with >> --selfsigned option will still work, instructions on how to migrate to >> supported certificate options will be provided. >> >> FreeIPA servers version 3.2.0 and later supports the following 2 flavors of >> certificate management: >> * FreeIPA with pki-ca (dogtag) with either a self-signed certificate or with a >> certificate signed by external CA (--external-ca option) >> * FreeIPA with no pki-ca installed with certificates signed and provided by an >> external CA [1] >> >> === Dropped CSV support === >> FreeIPA client CLI supported CSV in some arguments so that multiple values >> could be added with just one convenient option: >> >> ipa permission-add some-perm --permissions=read,write --attrs=sn,cn >> ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2 >> >> CSV parsing however introduces great difficulty when trying to include a value >> with an embedded space in it. Escaping these values is not intuitive and made >> it very difficult to add such values. The level of effort in working around the >> CSV problems has come to the point where the benefits of it are outweighed by >> the problems which lead to decision to drop CSV support in CLI altogether [10]. >> >> There are several ways to workaround lack of CSV: >> >> Provide an argument multiple times on the command-line: >> >> ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn >> --attrs=cn >> ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2 >> >> Let BASH do the expansion for you: >> >> ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn} >> ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2} >> >> == Upgrading == >> >> An IPA server can be upgraded simply by installing updated rpms. The server >> does not need to be shut down in advance. >> >> Please note, that the referential integrity extension requires an extended set >> of indexes to be configured. 
RPM update for an IPA server with a excessive >> number of hosts, SUDO or HBAC entries may require several minutes to finish. >> >> If you have multiple servers you may upgrade them one at a time. It is expected >> that all servers will be upgraded in a relatively short period (days or weeks >> not months). They should be able to co-exist peacefully but new features will >> not be available on old servers and enrolling a new client against an old >> server will result in the SSH keys not being uploaded. >> >> Downgrading a server once upgraded is not supported. >> >> Upgrading from 2.2.0 and later versions is supported. Upgrading from previous >> versions is not supported and has not been tested. >> >> An enrolled client does not need the new packages installed unless you want to >> re-enroll it. SSH keys for already installed clients are not uploaded, you will >> have to re-enroll the client or manually upload the keys. >> >> == Feedback == >> >> Please provide comments, bugs and other feedback via the freeipa-users mailing >> list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel >> on Freenode. 
>> >> == Documentation == >> * [1] http://www.freeipa.org/page/V3/CA-less_install >> * [2] http://www.freeipa.org/page/V3/Cert_find >> * [3] http://www.freeipa.org/page/V3/Trust_config_command >> * [4] http://www.freeipa.org/page/V3/Realm_Domains >> * [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists >> * [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression >> * [7] http://www.freeipa.org/page/V3/WebUI_build >> * [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment >> * [9] http://www.freeipa.org/page/V3/Kerberos_Flags >> * [10] http://www.freeipa.org/page/V3/Drop_CSV >> * [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation >> * [12] http://www.freeipa.org/page/V3/MultipleTrustServers >> >> == Detailed Changelog since 3.1.0 == >> Alexander Bokovoy (7): >> * Update plugin to upload CA certificate to LDAP >> * ipasam: use base scope when fetching domain information about own domain >> * ipaserver/dcerpc: enforce search_s without schema checks for GC searching >> * ipa-replica-manage: migrate to single_value after LDAPEntry updates >> * Process exceptions when talking to Dogtag >> * ipasam: add enumeration of UPN suffixes based on the realm domains >> * Enhance ipa-adtrust-install for domains with multiple IPA server >> >> Ana Krivokapic (10): >> * Raise ValidationError for incorrect subtree option. 
>> * Add crond as a default HBAC service
>> * Take into consideration services when deleting replicas
>> * Add list of domains associated to our realm to cn=etc
>> * Improve error messages for external group members
>> * Remove check for alphabetic only characters from domain name validation
>> * Fix internal error for ipa show-mappings
>> * Realm Domains page
>> * Use default NETBIOS name in unattended ipa-adtrust-install
>> * Add mkhomedir option to ipa-server-install and ipa-replica-install
>>
>> Brian Cook (1):
>> * Add DNS Setup Prompt to Install
>>
>> JR Aquino (1):
>> * Allow PKI-CA Replica Installs when CRL exceeds default maxber value
>>
>> Jakub Hrozek (1):
>> * Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
>>
>> Jan Cholasta (24):
>> * Pylint cleanup.
>> * Drop ipapython.compat.
>> * Add support for RFC 6594 SSHFP DNS records.
>> * Raise ValidationError on invalid CSV values.
>> * Run interactive_prompt callbacks after CSV values are split.
>> * Add custom mapping object for LDAP entry data.
>> * Add make_entry factory method to LDAPConnection.
>> * Remove the Entity class.
>> * Remove the Entry class.
>> * Use the dn attribute of LDAPEntry to set/get DNs of entries.
>> * Preserve case of attribute names in LDAPEntry.
>> * Aggregate IPASimpleLDAPObject in LDAPEntry.
>> * Support attributes with multiple names in LDAPEntry.
>> * Use full DNs in plugin code.
>> * Remove DN normalization from the baseldap plugin.
>> * Remove support for DN normalization from LDAPClient.
>> * Fix remove while iterating in suppress_netgroup_memberof.
>> * Remove disabled entries from sudoers compat tree.
>> * Fix internal error in output_for_cli method of sudorule_{enable,disable}.
>> * Do not fail if schema cannot be retrieved from LDAP server.
>> * Allow disabling LDAP schema retrieval in LDAPClient and IPAdmin.
>> * Allow disabling attribute decoding in LDAPClient and IPAdmin.
>> * Disable schema retrieval and attribute decoding when talking to AD GC.
>> * Add Kerberos ticket flags management to service and host plugins.
>>
>> John Dennis (2):
>> * Cookie Expires date should be locale insensitive
>> * Use secure method to acquire IPA CA certificate
>>
>> Lynn Root (4):
>> * Switch %r specifiers to '%s' in Public errors
>> * Added the ability to do Beta versioning
>> * Fixed the catch of the hostname option during ipa-server-install
>> * Raise ValidationError when CSR does not have a subject hostname
>>
>> Martin Kosek (58):
>> * Add Lynn Root to Contributors.txt
>> * Enable SSSD on client install
>> * Fix delegation-find command --group handling
>> * Do not crash when Kerberos SRV record is not found
>> * permission-find no longer crashes with --targetgroup
>> * Avoid CRL migration error message
>> * Sort LDAP updates properly
>> * Upgrade process should not crash on named restart
>> * Installer should not connect to 127.0.0.1
>> * Fix migration for openldap DS
>> * Remove unused krbV imports
>> * Use fully qualified CCACHE names
>> * Fix permission_find test error
>> * Add trusconfig-show and trustconfig-mod commands
>> * ipa-kdb: add sentinel for LDAPDerefSpec allocation
>> * ipa-kdb: avoid ENOMEM when all SIDs are filtered out
>> * ipa-kdb: reinitialize LDAP configuration for known realms
>> * Add SID blacklist attributes
>> * ipa-kdb: read SID blacklist from LDAP
>> * ipa-sam: Fill SID blacklist when trust is added
>> * ipa-adtrust-install should ask for SID generation
>> * Test NetBIOS name clash before creating a trust
>> * Generalize AD GC search
>> * Do not hide SID resolver error in group-add-member
>> * Add support for AD users to hbactest command
>> * Fix hbachelp examples formatting
>> * ipa-kdb: remove memory leaks
>> * ipa-kdb: fix retry logic in ipadb_deref_search
>> * Add autodiscovery section in ipa-client-install man pages
>> * Avoid internal error when user is not Trust admin
>> * Use fixed test domain in realmdomains test
>> * Bump FreeIPA version for development branch
>> * Remove ORDERING for IA5 attributeTypes
>> * Fix includedir directive in krb5.conf template
>> * Use new 389-ds-base cleartext password API
>> * Do not hide idrange-add errors when adding trust
>> * Preserve order of servers in ipa-client-install
>> * Avoid multiple client discovery with fixed server list
>> * Update named.conf parser
>> * Use tkey-gssapi-keytab in named.conf
>> * Do not force named connections on upgrades
>> * ipa-client discovery with anonymous access off
>> * Use temporary CCACHE in ipa-client-install
>> * Improve client install LDAP cert retrieval fallback
>> * Configure ipa_dns DS plugin on install and upgrade
>> * Fix structured DNS record output
>> * Bump selinux-policy requires
>> * Clean spec file for Fedora 19
>> * Remove build warnings
>> * Remove syslog.target from ipa.server
>> * Put pid-file to named.conf
>> * Update mod_wsgi socket directory
>> * Normalize RA agent certificate
>> * Require 389-base-base 1.3.0.5
>> * Change CNAME and DNAME attributes to single valued
>> * Improve CNAME record validation
>> * Improve DNAME record validation
>> * Become 3.2.0 Prerelease 1
>>
>> Petr Spacek (1):
>> * Add 389 DS plugin for special idnsSOASerial attribute handling
>>
>> Petr Viktorin (101):
>> * Sort Options and Outputs in API.txt
>> * Add the CA cert to LDAP after the CA install
>> * Better logging for AdminTool and ipa-ldap-updater
>> * Port ipa-replica-prepare to the admintool framework
>> * Make ipapython.dogtag log requests at debug level, not info
>> * Don't add another nsDS5ReplicaId on updates if one already exists
>> * Improve `ipa --help` output
>> * Print help to stderr on error
>> * Store the OptionParser in the API, use it to print unified help messages
>> * Simplify `ipa help topics` output
>> * Add command summary to `ipa COMMAND --help` output
>> * Mention `ipa COMMAND --help` as the preferred way to get command help
>> * Parse command arguments before creating a context
>> * Add tests for the help command & --help options
>> * In topic help text, mention how to get help for commands
>> * Check SSH connection in ipa-replica-conncheck
>> * Use ipauniqueid for the RDN of sudo commands
>> * Prevent a sudo command from being deleted if it is a member of a sudo rule
>> * Update sudocmd ACIs to use targetfilter
>> * Add the version option to all Commands
>> * Add ipalib.messages
>> * Add client capabilities, enable messages
>> * Rename the "messages" Output of the i18n_messages command to "texts"
>> * Fix permission validation and normalization in aci.py
>> * Remove csv_separator and csv_skipspace Param arguments
>> * Drop support for CSV in the CLI client
>> * Update argument docs to reflect dropped CSV support
>> * Update plugin docstrings (topic help) to reflect dropped CSV support
>> * cli: Do interactive prompting after a context is created
>> * Remove some unused imports
>> * Remove unused methods from Entry, Entity, and IPAdmin
>> * Derive Entity class from Entry, and move it to ldapupdate
>> * Use explicit loggers in ldap2 code
>> * Move LDAPEntry to ipaserver.ipaldap and derive Entry from it
>> * Remove connection-creating code from ShemaCache
>> * Move the decision to force schema updates out of IPASimpleLDAPObject
>> * Move SchemaCache and IPASimpleLDAPObject to ipaserver.ipaldap
>> * Start LDAPConnection, a common base for ldap2 and IPAdmin
>> * Make IPAdmin not inherit from IPASimpleLDAPObject
>> * Move schema-related methods to LDAPConnection
>> * Move DN handling methods to LDAPConnection
>> * Move filter making methods to LDAPConnection
>> * Move entry finding methods to LDAPConnection
>> * Remove unused proxydn functionality from IPAdmin
>> * Move entry add, update, remove, rename to LDAPConnection
>> * Implement some of IPAdmin's legacy methods in terms of LDAPConnection methods
>> * Replace setValue by keyword arguments when creating entries
>> * Use update_entry with a single entry in adtrustinstance
>> * Replace entry.getValues() by entry.get()
>> * Replace entry.setValue/setValues by item assignment
>> * Replace add_s and delete_s by their newer equivalents
>> * Change {add,update,delete}_entry to take LDAPEntries
>> * Remove unused imports from ipaserver/install
>> * Remove unused bindcert and bindkey arguments to IPAdmin
>> * Turn the LDAPError handler into a context manager
>> * Remove dbdir, binddn, bindpwd from IPAdmin
>> * Remove IPAdmin.updateEntry calls from fix_replica_agreements
>> * Remove IPAdmin.get_dns_sorted_by_length
>> * Replace IPAdmin.checkTask by replication.wait_for_task
>> * Introduce LDAPEntry.single_value for getting single-valued attributes
>> * Remove special-casing for missing and single-valued attributes in
>> LDAPUpdate._entry_to_entity
>> * Replace entry.getValue by entry.single_value
>> * Replace getList by a get_entries method
>> * Remove toTupleList and attrList from LDAPEntry
>> * Rename LDAPConnection to LDAPClient
>> * Replace addEntry with add_entry
>> * Replace deleteEntry with delete_entry
>> * Fix typo and traceback suppression in replication.py
>> * replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
>> * Inline inactivateEntry in its only caller
>> * Inline waitForEntry in its only caller
>> * Proxy LDAP methods explicitly rather than using __getattr__
>> * Remove search_s and search_ext_s from IPAdmin
>> * Replace IPAdmin.start_tls_s by an __init__ argument
>> * Remove IPAdmin.sasl_interactive_bind_s
>> * Remove IPAdmin.simple_bind_s
>> * Remove IPAdmin.unbind_s(), keep unbind()
>> * Use ldap instead of _ldap in ipaldap
>> * Do not use global variables in migration.py
>> * Use IPAdmin rather than raw python-ldap in migration.bind
>> * Use IPAdmin rather than raw python-ldap in ipactl
>> * Remove some uses of raw python-ldap
>> * Improve LDAPEntry tests
>> * Fix installing server with external CA
>> * Change DNA magic value to -1 to make UID 999 usable
>> * Move ipaldap to ipapython
>> * Remove ipaserver/ipaldap.py
>> * Use IPAdmin rather than raw python-ldap in ipa-client-install
>> * Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.py
>> * Remove unneeded python-ldap imports
>> * Don't download the schema in ipadiscovery
>> * ipa-server-install: Make temporary pin files available for the whole
>> installation
>> * ipa-server-install: Remove the --selfsign option
>> * Remove unused ipapython.certdb.CertDB class
>> * ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil
>> wrapper
>> * Trust CAs from PKCS#12 files even if they don't have Friendly Names
>> * dsinstance, httpinstance: Don't hardcode 'Server-Cert'
>> * Support installing with custom SSL certs, without a CA
>> * Load the CA cert into server NSS databases
>> * Do not call cert-* commands in host plugin if a RA is not available
>> * ipa-client-install: Do not request host certificate if server is CA-less
>>
>> Petr Vobornik (38):
>> * Make confirm_dialog a base class of revoke and restore certificate dialogs
>> * Make confirm_dialog a base class for deleter dialog
>> * Make confirm_dialog a base class for message_dialog
>> * Confirm mixin
>> * Confirm adder dialog by enter
>> * Confirm error dialog by enter
>> * Focus last dialog when some is closed
>> * Confirm association dialogs by enter
>> * Standardize login password reset, user reset password and host set OTP dialogs
>> * Focus first input element after 'Add and Add another'
>> * Enable mod_deflate
>> * Use Uglify.js for JS optimization
>> * Dojo Builder
>> * Config files for builder of FreeIPA UI layer
>> * Minimal Dojo layer
>> * Web UI development environment directory structure and configuration
>> * Web UI Sync development utility
>> * Move of Web UI non AMD dep. libs to libs subdirectory
>> * Move of core Web UI files to AMD directory
>> * Update JavaScript Lint configuration file
>> * AMD config file
>> * Change Web UI sources to simple AMD modules
>> * Updated makefiles to build FreeIPA Web UI layer
>> * Change tests to use AMD loader
>> * Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
>> * Develop.js extended
>> * Allow to specify modules for which builder doesn't raise dependency error
>> * Web UI build profile updated
>> * Combobox keyboard support
>> * Fix dirty state update of editable combobox
>> * Fix handling of no_update flag in Web UI
>> * Web UI: configurable SID blacklists
>> * Web UI:Certificate pages
>> * Web UI:Choose different search option for cert-find
>> * Fixed Web UI build error caused by rhino changes in F19
>> * Nestable checkbox/radio widget
>> * Added Web UI support for service PAC type option: NONE
>> * Web UI: Disable cert functionality if a CA is not available
>>
>> Rob Crittenden (16):
>> * Convert uniqueMember members into DN objects.
>> * Add Ana Krivokapic to Contributors.txt
>> * Do SSL CA verification and hostname validation.
>> * Don't initialize NSS if we don't have to, clean up unused cert refs
>> * Update anonymous access ACI to protect secret attributes.
>> * Make certmonger a (pre) requires on server, restart it before upgrading
>> * Use new certmonger locking to prevent NSS database corruption.
>> * Improve migration performance
>> * Add LDAP server fallback to client installer
>> * Prevent a crash when no entries are successfully migrated.
>> * Implement the cert-find command for the dogtag CA backend.
>> * Add missing v3 schema on upgrades, fix typo in schema.
>> * Don't base64-encode the CA cert when uploading it during an upgrade.
>> * Extend ipa-replica-manage to be able to manage DNA ranges.
>> * Improve some error handling in ipa-replica-manage
>> * Fix lockout of LDAP bind.
>>
>> Simo Sorce (2):
>> * Log info on failure to connect
>> * Upload CA cert in the directory on install
>>
>> Sumit Bose (17):
>> * ipa-kdb: remove unused variable
>> * ipa-kdb: Uninitialized scalar variable in ipadb_reinit_mspac()
>> * ipa-sam: Array compared against 0 in ipasam_set_trusted_domain()
>> * ipa-kdb: Dereference after null check in ipa_kdb_mspac.c
>> * ipa-lockout: Wrong sizeof argument in ipa_lockout.c
>> * ipa-extdom: Double-free in ipa_extdom_common.c
>> * ipa-pwd: Unchecked return value ipapwd_chpwop()
>> * Revert "MS-PAC: Special case NFS services"
>> * Add NFS specific default for authorization data type
>> * ipa-kdb: Read global defaul ipaKrbAuthzData
>> * ipa-kdb: Read ipaKrbAuthzData with other principal data
>> * ipa-kdb: add PAC only if requested
>> * Add unit test for get_authz_data_types()
>> * Mention PAC issue with NFS in service plugin doc
>> * Allow 'nfs:NONE' in global configuration
>> * Add support for cmocka C-Unit Test framework
>> * ipa-pwd-extop: do not use dn until it is really set
>>
>> Timo Aaltonen (1):
>> * convert the base platform modules into packages
>>
>> Tomas Babej (18):
>> * Relax restriction for leading/trailing whitespaces in *-find commands
>> * Forbid overlapping rid ranges for the same id range
>> * Fix a typo in ipa-adtrust-install help
>> * Prevent integer overflow when setting krbPasswordExpiration
>> * Add option to specify SID using domain name to idrange-add/mod
>> * Prevent changing protected group's name using --setattr
>> * Use default.conf as flag of IPA client being installed
>> * Make sure appropriate exit status is returned in make-test
>> * Make options checks in idrange-add/mod consistent
>> * Add trusted domain range objectclass when using idrange-mod
>> * Perform secondary rid range overlap check for local ranges only
>> * Add support for re-enrolling hosts using keytab
>> * Make sure uninstall script prompts for reboot as last
>> * Remove implicit Str to DN conversion using *-attr
>> * Enforce exact SID match when adding or modifying a ID range
>> * Allow host re-enrollment using delegation
>> * Add logging to join command
>> * Properly handle ipa-replica-install when its zone is not managed by IPA
>>
>> sbose (1):
>> * ipa-kdb: Free talloc autofree context when module is closed
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From matthew.joseph at lmco.com Wed Apr 3 11:35:27 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 3 Apr 2013 07:35:27 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Client Installation Error
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com> <515B1C35.2030605@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49205@HCXMSP1.ca.lmco.com>

Hey Rob,

I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error:

Joining realm failed: HTTP response code is 401, not 200

On the server I looked at the krb5kdc.log to see if there were any errors and I'm getting the following error:

IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, admin at DOMAIN.CA for HTTP/IPA_Server at DOMAIN.CA, Server not found in Kerberos Database.

I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication.

Any ideas? Any other logs/information I can provide you?

Thanks,

Matt

-----Original Message-----
From: Joseph, Matthew (EXP)
Sent: Tuesday, April 02, 2013 3:01 PM
To: 'Rob Crittenden'; freeipa-users at redhat.com
Subject: RE: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Hey Rob,

I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good?
Is this a known problem with just 2.0.0-23 or is it also previous versions? Thanks, Matt -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: Tuesday, April 02, 2013 2:58 PM To: Joseph, Matthew (EXP); freeipa-users at redhat.com Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: > Hey, > > I'm trying to add a client to IPA and I'm getting the following error; > > Joining realm failed because of failing XML-RPC request > > This error may be caused by incompatible server/client major versions. > > Client is running Red Hat 6.1 with the following IPA and Curl packages > installed; > > Ipa-*-2.0.0-23 > > Curl-7.19.7-26 > > Libcurl-7.19.7-26 > > Server is running Red Hat 6.3 with the following IPA and Curl Packages > installed; > > Ipa-*-2.2.0-16 > > Curl-7.19.7-26 > > Libcurl-7.19.7-26 > > From what I've seen from other people is that the issue is with > libcurl blocking GSSAPI requests. Is that still the case? > > If so what are my options here to get around this problem? I assume I > can downgrade my Curl but will that affect anything major? > > Thanks, > > Matt Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation. rob From rcritten at redhat.com Wed Apr 3 13:13:54 2013 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 03 Apr 2013 09:13:54 -0400 Subject: [Freeipa-users] EXTERNAL: Re: Client Installation Error In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49205@HCXMSP1.ca.lmco.com> References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com> <515B1C35.2030605@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49205@HCXMSP1.ca.lmco.com> Message-ID: <515C2B12.4030809@redhat.com> Joseph, Matthew (EXP) wrote: > Hey Rob, > > I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. 
> I am now getting the following error; > > Joining realm failed: HTTP response code is 401, not 200 > > On the server I looked at the krb5kdc.log to see if there was any errors and I'm getting the following error; > > IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, admin at DOMAIN.CA for HTTP/IPA_Server at DOMAIN.CA, Server not found in Kerberos Database. > > I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication. > > Any ideas? Any other logs/information I can provide you? It may be your obfuscation, but is it a FQDN in the HTTP service principal? It should be. If you're using /etc/hosts be sure that the FQDN version is first (so "foo.example.com foo" rather than "foo foo.example.com"). rob From matthew.joseph at lmco.com Wed Apr 3 13:24:17 2013 From: matthew.joseph at lmco.com (Joseph, Matthew (EXP)) Date: Wed, 3 Apr 2013 09:24:17 -0400 Subject: [Freeipa-users] EXTERNAL: Re: Client Installation Error In-Reply-To: <515C2B12.4030809@redhat.com> References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E48F6B@HCXMSP1.ca.lmco.com> <515B1C35.2030605@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49205@HCXMSP1.ca.lmco.com> <515C2B12.4030809@redhat.com> Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49312@HCXMSP1.ca.lmco.com> Awesome that was the issue Rob. Thanks! Matt -----Original Message----- From: Rob Crittenden [mailto:rcritten at redhat.com] Sent: Wednesday, April 03, 2013 10:14 AM To: Joseph, Matthew (EXP); freeipa-users at redhat.com Subject: Re: EXTERNAL: Re: [Freeipa-users] Client Installation Error Joseph, Matthew (EXP) wrote: > Hey Rob, > > I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. 
> I am now getting the following error; > > Joining realm failed: HTTP response code is 401, not 200 > > On the server I looked at the krb5kdc.log to see if there was any > errors and I'm getting the following error; > > IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, admin at DOMAIN.CA for HTTP/IPA_Server at DOMAIN.CA, Server not found in Kerberos Database. > > I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication. > > Any ideas? Any other logs/information I can provide you? It may be your obfuscation, but is it a FQDN in the HTTP service principal? It should be. If you're using /etc/hosts be sure that the FQDN version is first (so "foo.example.com foo" rather than "foo foo.example.com"). rob From sigbjorn at nixtra.com Wed Apr 3 15:06:46 2013 From: sigbjorn at nixtra.com (Sigbjorn Lie) Date: Wed, 3 Apr 2013 17:06:46 +0200 (CEST) Subject: [Freeipa-users] User admins for different groups In-Reply-To: <5155F8C7.7020408@redhat.com> References: <5150E042.6090708@redhat.com> <515179C2.20407@linbit.com> <5151AC38.4020609@redhat.com> <5151B905.4040402@redhat.com> <5151C4DB.8050809@redhat.com> <9AF0057F-07CE-4B1E-87D5-2A7F37EFCB37@linbit.com> <51540935.7060303@redhat.com> <5155D92C.2050500@redhat.com> <44236.192.168.203.170.1364583599.squirrel@www.nixtra.com> <5155F8C7.7020408@redhat.com> Message-ID: <22103.213.225.75.97.1365001606.squirrel@www.nixtra.com> On Fri, March 29, 2013 22:25, Dmitri Pal wrote: > On 03/29/2013 02:59 PM, Sigbjorn Lie wrote: > >> >> >> On Fri, March 29, 2013 19:10, Dmitri Pal wrote: >> >>> On 03/28/2013 05:11 AM, Petr Spacek wrote: >>> >>> >>>> On 28.3.2013 09:38, Philipp Richter wrote: >>>> >>>> >>>>> Am 26.03.2013 um 16:55 schrieb Rob Crittenden : >>>>> >>>>> >>>>> >>>>>> Petr Spacek wrote: >>>>>> >>>>>> >>>>>>> On 26.3.2013 15:10, Rob Crittenden wrote: >>>>>>> >>>>>>> 
>>>>>>>> Philipp Richter wrote:
>>>>>>>>> On 03/26/2013 12:39 AM, Dmitri Pal wrote:
>>>>>>>>>>> I am trying to do the following:
>>>>>>>>>>>
>>>>>>>>>>> We have some branch offices at different locations. We want to use one ipa-server with replicas in each branch office. Each branch office should have its own set of administrators who should be able to create/modify/delete users for its own branch but should not be allowed to change users from other branches. Every member of admin-at should be forced to create/modify/delete only users in branch-at. The same applies for admin-us/branch-us.
>>>>>>>>>>>
>>>>>>>>>>> At first, I thought of a combination of (a) new role(s), with write/delete permissions set for the branch-at group, as well as an automember rule, but it seems there is no way to filter for the creator of an entry, which would be needed for the group membership.
>>>>>>>>>>>
>>>>>>>>>>> Am I missing anything?
>>>>>>>>>> This might help
>>>>>>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#delegating-users
>>>>>>>>>>
>>>>>>>>> Yes, I read the whole document but as far as I understand delegates are only helpful for editing existing records. I want admins of one branch to be able to also create users, but only in the assigned branch.
>>>>>>>>>
>>>>>>>>> Currently we use standard openldap with different ou's for the branches. Each branch admin has full ldap permissions for its own ou-subtree.
>>>>>>>>>
>>>>>>>> IPA uses a flat DIT so there is no way to control adding users in a given branch office.
>>>>>>>>
>>>>>>>> The most you'd be able to do is delegate management (delete/modify) of a subset of users who are members of a group that represents that branch office. Any new users added would need to be added to the appropriate branch group by the admin adding them.
>>>>>>> This sounds like a big deficiency to me...
>>>>>>> Is it possible to hack the automember plugin to enforce some group assignment based on creator's group/name as proposed above? It should allow users to prepare some hand-crafted ACIs, I guess.
>>>>>>>
>>>>>>> (Sorry, I don't have any knowledge about automember internals :-)
>>>>>>>
>>>>>> Using automember doesn't prevent an admin from adding a user outside of the branch. It would just automatically assign that new user to the correct branch based on the automember rules AND assuming that the admin that added the user included the right information for the rules.
>>>>>>
>>>>>> ACIs control add at the subtree level, so for us it is a binary. Either you can add users or you can't.
>>>>>>
>>>>> In our current ldap implementation (openldap) there are some attributes which are implicitly set. I think these are creation/modification time and creator's name. So if these attributes would exist in ipa one could set up automember rules based on the creator's name.
>>>>>
>>>>> Is there a way to switch such attributes on?
>>>>>
>>>> creatorsname is present, but is not returned from search if you didn't require it explicitly:
>>>>
>>>> $ ldapsearch -Y GSSAPI 'creatorsname'
>>>> [...]
>>>> creatorsname: uid=admin,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>> So does that mean that the automembership plugin can be configured to place users into the right groups based on the value of this attribute? That would be really awesome!
>>>
>> It looks like that works just fine! I've been looking for a solution for this too! Awesome!
:) >> >> >> ipa automember-add-condition usergroupname --inclusive-regex="uid=creatorusername.*" >> --key=creatorsname --type=group >> -------------------------------- >> Added condition(s) to "usergroupname" >> -------------------------------- >> Automember Rule: usergroupname >> Inclusive Regex: creatorsname=uid=creatorusername.* >> >> >> >> # ipa user-add atest2 >> ---snip--- >> >> >> # ipa group-show usergroupname >> Group name: usergroupname >> Description: Created by creatorsname >> Member users: atest2 >> >> >> >> Is there any reason not to use the creatorsname attribute? Is there a reason it does not exist >> as a selectable key in the webui? > > > I do not see a reason. > Seems like a valid use case > Can you please create an RFE ticket? > > https://fedorahosted.org/freeipa/ticket/3546 From bclark at tendrilinc.com Wed Apr 3 16:15:15 2013 From: bclark at tendrilinc.com (Brent Clark) Date: Wed, 3 Apr 2013 10:15:15 -0600 Subject: [Freeipa-users] Replication Issue Message-ID: I have set up 2 IPA servers. I followed the docs on Redhat site to do so. Everything went smooth and the replica was able to pull everything from the master. I was able to import data from an LDAP server and all my users and groups show up fine. I changed my user id password in the GUI on the replica and it did not propagate to the master. As I tried to login to the master server with the new password and it error-ed. It did take the old password. So I think it didn't replicate the password change. In addition, I also cannot login to the replica using my user id anymore with either the old or new password. Any thoughts/help is appreciated. My set up is CentOS 6.3 with ipa-server-2.2.0-17. -- Brent S. Clark NOC Engineer 2580 55th St. | Boulder, Colorado 80301 www.tendrilinc.com | blog [image: Tendril] This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

From Steven.Jones at vuw.ac.nz Wed Apr 3 20:27:51 2013
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Wed, 3 Apr 2013 20:27:51 +0000
Subject: [Freeipa-users] Replication Issue
In-Reply-To: References: Message-ID: <833D8E48405E064EBC54C84EC6B36E4073170F21@STAWINCOX10MBX1.staff.vuw.ac.nz>

Does the admin account still work?

Login as root and on both run:

kinit admin
ipa-replica-manage list -v

followed by:

ipa-replica-manage list ipa1.example.com -v

(or 2 for 2)

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Brent Clark [bclark at tendrilinc.com]
Sent: Thursday, 4 April 2013 5:15 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] Replication Issue

I have set up 2 IPA servers. I followed the docs on Redhat site to do so. Everything went smooth and the replica was able to pull everything from the master. I was able to import data from an LDAP server and all my users and groups show up fine. I changed my user id password in the GUI on the replica and it did not propagate to the master. As I tried to login to the master server with the new password and it error-ed. It did take the old password. So I think it didn't replicate the password change. In addition, I also cannot login to the replica using my user id anymore with either the old or new password. Any thoughts/help is appreciated.
My set up is CentOS 6.3 with ipa-server-2.2.0-17. -- Brent S. Clark NOC Engineer 2580 55th St. | Boulder, Colorado 80301 www.tendrilinc.com | blog [Tendril] This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Wed Apr 3 22:25:54 2013 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 03 Apr 2013 18:25:54 -0400 Subject: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled? In-Reply-To: References: <20130328122716.GG24620@hendrix.redhat.com> <5155FB99.2010706@redhat.com> Message-ID: <515CAC72.3030006@redhat.com> On 04/02/2013 01:57 AM, Pekka.Panula at sofor.fi wrote: > > From: Dmitri Pal > > >> I want also my AD users (from IPA trust) to login inside thru ssh > but > > >> afaik this seems to have some older SSSD version and same > configuration > > >> options that goes ok with CentOS 6 ipa-client wont work with > CentOS 5. > > >> > > >> So what should i modify that i can login to my CentOS 5 machine > that i can > > >> to login AD trust users from IPA? Is there newer SSSD daemon > available for > > >> centos 5? > > >> > > > No, it is not and it would be quite hard to build it, I think. You'd > > > need pretty recent version of Kerberos to support the PAC > responder that > > > handles users coming via trusts for instance. > > > > Yes this is quite a problem with the current solution. 
> Is there any guides for rhel 5.x/centos 5.x when using IPA and if that same system needs also AD users logins enabled, should we just enable some PAM module and all works if SSSD/IPA is also used?

You would need to backport 1.9 to rhel 5/centos 5. AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built on RHEL5) but you also need to build all the dependencies (samba, kerberos etc. and those would be quite a challenge).

Ping jhrozek on #sssd on freenode if you need more details, but it is a big endeavor so be prepared for a tough journey.

> > But we are looking for some ways to mitigate that.
> > Question for you about the older systems:
> >
> > What would you prefer: those systems pointing to IPA and IPA having a way to serve account and authentication or point them directly to AD?
> > Do you require kerberos authentication and SSO from those machines or simple LDAP authentication is OK?
> > Do you have a requirement for all the authentications to actually happen in AD for audit purposes or they can happen in IPA when users come from the old clients and in AD with trusts when users access newer clients?
> >
> > Thanks for the input!
> >
> > Dmitri
>
> For me, would be good if all comes from (thru) IPA, but that's not a requirement for me.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
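An added example for the automember-on-creatorsname recipe from the "User admins for different groups" thread above (Sigbjorn's `ipa automember-add-condition ... --key=creatorsname --type=group` command). This is editorial code, not from the thread and not FreeIPA's or 389-ds's own implementation: it re-implements the regex matching step in plain Python to show what the posted pattern shape `uid=<creator>.*` actually matches. The evaluation semantics assumed here (exclusive conditions win, any inclusive match suffices, the regex is searched unanchored within the attribute value) are the writer's reading of the 389-ds automember plugin and should be confirmed against your version; the DNs, admin names and branch groups are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data: a flat IPA user container, as in the thread.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"


def creator_dn(uid):
    """DN that 389-ds records in the operational attribute creatorsname."""
    return "uid=%s,%s" % (uid, USER_BASE)


@dataclass
class AutomemberRule:
    """One automember rule: target group plus regex conditions keyed by
    attribute name, mirroring `ipa automember-add-condition --key=... --type=group`.
    Assumed plugin semantics (confirm against your 389-ds): exclusive
    conditions win; otherwise any inclusive match is enough."""
    group: str
    inclusive: dict = field(default_factory=dict)  # attr -> [regex, ...]
    exclusive: dict = field(default_factory=dict)


def _any_match(conditions, entry):
    for attr, patterns in conditions.items():
        value = entry.get(attr, "")
        # re.search, not re.match: an unanchored pattern may match anywhere
        # in the DN, which is the behaviour assumed here for the plugin.
        if any(re.search(p, value) for p in patterns):
            return True
    return False


def evaluate(entry, rules):
    """Groups the entry would be put into at add time, in rule order."""
    return [r.group for r in rules
            if not _any_match(r.exclusive, entry)
            and _any_match(r.inclusive, entry)]


# The pattern shape from the thread: "uid=<creator>.*" -- unanchored.
RULES_LOOSE = [
    AutomemberRule("branch-at", inclusive={"creatorsname": [r"uid=admin_at.*"]}),
    AutomemberRule("branch-us", inclusive={"creatorsname": [r"uid=admin_us.*"]}),
    # Every branch admin's users, except those created by admin_us.
    AutomemberRule("all-branch-users",
                   inclusive={"creatorsname": [r"uid=admin_.*"]},
                   exclusive={"creatorsname": [r"^uid=admin_us,"]}),
]

# Hardened form: anchor on the full creator DN so that a similarly named
# account (admin_athens) or a DN elsewhere in the tree cannot satisfy it.
RULES_STRICT = [
    AutomemberRule(group,
                   inclusive={"creatorsname": ["^" + re.escape(creator_dn(uid)) + "$"]})
    for group, uid in (("branch-at", "admin_at"), ("branch-us", "admin_us"))
]


if __name__ == "__main__":
    for uid in ("admin_at", "admin_athens", "admin_us", "admin"):
        entry = {"creatorsname": creator_dn(uid)}
        print("%-13s loose=%-34s strict=%s" % (
            uid, evaluate(entry, RULES_LOOSE), evaluate(entry, RULES_STRICT)))
```

Run it to see the two rule sets side by side. The point is the `admin_athens` row: with the unanchored pattern a user created by a similarly named account lands in `branch-at`, so anchor the condition on the full creator DN (`^uid=admin_at,cn=users,cn=accounts,dc=example,dc=com$`) when you add it with `ipa automember-add-condition`. Anchoring only narrows who triggers the rule; as Rob points out earlier in the thread, automember tags the new entry but does not stop a branch admin from creating users anywhere in the flat users container, so it complements the permission/ACI work rather than replacing it.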
From dpal at redhat.com Wed Apr 3 22:31:15 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 03 Apr 2013 18:31:15 -0400
Subject: [Freeipa-users] Replication Issue
In-Reply-To: References: Message-ID: <515CADB3.7080300@redhat.com>

On 04/03/2013 12:15 PM, Brent Clark wrote:
> I have set up 2 IPA servers. I followed the docs on Redhat site to do so. Everything went smooth and the replica was able to pull everything from the master. I was able to import data from an LDAP server and all my users and groups show up fine.
>
> I changed my user id password in the GUI on the replica and it did not propagate to the master. As I tried to login to the master server with the new password and it error-ed. It did take the old password. So I think it didn't replicate the password change.
>
> In addition, I also cannot login to the replica using my user id anymore with either the old or new password.
>
> Any thoughts/help is appreciated.
>
> My set up is CentOS 6.3 with ipa-server-2.2.0-17.

Is the replication generally running? Are other changes making it across both ways?

> -- 
> Brent S. Clark
> NOC Engineer
>
> 2580 55th St. | Boulder, Colorado 80301
> www.tendrilinc.com | blog

-- 
Thank you,
Dmitri Pal

Sr.
Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Thu Apr 4 09:13:08 2013 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 4 Apr 2013 11:13:08 +0200 Subject: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled? In-Reply-To: <515CAC72.3030006@redhat.com> References: <20130328122716.GG24620@hendrix.redhat.com> <5155FB99.2010706@redhat.com> <515CAC72.3030006@redhat.com> Message-ID: <20130404091308.GJ17395@hendrix.brq.redhat.com> On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote: > On 04/02/2013 01:57 AM, Pekka.Panula at sofor.fi wrote: > > > From: Dmitri Pal > > > >> I want also my AD users (from IPA trust) to login inside thru ssh > > but > > > >> afaik this seems to have some older SSSD version and same > > configuration > > > >> options that goes ok with CentOS 6 ipa-client wont work with > > CentOS 5. > > > >> > > > >> So what should i modify that i can login to my CentOS 5 machine > > that i can > > > >> to login AD trust users from IPA? Is there newer SSSD daemon > > available for > > > >> centos 5? > > > >> > > > > No, it is not and it would be quite hard to build it, I think. You'd > > > > need pretty recent version of Kerberos to support the PAC > > responder that > > > > handles users coming via trusts for instance. > > > > > > Yes this is quite a problem with the current solution. > > > > Is there any guides for rhel 5.x/centos 5.x when using IPA and if that > > same > > system needs also AD users logins enabled, should we just enable some > > PAM module > > and all works if SSSD/IPA is also used? 
> > You would need to backport 1.9 to rhel 5/centos 5 > AFAIR you can still build those for RHEL5 (I mean 1.9 can still be built > on RHEL5) but you also need to build all the dependencies (samba, > kerberos etc. and those would be quite a challenge). > > Ping jhrozek on #sssd on free node if you need more details, but it is a > big endeavor so be prepared for a tough journey. > You can build the "core SSSD" with no problems and you'll get the fast cache, AD provider and other improvements but the PAC responder needed for trusts needs the latest Kerberos (1.10+) and unless I'm wrong also samba4. You'd have to compile these yourself. > > > > > But we are looking for some ways to mitigate that. > > > Question for you about the older systems: > > > > > > What would you prefer: those systems pointing to IPA and IPA having a > > > way to serve account and authentication or point them directly to AD? > > > Do you require kerberos authentication and SSO from those machines or > > > simple LDAP authentication is OK? > > > Do you have a requirement for all the authentications to actually happen > > > in AD for audit purposes or they can happen in IPA when users come from > > > the old clients and in AD with trusts when users access newer clients? > > > > > > Thanks for the input! > > > > > > Dmitri > > > > For me, would be good if all comes from (thru) IPA, but thats not > > an requirement for me. > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? 
> www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From matthew.joseph at lmco.com Thu Apr 4 14:14:51 2013 From: matthew.joseph at lmco.com (Joseph, Matthew (EXP)) Date: Thu, 4 Apr 2013 10:14:51 -0400 Subject: [Freeipa-users] ipa-replica-install errors Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> Hello, I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide); ------------------------ IPA_Server: ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ ipareplica:/var/lib/ipa/ IPA_Replica: ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg ------------------------------ Below is the error I am getting when running ipa-replica-install; Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'IPA_Server.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. 
Start listening on required ports for remote master check Get credentials to log in to remote master admin at domain.ca password: Execute check on remote master Check connection from master to remote replica 'IPA_Replica.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/13]: creating certificate server user [2/13]: creating pki-ca instance [3/13]: configuring certificate server instance [4/13]: disabling nonces [5/13]: creating RA agent certificate database [6/13]: importing CA chain to RA certificate database [7/13]: fixing RA database permissions [8/13]: setting up signing cert profile [9/13]: set up CRL publishing [10/13]: set certificate subject base [11/13]: enabling Subject Key Identifier [12/13]: configuring certificate server to start on boot [13/13]: Configure HTTP to proxy connections done configuring pki-cad. 
Restarting the directory and certificate servers Configuring directory server: Estimated time 1 minute [1/30]: creating directory server user [2/30]: creating directory server instance [3/30]: adding default schema [4/30]: enabling memberof plugin [5/30]: enabling referential integrity plugin [6/30]: enabling winsync plugin [7/30]: configuring replication version plugin [8/30]: enabling IPA enrollment plugin [9/30]: enabling ldapi [10/30]: configuring uniqueness plugin [11/30]: configuring uuid plugin [12/30]: configuring modrdn plugin [13/30]: enabling entryUSN plugin [14/30]: configuring lockout plugin [15/30]: creating indices [16/30]: configuring ssl for ds instance [17/30]: configuring certmap.conf [18/30]: configure autobind for root [19/30]: configure new location for managed entries [20/30]: restarting directory server [21/30]: setting up initial replication Starting replication, please wait until this has completed. [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error] creation of replica failed: Failed to start replication Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error; NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data. Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error. Thanks, Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From chandank.kumar at gmail.com Thu Apr 4 15:26:34 2013 From: chandank.kumar at gmail.com (Chandan Kumar) Date: Thu, 4 Apr 2013 08:26:34 -0700 Subject: [Freeipa-users] Shadow/Unix Password Import/Migrate Message-ID: Hello, I am setting up IPA server for our all Linux Machines mostly CentOS 5/6. As of now all user shadow passwords are managed by puppet. And as part of moving to IPA I could not find a way to import all passwords to IPA without forcing users to reset the password. 
Thanks
Chandan
--
http://about.me/chandank

From matthew.joseph at lmco.com Thu Apr 4 17:40:52 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 4 Apr 2013 13:40:52 -0400
Subject: [Freeipa-users] NIS Compat Password Issues
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com>

Hello,

I'm having issues with trying to log in to our NIS clients that are looking at IPA as a "NIS" Server.

The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to log in with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing.

I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

Thanks,

Matt

From rcritten at redhat.com Thu Apr 4 17:59:34 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Apr 2013 13:59:34 -0400
Subject: [Freeipa-users] Shadow/Unix Password Import/Migrate
In-Reply-To: References: Message-ID: <515DBF86.2080400@redhat.com>

Chandan Kumar wrote:
> Hello,
>
> I am setting up IPA server for our all Linux Machines mostly CentOS 5/6.
> As of now all user shadow passwords are managed by puppet.
>
> And as part of moving to IPA I could not find a way to import all
> passwords to IPA without forcing users to reset the password.

To close the loop on this, we discussed this in #freeipa and if you enable migration mode and set the password using the hash and {CRYPT} then it should work fine.
Something like:

  user-add --first=Tim --last=User --setattr userPassword={CRYPT}hash tim_user

rob

From rcritten at redhat.com Thu Apr 4 18:05:07 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Apr 2013 14:05:07 -0400
Subject: [Freeipa-users] NIS Compat Password Issues
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com>
Message-ID: <515DC0D3.3080003@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I've having issues with trying to login to our NIS clients that are
> looking at IPA as a "NIS" Server.
>
> The NIS Client can view all of the usernames when I do a ypcat passwd
> but when I try to login a with a user account it will not accept the
> password. I've even tried setting it as simple as Password123 and still
> nothing.
>
> I don't see anything NIS related in the error logs on the IPA server.
>
> Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob

From taaj.shawn at gmail.com Thu Apr 4 19:27:37 2013
From: taaj.shawn at gmail.com (Shawn)
Date: Thu, 4 Apr 2013 15:27:37 -0400
Subject: [Freeipa-users] Issues after setup

Hi,

I have configured an ipa-server, a replica and a client. In the GUI I can see that all hosts are in the "hosts" list. I have created a single user as well and attached that user to the client.

When trying to log in as the user to the client, I see this in secure.log:

  fatal: Access denied for user by PAM account configuration.

Any suggestions on steps to troubleshoot this?

Thanks
--
- Shawn Taaj
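Returning to Rob's {CRYPT} suggestion in the password-import thread above: as an added example (not code from the thread or from FreeIPA), a Python helper that turns passwd(5)/shadow(5) entries into the `ipa user-add --setattr userPassword={CRYPT}<hash>` calls he describes, skipping system UIDs and accounts whose shadow field is locked or never set. It assumes migration mode is already enabled (`ipa config-mod --enable-migration=TRUE`) and that the caller runs the returned commands with an admin Kerberos ticket; the sample accounts and hashes are constructed.

```python
"""Build `ipa user-add` invocations carrying existing Unix crypt(3) hashes
into FreeIPA as userPassword={CRYPT}<hash> (added example, not FreeIPA code).
Assumes migration mode is on (`ipa config-mod --enable-migration=TRUE`) so a
user's first login converts the hash into Kerberos keys."""
import re
import shlex
from typing import Dict, List, Tuple

# Accepted crypt(3) forms: $1$ (MD5), $5$/$6$ (SHA-256/512), $2?$ (bcrypt), or
# a bare 13-character traditional DES hash.  DES and MD5 are weak; they are
# passed through only to avoid a forced reset, and a password policy that
# makes users change passwords is what actually retires them.
CRYPT_RE = re.compile(r"^(\$(1|5|6|2[abxy]?)\$[^:]+|[./0-9A-Za-z]{13})$")


def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Map login -> fields for passwd(5)/shadow(5) text; skip blanks/comments."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed line ({len(fields)} fields): {line!r}")
        entries[fields[0]] = fields
    return entries


def usable_hash(field: str) -> bool:
    """True only for a real hash.  Locked ('!...'), disabled ('*') and
    never-set ('!!', '') accounts are skipped: importing them verbatim would
    store {CRYPT}!! as a "password" and lose the fact that they were locked."""
    return bool(field) and field[0] not in "!*" and CRYPT_RE.match(field) is not None


def names_from_gecos(gecos: str, login: str) -> Tuple[str, str]:
    """ipa user-add needs --first and --last; take them from the GECOS full
    name and fall back to the login name when GECOS is empty."""
    parts = gecos.split(",")[0].split()
    if len(parts) >= 2:
        return parts[0], " ".join(parts[1:])
    return (parts[0] if parts else login), login


def migration_commands(passwd_text: str, shadow_text: str,
                       min_uid: int = 1000) -> List[List[str]]:
    """One argv list per migratable user.  System accounts (uid < min_uid)
    and accounts without a usable hash are left out."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    cmds: List[List[str]] = []
    for login, (_, _, uid, gid, gecos, home, shell) in passwd.items():
        if int(uid) < min_uid or login not in shadow:
            continue
        pw_hash = shadow[login][1]
        if not usable_hash(pw_hash):
            continue
        first, last = names_from_gecos(gecos, login)
        cmds.append(["ipa", "user-add", login,
                     "--first", first, "--last", last,
                     "--uid", uid, "--gidnumber", gid,
                     "--homedir", home, "--shell", shell,
                     # {CRYPT} tells 389-ds the value is an already-hashed crypt string
                     "--setattr", f"userPassword={{CRYPT}}{pw_hash}"])
    return cmds


def render(cmds: List[List[str]]) -> str:
    """Shell-quoted script text; hashes contain '$', so quoting is mandatory."""
    return "\n".join(" ".join(shlex.quote(a) for a in c) for c in cmds)


# Constructed sample data; the hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tim:x:1001:1001:Tim User,,,:/home/tim:/bin/bash
ann:x:1002:1002:Ann Example:/home/ann:/bin/zsh
svc:x:1003:1003:Service Account:/srv/svc:/sbin/nologin
old:x:1004:1004::/home/old:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$rootsaltXX$rootHashPlaceholderNotRealAAAAAAAAAAAAAAAAAAAAAAAAAA:15800:0:99999:7:::
tim:$6$saltsalt$k0V5aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:15800:0:99999:7:::
ann:$1$abcdefgh$0123456789abcdefghijkl:15800:0:99999:7:::
svc:!!:15800:0:99999:7:::
old:*:15800:0:99999:7:::
"""

if __name__ == "__main__":
    print(render(migration_commands(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```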
From bclark at tendrilinc.com Thu Apr 4 19:40:18 2013
From: bclark at tendrilinc.com (Brent Clark)
Date: Thu, 4 Apr 2013 13:40:18 -0600
Subject: [Freeipa-users] Replication Issue

Ok, I have done as Steven Jones requested... here is the output from the replica.

I am able to kinit to admin using the password.

Issuing the ipa-replica-manage command on the replica for the replica:

  replcia.mydomain.com: replica
    last init status: None
    last init ended: None
    last update status: -2 - System error
    last update ended: None

Same command but for the master:

  Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc':'Local error'}

I can ping, telnet on all the IPA ports and ssh to the main server from the replica.

So... I'm confused.

Also on a whim, I was able to add a server to the replica and that host info did make it to the master.

--
Brent S. Clark

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

From rcritten at redhat.com Thu Apr 4 20:50:11 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Apr 2013 16:50:11 -0400
Subject: [Freeipa-users] Issues after setup
Message-ID: <515DE783.9050206@redhat.com>

Shawn wrote:
> Hi,
>
> I have configured a ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list.. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user by PAM account configuration.

Did you disable or remove the default allow_all HBAC rule?

rob

From taaj.shawn at gmail.com Thu Apr 4 20:50:50 2013
From: taaj.shawn at gmail.com (Shawn)
Date: Thu, 4 Apr 2013 16:50:50 -0400
Subject: [Freeipa-users] Issues after setup

I am able to log in to my replica and master with users no problem, just having issues with clients.

On Thu, Apr 4, 2013 at 3:27 PM, Shawn wrote:
> Hi,
>
> I have configured a ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list.. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user by PAM account configuration.
>
> any suggestions on steps to troubleshoot this?
>
> Thanks
>
> --
> - Shawn Taaj

--
- Shawn Taaj

From taaj.shawn at gmail.com Thu Apr 4 20:51:35 2013
From: taaj.shawn at gmail.com (Shawn)
Date: Thu, 4 Apr 2013 16:51:35 -0400
Subject: [Freeipa-users] Issues after setup
In-Reply-To: <515DE783.9050206@redhat.com>

Rob,

Nope, that's still enabled.

On Thu, Apr 4, 2013 at 4:50 PM, Rob Crittenden wrote:
> Shawn wrote:
>
>> Hi,
>>
>> I have configured a ipa-server, replica and client.
>>
>> In the GUI I can see that all hosts are in the "hosts" list.. I have
>> created a single user as well and attached that user to the client.
>>
>> When trying to login as the user to the client, I see this in the
>> secure.log.
>>
>> fatal: Access denied for user by PAM account configuration.
>>
>
> Did you disable or remove the default allow_all HBAC rule?
>
> rob
>

--
- Shawn Taaj

From rcritten at redhat.com Thu Apr 4 20:51:47 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 04 Apr 2013 16:51:47 -0400
Subject: [Freeipa-users] Replication Issue
Message-ID: <515DE7E3.4070902@redhat.com>

Brent Clark wrote:
> Ok, I have done as Steven Jones requested... here is the output from the
> replica
>
> I am able to kinit to admin using the password.
>
> issuing the ipa-replica-manage command on the replica for the replica
>
> replcia.mydomain.com : replica
> last init status: None
> last init ended: None
> last update status: -2 - System error
> last update ended: None
>
> Same command but for the master
> Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure:
> GSSAPI Error: An invalid name was supplied (Cannot determine realm for
> numeric host address)', 'desc':'Local error'}
>
> I can ping, telnet on all the IPA ports and ssh to the main server from
> the replica.
>
> So... im confused.
>
> Also on a whim, I was able to add a server to the replica and that host
> info did make it to the master.

Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.

rob

From jhrozek at redhat.com Thu Apr 4 20:53:44 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 4 Apr 2013 22:53:44 +0200
Subject: [Freeipa-users] Issues after setup
Message-ID: <20130404205344.GU17395@hendrix.brq.redhat.com>

On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote:
> Hi,
>
> I have configured a ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list.. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user by PAM account configuration.
>
> any suggestions on steps to troubleshoot this?

Hi Shawn,

I would start with checking the HBAC rules using the ipa hbactest command.

  $ ipa hbactest --help

might get you started.

From nkinder at redhat.com Thu Apr 4 20:59:43 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 04 Apr 2013 13:59:43 -0700
Subject: [Freeipa-users] ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com>
Message-ID: <515DE9BF.8020908@redhat.com>

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I'm trying to setup a replica server with ipa-2.2.0-16 on both the
> Server and the Replica Server.
>
> Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);
>
> ------------------------
>
> IPA_Server:
>
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> IPA_Replica:
>
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>
> ------------------------------
>
> Below is the error I am getting when running ipa-replica-install;
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be
> checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
>
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at domain.ca password:
>
> Execute check on remote master
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
>
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/13]: creating certificate server user
>   [2/13]: creating pki-ca instance
>   [3/13]: configuring certificate server instance
>   [4/13]: disabling nonces
>   [5/13]: creating RA agent certificate database
>   [6/13]: importing CA chain to RA certificate database
>   [7/13]: fixing RA database permissions
>   [8/13]: setting up signing cert profile
>   [9/13]: set up CRL publishing
>   [10/13]: set certificate subject base
>   [11/13]: enabling Subject Key Identifier
>   [12/13]: configuring certificate server to start on boot
>   [13/13]: Configure HTTP to proxy connections
> done configuring pki-cad.
>
> Restarting the directory and certificate servers
>
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
> creation of replica failed: Failed to start replication
>
> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the
> following error;
>
> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca"
> (ipa_server:389): Replica has a different generation ID than the local
> data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

>
> Any thoughts or ideas on this issue? Searching google I don't see
> anyone getting the Status: -11 - System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error.
Here is how it is defined in /usr/include/ldap.h:

  #define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then try to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem.

To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

>
> Thanks,
>
> Matt
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From sakodak at gmail.com Thu Apr 4 21:06:23 2013
From: sakodak at gmail.com (KodaK)
Date: Thu, 4 Apr 2013 16:06:23 -0500
Subject: [Freeipa-users] Issues after setup

Run an hbactest:

  ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd

Make sure that works; if it does, then you can move on to troubleshooting the host itself.

On Thu, Apr 4, 2013 at 2:27 PM, Shawn wrote:
> Hi,
>
> I have configured a ipa-server, replica and client.
>
> In the GUI I can see that all hosts are in the "hosts" list.. I have
> created a single user as well and attached that user to the client.
>
> When trying to login as the user to the client, I see this in the
> secure.log.
>
> fatal: Access denied for user by PAM account configuration.
>
> any suggestions on steps to troubleshoot this?
>
> Thanks
>
> --
> - Shawn Taaj
>

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

From matthew.joseph at lmco.com Fri Apr 5 09:40:06 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 05:40:06 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <515DC0D3.3080003@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com>

Hey Rob,

The passwd section of nsswitch.conf is the following:

  Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I've having issues with trying to login to our NIS clients that are
> looking at IPA as a "NIS" Server.
>
> The NIS Client can view all of the usernames when I do a ypcat passwd
> but when I try to login a with a user account it will not accept the
> password. I've even tried setting it as simple as Password123 and
> still nothing.
>
> I don't see anything NIS related in the error logs on the IPA server.
>
> Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the clear).
rob

From matthew.joseph at lmco.com Fri Apr 5 11:14:18 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 07:14:18 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com>

On my old NIS server we used shadow passwords. When I migrated my NIS passwd file to IPA, I'm assuming it also imported the part of the file that contains the "x" pointing towards a shadow file.

Would I need to remove the "x" from the NIS passwd file and re-migrate it to IPA? Is there a better way to get around this?

Matt

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following;

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I've having issues with trying to login to our NIS clients that are
> looking at IPA as a "NIS" Server.
>
> The NIS Client can view all of the usernames when I do a ypcat passwd
> but when I try to login a with a user account it will not accept the
> password. I've even tried setting it as simple as Password123 and
> still nothing.
>
> I don't see anything NIS related in the error logs on the IPA server.
>
> Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob

From matthew.joseph at lmco.com Fri Apr 5 11:53:52 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 07:53:52 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C8F@HCXMSP1.ca.lmco.com>

It looks like I missed a step in setting up my IPA server for NIS compatibility.

  [root at server ~]# ldapmodify -D "cn=directory server" -w secret -p 389 -h ipaserver.example.com
  dn: cn=config
  changetype: modify
  replace: passwordStorageScheme
  passwordStorageScheme: crypt

When I try to run that command I get the following error:

  Ldap_bind: No Such Object (32)

I can manually add that to the dse.ldif, right? If so, where would it go?

Thanks,
Matt

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 8:14 AM
To: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

My old NIS server we used shadow passwords.
When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.

Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
Is there a better way to get around this?

Matt

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following;

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> Hello,
>
> I've having issues with trying to login to our NIS clients that are
> looking at IPA as a "NIS" Server.
>
> The NIS Client can view all of the usernames when I do a ypcat passwd
> but when I try to login a with a user account it will not accept the
> password. I've even tried setting it as simple as Password123 and
> still nothing.
>
> I don't see anything NIS related in the error logs on the IPA server.
>
> Can someone point me in the right direction for this?

What does your nsswitch.conf look like?

Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob

From janfrode at tanso.net Fri Apr 5 12:00:58 2013
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 5 Apr 2013 14:00:58 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130322174307.GA15697@dibs.tanso.net>
Message-ID: <20130405120058.GA24411@dibs.tanso.net>

On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote:
>
> >
> > Does the problem go away if you set:
> > selinux_provider = none

Sorry, no. Also the "No SELinux user maps found!" didn't go away.

At "Apr 5 13:46:22" I was denied access again by pam_access, and then seconds later I could log in:

Apr 5 13:46:22 ipa2 sshd[15417]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.com'
Apr 5 13:46:29 ipa2 sshd[15423]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
Apr 5 13:46:33 ipa2 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)

debug=6 logs attached. Any other suggestions?

-jf

(A non-text attachment was scrubbed: sssd-logs.tar.bz2, application/x-bzip2, 11366 bytes)

From dpal at redhat.com Fri Apr 5 12:19:21 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 05 Apr 2013 08:19:21 -0400
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130405120058.GA24411@dibs.tanso.net>
Message-ID: <515EC149.5030709@redhat.com>

On 04/05/2013 08:00 AM, Jan-Frode Myklebust wrote:
> On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote:
>>> Does the problem go away if you set:
>>> selinux_provider = none
> Sorry, no. Also the "No SELinux user maps found!" didn't go away.
>
> At "Apr 5 13:46:22" I was denied access again by pam_access, and then
> seconds later I could log in:
>
> Apr 5 13:46:22 ipa2 sshd[15417]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.com'
> Apr 5 13:46:29 ipa2 sshd[15423]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
> Apr 5 13:46:33 ipa2 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
>
> debug=6 logs attached. Any other suggestions?

SELinux seems to be OK, but the log is definitely showing that not all users are successfully stored in a group.

>
> -jf

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From jhrozek at redhat.com Fri Apr 5 12:36:54 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 5 Apr 2013 14:36:54 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130405120058.GA24411@dibs.tanso.net>
Message-ID: <20130405123654.GI3708@hendrix.redhat.com>

On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote:
> On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote:
> >
> > >
> > > Does the problem go away if you set:
> > > selinux_provider = none
>
> Sorry, no. Also the "No SELinux user maps found!" didn't go away.
>
> At "Apr 5 13:46:22" I was denied access again by pam_access, and then
> seconds later I could log in:
>
> Apr 5 13:46:22 ipa2 sshd[15417]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.com'
> Apr 5 13:46:29 ipa2 sshd[15423]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
> Apr 5 13:46:33 ipa2 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
>
> debug=6 logs attached. Any other suggestions?

It's still the same error. I would expect not to see this function:

  [sssd[be[example]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping

being called at all if selinux_provider is set to none. I will test this case locally again with the same version as you do.

A definite workaround would be to create the SELinux config object on the server side.
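The secure-log excerpt Jan-Frode posted above (a pam_access denial, then a successful sshd session for the same user seven seconds later) is worth separating from a consistent policy block when reading a client's logs: a denial that clears itself for the same account within seconds points at the identity-lookup path rather than at a static rule. As an added example, not code from the thread or from SSSD, here is a Python pass over syslog-format lines that pairs each sshd pam_access denial with the next sshd session opened for the same user inside a window and leaves denials with no follow-up flagged as unresolved. The three lines from the thread are reused as input; the extra lines, the year assumed for the timestamps and the window size are constructed.

```python
"""Pair sshd pam_access denials with a later successful sshd session for the
same user (added example, not SSSD or FreeIPA code).  A denial that clears
within seconds is reported as 'flapping'; one with no follow-up stays
'unresolved' so a genuinely blocked account is never hidden."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# First three lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
Apr 5 13:46:22 ipa2 sshd[15417]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.com'
Apr 5 13:46:29 ipa2 sshd[15423]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
Apr 5 13:46:33 ipa2 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
Apr 5 14:02:10 ipa2 sshd[15600]: pam_access(sshd:account): access denied for user `guest' from `login2.example.com'
Apr 5 14:50:00 ipa2 sshd[15700]: pam_access(sshd:account): access denied for user `bob' from `login3.example.com'
Apr 5 14:52:00 ipa2 sshd[15705]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

DENIED = re.compile(r"pam_access\((?P<svc>[^:)]+):account\): access denied "
                    r"for user `(?P<user>[^']+)' from `(?P<src>[^']+)'")
OPENED = re.compile(r"pam_unix\((?P<svc>[^:)]+):session\): session opened "
                    r"for user (?P<user>\S+) by")

Event = Tuple[datetime, str, str, str]  # (timestamp, kind, user, source)


def parse_line(line: str, year: int = 2013) -> Optional[Event]:
    """Return an Event for the two sshd line types we care about, else None.
    Syslog omits the year, so one is assumed.  The su line in the sample is
    deliberately dropped: it opens a session for root, not for the user."""
    parts = line.split(None, 5)  # month, day, time, host, tag, message
    if len(parts) < 6:
        return None
    ts = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                           "%Y %b %d %H:%M:%S")
    m = DENIED.search(parts[5])
    if m and m.group("svc") == "sshd":
        return ts, "denied", m.group("user"), m.group("src")
    m = OPENED.search(parts[5])
    if m and m.group("svc") == "sshd":
        return ts, "opened", m.group("user"), ""
    return None


def flapping_denials(log_text: str, window_s: int = 60) -> List[Dict[str, object]]:
    """For every sshd denial, look for the next sshd session opened for the
    same user within window_s seconds and classify the denial accordingly."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    findings: List[Dict[str, object]] = []
    for i, (ts, kind, user, src) in enumerate(events):
        if kind != "denied":
            continue
        follow = next((e for e in events[i + 1:]
                       if e[1] == "opened" and e[2] == user
                       and (e[0] - ts).total_seconds() <= window_s), None)
        findings.append({
            "user": user,
            "source": src,
            "denied_at": ts.strftime("%H:%M:%S"),
            "verdict": "flapping" if follow else "unresolved",
            "gap_s": (follow[0] - ts).total_seconds() if follow else None,
        })
    return findings


if __name__ == "__main__":
    for finding in flapping_denials(SAMPLE_LOG):
        print(finding)
```

A flapping verdict for a user who is provisioned and covered by an HBAC rule is a cue to look at the SSSD domain log around the denial timestamp, as the thread does, rather than at the rule set.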
From janfrode at tanso.net Fri Apr 5 12:42:33 2013
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 5 Apr 2013 14:42:33 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <515EC149.5030709@redhat.com>
Message-ID: <20130405124232.GA25210@dibs.tanso.net>

On Fri, Apr 05, 2013 at 08:19:21AM -0400, Dmitri Pal wrote:
>
> SELinux seems to be OK but the log definitely showing that not all users
> are successfully stored in a group.

Hmm.. I've noticed that in cn=$groupname,cn=groups,cn=accounts we have both "member" and "memberUid", but "member" often contains more entries than "memberUid". I've assumed that "memberUid" was a legacy thing, and just not maintained anymore.. Is this what you're referring to?

Or is it the storing of groups in the sssd database that isn't successful? Are these the interesting entries?

(Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sdap_save_group] (0x0400): Storing info for group sos
(Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sysdb_search_group_by_gid] (0x0400): No such entry

-jf

From jhrozek at redhat.com Fri Apr 5 13:02:53 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 5 Apr 2013 15:02:53 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130405124232.GA25210@dibs.tanso.net>
Message-ID: <20130405130252.GJ3708@hendrix.redhat.com>

On Fri, Apr 05, 2013 at 02:42:33PM +0200, Jan-Frode Myklebust wrote:
> On Fri, Apr 05, 2013 at 08:19:21AM -0400, Dmitri Pal wrote:
> >
> > SELinux seems to be OK but the log definitely showing that not all users
> > are successfully stored in a group.
>
> Hmm.. I've noticed that in cn=$groupname,cn=groups,cn=accounts we have
> both "member" and "memberUid", but "member" often contains more entries
> than "memberUid". I've assumed that the "memberUid" was a legacy thing,
> and just not maintained anymore.. Is this what you're referring to ?
>

Are you referring to the entries in LDAP or the cache on disk?

> Or is it the storing of groups in the sssd-database that isn't
> successful ? Is this the interesting entries? :
>
> (Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sdap_save_group] (0x0400): Storing info for group sos
> (Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sysdb_search_group_by_name] (0x0400): No such entry
> (Fri Apr 5 13:46:09 2013) [sssd[be[example]]] [sysdb_search_group_by_gid] (0x0400): No such entry

You can safely ignore the warnings; the SSSD simply tries to find the group by both name and GID before saving the entry, to determine whether the entry needs to be saved anew or updated.

From janfrode at tanso.net Fri Apr 5 13:27:43 2013
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 5 Apr 2013 15:27:43 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130405130252.GJ3708@hendrix.redhat.com>
Message-ID: <20130405132743.GA28455@dibs.tanso.net>

On Fri, Apr 05, 2013 at 03:02:53PM +0200, Jakub Hrozek wrote:
> > Hmm.. I've noticed that in cn=$groupname,cn=groups,cn=accounts we have
> > both "member" and "memberUid", but "member" often contains more entries
> > than "memberUid". I've assumed that the "memberUid" was a legacy thing,
> > and just not maintained anymore.. Is this what you're referring to ?
> >
>
> Are you referring to the entries in LDAP or the cache on disk?

LDAP.

-jf

From rcritten at redhat.com Fri Apr 5 13:36:29 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Apr 2013 09:36:29 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com>
Message-ID: <515ED35D.6020807@redhat.com>

Joseph, Matthew (EXP) wrote:
> My old NIS server we used shadow passwords.
> When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.
>
> Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
> Is there a better way to get around this?

This is why I asked what nsswitch.conf looked like.
IPA does not provide the shadow map, so no passwords at all are available.

It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.

What kind of client are you configuring, and do you need it to be pure NIS?

rob

>
> Matt
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Friday, April 05, 2013 6:40 AM
> To: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>
> Hey Rob,
>
> The passwd section of nsswitch.conf is the following;
>
> Passwd: files nis
>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, April 04, 2013 3:05 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues
>
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm having issues with trying to login to our NIS clients that are
>> looking at IPA as a "NIS" Server.
>>
>> The NIS Client can view all of the usernames when I do a ypcat passwd
>> but when I try to log in with a user account it will not accept the
>> password. I've even tried setting it as simple as Password123 and
>> still nothing.
>>
>> I don't see anything NIS related in the error logs on the IPA server.
>>
>> Can someone point me in the right direction for this?
>
> What does your nsswitch.conf look like?
>
> Note that IPA does not provide the shadow map (because it sends hashes in the clear).
>
> rob
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

From matthew.joseph at lmco.com Fri Apr 5 13:39:36 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 09:39:36 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <515ED35D.6020807@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com> <515DC0D3.3080003@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com> <515ED35D.6020807@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6D46@HCXMSP1.ca.lmco.com>

Hey Rob,

The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.
These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.

What do you think the best course of action would be for my situation?

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, April 05, 2013 10:36 AM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> On my old NIS server we used shadow passwords.
> When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.
>
> Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
> Is there a better way to get around this?

This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.
It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.

What kind of client are you configuring, and do you need it to be pure NIS?

rob

>
> Matt
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew
> (EXP)
> Sent: Friday, April 05, 2013 6:40 AM
> To: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>
> Hey Rob,
>
> The passwd section of nsswitch.conf is the following;
>
> Passwd: files nis
>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, April 04, 2013 3:05 PM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues
>
> Joseph, Matthew (EXP) wrote:
>> Hello,
>>
>> I'm having issues with trying to login to our NIS clients that are
>> looking at IPA as a "NIS" Server.
>>
>> The NIS Client can view all of the usernames when I do a ypcat passwd
>> but when I try to log in with a user account it will not accept the
>> password. I've even tried setting it as simple as Password123 and
>> still nothing.
>>
>> I don't see anything NIS related in the error logs on the IPA server.
>>
>> Can someone point me in the right direction for this?
>
> What does your nsswitch.conf look like?
>
> Note that IPA does not provide the shadow map (because it sends hashes in the clear).
>
> rob
>

From rcritten at redhat.com Fri Apr 5 14:07:14 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Apr 2013 10:07:14 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6D46@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com> <515DC0D3.3080003@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com> <515ED35D.6020807@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6D46@HCXMSP1.ca.lmco.com>
Message-ID: <515EDA92.3070601@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.
> These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.
>
> What do you think the best course of action would be for my situation?

You have two choices. You can try the instructions at http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for authentication. We haven't tested this for many moons but it should still work.

Or you can proceed and try to use crypt passwords which will be sent in the passwd entry. The LDIF you provided should have worked fine, I'm not sure why it didn't, particularly the error it returned. If you do it on the IPA server you should just need:

ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode (ipa config-mod --enable-migration=true) and set the password when the user is added.
ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'

ypcat passwd should confirm that the password is visible.

We don't recommend this.

rob

>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, April 05, 2013 10:36 AM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>
> Joseph, Matthew (EXP) wrote:
>> On my old NIS server we used shadow passwords.
>> When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.
>>
>> Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
>> Is there a better way to get around this?
>
> This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.
>
> It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.
>
> What kind of client are you configuring, and do you need it to be pure NIS?
>
> rob
>
>>
>> Matt
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew
>> (EXP)
>> Sent: Friday, April 05, 2013 6:40 AM
>> To: Rob Crittenden; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>>
>> Hey Rob,
>>
>> The passwd section of nsswitch.conf is the following;
>>
>> Passwd: files nis
>>
>> Matt
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Thursday, April 04, 2013 3:05 PM
>> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
>> Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues
>>
>> Joseph, Matthew (EXP) wrote:
>>> Hello,
>>>
>>> I'm having issues with trying to login to our NIS clients that are
>>> looking at IPA as a "NIS" Server.
>>>
>>> The NIS Client can view all of the usernames when I do a ypcat passwd
>>> but when I try to log in with a user account it will not accept the
>>> password. I've even tried setting it as simple as Password123 and
>>> still nothing.
>>>
>>> I don't see anything NIS related in the error logs on the IPA server.
>>>
>>> Can someone point me in the right direction for this?
>>
>> What does your nsswitch.conf look like?
>>
>> Note that IPA does not provide the shadow map (because it sends hashes in the clear).
>>
>> rob
>>
>

From bclark at tendrilinc.com Fri Apr 5 14:30:14 2013
From: bclark at tendrilinc.com (Brent Clark)
Date: Fri, 5 Apr 2013 08:30:14 -0600
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515DE7E3.4070902@redhat.com>
References: <515DE7E3.4070902@redhat.com>
Message-ID:

You were correct, my reverse DNS entries for the master and replica were missing. Odd, since they both existed at one point.
Running the same commands again results in the following

On the Replica system

ipa-replica-manage list replica.example.com -v

master.example.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2013-04-05 14:18:11+00:00

ipa-replica-manage list master.example.com -v

Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}

===========

On the master system

ipa-replica-manage list replica.example.com -v

master.example.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2013-04-05 14:19:39+00:00

ipa-replica-manage list master.example.tni01.com -v

replica.example.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2013-04-04 20:06:44+00:00
  last update status: 49 - LDAP error: Invalid credentials
  last update ended: 2013-04-04 20:06:55+00:00

On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden wrote:
> Brent Clark wrote:
>
>> Ok, I have done as Steven Jones requested... here is the output from the
>> replica
>>
>> I am able to kinit to admin using the password.
>>
>> issuing the ipa-replica-manage command on the replica for the replica
>>
>> replcia.mydomain.com : replica
>>
>> last init status: None
>> last init ended: None
>> last update status: -2 - System error
>> last update ended: None
>>
>> Same command but for the master
>> Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure:
>> GSSAPI Error: An invalid name was supplied (Cannot determine realm for
>> numeric host address)', 'desc':'Local error'}
>>
>> I can ping, telnet on all the IPA ports and ssh to the main server from
>> the replica.
>>
>> So... I'm confused.
>>
>> Also on a whim, I was able to add a server to the replica and that host
>> info did make it to the master.
>>
>
> Sounds like a DNS issue. Make sure forward and reverse DNS works for
> master.example.com.
>
> rob
>

--
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

From simo at redhat.com Fri Apr 5 14:41:37 2013
From: simo at redhat.com (Simo Sorce)
Date: Fri, 05 Apr 2013 10:41:37 -0400
Subject: [Freeipa-users] Replication Issue
In-Reply-To:
References: <515DE7E3.4070902@redhat.com>
Message-ID: <1365172897.2660.1358.camel@willson.li.ssimo.org>

On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> You were correct, my reverse DNS entries for the master and replica
> were missing. Odd, since they both existed at one point.

Rob,
I think we should open a ticket against 389ds, we should never depend on PTR records.

In this case I believe the ldap libraries are at fault since they now force SASL canonicalization on, which is known to be broken for gssapi as it causes reverse resolution.

Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?

Simo.
>
> Running the same commands again results in the following
> On the Replica system
>
> ipa-replica-manage list replica.example.com -v
>
> master.example.com: replica
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update succeeded
> last update ended: 2013-04-05 14:18:11+00:00
>
> ipa-replica-manage list master.example.com -v
>
> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
> ===========
> On the master system
>
> ipa-replica-manage list replica.example.com -v
> master.example.com: replica
> last init status: None
> last init ended: None
> last update status: 0 Replica acquired successfully: Incremental update succeeded
> last update ended: 2013-04-05 14:19:39+00:00
>
> ipa-replica-manage list master.example.tni01.com -v
> replica.example.com: replica
> last init status: 0 Total update succeeded
> last init ended: 2013-04-04 20:06:44+00:00
> last update status: 49 - LDAP error: Invalid credentials
> last update ended: 2013-04-04 20:06:55+00:00
>
> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden wrote:
> Brent Clark wrote:
> Ok, I have done as Steven Jones requested... here is the output from the replica
>
> I am able to kinit to admin using the password.
>
> issuing the ipa-replica-manage command on the replica for the replica
>
> replcia.mydomain.com : replica
>
> last init status: None
> last init ended: None
> last update status: -2 - System error
> last update ended: None
>
> Same command but for the master
> Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc':'Local error'}
>
> I can ping, telnet on all the IPA ports and ssh to the main server from the replica.
>
> So... I'm confused.
>
> Also on a whim, I was able to add a server to the replica and that host info did make it to the master.
>
> Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.
>
> rob
>
> --
> Brent S. Clark
> NOC Engineer
>
> 2580 55th St. | Boulder, Colorado 80301
> www.tendrilinc.com | blog
> Tendril
>
--
Simo Sorce * Red Hat, Inc * New York

From matthew.joseph at lmco.com Fri Apr 5 14:52:42 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 10:52:42 -0400
Subject: [Freeipa-users] Active Directory --> IPA Password Sync
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6DF5@HCXMSP1.ca.lmco.com>

Hello,

I imagine this is a common issue/question when trying to implement the password sync between AD and IPA.

We have two Windows 2003 domain controllers (for redundancy) so when a user issues a password change on the Windows side there is no primary domain controller that it will always use for password changes.

So right now IPA is only getting 50% of the Password changes that are done through Windows due to password changes going through both domain controllers.

Looking through the documentation IPA will only allow a password sync agreement between 1 AD and 1 IPA server.

Is there a solution for this issue? How are people getting around this?

Thanks,

Matt

From dpal at redhat.com Fri Apr 5 14:56:26 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 05 Apr 2013 10:56:26 -0400
Subject: [Freeipa-users] Active Directory --> IPA Password Sync
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6DF5@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6DF5@HCXMSP1.ca.lmco.com>
Message-ID: <515EE61A.6000406@redhat.com>

On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I imagine this is a common issue/question when trying to implement the
> password sync between AD and IPA.
>
> We have two Windows 2003 domain controllers (for redundancy) so when a
> user issues a password change on the Windows side there is no primary
> domain controller that it will always use for password changes.
>
> So right now IPA is only getting 50% of the Password changes that are
> done through Windows due to password changes going through both domain
> controllers.
>
> Looking through the documentation IPA will only allow a password sync
> agreement between 1 AD and 1 IPA server.
>
> Is there a solution for this issue? How are people getting around this?
>

One winsync agreement but passsync should be installed on both DCs.

>
> Thanks,
>
> Matt
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From matthew.joseph at lmco.com Fri Apr 5 15:11:30 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 11:11:30 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Active Directory --> IPA Password Sync
In-Reply-To: <515EE61A.6000406@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6DF5@HCXMSP1.ca.lmco.com> <515EE61A.6000406@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6E1E@HCXMSP1.ca.lmco.com>

Thank you very much for that. Works like a charm.

How does this work though? You set up the winsync agreement between your IPA Server and AD server using the hostname.

How does IPA know that it can trust a second DC?
Matt

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Friday, April 05, 2013 11:56 AM
To: freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Active Directory --> IPA Password Sync

On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:

Hello,

I imagine this is a common issue/question when trying to implement the password sync between AD and IPA.

We have two Windows 2003 domain controllers (for redundancy) so when a user issues a password change on the Windows side there is no primary domain controller that it will always use for password changes.

So right now IPA is only getting 50% of the Password changes that are done through Windows due to password changes going through both domain controllers.

Looking through the documentation IPA will only allow a password sync agreement between 1 AD and 1 IPA server.

Is there a solution for this issue? How are people getting around this?

One winsync agreement but passsync should be installed on both DCs.

Thanks,

Matt

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
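The NIS compat thread earlier in this digest (Rob's replies to Matt) turns on one fact: IPA serves no shadow map, so the only way to make NIS-only clients authenticate is to publish crypt hashes in the passwd map itself, where ypcat passwd, and anyone able to query or sniff ypserv, can read them. What follows is an added example, not code from FreeIPA, slapi-nis or any message in the thread: a small audit that parses passwd(5)-style lines as ypcat passwd prints them and reports which accounts expose a crackable hash instead of a shadow placeholder. SAMPLE_PASSWD_MAP is constructed and its hash values are not real credentials; the placeholder set and hash-family patterns are this example's own assumptions about what such a map can contain.

```python
"""Audit a NIS passwd map (the output of `ypcat passwd`) for entries whose
password field carries a real hash instead of a shadow placeholder.
Added example, not code from FreeIPA or slapi-nis; SAMPLE_PASSWD_MAP is
constructed and its hashes are not real credentials."""

import re
from typing import List, Tuple

# Password-field values that mean "no hash here" (it lives in shadow, or the
# account is locked).  Anything else is worth reporting.  Assumed set.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", "*LK*", ""}

# Hash families a NIS client, or anyone who can query or sniff the
# unauthenticated ypserv traffic, could feed straight into an offline cracker.
HASH_FAMILIES = [
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("sha256crypt", re.compile(r"^\$5\$")),
    ("md5crypt", re.compile(r"^\$1\$")),
    ("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]
CRYPT_PREFIX = re.compile(r"^\{CRYPT\}", re.I)  # IPA userPassword style


def classify_password_field(field: str) -> str:
    """Return 'shadowed' for placeholders, the hash family for recognisable
    hashes, 'crypt-prefixed' for a {CRYPT} value of unknown shape, or
    'unknown' for anything else (plaintext, unsupported scheme)."""
    if field in SHADOW_PLACEHOLDERS:
        return "shadowed"
    had_prefix = bool(CRYPT_PREFIX.match(field))
    inner = CRYPT_PREFIX.sub("", field)
    for name, pattern in HASH_FAMILIES:
        if pattern.match(inner):
            return name
    return "crypt-prefixed" if had_prefix else "unknown"


def find_exposed_hashes(passwd_map: str) -> List[Tuple[str, str]]:
    """Parse passwd(5)-style lines and return (user, classification) for every
    account whose password field is not a shadow placeholder."""
    exposed = []
    for raw in passwd_map.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd entry (ypcat noise, truncated line)
        user, pw_field = fields[0], fields[1]
        verdict = classify_password_field(pw_field)
        if verdict != "shadowed":
            exposed.append((user, verdict))
    return exposed


# Constructed sample of what `ypcat passwd` might return once crypt hashes
# have been pushed into the passwd map as described in the thread.
SAMPLE_PASSWD_MAP = """\
# constructed sample, not a real map
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:{CRYPT}$6$Sa1tSa1t$Q9bSU4Wv2fTQdmv1hbqkljMpGW7uQ7YHR6q9DbOqHcQFOmlL:1002:1002:Bob Example:/home/bob:/bin/bash
carol:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:1003:1003:Carol Example:/home/carol:/bin/sh
dave:*:1004:1004:Dave Example:/home/dave:/sbin/nologin
legacy:AbCdEfGhIjKlM:1005:1005:Legacy DES account:/home/legacy:/bin/sh
"""

if __name__ == "__main__":
    for user, verdict in find_exposed_hashes(SAMPLE_PASSWD_MAP):
        print(f"{user}: password hash exposed in passwd map ({verdict})")
```

Run against a real map with `ypcat passwd | python3 audit.py` after replacing the sample with `sys.stdin.read()`; an empty result means every account still hides its hash behind a placeholder, which is the state Rob's "we don't recommend this" is asking you to preserve. Locked-account markers are treated as placeholders because they carry no recoverable secret, while a 13-character DES string is reported even without a `{CRYPT}` prefix, since that is exactly what a legacy migration tends to leave behind.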
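The replication thread in this digest (Brent's GSSAPI "Cannot determine realm for numeric host address" error, which Rob traced to missing reverse DNS and Simo to SASL canonicalisation forcing a PTR lookup) comes down to a precondition that is cheap to verify before touching replication agreements. The following is an added example, not part of any message above and not FreeIPA code: it checks every master and replica name for a forward record, a PTR on each address, and a PTR that points back at the same FQDN. The resolver functions are injectable so the check runs against the constructed data below without network access; `system_forward` and `system_reverse` are this example's own helper names wrapping the standard `socket` module for real lookups, and the hostnames and 192.0.2.x addresses are constructed.

```python
"""Check that each IPA master/replica hostname has consistent forward (A/AAAA)
and reverse (PTR) DNS, the precondition behind the "Cannot determine realm
for numeric host address" GSSAPI error.  Added example, not FreeIPA code;
the CONSTRUCTED_* resolver tables are made up for illustration."""

import socket
from typing import Callable, Dict, Iterable, List, Optional

Forward = Callable[[str], List[str]]       # hostname -> list of addresses
Reverse = Callable[[str], Optional[str]]   # address -> PTR name or None


def system_forward(host: str) -> List[str]:
    """Forward lookup through the system resolver (assumed helper name)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host_dns(host: str, forward: Forward = system_forward,
                   reverse: Reverse = system_reverse) -> List[str]:
    """Return a list of problems; an empty list means forward and reverse agree.

    Checks: the name is fully qualified (Kerberos derives the realm from it),
    it resolves to at least one address, every address has a PTR, and every
    PTR points back at the same FQDN (case-insensitive, trailing dot ignored).
    """
    problems: List[str] = []
    fqdn = host.rstrip(".").lower()
    if "." not in fqdn:
        problems.append(f"{host}: not a fully qualified name")
    try:
        addrs = forward(fqdn)
    except (socket.gaierror, OSError):
        addrs = []
    if not addrs:
        problems.append(f"{host}: no forward (A/AAAA) record")
        return problems
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"{host} -> {ip}: no PTR record")
        elif ptr.rstrip(".").lower() != fqdn:
            problems.append(f"{host} -> {ip} -> {ptr}: PTR does not match forward name")
    return problems


def check_topology(hosts: Iterable[str], forward: Forward = system_forward,
                   reverse: Reverse = system_reverse) -> Dict[str, List[str]]:
    """Run check_host_dns for every master and replica in a topology."""
    return {h: check_host_dns(h, forward, reverse) for h in hosts}


# Constructed resolver data mirroring the thread: the master is fine, the
# replica lost its PTR record, and a third host has a PTR left pointing at an
# old name, a common leftover after re-addressing.
CONSTRUCTED_FORWARD = {
    "master.example.com": ["192.0.2.10"],
    "replica.example.com": ["192.0.2.11"],
    "replica2.example.com": ["192.0.2.12"],
}
CONSTRUCTED_REVERSE = {
    "192.0.2.10": "master.example.com",
    "192.0.2.12": "oldname.example.com",
}


def fake_forward(host: str) -> List[str]:
    return CONSTRUCTED_FORWARD.get(host, [])


def fake_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_REVERSE.get(ip)


if __name__ == "__main__":
    report = check_topology(CONSTRUCTED_FORWARD, fake_forward, fake_reverse)
    for name, probs in report.items():
        print(name, "OK" if not probs else "; ".join(probs))
```

Calling `check_topology(["master.example.com", "replica.example.com"])` with the default resolvers runs the same checks against live DNS. The check only covers the DNS precondition Rob pointed at; whether the LDAP client library canonicalises the SASL hostname at all (Simo's LDAP_OPT_X_SASL_NOCANON question) is a separate setting that this script does not inspect.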
From rcritten at redhat.com Fri Apr 5 15:18:05 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 05 Apr 2013 11:18:05 -0400
Subject: [Freeipa-users] EXTERNAL: Re: Active Directory --> IPA Password Sync
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6E1E@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6DF5@HCXMSP1.ca.lmco.com> <515EE61A.6000406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6E1E@HCXMSP1.ca.lmco.com>
Message-ID: <515EEB2D.2050502@redhat.com>

Joseph, Matthew (EXP) wrote:
> Thank you very much for that. Works like a charm.
>
> How does this work though? You set up the winsync agreement between your
> IPA Server and AD server using the hostname.
>
> How does IPA know that it can trust a second DC?

Via the passsync user that you config on the Windows side. It authenticates as this user and 389-ds accepts the password change.

rob

>
> Matt
>
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: Friday, April 05, 2013 11:56 AM
> To: freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Active Directory --> IPA
> Password Sync
>
> On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I imagine this is a common issue/question when trying to implement the
> password sync between AD and IPA.
>
> We have two Windows 2003 domain controllers (for redundancy) so when a
> user issues a password change on the Windows side there is no primary
> domain controller that it will always use for password changes.
>
> So right now IPA is only getting 50% of the Password changes that are
> done through Windows due to password changes going through both domain
> controllers.
>
> Looking through the documentation IPA will only allow a password sync
> agreement between 1 AD and 1 IPA server.
>
> Is there a solution for this issue? How are people getting around this?
>
> One winsync agreement but passsync should be installed on both DCs.
>
> Thanks,
>
> Matt
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

From rmeggins at redhat.com Fri Apr 5 15:51:30 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Apr 2013 09:51:30 -0600
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <1365172897.2660.1358.camel@willson.li.ssimo.org>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org>
Message-ID: <515EF302.3020701@redhat.com>

On 04/05/2013 08:41 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>> You were correct, my reverse DNS entries for the master and replica
>> were missing. Odd, since they both existed at one point.
>
> Rob,
> I think we should open a ticket against 389ds, we should never depend on
> PTR records.
>
> In this case I believe the ldap libraries are at fault since they now
> force SASL canonicalization on, which is known to be broken for gssapi as
> it causes reverse resolution.
>
> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?

Yes.

ldap/servers/slapd/ldaputil.c: ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

Should this be off by default? Should this be configurable?

>
> Simo.
>> Running the same commands again results in the following
>> On the Replica system
>>
>> ipa-replica-manage list replica.example.com -v
>>
>> master.example.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2013-04-05 14:18:11+00:00
>>
>> ipa-replica-manage list master.example.com -v
>>
>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
>> ===========
>> On the master system
>>
>> ipa-replica-manage list replica.example.com -v
>> master.example.com: replica
>> last init status: None
>> last init ended: None
>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>> last update ended: 2013-04-05 14:19:39+00:00
>>
>> ipa-replica-manage list master.example.tni01.com -v
>> replica.example.com: replica
>> last init status: 0 Total update succeeded
>> last init ended: 2013-04-04 20:06:44+00:00
>> last update status: 49 - LDAP error: Invalid credentials
>> last update ended: 2013-04-04 20:06:55+00:00
>>
>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden wrote:
>> Brent Clark wrote:
>> Ok, I have done as Steven Jones requested... here is the output from the replica
>>
>> I am able to kinit to admin using the password.
>>
>> issuing the ipa-replica-manage command on the replica for the replica
>>
>> replcia.mydomain.com : replica
>>
>> last init status: None
>> last init ended: None
>> last update status: -2 - System error
>> last update ended: None
>>
>> Same command but for the master
>> Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc':'Local error'}
>>
>> I can ping, telnet on all the IPA ports and ssh to the main server from the replica.
>>
>> So... I'm confused.
>>
>> Also on a whim, I was able to add a server to the replica and that host info did make it to the master.
>>
>> Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.
>>
>> rob
>>
>> --
>> Brent S. Clark
>> NOC Engineer
>>
>> 2580 55th St. | Boulder, Colorado 80301
>> www.tendrilinc.com | blog
>> Tendril
>>
From matthew.joseph at lmco.com Fri Apr 5 16:51:54 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 12:51:54 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <515EDA92.3070601@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com> <515DC0D3.3080003@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com> <515ED35D.6020807@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6D46@HCXMSP1.ca.lmco.com> <515EDA92.3070601@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6EBB@HCXMSP1.ca.lmco.com>

Hey Rob,

I was able to get NIS passwords working. I had a space at the end of dn: cn=config (stupid me).

Thanks for the help!

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, April 05, 2013 11:07 AM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.
> These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.
>
> What do you think the best course of action would be for my situation?

You have two choices. You can try the instructions at http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for authentication. We haven't tested this for many moons but it should still work.
Or you can proceed and try to use crypt passwords which will be sent in the passwd entry. The LDIF you provided should have worked fine, I'm not sure why it didn't, particularly the error it returned. If you do it on the IPA server you should just need:

ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode (ipa config-mod --enable-migration=true) and set the password when the user is added.

ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'

ypcat passwd should confirm that the password is visible.

We don't recommend this.

rob

>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, April 05, 2013 10:36 AM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>
> Joseph, Matthew (EXP) wrote:
>> On my old NIS server we used shadow passwords.
>> When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.
>>
>> Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
>> Is there a better way to get around this?
>
> This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.
>
> It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.
>
> What kind of client are you configuring, and do you need it to be pure NIS?
> > rob > >> >> Matt >> >> -----Original Message----- >> From: freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew >> (EXP) >> Sent: Friday, April 05, 2013 6:40 AM >> To: Rob Crittenden; freeipa-users at redhat.com >> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues >> >> Hey Rob, >> >> The passwd section of nsswitch.conf is the following; >> >> Passwd: files nis >> >> Matt >> >> -----Original Message----- >> From: Rob Crittenden [mailto:rcritten at redhat.com] >> Sent: Thursday, April 04, 2013 3:05 PM >> To: Joseph, Matthew (EXP); freeipa-users at redhat.com >> Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues >> >> Joseph, Matthew (EXP) wrote: >>> Hello, >>> >>> I've having issues with trying to login to our NIS clients that are >>> looking at IPA as a "NIS" Server. >>> >>> The NIS Client can view all of the usernames when I do a ypcat passwd >>> but when I try to login a with a user account it will not accept the >>> password. I've even tried setting it as simple as Password123 and >>> still nothing. >>> >>> I don't see anything NIS related in the error logs on the IPA server. >>> >>> Can someone point me in the right direction for this? >> >> What does your nsswitch.conf look like? >> >> Note that IPA does not provide the shadow map (because it sends hashes in the clear). >> >> rob >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > From bclark at tendrilinc.com Fri Apr 5 16:53:07 2013 From: bclark at tendrilinc.com (Brent Clark) Date: Fri, 5 Apr 2013 10:53:07 -0600 Subject: [Freeipa-users] Replication Issue In-Reply-To: <515EF302.3020701@redhat.com> References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> Message-ID: Thanks for all the help! 
After fixing the DNS issues, I then solved the LDAP error by rebooting the master and replica. Something I hadn't done since installing IPA on both of them and setting them up.

On Fri, Apr 5, 2013 at 9:51 AM, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>
>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>
>>> You were correct, my reverse DNS entries for the master and replica
>>> were missing. Odd, since they both existed at one point.
>>>
>>
>> Rob,
>> I think we should open a ticket against 389ds, we should never depend on
>> PTR records.
>>
>> In this case I believe the ldap libraries are at fault since they now
>> force SASL canonicalization on which is known to be broken for gssapi as
>> it causes reverse resolution.
>>
>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>
> Yes.
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>
> Should this be off by default? Should this be configurable?
>
>
>
>> Simo.
>>
>>> Running the same commands again results in the following
>>> On the Replica system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>>
>>> master.example.com: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>>> last update ended: 2013-04-05 14:18:11+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.com -v
>>>
>>> Failed to get data from 'dpu-inf-ldap01.tni01.com': {'info': 'SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc': 'Local error'}
>>> ===========
>>> On the master system
>>>
>>>
>>> ipa-replica-manage list replica.example.com -v
>>> master.example.com: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: 0 Replica acquired successfully: Incremental update succeeded
>>> last update ended: 2013-04-05 14:19:39+00:00
>>>
>>>
>>> ipa-replica-manage list master.example.tni01.com -v
>>> replica.example.com: replica
>>> last init status: 0 Total update succeeded
>>> last init ended: 2013-04-04 20:06:44+00:00
>>> last update status: 49 - LDAP error: Invalid credentials
>>> last update ended: 2013-04-04 20:06:55+00:00
>>>
>>>
>>>
>>>
>>> On Thu, Apr 4, 2013 at 2:51 PM, Rob Crittenden wrote:
>>> Brent Clark wrote:
>>> Ok, I have done as Steven Jones requested... here is the output from the replica
>>> I am able to kinit to admin using the password.
>>> issuing the ipa-replica-manage command on the replica for the replica
>>> replcia.mydomain.com: replica
>>> last init status: None
>>> last init ended: None
>>> last update status: -2 - System error
>>> last update ended: None
>>> Same command but for the master
>>> Failed to get data from 'master.example.com': {'info': SASL (-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address)', 'desc':'Local error'}
>>> I can ping, telnet on all the IPA ports and ssh to the main server from the replica.
>>> So... I'm confused.
>>> Also on a whim, I was able to add a server to the replica and that host info did make it to the master.
>>> Sounds like a DNS issue. Make sure forward and reverse DNS works for master.example.com.
>>> rob
>>>
>>> --
>>> Brent S. Clark
>>> NOC Engineer
>>>
>>> 2580 55th St. | Boulder, Colorado 80301
>>> www.tendrilinc.com | blog
>>> Tendril
>>>
>>> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
>>
>>
>

--
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog

From matthew.joseph at lmco.com Fri Apr 5 16:30:12 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 5 Apr 2013 12:30:12 -0400
Subject: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
In-Reply-To: <515EDA92.3070601@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E49AC5@HCXMSP1.ca.lmco.com> <515DC0D3.3080003@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C46@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6C6E@HCXMSP1.ca.lmco.com> <515ED35D.6020807@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6D46@HCXMSP1.ca.lmco.com> <515EDA92.3070601@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB6EA1@HCXMSP1.ca.lmco.com>

Hey Rob,

I modified the command but now I am getting the following;

Ldapmodify: wrong attributeType at line 4, entry "cn=config"

Looking at the command I don't see any entry in my dse.ldif for "passwordStorageScheme". I'm assuming it should be a changetype: add instead of modify. But it's not complaining about that. It can't seem to find the dn: cn=config which is weird since I see it in the file.
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Friday, April 05, 2013 11:07 AM
To: Joseph, Matthew (EXP); freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.
> These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.
>
> What do you think the best course of action would be for my situation?

You have two choices. You can try the instructions at http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for authentication. We haven't tested this for many moons but it should still work.

Or you can proceed and try to use crypt passwords which will be sent in the passwd entry. The LDIF you provided should have worked fine, I'm not sure why it didn't, particularly the error it returned. If you do it on the IPA server you should just need:

ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode (ipa config-mod --enable-migration=true) and set the password when the user is added.

ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'

ypcat passwd should confirm that the password is visible.

We don't recommend this.

rob

>
> Matt
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, April 05, 2013 10:36 AM
> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>
> Joseph, Matthew (EXP) wrote:
>> My old NIS server we used shadow passwords.
>> When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the "x" to point it towards a shadow file.
>>
>> Would I need to remove the "x" from the nis passwd file and re-migrate it to IPA?
>> Is there a better way to get around this?
>
> This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.
>
> It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.
>
> What kind of client are you configuring, and do you need it to be pure NIS?
>
> rob
>
>>
>> Matt
>>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP)
>> Sent: Friday, April 05, 2013 6:40 AM
>> To: Rob Crittenden; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
>>
>> Hey Rob,
>>
>> The passwd section of nsswitch.conf is the following;
>>
>> Passwd: files nis
>>
>> Matt
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Thursday, April 04, 2013 3:05 PM
>> To: Joseph, Matthew (EXP); freeipa-users at redhat.com
>> Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues
>>
>> Joseph, Matthew (EXP) wrote:
>>> Hello,
>>>
>>> I'm having issues with trying to login to our NIS clients that are looking at IPA as a "NIS" Server.
>>>
>>> The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing.
>>>
>>> I don't see anything NIS related in the error logs on the IPA server.
>>>
>>> Can someone point me in the right direction for this?
>>
>> What does your nsswitch.conf look like?
>>
>> Note that IPA does not provide the shadow map (because it sends hashes in the clear).
>>
>> rob
>>
>

From simo at redhat.com Fri Apr 5 17:49:13 2013
From: simo at redhat.com (Simo Sorce)
Date: Fri, 05 Apr 2013 13:49:13 -0400
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515EF302.3020701@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com>
Message-ID: <1365184153.2660.1360.camel@willson.li.ssimo.org>

On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> >
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> >
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on which is known to be broken for gssapi as
> > it causes reverse resolution.
> >
> > Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
> Yes.
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>
> Should this be off by default? Should this be configurable?

On by default (meaning no canonicalization is performed) is the correct behavior.

I do not think we need it to be configurable for now.

But it puzzles me then as to why Brent sees a failure w/o ptr records.

Does DS do reverse resolution of replication peers somewhere ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From rmeggins at redhat.com Fri Apr 5 17:50:18 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Apr 2013 11:50:18 -0600
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <1365184153.2660.1360.camel@willson.li.ssimo.org>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365184153.2660.1360.camel@willson.li.ssimo.org>
Message-ID: <515F0EDA.3040407@redhat.com>

On 04/05/2013 11:49 AM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>> You were correct, my reverse DNS entries for the master and replica
>>>> were missing. Odd, since they both existed at one point.
>>> Rob,
>>> I think we should open a ticket against 389ds, we should never depend on
>>> PTR records.
>>>
>>> In this case I believe the ldap libraries are at fault since they now
>>> force SASL canonicalization on which is known to be broken for gssapi as
>>> it causes reverse resolution.
>>>
>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>> Yes.
>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>
>> Should this be off by default? Should this be configurable?
> On by default (meaning no canonicalization is performed) is the correct
> behavior.
>
> I do not think we need it to be configurable for now.
>
> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>
> Does DS do reverse resolution of replication peers somewhere ?

Not explicitly, no, but probably somewhere inside openldap.

>
> Simo.
>
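To make concrete what Simo, Rich and Alexander are discussing, here is an added example (not code from 389-ds, libldap or FreeIPA): a Python model of the name libldap hands to sasl_client_new() with and without LDAP_OPT_X_SASL_NOCANON, run against constructed zone data in which one replication peer lacks a PTR record, as Brent's did. All function names and DNS data are hypothetical; only the behaviour being modelled comes from the thread.

```python
"""Model of how libldap picks the GSSAPI target for a SASL bind, with and
without LDAP_OPT_X_SASL_NOCANON.

Added example for the "Replication Issue" thread; not code from 389-ds,
libldap or FreeIPA.  The zone data is constructed and every function name is
hypothetical.  Behaviour modelled (per the thread): unless NOCANON is on,
libldap resolves the configured host to an address and back to a name via
PTR before passing the name to sasl_client_new(); with NOCANON on, the
configured name is used unchanged.  389-ds does the latter with
ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON); a plain libldap
client gets the same effect from "SASL_NOCANON on" in ldap.conf(5).
"""
import ipaddress

REALM = "EXAMPLE.COM"

# Constructed forward (A) and reverse (PTR) data for a master/replica pair.
# The replica's address has no PTR record, the state Brent's servers were in.
FORWARD = {
    "master.example.com": "192.0.2.10",
    "replica.example.com": "192.0.2.11",
}
REVERSE = {
    "192.0.2.10": "master.example.com",
}


def canonicalize(host, forward, reverse):
    """Forward-then-reverse lookup, the step libldap performs when
    canonicalization is allowed.  Yields the PTR name, or the bare address
    when no PTR exists (that bare address is what later breaks Kerberos)."""
    addr = forward[host]
    return reverse.get(addr, addr)


def gssapi_target(host, nocanon, forward=FORWARD, reverse=REVERSE):
    """Service principal the GSSAPI client will ask the KDC for.

    Returns 'ldap/<name>@REALM', or raises ValueError with the message the
    Kerberos library gives when the 'name' is a literal IP address."""
    name = host if nocanon else canonicalize(host, forward, reverse)
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return f"ldap/{name}@{REALM}"          # a real host name: fine
    raise ValueError(
        "GSSAPI Error: An invalid name was supplied "
        f"(Cannot determine realm for numeric host address {name})")


def check_peers(hosts, nocanon, forward=FORWARD, reverse=REVERSE):
    """Pre-flight view of a topology: for each peer, the principal that would
    be requested, or the error that would surface as 'Local error' in
    'ipa-replica-manage list -v'."""
    result = {}
    for host in hosts:
        try:
            result[host] = gssapi_target(host, nocanon, forward, reverse)
        except ValueError as exc:
            result[host] = f"error: {exc}"
    return result


def peers_without_ptr(hosts, forward=FORWARD, reverse=REVERSE):
    """Peers whose address has no reverse record.  Adding these is the fix
    Brent applied; by hand the same check is 'dig -x <address>' per peer."""
    return [h for h in hosts if forward[h] not in reverse]


if __name__ == "__main__":
    peers = list(FORWARD)
    print("canonicalization on :", check_peers(peers, nocanon=False))
    print("canonicalization off:", check_peers(peers, nocanon=True))
    print("peers missing a PTR :", peers_without_ptr(peers))
    # Simo's point about mutual authentication: with canonicalization on,
    # whoever answers the reverse lookup chooses which service principal the
    # client ends up authenticating to.  With NOCANON the configured name
    # decides, and the PTR data is irrelevant.
    altered = {"192.0.2.10": "other.example.com"}   # constructed PTR change
    print("PTR changed, canon on :",
          gssapi_target("master.example.com", False, FORWARD, altered))
    print("PTR changed, canon off:",
          gssapi_target("master.example.com", True, FORWARD, altered))
```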
From dpal at redhat.com Fri Apr 5 18:40:38 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 05 Apr 2013 14:40:38 -0400
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515F0EDA.3040407@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365184153.2660.1360.camel@willson.li.ssimo.org> <515F0EDA.3040407@redhat.com>
Message-ID: <515F1AA6.2030308@redhat.com>

On 04/05/2013 01:50 PM, Rich Megginson wrote:
> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>> were missing. Odd, since they both existed at one point.
>>>> Rob,
>>>> I think we should open a ticket against 389ds, we should never
>>>> depend on
>>>> PTR records.
>>>>
>>>> In this case I believe the ldap libraries are at fault since they now
>>>> force SASL canonicalization on which is known to be broken for
>>>> gssapi as
>>>> it causes reverse resolution.
>>>>
>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>> Yes.
>>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>
>>> Should this be off by default? Should this be configurable?
>> On by default (meaning no canonicalization is performed) is the correct
>> behavior.
>>
>> I do not think we need it to be configurable for now.
>>
>> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>>
>> Does DS do reverse resolution of replication peers somewhere ?
> Not explicitly, no, but probably somewhere inside openldap.

Can it be that SASL layer does it?

>
>>
>> Simo.
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rmeggins at redhat.com Fri Apr 5 19:14:56 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Apr 2013 13:14:56 -0600
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515F1AA6.2030308@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365184153.2660.1360.camel@willson.li.ssimo.org> <515F0EDA.3040407@redhat.com> <515F1AA6.2030308@redhat.com>
Message-ID: <515F22B0.6030407@redhat.com>

On 04/05/2013 12:40 PM, Dmitri Pal wrote:
> On 04/05/2013 01:50 PM, Rich Megginson wrote:
>> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>>> were missing. Odd, since they both existed at one point.
>>>>> Rob,
>>>>> I think we should open a ticket against 389ds, we should never
>>>>> depend on
>>>>> PTR records.
>>>>>
>>>>> In this case I believe the ldap libraries are at fault since they now
>>>>> force SASL canonicalization on which is known to be broken for
>>>>> gssapi as
>>>>> it causes reverse resolution.
>>>>>
>>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>>> Yes.
>>>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>>
>>>> Should this be off by default? Should this be configurable?
>>> On by default (meaning no canonicalization is performed) is the correct
>>> behavior.
>>>
>>> I do not think we need it to be configurable for now.
>>>
>>> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>>>
>>> Does DS do reverse resolution of replication peers somewhere ?
>> Not explicitly, no, but probably somewhere inside openldap.
> Can it be that SASL layer does it?

Yes, since openldap has to call into sasl.

>
>>> Simo.
>>>
>

From abokovoy at redhat.com Fri Apr 5 19:16:09 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 5 Apr 2013 22:16:09 +0300
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515F1AA6.2030308@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365184153.2660.1360.camel@willson.li.ssimo.org> <515F0EDA.3040407@redhat.com> <515F1AA6.2030308@redhat.com>
Message-ID: <20130405191609.GB6823@redhat.com>

On Fri, 05 Apr 2013, Dmitri Pal wrote:
>On 04/05/2013 01:50 PM, Rich Megginson wrote:
>> On 04/05/2013 11:49 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>>>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>>>> You were correct, my reverse DNS entries for the master and replica
>>>>>> were missing. Odd, since they both existed at one point.
>>>>> Rob,
>>>>> I think we should open a ticket against 389ds, we should never
>>>>> depend on
>>>>> PTR records.
>>>>>
>>>>> In this case I believe the ldap libraries are at fault since they now
>>>>> force SASL canonicalization on which is known to be broken for
>>>>> gssapi as
>>>>> it causes reverse resolution.
>>>>>
>>>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>>> Yes.
>>>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>>>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>>
>>>> Should this be off by default? Should this be configurable?
>>> On by default (meaning no canonicalization is performed) is the correct
>>> behavior.
>>>
>>> I do not think we need it to be configurable for now.
>>>
>>> But it puzzles me then as to why Brent sees a failure w/o ptr records.
>>>
>>> Does DS do reverse resolution of replication peers somewhere ?
>> Not explicitly, no, but probably somewhere inside openldap.
>
>Can it be that SASL layer does it?

By default libldap does canonicalization of hostnames. Disabling canonicalization is a boolean option which has to be set and by default libldap initializes all boolean options to false except referrals handling.

If LDAP_OPT_X_SASL_NOCANON is not set explicitly, it is never set by libldap itself.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri Apr 5 19:24:31 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 5 Apr 2013 22:24:31 +0300
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515F22B0.6030407@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365184153.2660.1360.camel@willson.li.ssimo.org> <515F0EDA.3040407@redhat.com> <515F1AA6.2030308@redhat.com> <515F22B0.6030407@redhat.com>
Message-ID: <20130405192431.GC6823@redhat.com>

On Fri, 05 Apr 2013, Rich Megginson wrote:
>>>>>>Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>>>>>Yes.
>>>>>ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>>>>>LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
>>>>>
>>>>>Should this be off by default? Should this be configurable?
>>>>On by default (meaning no canonicalization is performed) is the correct
>>>>behavior.
>>>>
>>>>I do not think we need it to be configurable for now.
>>>>
>>>>But it puzzles me then as to why Brent sees a failure w/o ptr records.
>>>>
>>>>Does DS do reverse resolution of replication peers somewhere ?
>>>Not explicitly, no, but probably somewhere inside openldap.
>>Can it be that SASL layer does it?
>
>Yes, since openldap has to call into sasl.

libldap performs canonicalization before calling into SASL. SASL itself does nothing related to canonicalization, it is libldap simply pushing a different host name string to sasl_client_new() if canonicalization was not inhibited.

--
/ Alexander Bokovoy

From simo at redhat.com Sat Apr 6 02:53:23 2013
From: simo at redhat.com (Simo Sorce)
Date: Fri, 05 Apr 2013 22:53:23 -0400
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <515EF302.3020701@redhat.com>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com>
Message-ID: <1365216803.20560.4.camel@willson.li.ssimo.org>

On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
> On 04/05/2013 08:41 AM, Simo Sorce wrote:
> > On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
> >> You were correct, my reverse DNS entries for the master and replica
> >> were missing. Odd, since they both existed at one point.
> >
> > Rob,
> > I think we should open a ticket against 389ds, we should never depend on
> > PTR records.
> >
> > In this case I believe the ldap libraries are at fault since they now
> > force SASL canonicalization on which is known to be broken for gssapi as
> > it causes reverse resolution.
> >
> > Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
> Yes.
> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);

I looked at the code, and this is called only if the env variable HACK_SASL_NOCANON is set.
I think this should be the default instead.

> Should this be off by default? Should this be configurable?
Maybe make it configurable, I do not have a strong love for 1M knobs, but it should be on by default, relying on reverse resolution defeats mutual authentication through very simple DNS attacks.

See this blog post for details:
http://ssimo.org/blog/id_015.html

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From sigbjorn at nixtra.com Sat Apr 6 17:38:14 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 06 Apr 2013 19:38:14 +0200
Subject: [Freeipa-users] Auto discover of the IPA server failing with LDAP anonymous binds off
Message-ID: <51605D86.60808@nixtra.com>

Hi,

I am trying to install the IPA client on a CentOS 6.4 host, however the auto discovery of the IPA server is failing, from what seems to be caused by my IPA servers having anonymous binds switched off. Is this expected behaviour?

# rpm -qa|grep ^ipa|sort
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64

# ipa-client-install -U --domain=unix.nuexample.com --password='somepassword' --enable-dns-updates -d
/usr/sbin/ipa-client-install was invoked with options: {'domain': 'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=unix.nuexample.com, servers=None, hostname=clienthost.unix.nuexample.com
Search for LDAP SRV record in unix.nuexample.com
Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.unix.nuexample.com.
DNS record found: DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
[LDAP server check]
Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an IPA server
Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=unix,dc=nuexample,dc=com (sub)
LDAP Error: Anonymous access not allowed
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com, kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com, basedn=dc=unix,dc=nuexample,dc=com
Validated servers: ipa01.unix.nuexample.com
will use discovered domain: unix.nuexample.com
IPA Server not found
Unable to find IPA Server to join
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Regards,
Siggi

From sigbjorn at nixtra.com Sat Apr 6 17:45:47 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 06 Apr 2013 19:45:47 +0200
Subject: [Freeipa-users] ipa-client-automount - Unknown line format /etc/nsswitch.conf
Message-ID: <51605F4B.4070901@nixtra.com>

Hi,

I am having some issues with the new ipa-client-automount utility. It complains that my nsswitch.conf is in an unknown format. Not sure what format that is?

ipa-client-automount --location=svg1 -U
Searching for IPA server...
IPA server: DNS discovery
Location: svg1
Installation failed. Rolling back changes.
Restoring configuration

ipa-client-automount --location=svg1 -U --debug
--------------------snip--------------------------
stderr=
args=keyctl pupdate 151012975
stdout=
stderr=
Backing up system configuration file '/etc/nsswitch.conf'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Raised exception Syntax Error: Unknown line format
Installation failed. Rolling back changes.
Restoring configuration Restoring system configuration file '/etc/nsswitch.conf' args=/usr/sbin/selinuxenabled stdout= stderr= Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' My nsswitch.conf file: passwd: files sss group: files sss shadow: files sss hosts: files dns ipnodes: files dns networks: files protocols: db files services: files sss rpc: db files ethers: files ldap netmasks: files bootparams files aliases: files ldap printers: files netgroup: files sss automount: files sudoers: files ldap Regards, Siggi From dpal at redhat.com Sat Apr 6 18:49:11 2013 From: dpal at redhat.com (Dmitri Pal) Date: Sat, 06 Apr 2013 14:49:11 -0400 Subject: [Freeipa-users] ipa-client-automount - Unknown line format /etc/nsswitch.conf In-Reply-To: <51605F4B.4070901@nixtra.com> References: <51605F4B.4070901@nixtra.com> Message-ID: <51606E27.1050806@redhat.com> On 04/06/2013 01:45 PM, Sigbjorn Lie wrote: > Hi, > > I am having some issues with the new ipa-client-automount utility. It > complains that my nsswitch.conf is in an unknown format. Not sure what > format that is? > > ipa-client-automount --location=svg1 -U > Searching for IPA server... > IPA server: DNS discovery > Location: svg1 > Installation failed. Rolling back changes. > Restoring configuration > > > ipa-client-automount --location=svg1 -U --debug > --------------------snip-------------------------- > stderr= > args=keyctl pupdate 151012975 > stdout= > stderr= > Backing up system configuration file '/etc/nsswitch.conf' > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' > Raised exception Syntax Error: Unknown line format > Installation failed. Rolling back changes. 
> Restoring configuration > Restoring system configuration file '/etc/nsswitch.conf' > args=/usr/sbin/selinuxenabled > stdout= > stderr= > Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' > > > > My nsswitch.conf file: > passwd: files sss > group: files sss > shadow: files sss > > hosts: files dns > ipnodes: files dns > networks: files > > protocols: db files > services: files sss > rpc: db files > ethers: files ldap > netmasks: files > bootparams files I do not know whether it is the reason but this line misses a column after "bootparams". > aliases: files ldap > printers: files > > netgroup: files sss > automount: files > > sudoers: files ldap > > > > Regards, > Siggi > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From simon.williams at thehelpfulcat.com Sun Apr 7 09:44:24 2013 From: simon.williams at thehelpfulcat.com (Simon Williams) Date: Sun, 7 Apr 2013 10:44:24 +0100 Subject: [Freeipa-users] Where has my LDAP server gone! In-Reply-To: References: Message-ID: Hi I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago and it upgraded FreeIPA to version 3. I use a couple of web applications that cannot use Kerberos, but can use LDAP to authenticate. These stopped working. When I investigated the issue, I discovered that the LDAP server wasn't there any more. Google searches have proved fruitless and I can't find any documentation for v3. Can anyone tell me how to get my LDAP server back? Regards Simon -------------- next part -------------- An HTML attachment was scrubbed... 
From sigbjorn at nixtra.com  Sun Apr  7 10:29:10 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sun, 07 Apr 2013 12:29:10 +0200
Subject: [Freeipa-users] ipa-client-automount - Unknown line format /etc/nsswitch.conf
In-Reply-To: <51606E27.1050806@redhat.com>
References: <51605F4B.4070901@nixtra.com> <51606E27.1050806@redhat.com>
Message-ID: <51614A76.1050200@nixtra.com>

On 04/06/2013 08:49 PM, Dmitri Pal wrote:
> On 04/06/2013 01:45 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> I am having some issues with the new ipa-client-automount utility. It
>> complains that my nsswitch.conf is in an unknown format. Not sure what
>> format that is?
>>
>> [...]
>> netmasks: files
>> bootparams files
> I do not know whether it is the reason but this line misses a column
> after "bootparams".
>

You are absolutely correct! It was a typo in there. :)

It's working just fine now. Thanks.
Regards,
Siggi

From dpal at redhat.com  Sun Apr  7 19:20:57 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Sun, 07 Apr 2013 15:20:57 -0400
Subject: [Freeipa-users] Where has my LDAP server gone!
Message-ID: <5161C719.6060801@redhat.com>

On 04/07/2013 05:44 AM, Simon Williams wrote:
>
> Hi
>
> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
> days ago and it upgraded FreeIPA to version 3. I use a couple of web
> applications that cannot use Kerberos, but can use LDAP to
> authenticate. These stopped working. When I investigated the issue, I
> discovered that the LDAP server wasn't there any more. Google searches
> have proved fruitless and I can't find any documentation for v3. Can
> anyone tell me how to get my LDAP server back?
>
> Regards
>
> Simon
>

Hello Simon,

Can you please clarify: Did you have an earlier version of the apps that used IPA via LDAP or you had a different LDAP instance and FreeIPA now took over the whole machine and you do not have access to those instances? I assume you had 389 DS, right? Or OpenLDAP?

What is the general goal? Do you want to have the apps be able to access IPA data via LDAP or you want to be able to use different LDAP databases on the same machine?

If the apps you mention used to work against IPA and now they do not I would suggest checking the logs from those applications to see what is failing. It might be that they have been using an insecure way to authenticate and the upgraded bits enforce a higher security standard. If this is the case you either need to lower the authentication requirements on the server (not recommended) or provide a more secure way to authenticate from those apps (recommended).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From simon.williams at thehelpfulcat.com  Sun Apr  7 20:15:57 2013
From: simon.williams at thehelpfulcat.com (simon.williams at thehelpfulcat.com)
Date: Sun, 7 Apr 2013 20:15:57 +0000
Subject: [Freeipa-users] Where has my LDAP server gone!
In-Reply-To: <5161C719.6060801@redhat.com>
References: <5161C719.6060801@redhat.com>
Message-ID: <5161daf0.e724b40a.40b3.4e22@mx.google.com>

Sorry, I didn't include much in the way of specifics did I?!

Before yum updated my IPA server from 2.2 to 3, FreeIPA provided (or appeared to provide) an instance of an LDAP server that was accessible locally on port 389. The web application I am concerned with is Atlassian Crowd, which I use to authenticate to Jira, Confluence, Bamboo and Fisheye on the local network and also Google Apps. Crowd is on the same server as FreeIPA so as to allow me to keep port 389 behind the server's firewall. Crowd was configured to treat the LDAP server as a read-only 389 DS server as experimentation showed that that worked, but I did not install or configure any LDAP software myself. The LDAP server had been installed as part of the FreeIPA installation.

Crowd is failing since the update as there is no server listening on port 389. It gets a "connection refused" message. Netstat confirms that there is no server listening on port 389 and also shows that there is nothing listening on port 636.

Prior to the upgrade, FreeIPA had been running with default settings, I had done nothing to reduce security.

Regards

Simon

From: Dmitri Pal
Sent: Sunday, 7 April 2013 20:20
To: freeipa-users at redhat.com

On 04/07/2013 05:44 AM, Simon Williams wrote:
Hi
I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of days ago and it upgraded FreeIPA to version 3.
I use a couple of web applications that cannot use Kerberos, but can use LDAP to authenticate. These stopped working. When I investigated the issue, I discovered that the LDAP server wasn't there any more. Google searches have proved fruitless and I can't find any documentation for v3. Can anyone tell me how to get my LDAP server back?
Regards
Simon

Hello Simon,

Can you please clarify: Did you have an earlier version of the apps that used IPA via LDAP or you had a different LDAP instance and FreeIPA now took over the whole machine and you do not have access to those instances? I assume you had 389 DS, right? Or OpenLDAP?

What is the general goal? Do you want to have the apps be able to access IPA data via LDAP or you want to be able to use different LDAP databases on the same machine?

If the apps you mention used to work against IPA and now they do not I would suggest checking the logs from those applications to see what is failing. It might be that they have been using an insecure way to authenticate and the upgraded bits enforce a higher security standard. If this is the case you either need to lower the authentication requirements on the server (not recommended) or provide a more secure way to authenticate from those apps (recommended).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From rcritten at redhat.com  Sun Apr  7 20:47:28 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 07 Apr 2013 16:47:28 -0400
Subject: [Freeipa-users] Where has my LDAP server gone!
Message-ID: <5161DB60.3010600@redhat.com>

Simon Williams wrote:
> Hi
>
> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
> days ago and it upgraded FreeIPA to version 3. I use a couple of web
> applications that cannot use Kerberos, but can use LDAP to
> authenticate. These stopped working. When I investigated the issue, I
> discovered that the LDAP server wasn't there any more. Google searches
> have proved fruitless and I can't find any documentation for v3. Can
> anyone tell me how to get my LDAP server back?

There is a bug in 389-ds that is affecting some IPA upgrades. It causes the upgrade process to hang and breaking out of it leaves the LDAP server not listening to anything (note that if the upgrade outright fails we do restore things).

What you want to do is this:

1. service dirsrv stop (you MUST do this before editing dse.ldif)
2. edit dse.ldif and set
     nsslapd-port: 389
     nsslapd-security: on
3. service dirsrv start
4. as root, ipa-ldap-updater --ldapi

Updated 389-ds packages are being worked on.

rob

From mkosek at redhat.com  Mon Apr  8 09:10:34 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 08 Apr 2013 11:10:34 +0200
Subject: [Freeipa-users] Auto discover of the IPA server failing with LDAP anonymous binds off
In-Reply-To: <51605D86.60808@nixtra.com>
References: <51605D86.60808@nixtra.com>
Message-ID: <5162898A.1010308@redhat.com>

On 04/06/2013 07:38 PM, Sigbjorn Lie wrote:
> Hi,
>
> I am trying to install the IPA client on a CentOS 6.4 host, however the auto
> discovery of the IPA server is failing, from what seems to be caused by my IPA
> servers having anonymous binds switched off.
>
> Is this expected behaviour?
>
>
> # rpm -qa|grep ^ipa|sort
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
>
>
> # ipa-client-install -U --domain=unix.nuexample.com --password='somepassword' --enable-dns-updates -d
> /usr/sbin/ipa-client-install was invoked with options: {'domain': 'unix.nuexample.com', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'realm_name': None, 'conf_ssh': True, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
> missing options might be asked for interactively later
> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
> [IPA Discovery]
> Starting IPA discovery with domain=unix.nuexample.com, servers=None, hostname=clienthost.unix.nuexample.com
> Search for LDAP SRV record in unix.nuexample.com
> Search DNS for SRV record of _ldap._tcp.unix.nuexample.com.
> DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa01.unix.nuexample.com.}
> DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:ipa02.unix.nuexample.com.}
> DNS record found: DNSResult::name:_ldap._tcp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:389,weight:100,server:ipa03.unix.nuexample.com.}
> [Kerberos realm search]
> Search DNS for TXT record of _kerberos.unix.nuexample.com.
> DNS record found: DNSResult::name:_kerberos.unix.nuexample.com.,type:16,class:1,rdata={data:UNIX.NUEXAMPLE.COM}
> Search DNS for SRV record of _kerberos._udp.unix.nuexample.com.
> DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa02.unix.nuexample.com.}
> DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:5,port:88,weight:100,server:ipa03.unix.nuexample.com.}
> DNS record found: DNSResult::name:_kerberos._udp.unix.nuexample.com.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ipa01.unix.nuexample.com.}
> [LDAP server check]
> Verifying that ipa01.unix.nuexample.com (realm UNIX.NUEXAMPLE.COM) is an IPA server
> Init LDAP connection with: ldap://ipa01.unix.nuexample.com:389
> Search LDAP server for IPA base DN
> Check if naming context 'dc=unix,dc=nuexample,dc=com' is for IPA
> Naming context 'dc=unix,dc=nuexample,dc=com' is a valid IPA context
> Search for (objectClass=krbRealmContainer) in dc=unix,dc=nuexample,dc=com (sub)
> LDAP Error: Anonymous access not allowed
> Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=unix.nuexample.com, kdc=ipa02.unix.nuexample.com,ipa03.unix.nuexample.com,ipa01.unix.nuexample.com, basedn=dc=unix,dc=nuexample,dc=com
> Validated servers: ipa01.unix.nuexample.com
> will use discovered domain: unix.nuexample.com
> IPA Server not found
> Unable to find IPA Server to join
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
>
> Regards,
> Siggi
>

Hello Sigbjorn,

This is caused by an unfortunate regression in RHEL-6.4 client which emerges when cn=config's nsslapd-allow-anonymous-access is set to "rootdse".
This was already fixed upstream (ticket 3519) and there is a bugzilla filed for RHEL-6.5:
https://bugzilla.redhat.com/show_bug.cgi?id=922843

If this is not satisfactory, you can contact your customer service and we will look for alternative solutions for you.

Thanks,
Martin

From jhrozek at redhat.com  Mon Apr  8 10:26:43 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 8 Apr 2013 12:26:43 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130405120058.GA24411@dibs.tanso.net>
References: <20130319220514.GA32027@dibs.tanso.net> <20130320094410.GJ16767@hendrix.redhat.com> <20130320130424.GA9236@dibs.tanso.net> <20130320132907.GO16767@hendrix.redhat.com> <20130321104355.GA24892@dibs.tanso.net> <20130321142938.GR16767@hendrix.redhat.com> <20130321205750.GA984@dibs.tanso.net> <20130322151939.GR16767@hendrix.redhat.com> <20130322174307.GA15697@dibs.tanso.net> <20130405120058.GA24411@dibs.tanso.net>
Message-ID: <20130408102643.GF4444@hendrix.brq.redhat.com>

On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote:
> On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote:
> >
> > >
> > > Does the problem go away if you set:
> > > selinux_provider = none
> > Sorry, no. Also the "No SELinux user maps found!" didn't go away.
>
> At "Apr 5 13:46:22" I was denied access again by pam_access, and then
> seconds later I could log in:
>
> Apr 5 13:46:22 ipa2 sshd[15417]: pam_access(sshd:account): access denied for user `janfrode' from `login2.example.com'
> Apr 5 13:46:29 ipa2 sshd[15423]: pam_unix(sshd:session): session opened for user janfrode by (uid=0)
> Apr 5 13:46:33 ipa2 su: pam_unix(su-l:session): session opened for user root by janfrode(uid=15019)
>
> debug=6 logs attached. Any other suggestions?

I tried a similar case locally and everything worked for me.
In the domain log I saw:

[sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it

when I set selinux_provider=none.

What exact SSSD version is this?

Can you paste the domain section of the sssd.conf?

From janfrode at tanso.net  Mon Apr  8 10:40:53 2013
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 8 Apr 2013 12:40:53 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130408102643.GF4444@hendrix.brq.redhat.com>
References: <20130320094410.GJ16767@hendrix.redhat.com> <20130320130424.GA9236@dibs.tanso.net> <20130320132907.GO16767@hendrix.redhat.com> <20130321104355.GA24892@dibs.tanso.net> <20130321142938.GR16767@hendrix.redhat.com> <20130321205750.GA984@dibs.tanso.net> <20130322151939.GR16767@hendrix.redhat.com> <20130322174307.GA15697@dibs.tanso.net> <20130405120058.GA24411@dibs.tanso.net> <20130408102643.GF4444@hendrix.brq.redhat.com>
Message-ID: <20130408104053.GA8031@dibs.tanso.net>

On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote:
>
> I tried a similar case locally and everything worked for me. In the
> domain log I saw:
>
> [sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it
>
> when I set selinux_provider=none.
>
> What exact SSSD version is this?

sssd-1.8.0-32.el6.x86_64

> Can you paste the domain section of the sssd.conf?

[domain/example.net]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.NET
ipa_domain = example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
#ipa_server = ipa1.example.net
ipa_server = _srv_, ipa1.example.net
#ipa_server = ipa2.example.net, ipa1.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = false
selinux_provider = none
debug_level = 6

I now fixed the schema problem we had in 60ipaconfig.ldif.
We were missing ipaSELinuxUserMapDefault and ipaSELinuxUserMapOrder in the ipaGuiConfig object class. But after fixing this I still see "No SELinux user maps found!" messages:

(Mon Apr 8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr 8 12:23:08 2013) [sssd[be[example.net]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=example,dc=net
(Mon Apr 8 12:23:27 2013) [sssd[be[example.net]]] [ipa_get_selinux_send] (0x0400): Retrieving SELinux user mapping
(Mon Apr 8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_next] (0x0400): Trying to fetch SELinux maps with following parameters: [2][(null)][cn=selinux,dc=example,dc=net]
(Mon Apr 8 12:23:27 2013) [sssd[be[example.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=example,dc=net].
(Mon Apr 8 12:23:27 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!

Should this be the full cn=selinux,dc=example,dc=net ?

-----------------------------------------------------------
dn: cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: selinux

dn: cn=usermap,cn=selinux,dc=example,dc=net
objectClass: top
objectClass: nsContainer
cn: usermap
-----------------------------------------------------------

-jf

From jhrozek at redhat.com  Mon Apr  8 12:31:13 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 8 Apr 2013 14:31:13 +0200
Subject: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
In-Reply-To: <20130408104053.GA8031@dibs.tanso.net>
References: <20130320130424.GA9236@dibs.tanso.net> <20130320132907.GO16767@hendrix.redhat.com> <20130321104355.GA24892@dibs.tanso.net> <20130321142938.GR16767@hendrix.redhat.com> <20130321205750.GA984@dibs.tanso.net> <20130322151939.GR16767@hendrix.redhat.com> <20130322174307.GA15697@dibs.tanso.net> <20130405120058.GA24411@dibs.tanso.net> <20130408102643.GF4444@hendrix.brq.redhat.com> <20130408104053.GA8031@dibs.tanso.net>
Message-ID: <20130408123113.GD11085@hendrix.brq.redhat.com>

On Mon, Apr 08, 2013 at 12:40:53PM +0200, Jan-Frode Myklebust wrote:
> On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote:
> >
> > I tried a similar case locally and everything worked for me. In the
> > domain log I saw:
> >
> > [sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it
> >
> > when I set selinux_provider=none.
> >
> > What exact SSSD version is this?
>
> sssd-1.8.0-32.el6.x86_64
>

Gotcha. For some reason I suspected that you were running 6.4. The selinux handling was completely broken in 6.3, it simply doesn't work. I haven't tried setting selinux_provider = none with the 6.3 packages, but I wouldn't be surprised if that was broken as well.

Please upgrade (at least the SSSD if not the whole system) to 6.4, the issue is fixed there.

From matthew.joseph at lmco.com  Mon Apr  8 14:16:10 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Mon, 8 Apr 2013 10:16:10 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <515DE9BF.8020908@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com>

Hey,

So on the IPA server under the access logs I am getting the following error.
Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Matt

From: Nathan Kinder [mailto:nkinder at redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users at redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);
------------------------
IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
------------------------------

Below is the error I am getting when running ipa-replica-install;

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;

NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

#define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica.
It might help to enable replication level logging on the master, then trying to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

Thanks,

Matt

From nkinder at redhat.com  Mon Apr  8 15:27:51 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 08 Apr 2013 08:27:51 -0700
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com>
Message-ID: <5162E1F7.10406@redhat.com>

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>
> Hey,
>
> So on the IPA server under the access logs I am getting the following
> error.
>
> Error: could not send startTLS request: Error -11 (connect error)
> errno 0 (success)
>
> Any ideas?
>

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-/access.
-NGK
> Here is how it is defined in /usr/include/ldap.h:
>
> #define LDAP_CONNECT_ERROR (-11)
>
> It sounds like this connection error is occurring when it tries to
> initialize the replica. It might help to enable replication level
> logging on the master, then try to run ipa-replica-install again.
> The errors in the 389 DS errors log might point to the problem. To
> enable replication level logging, you can perform the following
> operation with ldapmodify as "cn=Directory Manager":
>
> ------------------------------------------
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
> ------------------------------------------
>
> When you are finished debugging the issue, don't forget to change the
> log level back to "0".
>
> -NGK
>
> Thanks,
>
> Matt
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From matthew.joseph at lmco.com Mon Apr 8 15:29:31 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Mon, 8 Apr 2013 11:29:31 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <5162E1F7.10406@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com>

Hey,

Yup, the client side says the following;

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
Matt From: Nathan Kinder [mailto:nkinder at redhat.com] Sent: Monday, April 08, 2013 12:28 PM To: Joseph, Matthew (EXP) Cc: freeipa-users at redhat.com Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote: Hey, So on the IPA server under the access logs I am getting the following error. Error: could not send startTLS request: Error -11 (connect error) errno 0 (success) Any ideas? Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-/access. -NGK Matt From: Nathan Kinder [mailto:nkinder at redhat.com] Sent: Thursday, April 04, 2013 6:00 PM To: Joseph, Matthew (EXP) Cc: freeipa-users at redhat.com Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote: Hello, I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide); ------------------------ IPA_Server: ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ ipareplica:/var/lib/ipa/ IPA_Replica: ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg ------------------------------ Below is the error I am getting when running ipa-replica-install; Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'IPA_Server.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED 
Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin at domain.ca password: Execute check on remote master Check connection from master to remote replica 'IPA_Replica.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/13]: creating certificate server user [2/13]: creating pki-ca instance [3/13]: configuring certificate server instance [4/13]: disabling nonces [5/13]: creating RA agent certificate database [6/13]: importing CA chain to RA certificate database [7/13]: fixing RA database permissions [8/13]: setting up signing cert profile [9/13]: set up CRL publishing [10/13]: set certificate subject base [11/13]: enabling Subject Key Identifier [12/13]: configuring certificate server to start on boot [13/13]: Configure HTTP to proxy connections done configuring pki-cad. 
Restarting the directory and certificate servers Configuring directory server: Estimated time 1 minute [1/30]: creating directory server user [2/30]: creating directory server instance [3/30]: adding default schema [4/30]: enabling memberof plugin [5/30]: enabling referential integrity plugin [6/30]: enabling winsync plugin [7/30]: configuring replication version plugin [8/30]: enabling IPA enrollment plugin [9/30]: enabling ldapi [10/30]: configuring uniqueness plugin [11/30]: configuring uuid plugin [12/30]: configuring modrdn plugin [13/30]: enabling entryUSN plugin [14/30]: configuring lockout plugin [15/30]: creating indices [16/30]: configuring ssl for ds instance [17/30]: configuring certmap.conf [18/30]: configure autobind for root [19/30]: configure new location for managed entries [20/30]: restarting directory server [21/30]: setting up initial replication Starting replication, please wait until this has completed. [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error] creation of replica failed: Failed to start replication Also in the error log(/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error; NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data. This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it. Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error. There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h: #define LDAP_CONNECT_ERROR (-11) It sounds like this connection error is occurring when it tries to initialize the replica. 
It might help to enable replication level logging on the master, then try to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

Thanks,

Matt

From rmeggins at redhat.com Mon Apr 8 15:52:40 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Apr 2013 09:52:40 -0600
Subject: [Freeipa-users] Replication Issue
In-Reply-To: <1365216803.20560.4.camel@willson.li.ssimo.org>
References: <515DE7E3.4070902@redhat.com> <1365172897.2660.1358.camel@willson.li.ssimo.org> <515EF302.3020701@redhat.com> <1365216803.20560.4.camel@willson.li.ssimo.org>
Message-ID: <5162E7C8.3030408@redhat.com>

On 04/05/2013 08:53 PM, Simo Sorce wrote:
> On Fri, 2013-04-05 at 09:51 -0600, Rich Megginson wrote:
>> On 04/05/2013 08:41 AM, Simo Sorce wrote:
>>> On Fri, 2013-04-05 at 08:30 -0600, Brent Clark wrote:
>>>> You were correct, my reverse DNS entries for the master and replica
>>>> were missing. Odd, since they both existed at one point.
>>> Rob,
>>> I think we should open a ticket against 389ds, we should never depend on
>>> PTR records.
>>>
>>> In this case I believe the ldap libraries are at fault since they now
>>> force SASL canonicalization on which is known to be broken for gssapi as
>>> it causes reverse resolution.
>>>
>>> Rich do you set LDAP_OPT_X_SASL_NOCANON in 389ds code at all ?
>> Yes.
>> ldap/servers/slapd/ldaputil.c: ldap_set_option(ld,
>> LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
> I looked at the code, and this is called only if the env variable
> HACK_SASL_NOCANON is set.
>
> I think this should be the default instead.
>
>> Should this be off by default? Should this be configurable?
> Maybe make it configurable, I do not have a strong love for 1M knobs,
> but it should be on by default, relying on reverse resolution defeats
> mutual authentication through very simple DNS attacks. See this blog
> post for details: http://ssimo.org/blog/id_015.html

https://fedorahosted.org/389/ticket/47317

>
> Simo.
>

From simon.williams at thehelpfulcat.com Mon Apr 8 22:21:35 2013
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Mon, 8 Apr 2013 23:21:35 +0100
Subject: [Freeipa-users] Where has my LDAP server gone!
In-Reply-To: <5161DB60.3010600@redhat.com>
References: <5161DB60.3010600@redhat.com>
Message-ID:

Thank you, that has solved the issue wonderfully! I do remember the update hanging now you mention it, but I didn't put two and two together!

Regards

Simon

On 7 Apr 2013 21:47, "Rob Crittenden" wrote:
> Simon Williams wrote:
>
>> Hi
>>
>> I ran a yum update on my CentOS 6 server that runs FreeIPA a couple of
>> days ago and it upgraded FreeIPA to version 3. I use a couple of web
>> applications that cannot use Kerberos, but can use LDAP to
>> authenticate. These stopped working. When I investigated the issue, I
>> discovered that the LDAP server wasn't there any more. Google searches
>> have proved fruitless and I can't find any documentation for v3. Can
>> anyone tell me how to get my LDAP server back?
>>
>
> There is a bug in 389-ds that is affecting some IPA upgrades. It causes
> the upgrade process to hang and breaking out of it leaves the LDAP server
> not listening to anything (note that if the upgrade outright fails we do
> restore things).
>
> What you want to do is this:
>
> 1. service dirsrv stop (you MUST do this before editing dse.ldif)
> 2. edit dse.ldif and set
>    nsslapd-port: 389
>    nsslapd-security: on
> 3. service dirsrv start
> 4. as root, ipa-ldap-updater --ldapi
>
> Updated 389-ds packages are being worked on.
>
> rob

From mkosek at redhat.com Tue Apr 9 11:28:06 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 09 Apr 2013 13:28:06 +0200
Subject: [Freeipa-users] Heads up: OCSP/CRL certificate validation issue
Message-ID: <5163FB46.3060104@redhat.com>

Hello FreeIPA users!

We would like to give you a heads up about an OCSP/CRL certificate validation issue introduced in the FreeIPA 3.1 release (ticket 3074) we have discovered.

ISSUE:
Certificates issued by FreeIPA server 3.1 and later contain 2 CRL/OCSP URIs served by the Dogtag CA configured by FreeIPA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Apr 8 10:16:15 2013 GMT
            Not After : Apr 9 10:16:15 2015 GMT
        Subject: O=EXAMPLE.COM, CN=testcert.example.com
        ...
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:9F:25:93:2F:20:2A:79:9A:A8:88:CF:CC:EB:D0:F5:43:E7:3B:B1:EE

            Authority Information Access:
                OCSP - URI:https://ipa-ca.example.com/ca/ocsp
                OCSP - URI:https://server1.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

                Full Name:
                  URI:https://server1.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority
    ...
One OCSP/CRL URI points to the original CA issuing the certificate and one points to a general URL (managed by FreeIPA) pointing to any other FreeIPA CA via a CNAME/A DNS record that can serve the OCSP/CRL URI in case the original FreeIPA CA was decommissioned or is unavailable at the moment.

However, we have discovered that there are 2 issues related to this change:

1) Having https in the URIs requires the client (e.g. a web browser) validating the request to validate the machine serving the CRL/OCSP response itself, even though the CRL/OCSP response is already signed by the CA and thus verifiable.

Clients will fail to retrieve the CRL/OCSP in the case of the general address as it is just a CNAME for a FreeIPA server whose certificate does not allow it to serve this address.

2) Even though we have 2 OCSP URIs in the certificate, the Firefox browser will not fail over to the general URI due to a limitation in NSS which only tries the last OCSP URI and then fails when it is not available.

HOW WE WANT TO FIX THE SITUATION:

Issue 1) is being fixed by converting https in OCSP/CRL URIs to plain http as the responses are already signed and verifiable. This will allow FreeIPA CAs to serve the general URI ipa-ca.example.com.

Relevant upstream tickets:
https://fedorahosted.org/freeipa/ticket/3547
https://fedorahosted.org/freeipa/ticket/3552

When the issue is fixed in the FreeIPA server, client certificates containing wrong OCSP/CRL URIs can be fixed by requesting new certificates from the FreeIPA CA. This task can be simplified by asking certmonger to request a new certificate for the given service ("ipa-getcert resubmit" command).

We plan to prepare a script automating this task on clients for your convenience.

Issue 2) is more difficult to fix as it requires an enhancement to Firefox and NSS to support OCSP fail over when a certificate contains multiple OCSP URIs.
There is an open Mozilla Bugzilla with a request for this feature:

https://bugzilla.mozilla.org/show_bug.cgi?id=797815

You are welcome to support our case and add your comments or use cases to this Bugzilla.

If you have concerns or a question about this plan, please just add a comment. We will inform you about our next steps.

Thank you.

--
Martin Kosek
Senior Software Engineer - Identity Management Team
Red Hat Inc.

From luke at kearney.jp Tue Apr 9 12:47:30 2013
From: luke at kearney.jp (Luke Kearney)
Date: Tue, 9 Apr 2013 21:47:30 +0900
Subject: [Freeipa-users] Upgrading 2.2 to 3.0
Message-ID: <531BD68E-BDD4-422F-B79F-29ADFC2AB7ED@kearney.jp>

Hello,

I was upgrading from 2.2 to 3 and it would appear that the GUI fails to restart with apache complaining about its config files. Is this a known issue?

[Tue Apr 09 21:26:30 2013] [notice] caught SIGTERM, shutting down
[Tue Apr 09 21:26:31 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 09 21:26:31 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Apr 09 21:31:16 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 09 21:31:17 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Apr 09 21:41:27 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 09 21:41:28 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[Tue Apr 09 21:42:18 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Apr 09 21:42:18 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
[root at dirsrv conf.d]#

An extremely cursory google search did not reveal any threads on this.

Kind Regards,
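Returning to Martin Kosek's heads-up above: the following is an added check written for this page (not FreeIPA's, Dogtag's or certmonger's own code) that tells you whether a certificate carries the URIs the heads-up warns about. It parses the text form a certificate takes in `openssl x509 -noout -text` output, the same layout as the dump in the heads-up, pulls the OCSP URIs out of Authority Information Access and the URIs out of CRL Distribution Points, and flags https schemes and multiple OCSP URIs. `SAMPLE_CERT_TEXT` is constructed from the dump quoted in the thread, trimmed to the relevant extensions; `FIXED_CERT_TEXT` is an assumed shape of a certificate issued under the single plain-http URI plan, not a real dump.

```python
"""Audit the OCSP / CRL URIs in a certificate's text dump.

Parses `openssl x509 -noout -text` output and reports the two problems the
heads-up describes: https URIs, which force the client to validate the
responder host as well, and more than one OCSP URI, which NSS-based
clients do not fail over across.
"""
import re
from urllib.parse import urlparse

# Constructed from the certificate quoted in the thread, trimmed to the
# extensions that matter here.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Subject: O=EXAMPLE.COM, CN=testcert.example.com
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:https://ipa-ca.example.com/ca/ocsp
                OCSP - URI:https://server1.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

                Full Name:
                  URI:https://server1.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority
"""

# Assumed shape of a certificate issued under the revised plan (one plain
# http URI pointing at the general DNS name); constructed, not a real dump.
FIXED_CERT_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
"""

# A line that opens an extension section, e.g. "X509v3 Key Usage: critical".
SECTION_RE = re.compile(r"^(X509v3 [^:]+|Authority Information Access|Netscape [^:]+):")


def extract_uris(cert_text):
    """Return (ocsp_uris, crl_uris) found in the AIA and CRL DP extensions."""
    ocsp, crl = [], []
    section = None
    for raw in cert_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)      # entering a new extension
            continue
        if section == "Authority Information Access":
            m = re.match(r"OCSP - URI:(\S+)", line)
            if m:
                ocsp.append(m.group(1))
        elif section == "X509v3 CRL Distribution Points":
            m = re.match(r"URI:(\S+)", line)
            if m:
                crl.append(m.group(1))
    return ocsp, crl


def audit(cert_text):
    """Return human-readable findings; an empty list means nothing to fix."""
    ocsp, crl = extract_uris(cert_text)
    findings = []
    for kind, uris in (("OCSP", ocsp), ("CRL", crl)):
        for uri in uris:
            if urlparse(uri).scheme == "https":
                findings.append("%s URI uses https, so the client must also "
                                "validate the responder host: %s" % (kind, uri))
    if len(ocsp) > 1:
        findings.append("%d OCSP URIs present; NSS-based clients only try the "
                        "last one (%s) and do not fail over" % (len(ocsp), ocsp[-1]))
    return findings


if __name__ == "__main__":
    for name, text in (("affected", SAMPLE_CERT_TEXT), ("fixed", FIXED_CERT_TEXT)):
        print("%s certificate:" % name)
        for finding in audit(text) or ["no OCSP/CRL URI problems found"]:
            print("  -", finding)
```

To run it against a real certificate, feed it the output of `openssl x509 -in cert.pem -noout -text`; the affected sample yields five findings (four https URIs plus the multiple-OCSP warning) and the single-http-URI sample none, which is the state a reissued certificate should reach.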
From rcritten at redhat.com Tue Apr 9 14:49:20 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 09 Apr 2013 10:49:20 -0400
Subject: [Freeipa-users] Upgrading 2.2 to 3.0
In-Reply-To: <531BD68E-BDD4-422F-B79F-29ADFC2AB7ED@kearney.jp>
References: <531BD68E-BDD4-422F-B79F-29ADFC2AB7ED@kearney.jp>
Message-ID: <51642A70.2020207@redhat.com>

Luke Kearney wrote:
> Hello,
> I was upgrading from 2.2 to 3 and it would appear that the GUI fails to
> restart with apache complaining about its config files. Is this a known
> issue?
>
> [Tue Apr 09 21:26:30 2013] [notice] caught SIGTERM, shutting down
> [Tue Apr 09 21:26:31 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue Apr 09 21:26:31 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
> [Tue Apr 09 21:31:16 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue Apr 09 21:31:17 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
> [Tue Apr 09 21:41:27 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue Apr 09 21:41:28 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
> [Tue Apr 09 21:42:18 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Tue Apr 09 21:42:18 2013] [warn] Init: (dirsrv.example.com:443) You configured HTTP(80) on the standard HTTPS(443) port!
> [root at dirsrv conf.d]#
>
> An extremely cursory google search did not reveal any threads on this.

Hmm. I think we'd need to see your nss.conf, at least. You didn't do any
manual changes to the Apache configs after updating did you?

What distro is this?
rob

From mkosek at redhat.com Wed Apr 10 08:05:38 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 10 Apr 2013 10:05:38 +0200
Subject: [Freeipa-users] Heads up: OCSP/CRL certificate validation issue
In-Reply-To: <5163FB46.3060104@redhat.com>
References: <5163FB46.3060104@redhat.com>
Message-ID: <51651D52.2000106@redhat.com>

On 04/09/2013 01:28 PM, Martin Kosek wrote:
> Hello FreeIPA users!
>
> We would like to give you a heads up about an OCSP/CRL certificate validation
> issue introduced in the FreeIPA 3.1 release (ticket 3074) we have discovered.
>
> ISSUE:
> Certificates issued by FreeIPA server 3.1 and later contain 2 CRL/OCSP URIs
> served by the Dogtag CA configured by FreeIPA:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 17 (0x11)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Apr 8 10:16:15 2013 GMT
>             Not After : Apr 9 10:16:15 2015 GMT
>         Subject: O=EXAMPLE.COM, CN=testcert.example.com
>         ...
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:9F:25:93:2F:20:2A:79:9A:A8:88:CF:CC:EB:D0:F5:43:E7:3B:B1:EE
>
>             Authority Information Access:
>                 OCSP - URI:https://ipa-ca.example.com/ca/ocsp
>                 OCSP - URI:https://server1.example.com/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:https://ipa-ca.example.com/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
>
>                 Full Name:
>                   URI:https://server1.example.com/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
>     ...
>
> One OCSP/CRL URI points to the original CA issuing the certificate and one
> points to a general URL (managed by FreeIPA) pointing to any other FreeIPA CA
> via a CNAME/A DNS record that can serve the OCSP/CRL URI in case the original
> FreeIPA CA was decommissioned or is unavailable at the moment.
>
> However, we have discovered that there are 2 issues related to this change:
>
> 1) Having https in the URIs requires the client (e.g. a web browser) validating
> the request to validate the machine serving the CRL/OCSP response itself, even
> though the CRL/OCSP response is already signed by the CA and thus verifiable.
>
> Clients will fail to retrieve the CRL/OCSP in the case of the general address
> as it is just a CNAME for a FreeIPA server whose certificate does not allow it
> to serve this address.
>
> 2) Even though we have 2 OCSP URIs in the certificate, the Firefox browser will
> not fail over to the general URI due to a limitation in NSS which only tries the
> last OCSP URI and then fails when it is not available.
>
> HOW WE WANT TO FIX THE SITUATION:
>
> Issue 1) is being fixed by converting https in OCSP/CRL URIs to plain http as
> the responses are already signed and verifiable. This will allow FreeIPA CAs to
> serve the general URI ipa-ca.example.com.
>
> Relevant upstream tickets:
> https://fedorahosted.org/freeipa/ticket/3547
> https://fedorahosted.org/freeipa/ticket/3552
>
> When the issue is fixed in the FreeIPA server, client certificates containing
> wrong OCSP/CRL URIs can be fixed by requesting new certificates from the
> FreeIPA CA. This task can be simplified by asking certmonger to request a new
> certificate for the given service ("ipa-getcert resubmit" command).
>
> We plan to prepare a script automating this task on clients for your convenience.
>
> Issue 2) is more difficult to fix as it requires an enhancement to Firefox and
> NSS to support OCSP fail over when a certificate contains multiple OCSP URIs.
>
> There is an open Mozilla Bugzilla with a request for this feature:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=797815
>
> You are welcome to support our case and add your comments or use cases to this
> Bugzilla.
>
> If you have concerns or a question about this plan, please just add a comment.
> We will inform you about our next steps.
>
> Thank you.
>

Update from the field: given the resistance we received from NSS/Firefox to
implement OCSP fail over ability as a default, and given our aim to address this
issue for as many platforms as possible, we decided to abandon the original plan
to have multiple OCSP/CRL URIs in the certificates.

Instead, we plan to issue FreeIPA certificates with just one OCSP/CRL URI
pointing to the general DNS name. This DNS name will contain A DNS records for
all FreeIPA CAs and it will be automatically maintained by FreeIPA if it manages
your DNS. Otherwise, the administrator would need to maintain this DNS name on
his own if he wants to keep the OCSP/CRL links functional.

Upstream tickets were updated to match the new plan:
https://fedorahosted.org/freeipa/ticket/3547
https://fedorahosted.org/freeipa/ticket/3552

Martin

From matthew.joseph at lmco.com Wed Apr 10 11:55:05 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 10 Apr 2013 07:55:05 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com>

Hey,

I'm still trying to figure out this error but I am getting nothing.

Anyone have any suggestions or ideas on why this is failing?
Matt From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Joseph, Matthew (EXP) Sent: Monday, April 08, 2013 12:30 PM To: Nathan Kinder Cc: freeipa-users at redhat.com Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors Hey, Yup, the client side says the following; Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate. Matt From: Nathan Kinder [mailto:nkinder at redhat.com] Sent: Monday, April 08, 2013 12:28 PM To: Joseph, Matthew (EXP) Cc: freeipa-users at redhat.com Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote: Hey, So on the IPA server under the access logs I am getting the following error. Error: could not send startTLS request: Error -11 (connect error) errno 0 (success) Any ideas? Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-/access. -NGK Matt From: Nathan Kinder [mailto:nkinder at redhat.com] Sent: Thursday, April 04, 2013 6:00 PM To: Joseph, Matthew (EXP) Cc: freeipa-users at redhat.com Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote: Hello, I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. 
Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide); ------------------------ IPA_Server: ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ ipareplica:/var/lib/ipa/ IPA_Replica: ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.exam ple.com.gpg ------------------------------ Below is the error I am getting when running ipa-replica-install; Directory Manager (existing master) password: Run connection check to master Check connection from replica to remote master 'IPA_Server.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote master admin at domain.ca password: Execute check on remote master Check connection from master to remote replica 'IPA_Replica.domain.ca': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos KDC: UDP (88): OK Kerberos Kpasswd: TCP (464): OK Kerberos Kpasswd: UDP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK Connection from master to replica is OK. Connection check OK Configuring ntpd [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd done configuring ntpd. 
Configuring directory server for the CA: Estimated time 30 seconds [1/3]: creating directory server user [2/3]: creating directory server instance [3/3]: restarting directory server done configuring pkids. Configuring certificate server: Estimated time 3 minutes 30 seconds [1/13]: creating certificate server user [2/13]: creating pki-ca instance [3/13]: configuring certificate server instance [4/13]: disabling nonces [5/13]: creating RA agent certificate database [6/13]: importing CA chain to RA certificate database [7/13]: fixing RA database permissions [8/13]: setting up signing cert profile [9/13]: set up CRL publishing [10/13]: set certificate subject base [11/13]: enabling Subject Key Identifier [12/13]: configuring certificate server to start on boot [13/13]: Configure HTTP to proxy connections done configuring pki-cad. Restarting the directory and certificate servers Configuring directory server: Estimated time 1 minute [1/30]: creating directory server user [2/30]: creating directory server instance [3/30]: adding default schema [4/30]: enabling memberof plugin [5/30]: enabling referential integrity plugin [6/30]: enabling winsync plugin [7/30]: configuring replication version plugin [8/30]: enabling IPA enrollment plugin [9/30]: enabling ldapi [10/30]: configuring uniqueness plugin [11/30]: configuring uuid plugin [12/30]: configuring modrdn plugin [13/30]: enabling entryUSN plugin [14/30]: configuring lockout plugin [15/30]: creating indices [16/30]: configuring ssl for ds instance [17/30]: configuring certmap.conf [18/30]: configure autobind for root [19/30]: configure new location for managed entries [20/30]: restarting directory server [21/30]: setting up initial replication Starting replication, please wait until this has completed. [IPA_Server.domain.ca] reports: Update failed! 
Status: [-11 - System error]
creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;

NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error.

There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error. Here is how it is defined in /usr/include/ldap.h:

#define LDAP_CONNECT_ERROR (-11)

It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then try to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":

------------------------------------------
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
------------------------------------------

When you are finished debugging the issue, don't forget to change the log level back to "0".

-NGK

Thanks,

Matt
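A small triage helper for the replication failure discussed in this thread, as an added example that is not FreeIPA's or 389-ds's own code: it scans lines taken from ipa-replica-install output and the 389-ds errors and access logs, translates negative status codes through the API-side error names from OpenLDAP's ldap.h (the thread quotes LDAP_CONNECT_ERROR as -11; the rest of the table is from the same header), and attaches the diagnosis the thread reached for each pattern: a connect error at the StartTLS step, a peer that does not trust the CA that signed the server certificate (a replica file from a different IPA installation), and the generation-ID mismatch that follows a failed initialization. The sample lines are constructed from the messages quoted above; the `-1` line is a constructed variant of the same status message.

```python
"""Triage replication failures from ipa-replica-install output and 389-ds logs.

Negative status codes are client-side (API) errors, not LDAP result codes;
their names below are taken from OpenLDAP's /usr/include/ldap.h.  Each
recognised pattern carries the diagnosis this thread arrived at for it.
"""
import re

# API-side error codes as defined in OpenLDAP's ldap.h.
LDAP_API_ERRORS = {
    -1: "LDAP_SERVER_DOWN",
    -2: "LDAP_LOCAL_ERROR",
    -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR",
    -5: "LDAP_TIMEOUT",
    -6: "LDAP_AUTH_UNKNOWN",
    -7: "LDAP_FILTER_ERROR",
    -8: "LDAP_USER_CANCELLED",
    -9: "LDAP_PARAM_ERROR",
    -10: "LDAP_NO_MEMORY",
    -11: "LDAP_CONNECT_ERROR",
    -12: "LDAP_NOT_SUPPORTED",
    -13: "LDAP_CONTROL_NOT_FOUND",
    -14: "LDAP_NO_RESULTS_RETURNED",
    -15: "LDAP_MORE_RESULTS_TO_RETURN",
    -16: "LDAP_CLIENT_LOOP",
    -17: "LDAP_REFERRAL_LIMIT_EXCEEDED",
}

# Diagnosis for each pattern, as worked out in the thread.
HINTS = {
    "status": "the master could not complete the update against the replica's "
              "directory server; check that the replica's LDAP port is reachable "
              "from the master and that TLS between the two works",
    "starttls": "StartTLS to the peer failed before the replication bind; look for "
                "the matching connection in the peer's access log",
    "ca_trust": "the peer does not trust the CA that signed our server certificate; "
                "a replica file prepared on a different IPA installation (different "
                "CA) causes this, so create a fresh one with ipa-replica-prepare",
    "generation_id": "expected fallout from a failed initialization; it clears once "
                     "the replica has been initialized successfully",
}

# (kind, regex); a capture group, where present, is the numeric code.
PATTERNS = [
    ("status", re.compile(r"Update failed! Status: \[(-?\d+) - ")),
    ("starttls", re.compile(r"could not send startTLS request: Error (-?\d+)")),
    ("ca_trust", re.compile(r"Peer does not recognize and trust the CA")),
    ("generation_id", re.compile(r"Replica has a different generation ID")),
]

# Constructed from the installer output and log lines quoted in this thread;
# the last line is a constructed variant showing a different status code.
SAMPLE_LINES = [
    "[IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]",
    'NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): '
    "Replica has a different generation ID than the local data.",
    "Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)",
    "Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.",
    "[20/30]: restarting directory server",
    "[ipa01.example.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]",
]


def describe_code(code):
    """Name a status code: negative codes map to ldap.h API errors."""
    return LDAP_API_ERRORS.get(code, "LDAP result code %d (server-side)" % code)


def triage(lines):
    """Return (kind, code, code_name, hint) for every line that matches a pattern."""
    findings = []
    for line in lines:
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            code = int(m.group(1)) if m.groups() else None
            name = describe_code(code) if code is not None else None
            findings.append((kind, code, name, HINTS[kind]))
            break  # one finding per line
    return findings


if __name__ == "__main__":
    for kind, code, name, hint in triage(SAMPLE_LINES):
        print("%-13s %-4s %-20s %s" % (kind, "-" if code is None else code, name or "-", hint))
```

Run it over the master's errors log after raising nsslapd-errorlog-level to 8192 as suggested above, then over the replica's access log; seeing a connect error on one side paired with the CA-trust close on the other is the combination this thread ends on.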
From rcritten at redhat.com Wed Apr 10 13:46:39 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Apr 2013 09:46:39 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com>
Message-ID: <51656D3F.1020000@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different
IPA installation? I'd probably go ahead and use ipa-replica-prepare to
create a new file and try installing that.

rob

>
> Matt
>
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, Matthew
> (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that
> issued your certificate.
>
> Matt
>
> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
> *Sent:* Monday, April 08, 2013 12:28 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>
> On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
>
> Hey,
>
> So on the IPA server under the access logs I am getting the
> following error.
>
> Error: could not send startTLS request: Error -11 (connect error)
> errno 0 (success)
>
> Any ideas?
>
> Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-/access.
>
> -NGK
>
> Matt
>
> From: Nathan Kinder [mailto:nkinder at redhat.com]
> Sent: Thursday, April 04, 2013 6:00 PM
> To: Joseph, Matthew (EXP)
> Cc: freeipa-users at redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors
>
> On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.
>
> Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide);
>
> ------------------------
>
> IPA_Server:
>
> ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
>
> scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
>
> IPA_Replica:
>
> ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg
>
> ------------------------------
>
> Below is the error I am getting when running ipa-replica-install;
>
> Directory Manager (existing master) password:
>
> Run connection check to master
> Check connection from replica to remote master 'IPA_Server.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> The following list of ports use UDP protocol and would need to be checked manually:
>    Kerberos KDC: UDP (88): SKIPPED
>    Kerberos Kpasswd: UDP (464): SKIPPED
>
> Connection from replica to master is OK.
>
> Start listening on required ports for remote master check
> Get credentials to log in to remote master
> admin at domain.ca password:
> Execute check on remote master
> Check connection from master to remote replica 'IPA_Replica.domain.ca':
>    Directory Service: Unsecure port (389): OK
>    Directory Service: Secure port (636): OK
>    Kerberos KDC: TCP (88): OK
>    Kerberos KDC: UDP (88): OK
>    Kerberos Kpasswd: TCP (464): OK
>    Kerberos Kpasswd: UDP (464): OK
>    HTTP Server: Unsecure port (80): OK
>    HTTP Server: Secure port (443): OK
>    PKI-CA: Directory Service port (7389): OK
>
> Connection from master to replica is OK.
>
> Connection check OK
>
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
>
> Configuring directory server for the CA: Estimated time 30 seconds
>   [1/3]: creating directory server user
>   [2/3]: creating directory server instance
>   [3/3]: restarting directory server
> done configuring pkids.
>
> Configuring certificate server: Estimated time 3 minutes 30 seconds
>   [1/13]: creating certificate server user
>   [2/13]: creating pki-ca instance
>   [3/13]: configuring certificate server instance
>   [4/13]: disabling nonces
>   [5/13]: creating RA agent certificate database
>   [6/13]: importing CA chain to RA certificate database
>   [7/13]: fixing RA database permissions
>   [8/13]: setting up signing cert profile
>   [9/13]: set up CRL publishing
>   [10/13]: set certificate subject base
>   [11/13]: enabling Subject Key Identifier
>   [12/13]: configuring certificate server to start on boot
>   [13/13]: Configure HTTP to proxy connections
> done configuring pki-cad.
>
> Restarting the directory and certificate servers
>
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
>   [17/30]: configuring certmap.conf
>   [18/30]: configure autobind for root
>   [19/30]: configure new location for managed entries
>   [20/30]: restarting directory server
>   [21/30]: setting up initial replication
> Starting replication, please wait until this has completed.
> [IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
> creation of replica failed: Failed to start replication
>
> Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;
>
> NSMMReplicationPlugin - agmt="cn=metoIPA_Server.domain.ca" (ipa_server:389): Replica has a different generation ID than the local data.
>
> This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.
>
> Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error.
>
> There was a bug in 389-ds-base that was fixed a while back where negative LDAP error codes were all printed as "System Error". The -11 is a connection error.
> Here is how it is defined in /usr/include/ldap.h:
>
> #define LDAP_CONNECT_ERROR (-11)
>
> It sounds like this connection error is occurring when it tries to initialize the replica. It might help to enable replication level logging on the master, then trying to run ipa-replica-install again. The errors in the 389 DS errors log might point to the problem. To enable replication level logging, you can perform the following operation with ldapmodify as "cn=Directory Manager":
>
> ------------------------------------------
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
> ------------------------------------------
>
> When you are finished debugging the issue, don't forget to change the log level back to "0".
>
> -NGK
>
> Thanks,
>
> Matt
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From matthew.joseph at lmco.com Wed Apr 10 13:49:38 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 10 Apr 2013 09:49:38 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <51656D3F.1020000@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51656D3F.1020000@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7B85@HCXMSP1.ca.lmco.com>

Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

> Matt
From rcritten at redhat.com Wed Apr 10 14:01:09 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Apr 2013 10:01:09 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7B85@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51656D3F.1020000@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7B85@HCXMSP1.ca.lmco.com>
Message-ID: <516570A5.9050203@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that.
> Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master. The error is related to SSL trust.

rob

> Matt
From matthew.joseph at lmco.com Wed Apr 10 14:13:30 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Wed, 10 Apr 2013 10:13:30 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <516570A5.9050203@redhat.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51656D3F.1020000@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7B85@HCXMSP1.ca.lmco.com> <516570A5.9050203@redhat.com>
Message-ID:
 <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7BBB@HCXMSP1.ca.lmco.com>

Hey Rob,

Here is the output from certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server:
Server-Cert u,u,u

Client:
Server-Cert u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey Rob,
>
> Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master. The error is related to SSL trust.

rob

> Matt
Here is how it is defined in /usr/include/ldap.h: >> >> #define LDAP_CONNECT_ERROR (-11) >> >> It sounds like this connection error is occurring when it tries to >> initialize the replica. It might help to enable replication level >> logging on the master, then trying to run ipa-replica-install again. >> The errors in the 389 DS errors log might point to the problem. To >> enable replication level logging, you can perform the following >> operation with ldapmodify as "cn=Directory Manager": >> >> ------------------------------------------ >> dn: cn=config >> changetype: modify >> replace: nsslapd-errorlog-level >> nsslapd-errorlog-level: 8192 >> ------------------------------------------ >> >> When you are finished debugging the issue, don't forget to change the >> log level back to "0". >> >> -NGK >> >> Thanks, >> >> Matt >> >> >> >> >> _______________________________________________ >> >> Freeipa-users mailing list >> >> Freeipa-users at redhat.com >> >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > From taaj.shawn at gmail.com Wed Apr 10 18:05:19 2013 From: taaj.shawn at gmail.com (Shawn) Date: Wed, 10 Apr 2013 14:05:19 -0400 Subject: [Freeipa-users] Issues after setup In-Reply-To: References: Message-ID: [root at freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. 
--service=sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_all
[root at freeipa ~]#

??> ssh myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
Connection closed by 54x.x.x.x

(client server logs)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration

(client ipa versions)
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64

(master ipa versions)
[root at freeipa ~]# rpm -qa |grep ipa-
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root at freeipa ~]#

On Thu, Apr 4, 2013 at 5:06 PM, KodaK wrote:
> Run an hbactest:
>
> ipa hbactest --user=youruser --host=fqdn.of.host --service=sshd
>
> Make sure that works, if it does, then you can move on to troubleshooting
> the host itself.
>
> On Thu, Apr 4, 2013 at 2:27 PM, Shawn wrote:
>> Hi,
>>
>> I have configured a ipa-server, replica and client.
>>
>> In the GUI I can see that all hosts are in the "hosts" list.. I have
>> created a single user as well and attached that user to the client.
>>
>> When trying to login as the user to the client, I see this in the
>> secure.log.
>>
>> fatal: Access denied for user by PAM account configuration.
>>
>> any suggestions on steps to troubleshoot this?
>>
>> Thanks
>>
>> --
>> *- Shawn Taaj*
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them.
> GPG Public key ID: B6A1A7C6

--
*- Shawn Taaj*

From rcritten at redhat.com Wed Apr 10 18:11:14 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 10 Apr 2013 14:11:14 -0400
Subject: [Freeipa-users] Issues after setup
In-Reply-To: References: Message-ID: <5165AB42.1050902@redhat.com>

Shawn wrote:
> [root at freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_all
> [root at freeipa ~]#
>
> ??> ssh myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> Connection closed by 54x.x.x.x
>
> (client server logs)
> Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> Access denied for user myuser: 4 (System error)
> Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> user client by PAM account configuration
>
> (client ipa versions)
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
>
> (master ipa versions)
> [root at freeipa ~]# rpm -qa |grep ipa-
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-client-3.0.0-26.el6_4.2.x86_64
> ipa-python-3.0.0-26.el6_4.2.x86_64
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
> [root at freeipa ~]#

An error is occurring somewhere which is why access is denied. This isn't HBAC, that looks like:

pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)

You need to crank up debugging in sssd and see what its logs say.

rob

From jhrozek at redhat.com Wed Apr 10 18:15:00 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 10 Apr 2013 20:15:00 +0200
Subject: [Freeipa-users] Issues after setup
In-Reply-To: <5165AB42.1050902@redhat.com>
References: <5165AB42.1050902@redhat.com>
Message-ID: <20130410181500.GP30862@hendrix.brq.redhat.com>

On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> Shawn wrote:
> >[root at freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> >--------------------
> >Access granted: True
> >--------------------
> > Matched rules: allow_all
> >[root at freeipa ~]#
> >
> >??> ssh myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> >Connection closed by 54x.x.x.x
> >
> >(client server logs)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> >Access denied for user myuser: 4 (System error)
> >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> >user client by PAM account configuration
> >
> >(client ipa versions)
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >
> >(master ipa versions)
> >[root at freeipa ~]# rpm -qa |grep ipa-
> >ipa-pki-common-theme-9.0.3-7.el6.noarch
> >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >ipa-client-3.0.0-26.el6_4.2.x86_64
> >ipa-python-3.0.0-26.el6_4.2.x86_64
> >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> >ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> >ipa-server-3.0.0-26.el6_4.2.x86_64
> >[root at freeipa ~]#
>
> An error is occurring somewhere which is why access is denied. This
> isn't HBAC, that looks like:
>
> pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
>
> You need to crank up debugging in sssd and see what its logs say.
>
> rob

What SSSD version is there on the client?

It's possible that it might be a similar issue to one Jan-Frode had with SELinux.
Rob is right, please raise the debug_level in the [pam] and [domain] sections and attach or paste the relevant portions of (sanitized) logs.

From taaj.shawn at gmail.com Wed Apr 10 18:27:36 2013
From: taaj.shawn at gmail.com (Shawn)
Date: Wed, 10 Apr 2013 14:27:36 -0400
Subject: [Freeipa-users] Issues after setup
In-Reply-To: <20130410181500.GP30862@hendrix.brq.redhat.com>
References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com>
Message-ID:

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'staaj' matched without domain, user is staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/company-dev.com/staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:staaj at vocal-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [company-dev.com][3][1][name=staaj]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:staaj at company-dev.com]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0xb39fd0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: B35A10
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: company-dev.com
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): user: staaj
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 50.59.202.7
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 23185
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0xb41990
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:staaj at company-dev.com]

only thing i see about selinux is here

(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30

# rpm -qa |grep sssd
sssd-client-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64

On Wed, Apr 10, 2013 at 2:15 PM, Jakub Hrozek wrote:
> On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote:
> > Shawn wrote:
> > >[root at freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
> > >--------------------
> > >Access granted: True
> > >--------------------
> > > Matched rules: allow_all
> > >[root at freeipa ~]#
> > >
> > >??> ssh myuserj at ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
> > >Connection closed by 54x.x.x.x
> > >
> > >(client server logs)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account):
> > >Access denied for user myuser: 4 (System error)
> > >Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for
> > >user client by PAM account configuration
> > >
> > >(client ipa versions)
> > >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > >ipa-client-3.0.0-26.el6_4.2.x86_64
> > >ipa-python-3.0.0-26.el6_4.2.x86_64
> > >
> > >(master ipa versions)
> > >[root at freeipa ~]# rpm -qa |grep ipa-
> > >ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >ipa-client-3.0.0-26.el6_4.2.x86_64
> > >ipa-python-3.0.0-26.el6_4.2.x86_64
> > >ipa-admintools-3.0.0-26.el6_4.2.x86_64
> > >ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> > >ipa-server-3.0.0-26.el6_4.2.x86_64
> > >[root at freeipa ~]#
> >
> > An error is occurring somewhere which is why access is denied. This
> > isn't HBAC, that looks like:
> >
> > pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)
> >
> > You need to crank up debugging in sssd and see what its logs say.
> >
> > rob
>
> What SSSD version is there on the client?
>
> It's possible that it might be a similar issue to one Jan-Frode had with
> SELinux.
>
> Rob is right, please raise the debug_level in the [pam] and [domain]
> sections and attach or paste the relevant portions of (sanitized) logs.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
*- Shawn Taaj*

From jhrozek at redhat.com Wed Apr 10 18:31:53 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 10 Apr 2013 20:31:53 +0200
Subject: [Freeipa-users] Issues after setup
In-Reply-To: References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com>
Message-ID: <20130410183153.GT30862@hendrix.brq.redhat.com>

On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote:
> (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040):
> creating the temp file for SELinux data failed.
> /etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013)
> [sssd[pam]] [pam_reply] (0x0100): blen: 30

I think this is the smoking gun.

What state is SELinux in? (run sestatus)
Are there any AVC denials that would indicate the directory is mislabeled?
What is the output of: # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins From taaj.shawn at gmail.com Wed Apr 10 18:34:06 2013 From: taaj.shawn at gmail.com (Shawn) Date: Wed, 10 Apr 2013 14:34:06 -0400 Subject: [Freeipa-users] Issues after setup In-Reply-To: <20130410183153.GT30862@hendrix.brq.redhat.com> References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com> <20130410183153.GT30862@hendrix.brq.redhat.com> Message-ID: [root at freeclient1 sssd]# sestatus SELinux status: disabled [root at freeclient1 sssd]# ls -ldZ /etc/selinux/ drwxr-xr-x root root ? /etc/selinux/ [root at freeclient1 sssd]# On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek wrote: > On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote: > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] > (0x0040): > > creating the temp file for SELinux data failed. > > /etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013) > > [sssd[pam]] [pam_reply] (0x0100): blen: 30 > > I think this is the smoking gun. > > What state is SELinux in? (run sestate) > Are there any AVC denials that would indicate the directory is > mislabeled? > > What is the output of: > # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins > -- *- Shawn Taaj* -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed Apr 10 18:37:36 2013 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 10 Apr 2013 20:37:36 +0200 Subject: [Freeipa-users] Issues after setup In-Reply-To: References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com> <20130410183153.GT30862@hendrix.brq.redhat.com> Message-ID: <20130410183736.GU30862@hendrix.brq.redhat.com> On Wed, Apr 10, 2013 at 02:34:06PM -0400, Shawn wrote: > [root at freeclient1 sssd]# sestatus > SELinux status: disabled > [root at freeclient1 sssd]# ls -ldZ /etc/selinux/ > drwxr-xr-x root root ? 
/etc/selinux/ > [root at freeclient1 sssd]# I take it there is no directory /etc/selinux/targeted/logins (or /etc/selinux/targeted/ for that matter?) Does mkdir -p /etc/selinux/targeted/logins solve things for you? > > > > On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek wrote: > > > On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote: > > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] > > (0x0040): > > > creating the temp file for SELinux data failed. > > > /etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013) > > > [sssd[pam]] [pam_reply] (0x0100): blen: 30 > > > > I think this is the smoking gun. > > > > What state is SELinux in? (run sestate) > > Are there any AVC denials that would indicate the directory is > > mislabeled? > > > > What is the output of: > > # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins > > > > > > -- > *- Shawn Taaj* From taaj.shawn at gmail.com Wed Apr 10 18:49:46 2013 From: taaj.shawn at gmail.com (Shawn) Date: Wed, 10 Apr 2013 14:49:46 -0400 Subject: [Freeipa-users] Issues after setup In-Reply-To: <20130410183736.GU30862@hendrix.brq.redhat.com> References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com> <20130410183153.GT30862@hendrix.brq.redhat.com> <20130410183736.GU30862@hendrix.brq.redhat.com> Message-ID: Yep, sure does. Thanks much. If selinux is disabled, why does it care? On Wed, Apr 10, 2013 at 2:37 PM, Jakub Hrozek wrote: > On Wed, Apr 10, 2013 at 02:34:06PM -0400, Shawn wrote: > > [root at freeclient1 sssd]# sestatus > > SELinux status: disabled > > [root at freeclient1 sssd]# ls -ldZ /etc/selinux/ > > drwxr-xr-x root root ? /etc/selinux/ > > [root at freeclient1 sssd]# > > I take it there is no directory /etc/selinux/targeted/logins (or > /etc/selinux/targeted/ for that matter?) > > Does mkdir -p /etc/selinux/targeted/logins solve things for you? 
> > > > > > > > > On Wed, Apr 10, 2013 at 2:31 PM, Jakub Hrozek > wrote: > > > > > On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote: > > > > (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] > > > (0x0040): > > > > creating the temp file for SELinux data failed. > > > > /etc/selinux/targeted/logins/staajtlQ108(Wed Apr 10 14:22:45 2013) > > > > [sssd[pam]] [pam_reply] (0x0100): blen: 30 > > > > > > I think this is the smoking gun. > > > > > > What state is SELinux in? (run sestate) > > > Are there any AVC denials that would indicate the directory is > > > mislabeled? > > > > > > What is the output of: > > > # ls -ldZ /etc/selinux/targeted/ /etc/selinux/targeted/logins > > > > > > > > > > > -- > > *- Shawn Taaj* > -- *- Shawn Taaj* -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed Apr 10 19:06:33 2013 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 10 Apr 2013 21:06:33 +0200 Subject: [Freeipa-users] Issues after setup In-Reply-To: References: <5165AB42.1050902@redhat.com> <20130410181500.GP30862@hendrix.brq.redhat.com> <20130410183153.GT30862@hendrix.brq.redhat.com> <20130410183736.GU30862@hendrix.brq.redhat.com> Message-ID: <20130410190633.GV30862@hendrix.brq.redhat.com> On Wed, Apr 10, 2013 at 02:49:46PM -0400, Shawn wrote: > Yep, sure does. Thanks much. > > If selinux is disabled, why does it care? > It's an SSSD bug: https://bugzilla.redhat.com/show_bug.cgi?id=914433 We didn't realize that SELinux disabled might mean that the directory is not there at all. Luckily there is a simple workaround. 
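Rob's point earlier in this thread (a `4 (System error)` from pam_sss in the account phase is SSSD failing, not HBAC saying no, which shows up as `6 (Permission denied)`) and Jakub's smoking gun in sssd_pam.log can be turned into a small triage script. The following is an added example written for this page, not code from the thread or from SSSD/FreeIPA. It runs over constructed log lines modelled on the ones Shawn posted; the log paths mentioned in the comments, the PAM code table and the `dir_exists` hook are assumptions made for the example.

```python
"""Triage pam_sss account-phase denials on a FreeIPA client.

Added example for this thread, not code from the posts nor from SSSD or
FreeIPA. It separates an SSSD internal error (PAM_SYSTEM_ERR, 4) from a
real HBAC policy denial (PAM_PERM_DENIED, 6), then looks in sssd_pam.log
for the SELinux login-file failure that was the cause here. Log layout
and the dir_exists hook are assumptions made for the example.
"""
import os
import re

# Linux-PAM return codes as printed in "Access denied for user X: N (text)".
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<phase>\w+)\): "
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")

# With debug_level raised, sssd_pam.log names the temp file it failed to
# create; the path is the token right after "failed." (the thread's copy
# had the next log record glued onto it, hence the exclusion of "(").
SELINUX_FILE_RE = re.compile(
    r"\[write_selinux_login_file\] \(0x[0-9a-fA-F]+\): creating the temp "
    r"file for SELinux data failed\. (?P<path>[^\s(]+)")


def parse_pam_sss_denials(secure_lines):
    """One record per pam_sss 'Access denied' line from /var/log/secure."""
    denials = []
    for line in secure_lines:
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        denials.append({
            "user": m.group("user"), "service": m.group("service"),
            "phase": m.group("phase"), "code": code,
            "name": PAM_CODES.get(code, "PAM_CODE_%d" % code),
            # HBAC says no as PAM_PERM_DENIED in the account phase; anything
            # else means SSSD failed to decide rather than decided.
            "policy_denial": code == 6 and m.group("phase") == "account",
        })
    return denials


def find_selinux_login_failures(sssd_pam_lines):
    """Temp-file paths that write_selinux_login_file could not create."""
    return [m.group("path") for m in map(SELINUX_FILE_RE.search, sssd_pam_lines) if m]


def diagnose(secure_lines, sssd_pam_lines, dir_exists=os.path.isdir):
    """Combine both logs into findings; dir_exists is injectable for tests."""
    denials = parse_pam_sss_denials(secure_lines)
    failed = find_selinux_login_failures(sssd_pam_lines)
    missing = sorted({os.path.dirname(p) for p in failed
                      if not dir_exists(os.path.dirname(p))})
    findings = []
    for d in denials:
        who = "%s/%s" % (d["service"], d["user"])
        if d["policy_denial"]:
            findings.append("%s: %s, a policy denial; check 'ipa hbactest'" % (who, d["name"]))
        elif d["code"] == 4:
            findings.append("%s: %s, SSSD internal error, not HBAC; raise "
                            "debug_level in [pam] and [domain]" % (who, d["name"]))
        else:
            findings.append("%s: %s (%d)" % (who, d["name"], d["code"]))
    findings += ["sssd_pam.log: could not create SELinux login file %s" % p for p in failed]
    findings += ["%s is missing; the thread's workaround is 'mkdir -p %s'" % (d, d)
                 for d in missing]
    return {"denials": denials, "selinux_failures": failed,
            "missing_dirs": missing, "findings": findings}


# Constructed sample input modelled on the lines posted in this thread.
SECURE_SAMPLE = [
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): "
    "Access denied for user myuser: 4 (System error)",
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for "
    "user myuser by PAM account configuration",
    "Apr 10 14:05:11 ip-10-152-174-17 sshd[23001]: pam_sss(sshd:account): "
    "Access denied for user admin: 6 (Permission denied)",
]
SSSD_PAM_SAMPLE = [
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT",
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating "
    "the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108",
    "(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30",
]

if __name__ == "__main__":
    # Swap the samples for open("/var/log/secure").read().splitlines() and the
    # sssd_pam.log equivalent to run this against a real client.
    for finding in diagnose(SECURE_SAMPLE, SSSD_PAM_SAMPLE, dir_exists=lambda p: False)["findings"]:
        print(finding)
```

On the thread's client this reports the PAM_SYSTEM_ERR denial, the temp file SSSD could not create under /etc/selinux/targeted/logins, and that the directory is absent, which is exactly the `mkdir -p` workaround Jakub gave for SSSD bug 914433. The `dir_exists` hook is there so the check can be exercised without the real filesystem; on a host where `sestatus` says enforcing or permissive rather than disabled, treat a missing or oddly labelled directory as an SELinux question first and look for AVCs (`ausearch -m avc`) before creating it by hand.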
From jnansi at redhat.com Thu Apr 11 00:36:07 2013
From: jnansi at redhat.com (Jatin Nansi)
Date: Thu, 11 Apr 2013 10:36:07 +1000
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com>
Message-ID: <51660577.9010709@redhat.com>

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
>
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph,
> Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that
> issued your certificate.
>
> Matt
>
Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ -n Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?
-- Jatin Nansi From matthew.joseph at lmco.com Thu Apr 11 10:24:22 2013 From: matthew.joseph at lmco.com (Joseph, Matthew (EXP)) Date: Thu, 11 Apr 2013 06:24:22 -0400 Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors In-Reply-To: <51660577.9010709@redhat.com> References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51660577.9010709@redhat.com> Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26F79463@HCXMSP1.ca.lmco.com> Hey, Here is the output; Server-Cert u,u,u I am using nss-3-13.3-6 I am using the IPA CA. Matt -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jatin Nansi Sent: Wednesday, April 10, 2013 9:36 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote: > > Hey, > > I'm still trying to figure out this error but I am getting nothing. > > Anyone have any suggestions or ideas on why this is failing? > > Matt > > *From:*freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, > Matthew (EXP) > *Sent:* Monday, April 08, 2013 12:30 PM > *To:* Nathan Kinder > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install > errors > > Hey, > > > Yup, the client side says the following; > > Op=-1 fd=64 closed - Peer does not recognize and trust the CA that > issued your certificate. > > Matt > Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. 
To check if you are using MD5 certificate signatures, use this command to examine the certificates - cerutil -L -d/etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes. Are you using the IPA CA, or are you managing the CA independently of IPA? -- Jatin Nansi _______________________________________________ Freeipa-users mailing list Freeipa-users at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users From matthew.joseph at lmco.com Thu Apr 11 10:55:42 2013 From: matthew.joseph at lmco.com (Joseph, Matthew (EXP)) Date: Thu, 11 Apr 2013 06:55:42 -0400 Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors In-Reply-To: <51660577.9010709@redhat.com> References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51660577.9010709@redhat.com> Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26F79479@HCXMSP1.ca.lmco.com> Hey, Sorry didn't read your full message and realize you wanted all of the information for it. The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption. Matt -----Original Message----- From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jatin Nansi Sent: Wednesday, April 10, 2013 9:36 PM To: freeipa-users at redhat.com Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote: > > Hey, > > I'm still trying to figure out this error but I am getting nothing. > > Anyone have any suggestions or ideas on why this is failing? 
> > Matt > > *From:*freeipa-users-bounces at redhat.com > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, > Matthew (EXP) > *Sent:* Monday, April 08, 2013 12:30 PM > *To:* Nathan Kinder > *Cc:* freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install > errors > > Hey, > > > Yup, the client side says the following; > > Op=-1 fd=64 closed - Peer does not recognize and trust the CA that > issued your certificate. > > Matt > Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates - cerutil -L -d/etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes. Are you using the IPA CA, or are you managing the CA independently of IPA? 
-- Jatin Nansi
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From rcritten at redhat.com Thu Apr 11 13:13:06 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Apr 2013 09:13:06 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26F79463@HCXMSP1.ca.lmco.com>
References: <543FB8F8BFD9A74298A96670DA2F2E7F0E25E498E0@HCXMSP1.ca.lmco.com> <515DE9BF.8020908@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7207@HCXMSP1.ca.lmco.com> <5162E1F7.10406@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB72B3@HCXMSP1.ca.lmco.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26DB7AAF@HCXMSP1.ca.lmco.com> <51660577.9010709@redhat.com> <543FB8F8BFD9A74298A96670DA2F2E7F0E26F79463@HCXMSP1.ca.lmco.com>
Message-ID: <5166B6E2.1030907@redhat.com>

Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert u,u,u
>
> I am using nss-3-13.3-6
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side. You should also have something like

EXAMPLE.COM IPA CA    Ct,C,C

You might check the working master with something like:

certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM

That will validate the cert trust. I'd suspect it will fail. So you'd need to add the IPA CA.

certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt

This may address the symptom but how you ended up with the CA missing is baffling.
rob > > Matt > > -----Original Message----- > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jatin Nansi > Sent: Wednesday, April 10, 2013 9:36 PM > To: freeipa-users at redhat.com > Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors > > On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote: >> >> Hey, >> >> I'm still trying to figure out this error but I am getting nothing. >> >> Anyone have any suggestions or ideas on why this is failing? >> >> Matt >> >> *From:*freeipa-users-bounces at redhat.com >> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Joseph, >> Matthew (EXP) >> *Sent:* Monday, April 08, 2013 12:30 PM >> *To:* Nathan Kinder >> *Cc:* freeipa-users at redhat.com >> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install >> errors >> >> Hey, >> >> >> Yup, the client side says the following; >> >> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that >> issued your certificate. >> >> Matt >> > Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm. To check if you are using MD5 certificate signatures, use this command to examine the certificates - > > cerutil -L -d/etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert > > > If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes. > > Are you using the IPA CA, or are you managing the CA independently of IPA? 
> --
> Jatin Nansi


From matthew.joseph at lmco.com Thu Apr 11 15:13:14 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Thu, 11 Apr 2013 11:13:14 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <5166B6E2.1030907@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E26F7966B@HCXMSP1.ca.lmco.com>

Hey,

Yes you are correct. For some reason my IPA CA certs were missing.
I've added them back onto both the Server and Client so now I am back to getting the;

"Replica Data has a different generation ID than the local data"

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: Thursday, April 11, 2013 10:13 AM
To: Joseph, Matthew (EXP); Jatin Nansi; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert u,u,u
>
> I am using nss-3-13.3-6
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side.

From bmoczulski at gmail.com Thu Apr 11 18:47:15 2013
From: bmoczulski at gmail.com (Bartek Moczulski)
Date: Thu, 11 Apr 2013 20:47:15 +0200
Subject: [Freeipa-users] LDAP authentication for 3rd party

hi,

I've got a problem with using IPA as authentication source over LDAP.
Generally there are two approaches to LDAP authentication:

1. bind using admin account and read passwords from user objects (but in
ipa you cannot read passwords through ldap, right?)

2. "bind to authenticate" - service tries to log in to ldap with user's
credentials. If login is successful authentication is also successful -
this approach does not work because you cannot login to IPA ldap using
bare username, you need a full LDAP DN.

Now, I've got a 3rd party application supporting both mentioned above
approaches and the question is - how to make it work with ipa?

thanks in advance,
Bartek.


From rcritten at redhat.com Thu Apr 11 18:59:29 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 11 Apr 2013 14:59:29 -0400
Subject: [Freeipa-users] LDAP authentication for 3rd party
Message-ID: <51670811.8030505@redhat.com>

Bartek Moczulski wrote:
> hi,
> I've got a problem with using IPA as authentication source over LDAP.
> Generally there are two approaches to LDAP authentication:
> 1. bind using admin account and read passwords from user objects (but in
> ipa you cannot read passwords through ldap, right?)
> 2.
> "bind to authenticate" - service tries to log in to ldap with user's
> credentials. If login is successful authentication is also successful -
> this approach does not work because you cannot login to IPA ldap using
> bare username, you need a full LDAP DN.
>
> Now, I've got a 3rd party application supporting both mentioned above
> approaches and the question is - how to make it work with ipa?
>
> thanks in advance,

We won't do #1. In our opinion it is insecure to share password hashes.

For #2 AFAIK LDAP simple bind requires a DN. Typically the app does a
search on the uid, gets the DN, then attempts a bind.

I'd be curious to know what LDAP servers your 3rd party app is certified
against.

rob


From jdennis at redhat.com Thu Apr 11 19:04:38 2013
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Apr 2013 15:04:38 -0400
Subject: [Freeipa-users] LDAP authentication for 3rd party
Message-ID: <51670946.3080501@redhat.com>

On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
> 2. "bind to authenticate" - service tries to log in to ldap with user's
> credentials. If login is successful authentication is also successful -
> this approach does not work because you cannot login to IPA ldap using
> bare username, you need a full LDAP DN.

Most applications I know of that do "bind as user" to authenticate also
permit you to specify a format string into which the user name is
inserted (i.e. the format string is the dn, e.g.
"uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search
to discover the dn. If your application does not support either approach
it's broken IMHO.

Reading passwords and/or password hashes is not supported for security
reasons.
--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From dpal at redhat.com Thu Apr 11 19:21:49 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 11 Apr 2013 15:21:49 -0400
Subject: [Freeipa-users] FreeIPA Fedora 19 Test Day Announcement
Message-ID: <51670D4D.50102@redhat.com>

The FreeIPA team is happy to welcome you to a Fedora Test Day that will be
held on Thursday, April 18th. We invite you to take part in testing of the
new features that will become available in the upcoming FreeIPA 3.2 upstream
release and would be a part of Fedora 19.

To read more about the test day and suggested tests use the following link
http://fedoraproject.org/wiki/Test_Day:2013-04-18

The outline of the features of the upcoming release can be found in the
following announcement:
https://www.redhat.com/archives/freeipa-devel/2013-April/msg00028.html

Thank you for your help and participation!

FreeIPA team


From rendhalver at gmail.com Thu Apr 11 22:32:43 2013
From: rendhalver at gmail.com (Peter Brown)
Date: Fri, 12 Apr 2013 08:32:43 +1000
Subject: [Freeipa-users] LDAP authentication for 3rd party
In-Reply-To: <51670946.3080501@redhat.com>

On 12 April 2013 05:04, John Dennis wrote:
> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>> hi,
>> I've got a problem with using IPA as authentication source over LDAP.
>> Generally there are two approaches to LDAP authentication:
>> 1. bind using admin account and read passwords from user objects (but in
>> ipa you cannot read passwords through ldap, right?)
>> 2.
>> "bind to authenticate" - service tries to log in to ldap with user's
>> credentials. If login is successful authentication is also successful -
>> this approach does not work because you cannot login to IPA ldap using
>> bare username, you need a full LDAP DN.
>
> Most applications I know of that do "bind as user" to authenticate also
> permit you to specify a format string into which the user name is inserted
> (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
> -or- they do a search to discover the dn. If your application does not
> support either approach it's broken IMHO.

I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
I will be adding more applications in the future as well.
If the application doesn't support Kerberos it's the next best thing in my
opinion.
I have also used it to get email lists into dovecot and postfix.

One caveat I found is you need to tell Atlassian applications that FreeIPA
is a plain OpenLDAP server to get it to work.
Apart from that it works "out of the box" as they say.

> Reading passwords and/or password hashes is not supported for security
> reasons.
From chandank.kumar at gmail.com Thu Apr 11 23:07:23 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Thu, 11 Apr 2013 16:07:23 -0700
Subject: [Freeipa-users] User Roles and access in GUI

Hello,

I have a question regarding User Roles and Access in GUI. What I have found
is that irrespective of the Role assigned to a user, he gets read only access
across the directory.

For example, I created one user say "dnsadmin" with only Roles related to DNS
such as DNS Servers, DNS Administrator. Now that user has read only access to
the entire directory. Is there any way of controlling it?

Thanks,
Chandan
--
http://about.me/chandank


From simo at redhat.com Thu Apr 11 23:27:11 2013
From: simo at redhat.com (Simo Sorce)
Date: Thu, 11 Apr 2013 19:27:11 -0400
Subject: [Freeipa-users] LDAP authentication for 3rd party
In-Reply-To: <51670811.8030505@redhat.com>
Message-ID: <1365722831.2845.122.camel@willson.li.ssimo.org>

On Thu, 2013-04-11 at 14:59 -0400, Rob Crittenden wrote:
> Bartek Moczulski wrote:
> > 2. "bind to authenticate" - service tries to log in to ldap with user's
> > credentials. If login is successful authentication is also successful -
> > this approach does not work because you cannot login to IPA ldap using
> > bare username, you need a full LDAP DN.
>
> We won't do #1. In our opinion it is insecure to share password hashes.
>
> For #2 AFAIK LDAP simple bind requires a DN.
> Typically the app does a
> search on the uid, gets the DN, then attempts a bind.
>
> I'd be curious to know what LDAP servers your 3rd party app is certified
> against.

AD supports simple binds with a username instead of a DN ... yeah not
standard but we might want to support it, we have a pre-bind plugin after
all, so we could if we want to, just a matter of creating a RFE ticket.

Simo.

--
Simo Sorce * Red Hat, Inc * New York


From jnansi at redhat.com Fri Apr 12 01:18:13 2013
From: jnansi at redhat.com (Jatin Nansi)
Date: Fri, 12 Apr 2013 11:18:13 +1000
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <543FB8F8BFD9A74298A96670DA2F2E7F0E26F79479@HCXMSP1.ca.lmco.com>
Message-ID: <516760D5.7050109@redhat.com>

On 04/11/2013 08:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> Sorry didn't read your full message and realize you wanted all of the information for it.
>
> The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

OK, then it was just the CA certificate that was missing, the MD5 hash
information that I provided does not apply.

About:
> "Replica Data has a different generation ID than the local data"

It's probably best if you reinitialize the replica. If the
ipa-replica-install script never completed, you could try creating a new
replica information file from the existing IPA server and redo the whole
replica installation.
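The two "bind as user" flows discussed in this thread (the DN format string John Dennis mentions, and the search-on-uid-then-bind sequence Rob Crittenden describes), written out as an added example; this is not code from the thread or from FreeIPA itself. The base DN cn=users,cn=accounts,dc=example,dc=com is the one quoted in the thread; the objectClass used in the lookup filter, the function names, and the FakeDirectory class (an in-memory stand-in for the LDAP server, loaded with constructed sample accounts) are assumptions so the flow runs offline. The two details an application gets wrong most often are shown explicitly: the login name is escaped before it is substituted into a DN (RFC 4514) or a filter (RFC 4515), and a simple bind with an empty password is refused, because the protocol treats that as an unauthenticated (anonymous) bind rather than a failed one.

```python
"""Bind-as-user authentication against a directory laid out like FreeIPA's
(uid=<login>,cn=users,cn=accounts,<suffix>).

Added example, not FreeIPA project code. Assumptions: the suffix
dc=example,dc=com, the objectClass posixAccount in the lookup filter, and
FakeDirectory, which stands in for a real LDAP connection.
"""
import hmac

USER_BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"  # assumed suffix
DN_TEMPLATE = "uid=%u," + USER_BASE_DN                    # the "format string" approach


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 rules)."""
    out = []
    for ch in value:
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    text = "".join(out)
    if text.startswith(("#", " ")):                       # leading '#' or space
        text = "\\" + text
    if text.endswith(" ") and not text.endswith("\\ "):   # trailing space
        text = text[:-1] + "\\ "
    return text


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def bind_dn_from_template(login: str, template: str = DN_TEMPLATE) -> str:
    """Approach 1: substitute the escaped login name into the DN format string,
    so a login containing ',' or '+' cannot change the DN's structure."""
    return template.replace("%u", escape_dn_value(login))


def lookup_filter(login: str) -> str:
    """Approach 2, step 1: the filter used to discover the user's DN."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(login)


def search_then_bind(directory, login: str, password: str) -> bool:
    """Approach 2: search for the entry, then bind with the DN that was found.
    Exactly one entry must match; zero or several matches is a failure."""
    matches = directory.search(USER_BASE_DN, lookup_filter(login))
    if len(matches) != 1:
        return False
    return directory.bind(matches[0], password)


class FakeDirectory:
    """Constructed stand-in for an LDAP server holding uid -> password entries.
    It only understands the filter shape lookup_filter() produces."""

    _PREFIX = "(&(objectClass=posixAccount)(uid="

    def __init__(self, accounts: dict):
        self._entries = {bind_dn_from_template(uid): (uid, pw)
                         for uid, pw in accounts.items()}

    def search(self, base: str, ldap_filter: str) -> list:
        if not (ldap_filter.startswith(self._PREFIX) and ldap_filter.endswith("))")):
            raise ValueError("unsupported filter: %r" % ldap_filter)
        wanted = ldap_filter[len(self._PREFIX):-2]
        return [dn for dn, (uid, _) in self._entries.items()
                if dn.endswith(base) and escape_filter_value(uid) == wanted]

    def bind(self, dn: str, password: str) -> bool:
        entry = self._entries.get(dn)
        # An empty password is an unauthenticated bind (RFC 4513 5.1.2), never a success.
        if entry is None or password == "":
            return False
        return hmac.compare_digest(entry[1].encode(), password.encode())


if __name__ == "__main__":
    directory = FakeDirectory({"jdoe": "correct horse battery"})  # constructed sample data
    print(bind_dn_from_template("jdoe"))
    print(lookup_filter("jdoe"))
    print(search_then_bind(directory, "jdoe", "correct horse battery"))
```

With a real client library the FakeDirectory calls map onto a search on the user base followed by a simple bind with the discovered DN; the escaping helpers and the empty-password check carry over unchanged.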
From simon.williams at thehelpfulcat.com Fri Apr 12 05:51:35 2013
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Fri, 12 Apr 2013 06:51:35 +0100
Subject: [Freeipa-users] LDAP authentication for 3rd party

I use Atlassian products, but use Crowd to provide single signon. This
means that Crowd is the only application that needs to authenticate against
LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
not get it to work set to OpenLDAP.

Regards

Simon

On 11 Apr 2013 23:36, "Peter Brown" wrote:
> On 12 April 2013 05:04, John Dennis wrote:
>> Most applications I know of that do "bind as user" to authenticate also
>> permit you to specify a format string into which the user name is inserted
>> (i.e. the format string is the dn, e.g. "uid=%u,cn=users,cn=accounts,dc=example,dc=com")
>> -or- they do a search to discover the dn. If your application does not
>> support either approach it's broken IMHO.
>
> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
> I will be adding more applications in the future as well.
> If the application doesn't support Kerberos it's the next best thing in my
> opinion.
> I have also used it to get email lists into dovecot and postfix.
>
> One caveat I found is you need to tell Atlassian applications that FreeIPA
> is a plain OpenLDAP server to get it to work.
> Apart from that it works "out of the box" as they say.


From rendhalver at gmail.com Fri Apr 12 05:58:24 2013
From: rendhalver at gmail.com (Peter Brown)
Date: Fri, 12 Apr 2013 15:58:24 +1000
Subject: [Freeipa-users] LDAP authentication for 3rd party

On 12 April 2013 15:51, Simon Williams wrote:
> I use Atlassian products, but use Crowd to provide single signon. This
> means that Crowd is the only application that needs to authenticate against
> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
> not get it to work set to OpenLDAP.
>

I had a look at crowd but it seemed like overkill when I could just point
everything at FreeIPA.
We are a small shop so the extra queries weren't going to affect much.
I tried telling my Atlassian apps that freeipa was a 389 ds server but it
refused to work properly.
Slightly strange considering the ldap modules for all of them are the same
as the one used in crowd.

> Regards
>
> Simon

From mkosek at redhat.com Fri Apr 12 06:23:13 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 12 Apr 2013 08:23:13 +0200
Subject: [Freeipa-users] User Roles and access in GUI
Message-ID: <5167A851.4030200@redhat.com>

On 04/12/2013 01:07 AM, Chandan Kumar wrote:
> Hello,
>
> I have a question regarding User Roles and Access in GUI. What I have found
> is that irrespective of the Role assigned to a user, he gets read only
> access across the directory.
>
> For example, I created one user say "dnsadmin" with only Roles related to DNS
> such as DNS Servers, DNS Administrator. Now that user has read only access to
> the entire directory. Is there any way of controlling it?
>
> Thanks,
> Chandan
>

Hello Chandan,

If you create a new role, assign "DNS Administrators" privilege to it, and
assign that role to user dnsadmin, that user will have write access to DNS
tree and configuration.

Beyond that tree, dnsadmin will have read-only access just like all other
non-admin users.
If you want dnsadmin to have write access also to other entries, you would
need to assign more privileges/roles to it.

HTH,
Martin


From matthew.joseph at lmco.com Fri Apr 12 11:01:59 2013
From: matthew.joseph at lmco.com (Joseph, Matthew (EXP))
Date: Fri, 12 Apr 2013 07:01:59 -0400
Subject: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
In-Reply-To: <516760D5.7050109@redhat.com>
Message-ID: <543FB8F8BFD9A74298A96670DA2F2E7F0E8DB1AF27@HCXMSP1.ca.lmco.com>

Hey,

I tried recreating the replica information and doing the ipa-replica-install
and it's still failing at trying to start the replication.

I've also tried doing a force sync and it comes up with that generation ID
error.

Matt

-----Original Message-----
From: Jatin Nansi [mailto:jnansi at redhat.com]
Sent: Thursday, April 11, 2013 10:18 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

About:
> "Replica Data has a different generation ID than the local data"

It's probably best if you reinitialize the replica.
If the ipa-replica-install script never completed, you could try creating a
new replica information file from the existing IPA server and redo the whole
replica installation.


From dpal at redhat.com Fri Apr 12 12:48:54 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Fri, 12 Apr 2013 08:48:54 -0400
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <5167A851.4030200@redhat.com>
Message-ID: <516802B6.6020109@redhat.com>

On 04/12/2013 02:23 AM, Martin Kosek wrote:
> Beyond that tree, dnsadmin will have read-only access just like all other
> non-admin users. If you want dnsadmin to have write access also to other
> entries, you would need to assign more privileges/roles to it.
>
> HTH,
> Martin

If you are worried about the read access the LDAP data is traditionally
readable by any authenticated user. In the past it was even possible to read
the tree as anonymous user which is a bad security practice and not
recommended.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


From rmeggins at redhat.com Fri Apr 12 13:59:39 2013
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Apr 2013 07:59:39 -0600
Subject: [Freeipa-users] LDAP authentication for 3rd party
Message-ID: <5168134B.20702@redhat.com>

On 04/11/2013 11:58 PM, Peter Brown wrote:
> On 12 April 2013 15:51, Simon Williams wrote:
>
>     I use Atlassian products, but use Crowd to provide single signon.
>     This means that Crowd is the only application that needs to
>     authenticate against LDAP. I found that I had to tell Crowd that
>     the server was 389 DS. I could not get it to work set to OpenLDAP.
>
> I had a look at crowd but it seemed like overkill when I could just
> point everything at FreeIPA.
> We are a small shop so the extra queries weren't going to affect much.
> I tried telling my Atlassian apps that freeipa was a 389 ds server
> but it refused to work properly.

Not sure what that means, exactly. Check the 389 access logs to see what
operations Atlassian is performing against 389.

> Slightly strange considering the ldap modules for all of them are the
> same as the one used in crowd.
From natxo.asenjo at gmail.com Fri Apr 12 19:35:49 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 12 Apr 2013 21:35:49 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris

hi,

apparently what I am trying to do is not very usual because I do not get
any answer on the omnios (opensolaris derivative) mailing list.

I have successfully joined a host to the ipa domain, I can log in the omnios
host as an ipa user, getent works, kerberos works (thanks to Johan Petersson
in this thread:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html)

But when configuring nfs with krb5(i/p) security I get an error:

# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# share -F nfs -o sec=krb5 -d "homedirs" /export/home/
Could not share: /export/home: invalid security type

The omnios host has a keytab with both host and nfs principals:

# klist -k -e
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   1 nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (Triple DES cbc mode with HMAC/sha1)
   2 host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX (ArcFour with HMAC/md5)

I can kinit with both principals:

root at testomnios:~# kinit -k
root at testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:
host/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX Valid starting Expires Service principal 04/12/13 11:56:07 04/13/13 11:56:07 krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX renew until 04/19/13 11:56:07 root at testomnios:~# kinit -k nfs/testomnios.ipa.asenjo.nx root at testomnios:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: nfs/testomnios.ipa.asenjo.nx at IPA.ASENJO.NX Valid starting Expires Service principal 04/12/13 11:56:28 04/13/13 11:56:28 krbtgt/IPA.ASENJO.NX at IPA.ASENJO.NX renew until 04/19/13 11:56:28 so the keytab is correct I have edited /etc/nfssec.conf and removed the comments for the krb5 lines. According to all my google-fu it should work, but it does not. Any tips greatly appreciated. . -- Groeten, natxo -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri Apr 12 20:09:27 2013 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 12 Apr 2013 16:09:27 -0400 Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris In-Reply-To: References: Message-ID: <516869F7.6020108@redhat.com> On 04/12/2013 03:35 PM, Natxo Asenjo wrote: > hi, > > apparently what I am trying to do is not very usual because I do not > get any answer on the omnios (opensolaris derivative) mailing list. > > I have successfully joined a host to the ipa domain, I can log in the > omnios host as an ipa user, getent works, kerberos works (thanks to > Johan Petersson in this thread: > https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html) > > But when configuring nfs with krb5(i/p) security I get an error: I am completely unaware how zfs works but... > > # zfs set sharenfs=sec=krb5 rpool/export/home > cannot set property for 'rpool/export/home': 'sharenfs' cannot be set > to invalid options That looks like a syntax error. It seems like krb5 is an invalid option. May be something needs to be restarted after you changed the config file? 
> --
> Greetings,
> natxo

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Fri Apr 12 21:30:18 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 12 Apr 2013 23:30:18 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
In-Reply-To:
References:
Message-ID: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com>

Your syntax seems correct but you need to quote the value.

Natxo Asenjo wrote:
>hi,
>
>apparently what I am trying to do is not very usual because I do not
>get
>any answer on the omnios (opensolaris derivative) mailing list.
>[...]
>But when configuring nfs with krb5(i/p) security I get an error:
>
># zfs set sharenfs=sec=krb5 rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
># share -F nfs -o sec=krb5 -d "homedirs" /export/home/
>Could not share: /export/home: invalid security type
>[...]
>I have edited /etc/nfssec.conf and removed the comments for the krb5
>lines.
>
>According to all my google-fu it should work, but it does not. Any tips
>greatly appreciated.
>.
>--
>Greetings,
>natxo

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
From natxo.asenjo at gmail.com Fri Apr 12 21:44:43 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 12 Apr 2013 23:44:43 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
In-Reply-To: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com>
References: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com>
Message-ID:

hi,

thanks, still not working though:

# share -F nfs -o "sec=krb5" -d "homedirs" /export/home
Could not share: /export/home: invalid security type

# zfs set sharenfs="sec"="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# zfs set "sharenfs"="sec"="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# zfs set sharenfs=sec="krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# zfs set sharenfs=sec=krb5 rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

# zfs set "sharenfs=sec=krb5" rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

--
Greetings,
natxo

On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie wrote:

> Your syntax seems correct but you need to quote the value.
>

From sigbjorn at nixtra.com Fri Apr 12 21:57:43 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Fri, 12 Apr 2013 23:57:43 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
In-Reply-To:
References: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com>
Message-ID: <86460fd2-eb21-4eb0-b97e-6d26846a5f27@email.android.com>

zfs set sharenfs='sec=krb5' pool/dataset

Natxo Asenjo wrote:
>hi,
>
>thanks, still not working though:
>
># share -F nfs -o "sec=krb5" -d "homedirs" /export/home
>Could not share: /export/home: invalid security type
>[...]
># zfs set "sharenfs=sec=krb5" rpool/export/home
>cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
>to
>invalid options
>
>
>--
>Greetings,
>natxo
>
>
>On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie
>wrote:
>
>> Your syntax seems correct but you need to quote the value.
>>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

From chandank.kumar at gmail.com Sat Apr 13 00:17:13 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Fri, 12 Apr 2013 17:17:13 -0700
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516802B6.6020109@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com>
Message-ID:

Thanks for the response.
The way we can turn off the anonymous bind in 389 Server is using "nsslapd-allow-anonymous-access: off".

Is there any way to limit the read access of user to only to the DNS entries? In that way I can create a user who could/will be able to see/edit DNS entries only.

Thanks,
Chandan

On Friday, April 12, 2013, Dmitri Pal wrote:

> On 04/12/2013 02:23 AM, Martin Kosek wrote:
> > On 04/12/2013 01:07 AM, Chandan Kumar wrote:
> >> Hello,
> >>
> >> I have a question regarding User Roles and Access in GUI. What I have
> >> found that irrespective of Role assigned to a user, he gets read only
> >> access across the directory.
> >>
> >> For example, I created one user say "dnsadmin" with only Roles related
> >> to DNS such as DNS Servers, DNS Administrator. Now that user has read
> >> only access to entire directory. Is there any way of controlling it?
> >>
> >>
> >> Thanks,
> >> Chandan
> >>
> > Hello Chandan,
> >
> > If you create a new role, assign "DNS Administrators" privilege to it,
> > and assign that role to user dnsadmin, that user will have write access
> > to DNS tree and configuration.
> >
> > Beyond that tree, dnsadmin will have read-only access just like all other
> > non-admin users. If you want dnsadmin to have write access also to other
> > entries, you would need to assign more privileges/roles to it.
> >
> > HTH,
> > Martin
> >
>
> If you are worried about the read access the LDAP data is traditionally
> readable by any authenticated user.
> In the past it was even possible to read the tree as anonymous user
> which is a bad security practice and not recommended.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>

-- 
http://about.me/chandank

From natxo.asenjo at gmail.com Sat Apr 13 11:16:28 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 13 Apr 2013 13:16:28 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
In-Reply-To: <86460fd2-eb21-4eb0-b97e-6d26846a5f27@email.android.com>
References: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com> <86460fd2-eb21-4eb0-b97e-6d26846a5f27@email.android.com>
Message-ID:

# zfs set sharenfs='sec=krb5' rpool/export/home
cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to invalid options

I am starting to think this is a bug in illumos,

Thanks anyway!

--
Greetings,
natxo

On Fri, Apr 12, 2013 at 11:57 PM, Sigbjorn Lie wrote:

> zfs set sharenfs='sec=krb5' pool/dataset
>
>
> Natxo Asenjo wrote:
>>
>> hi,
>>
>> thanks, still not working though:
>> [...]
>> # zfs set "sharenfs=sec=krb5" rpool/export/home
>> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set to
>> invalid options
>>
>>
>> --
>> Greetings,
>> natxo
>>
>>
>> On Fri, Apr 12, 2013 at 11:30 PM, Sigbjorn Lie wrote:
>>
>>> Your syntax seems correct but you need to quote the value.
>>>
>>
>>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>

From sigbjorn at nixtra.com Sat Apr 13 11:55:29 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Sat, 13 Apr 2013 13:55:29 +0200
Subject: [Freeipa-users] bit OT: trouble getting nfsv4 with kerberos with ipa and opensolaris
In-Reply-To:
References: <7ce4a82e-26ca-44f9-940d-e9e2729a8bdf@email.android.com> <86460fd2-eb21-4eb0-b97e-6d26846a5f27@email.android.com>
Message-ID: <516947B1.1020109@nixtra.com>

No that syntax is correct.

# zfs create p00/test
# zfs set sharenfs='sec=krb5' p00/test

No errors on my system.

But have you remembered to enable krb5 in /etc/nfssec.conf? It is not enabled by default.

You may read this thread I wrote a while back for how to make NexentaStor work with FreeIPA. It will be the same setup for openindiana:
https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Rgds,
Siggi

On 04/13/2013 01:16 PM, Natxo Asenjo wrote:
> # zfs set sharenfs='sec=krb5' rpool/export/home
> cannot set property for 'rpool/export/home': 'sharenfs' cannot be set
> to invalid options
>
> I am starting to think this is a bug in illumos,
>
>
> Thanks anyway!
>
> --
> Greetings,
> natxo
>
>
> On Fri, Apr 12, 2013 at 11:57 PM, Sigbjorn Lie
> wrote:
>
> zfs set sharenfs='sec=krb5' pool/dataset
> [...]
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>

From janfrode at tanso.net Sun Apr 14 11:49:14 2013
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Sun, 14 Apr 2013 13:49:14 +0200
Subject: [Freeipa-users] sudo made a bit easier to configure
In-Reply-To:
References:
Message-ID: <20130414114914.GA11308@dibs.tanso.net>

On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
>
> I discovered that using this recipe makes setting up sudo-ldap very simple.
> Even when anonymous binds are disabled.
>
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT demand
> SASL_MECH GSSAPI
> BASE dc=domain,dc=com
> URI ldap://auth-ipa.domain.com
> ROOTUSE_SASL on
> SUDOERS_BASE ou=SUDOers,dc=domain,dc=com
> SUDOERS_DEBUG 2
>

I really liked that this configuration didn't need a binddn/bindpw in sudo-ldap.conf, but it only works for me if I do password login and am issued a kerberos ticket on the host, and not if I do ssh pubkey/GSS-API login to the host.

Do you have a pam config that issues a kerberos ticket on sudo auth so that it always works?

An even better config would be if we could use the host's keytab to bind to LDAP here..

-jf

From jhrozek at redhat.com Mon Apr 15 09:00:51 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 15 Apr 2013 11:00:51 +0200
Subject: [Freeipa-users] sudo made a bit easier to configure
In-Reply-To: <20130414114914.GA11308@dibs.tanso.net>
References: <20130414114914.GA11308@dibs.tanso.net>
Message-ID: <20130415090051.GG3820@hendrix.brq.redhat.com>

On Sun, Apr 14, 2013 at 01:49:14PM +0200, Jan-Frode Myklebust wrote:
> On Thu, Dec 20, 2012 at 04:43:08PM +0100, Han Boetes wrote:
> An even better config would be if we could use the host's keytab to bind
> to LDAP here..

Coming up as a default in sssd 1.10 (beta).

From aborrero at cica.es Mon Apr 15 13:16:19 2013
From: aborrero at cica.es (Arturo Borrero)
Date: Mon, 15 Apr 2013 15:16:19 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
Message-ID: <516BFDA3.30505@cica.es>

Hi there,

In a freshly installed server, I try:

# ipa-server-install
[...]
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Sample zone file for bind has been created in /tmp/sample.zone.NGKJk1.db
Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain cica.es --server sheldon.cica.es --realm CICA.ES --hostname sheldon.cica.es' returned non-zero exit status 1

If I see the ipa-client-install logs, I have:

[...]
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
args=klist -V
stdout=Kerberos 5 version 1.10.3

stderr=
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
Failed to initialize IPA API.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

I fit all prerequisites listed in fedora and redhat documentation:
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html

After this, if I try ipactl:

# ipactl start
Starting Directory Service
Starting dirsrv:
    CICA-ES... already running                 [  OK  ]
    PKI-IPA... already running                 [  OK  ]
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc': 'Unknown authentication method'}
Shutting down
Shutting down dirsrv:
    CICA-ES...                                 [  OK  ]
    PKI-IPA...                                 [  OK  ]

Any idea how to get rid of this error and continue installing/using?

regards

-- 
Arturo Borrero González
Departamento de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3072 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dpal at redhat.com Mon Apr 15 13:31:19 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Apr 2013 09:31:19 -0400
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To:
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com>
Message-ID: <516C0127.9030301@redhat.com>

On 04/12/2013 08:17 PM, Chandan Kumar wrote:
>
> Thanks for the response.
>
> The way we can turn off the anonymous bind in 389 Server is using
> "nsslapd-allow-anonymous-access: off".
>
> Is there any way to limit the read access of user to only to the DNS
> entries? In that way I can create a user who could/will be able to
> see/edit DNS entries only.

In general yes though it is not standard because as I mentioned earlier the tree is assumed to be readable to an authenticated user.
When user logs in the framework the UI or CLI will log into LDAP as a user and try to do operations. It will need to read user entry and groups and other things so closing read access to everything other than DNS would not work. You can close access to some of the objects but not to all of them.
It is still unclear what is the harm in ability to read other parts of the tree but not modify them.

To change the permissions you would have to use LDAP level ACI commands as we do not expose these capabilities via CLI or UI but be careful as I mentioned above you might end up hiding something that would prevent framework from functioning properly.

>
> Thanks,
> Chandan
>
> On Friday, April 12, 2013, Dmitri Pal wrote:
> [...]
>
> --
> http://about.me/chandank
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mkosek at redhat.com Mon Apr 15 13:33:19 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 15 Apr 2013 15:33:19 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516BFDA3.30505@cica.es>
References: <516BFDA3.30505@cica.es>
Message-ID: <516C019F.1040205@redhat.com>

On 04/15/2013 03:16 PM, Arturo Borrero wrote:
> Hi there,
>
> In a freshly installed server, I try:
>
> # ipa-server-install
> [...]
> regards
>

Hello Arturo,

This error could have been caused if /etc/ipa/default.conf was not created before ipa-client-install was executed.

Could you please check ipaserver-install.log and see if there are not any errors related to creating /etc/ipa/default.conf?

Does /etc/ipa/ exist?

Thanks,
Martin

From rcritten at redhat.com Mon Apr 15 13:39:26 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Apr 2013 09:39:26 -0400
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516C0127.9030301@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com>
Message-ID: <516C030E.4010800@redhat.com>

Dmitri Pal wrote:
> On 04/12/2013 08:17 PM, Chandan Kumar wrote:
>>
>> Thanks for the response.
>>
>> The way we can turn off the anonymous bind in 389 Server is using
>> "nsslapd-allow-anonymous-access: off".
>>
>> Is there any way to limit the read access of user to only to the DNS
>> entries? In that way I can create a user who could/will be able to
>> see/edit DNS entries only.
>
> In general yes though it is not standard because as I mentioned earlier
> the tree is assumed to be readable to an authenticated user.
> When user logs in the framework the UI or CLI will log into LDAP as a
> user and try to do operations. It will need to read user entry and
> groups and other things so closing read access to everything other than
> DNS would not work. You can close access to some of the objects but not
> to all of them.
> It is still unclear what is the harm in ability to read other parts of the
> tree but not modify them.
>
> To change the permissions you would have to use LDAP level ACI commands
> as we do not expose these capabilities via CLI or UI but be careful as I
> mentioned above you might end up hiding something that would prevent
> framework from functioning properly.

There is no easy way to do this.

We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords). You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something. It would be very prone to error, with probably lots of corner cases and overlap.

Do you really want to deny read access or do you want to simplify the UI to include only certain tabs/functions?

rob

From aborrero at cica.es Mon Apr 15 13:40:36 2013
From: aborrero at cica.es (Arturo Borrero)
Date: Mon, 15 Apr 2013 15:40:36 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516C019F.1040205@redhat.com>
References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com>
Message-ID: <516C0354.8050005@cica.es>

On 15/04/13 15:33, Martin Kosek wrote:
> On 04/15/2013 03:16 PM, Arturo Borrero wrote:
>> Hi there,
>>
>> In a freshly installed server, I try:
>>
>> # ipa-server-install
>> [...]
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>> args=klist -V
>> stdout=Kerberos 5 version 1.10.3
>>
>> stderr=
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>> Failed to initialize IPA API.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> I fit all prerequisites listed in the Fedora and Red Hat documentation:
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
>>
>>
>> After this, if I try ipactl:
>>
>> # ipactl start
>> Starting Directory Service
>> Starting dirsrv:
>>     CICA-ES... already running                     [  OK  ]
>>     PKI-IPA... already running                     [  OK  ]
>> Failed to read data from Directory Service: Unknown error when retrieving list
>> of services from LDAP: {'info': 'SASL(-4): no mechanism available: ', 'desc':
>> 'Unknown authentication method'}
>> Shutting down
>> Shutting down dirsrv:
>>     CICA-ES...                                     [  OK  ]
>>     PKI-IPA...                                     [  OK  ]
>>
>>
>> Any idea how to get rid of this error and continue installing/using?
>>
>> regards
>>
> Hello Arturo,
>
> This error could have been caused if /etc/ipa/default.conf was not created
> before ipa-client-install was executed.
>
> Could you please check ipaserver-install.log and see if there are not any
> errors related to creating /etc/ipa/default.conf?
>
> Does /etc/ipa/ exist?
>
> Thanks,
> Martin

Thanks,

/etc/ipa exists, with this content:

[root at sheldon ipa]# ll -R
.:
total 8
-r--r--r--. 1 root root 1295 abr 15 13:40 ca.crt
drwxr-xr-x. 2 root root 4096 abr 12 11:37 html

./html:
total 28
-rw-r--r--. 1 root root 3929 mar  8 15:10 browserconfig.html
-rw-r--r--. 1 root root 2871 mar  8 15:10 ffconfig.js
-rw-r--r--. 1 root root 4603 mar  8 15:10 ffconfig_page.js
-rw-r--r--. 1 root root  521 mar  8 15:10 ipa_error.css
-rw-r--r--. 1 root root 3974 mar  8 15:10 ssbrowser.html
-rw-r--r--. 1 root root 1370 mar  8 15:10 unauthorized.html

So, no /etc/ipa/default.conf exists.

Which package is intended to deploy it?

regards.

-- 
Arturo Borrero González
Departamento de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
From rcritten at redhat.com Mon Apr 15 13:50:12 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Apr 2013 09:50:12 -0400
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516C0354.8050005@cica.es>
References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com> <516C0354.8050005@cica.es>
Message-ID: <516C0594.9050802@redhat.com>

Arturo Borrero wrote:
> On 15/04/13 15:33, Martin Kosek wrote:
>> On 04/15/2013 03:16 PM, Arturo Borrero wrote:
>>> Hi there,
>>>
>>> In a freshly installed server, I try:
>>>
>>> # ipa-server-install
>>> [...]
>>>   [12/13]: restarting httpd
>>>   [13/13]: configuring httpd to start on boot
>>> Done configuring the web interface (httpd).
>>> Applying LDAP updates
>>> Restarting the directory server
>>> Restarting the KDC
>>> Sample zone file for bind has been created in /tmp/sample.zone.NGKJk1.db
>>> Restarting the web server
>>> Configuration of client side components failed!
>>> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>>> --on-master
>>> --unattended --domain cica.es --server sheldon.cica.es --realm CICA.ES
>>> --hostname sheldon.cica.es' returned non-zero exit status 1
>>>
>>> If I see the ipa-client-install logs, I have:
>>>
>>> [...]
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>>> args=klist -V
>>> stdout=Kerberos 5 version 1.10.3
>>>
>>> stderr=
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>>> Failed to initialize IPA API.
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>>
>>> I fit all prerequisites listed in the Fedora and Red Hat documentation:
>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
>>>
>>>
>>> After this, if I try ipactl:
>>>
>>> # ipactl start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     CICA-ES... already running                     [  OK  ]
>>>     PKI-IPA... already running                     [  OK  ]
>>> Failed to read data from Directory Service: Unknown error when
>>> retrieving list
>>> of services from LDAP: {'info': 'SASL(-4): no mechanism available: ',
>>> 'desc':
>>> 'Unknown authentication method'}
>>> Shutting down
>>> Shutting down dirsrv:
>>>     CICA-ES...                                     [  OK  ]
>>>     PKI-IPA...                                     [  OK  ]
>>>
>>>
>>> Any idea how to get rid of this error and continue installing/using?
>>>
>>> regards
>>>
>> Hello Arturo,
>>
>> This error could have been caused if /etc/ipa/default.conf was not
>> created
>> before ipa-client-install was executed.
>>
>> Could you please check ipaserver-install.log and see if there are not any
>> errors related to creating /etc/ipa/default.conf?
>>
>> Does /etc/ipa/ exist?
>>
>> Thanks,
>> Martin
> Thanks,
>
> /etc/ipa exists, with this content:
>
> [root at sheldon ipa]# ll -R
> .:
> total 8
> -r--r--r--. 1 root root 1295 abr 15 13:40 ca.crt
> drwxr-xr-x. 2 root root 4096 abr 12 11:37 html
>
> ./html:
> total 28
> -rw-r--r--. 1 root root 3929 mar  8 15:10 browserconfig.html
> -rw-r--r--. 1 root root 2871 mar  8 15:10 ffconfig.js
> -rw-r--r--. 1 root root 4603 mar  8 15:10 ffconfig_page.js
> -rw-r--r--. 1 root root  521 mar  8 15:10 ipa_error.css
> -rw-r--r--. 1 root root 3974 mar  8 15:10 ssbrowser.html
> -rw-r--r--. 1 root root 1370 mar  8 15:10 unauthorized.html
>
> So, no /etc/ipa/default.conf exists.
>
> Which package is intended to deploy it?

The server installer creates it.

I believe this file gets removed by the client when its install fails.

The server log may have some failures though, as suggested by Martin, so I'd start there.

rob

From mkosek at redhat.com Mon Apr 15 13:54:43 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 15 Apr 2013 15:54:43 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516C0594.9050802@redhat.com>
References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com> <516C0354.8050005@cica.es> <516C0594.9050802@redhat.com>
Message-ID: <516C06A3.1010805@redhat.com>

On 04/15/2013 03:50 PM, Rob Crittenden wrote:
> Arturo Borrero wrote:
>> On 15/04/13 15:33, Martin Kosek wrote:
>>> On 04/15/2013 03:16 PM, Arturo Borrero wrote:
>>>> Hi there,
>>>>
>>>> In a freshly installed server, I try:
>>>>
>>>> # ipa-server-install
>>>> [...]
>>>>   [12/13]: restarting httpd
>>>>   [13/13]: configuring httpd to start on boot
>>>> Done configuring the web interface (httpd).
>>>> Applying LDAP updates
>>>> Restarting the directory server
>>>> Restarting the KDC
>>>> Sample zone file for bind has been created in /tmp/sample.zone.NGKJk1.db
>>>> Restarting the web server
>>>> Configuration of client side components failed!
>>>> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
>>>> --on-master
>>>> --unattended --domain cica.es --server sheldon.cica.es --realm CICA.ES
>>>> --hostname sheldon.cica.es' returned non-zero exit status 1
>>>>
>>>> If I see the ipa-client-install logs, I have:
>>>>
>>>> [...]
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>>>> args=klist -V
>>>> stdout=Kerberos 5 version 1.10.3
>>>>
>>>> stderr=
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>>>> importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>>>> Failed to initialize IPA API.
>>>> Installation failed. Rolling back changes.
>>>> IPA client is not configured on this system.
>>>>
>>>> I fit all prerequisites listed in the Fedora and Red Hat documentation:
>>>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
>>>>
>>>>
>>>> After this, if I try ipactl:
>>>>
>>>> # ipactl start
>>>> Starting Directory Service
>>>> Starting dirsrv:
>>>>     CICA-ES... already running                     [  OK  ]
>>>>     PKI-IPA... already running                     [  OK  ]
>>>> Failed to read data from Directory Service: Unknown error when
>>>> retrieving list
>>>> of services from LDAP: {'info': 'SASL(-4): no mechanism available: ',
>>>> 'desc':
>>>> 'Unknown authentication method'}
>>>> Shutting down
>>>> Shutting down dirsrv:
>>>>     CICA-ES...                                     [  OK  ]
>>>>     PKI-IPA...                                     [  OK  ]
>>>>
>>>>
>>>> Any idea how to get rid of this error and continue installing/using?
>>>>
>>>> regards
>>>>
>>> Hello Arturo,
>>>
>>> This error could have been caused if /etc/ipa/default.conf was not
>>> created
>>> before ipa-client-install was executed.
>>>
>>> Could you please check ipaserver-install.log and see if there are not any
>>> errors related to creating /etc/ipa/default.conf?
>>>
>>> Does /etc/ipa/ exist?
>>>
>>> Thanks,
>>> Martin
>> Thanks,
>>
>> /etc/ipa exists, with this content:
>>
>> [root at sheldon ipa]# ll -R
>> .:
>> total 8
>> -r--r--r--. 1 root root 1295 abr 15 13:40 ca.crt
>> drwxr-xr-x. 2 root root 4096 abr 12 11:37 html
>>
>> ./html:
>> total 28
>> -rw-r--r--. 1 root root 3929 mar  8 15:10 browserconfig.html
>> -rw-r--r--. 1 root root 2871 mar  8 15:10 ffconfig.js
>> -rw-r--r--. 1 root root 4603 mar  8 15:10 ffconfig_page.js
>> -rw-r--r--. 1 root root  521 mar  8 15:10 ipa_error.css
>> -rw-r--r--. 1 root root 3974 mar  8 15:10 ssbrowser.html
>> -rw-r--r--. 1 root root 1370 mar  8 15:10 unauthorized.html
>>
>> So, no /etc/ipa/default.conf exists.
>>
>> Which package is intended to deploy it?
>
> The server installer creates it.
>
> I believe this file gets removed by the client when its install fails.
>
> The server log may have some failures though, as suggested by Martin, so I'd
> start there.
>
> rob

This file is created right after the wizard part of ipa-server-install, so by the time the services are being configured it should be there (you can check that and get its contents). Unfortunately, there is no logging around it, so you may not see much info in your ipaserver-install.log...

BTW, I really suspect that a missing or unreadable /etc/ipa/default.conf may be the root cause of this issue; I reproduced this exact message when I ran "ipa-client-install --on-master" on a clean VM without /etc/ipa/default.conf.

Martin

From pspacek at redhat.com Mon Apr 15 14:15:59 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 15 Apr 2013 16:15:59 +0200
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516C030E.4010800@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com>
Message-ID: <516C0B9F.90207@redhat.com>

On 15.4.2013 15:39, Rob Crittenden wrote:
> There is no easy way to do this. We start with granting all authenticated
> users read access to the tree with the exception of certain attributes (like
> passwords).
>
> You'd have to start by removing that, then one by one granting read access to
> the various containers based on, well, something.

Would it be possible to create a new role to allow the current 'read-all access' and add this role to all users by default?

It could be much simpler to change the behaviour with this role, or not?
:-)

-- 
Petr Spacek

From abokovoy at redhat.com Mon Apr 15 14:49:35 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 15 Apr 2013 17:49:35 +0300
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516C0B9F.90207@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com>
Message-ID: <20130415144935.GO6823@redhat.com>

On Mon, 15 Apr 2013, Petr Spacek wrote:
>On 15.4.2013 15:39, Rob Crittenden wrote:
>>There is no easy way to do this. We start with granting all authenticated
>>users read access to the tree with the exception of certain attributes (like
>>passwords).
>>
>>You'd have to start by removing that, then one by one granting read access to
>>the various containers based on, well, something.
>
>Would it be possible to create a new role to allow current 'read-all
>access' and add this role to all users by default?
>
>It could be much simpler to change the behaviour with this role, or not? :-)

It would affect service accounts (including host/fqdn at REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read-only access...

-- 
/ Alexander Bokovoy

From chandank.kumar at gmail.com Mon Apr 15 15:11:53 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 15 Apr 2013 08:11:53 -0700
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <20130415144935.GO6823@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com>
Message-ID:

I think controlling the visibility of tabs would be the best option, if possible, based on roles as mentioned by Rob. As long as other entries are not visible in the UI, even though they have read-only access from the command line, that should be enough.
On Monday, April 15, 2013, Alexander Bokovoy wrote:
> On Mon, 15 Apr 2013, Petr Spacek wrote:
>
>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>
>>> There is no easy way to do this. We start with granting all authenticated
>>> users read access to the tree with the exception of certain attributes
>>> (like
>>> passwords).
>>>
>>> You'd have to start by removing that, then one by one granting read
>>> access to
>>> the various containers based on, well, something.
>>>
>>
>> Would it be possible to create a new role to allow current 'read-all
>> access' and add this role to all users by default?
>>
>> It could be much simpler to change the behaviour with this role, or not?
>> :-)
>>
> It would affect service accounts (include host/fqdn at REALM) since roles
> cannot be applied to them, if I remember correctly. We would need to
> make an exclusive ACI that allows all services to gain read only access...
>
> --
> / Alexander Bokovoy
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
http://about.me/chandank

From Adam.Bishop at ja.net Mon Apr 15 15:45:17 2013
From: Adam.Bishop at ja.net (Adam Bishop)
Date: Mon, 15 Apr 2013 15:45:17 +0000
Subject: [Freeipa-users] FreeIPA dual stacked
Message-ID: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>

Hi,

I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.

The server hostname resolves to more than one address:
  yyyy:yyyy:yyyy:yyyy::4
  xxx.xxx.xxx.180
Please provide the IP address to be used for this host name:

The answer I would like to give here is both - is this a limitation of the installation script that I can fix up later, or is FreeIPA incompatible with dual-stacked hosts at the moment?

Thanks,

Adam Bishop

gpg: 0x6609D460

Janet, the UK's research and education network.
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

From erinn.looneytriggs at gmail.com Mon Apr 15 16:06:52 2013
From: erinn.looneytriggs at gmail.com (Erinn Looney-Triggs)
Date: Mon, 15 Apr 2013 10:06:52 -0600
Subject: [Freeipa-users] FreeIPA dual stacked
In-Reply-To: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
References: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
Message-ID: <516C259C.3000601@gmail.com>

On 04/15/2013 09:45 AM, Adam Bishop wrote:
> Hi,
>
> I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.
>
> The server hostname resolves to more than one address:
>   yyyy:yyyy:yyyy:yyyy::4
>   xxx.xxx.xxx.180
> Please provide the IP address to be used for this host name:
>
> The answer I would like to give here is both - is this a limitation of the installation script that I can fix up later, or is FreeIPA incompatible with dual-stacked hosts at the moment?
>
> Thanks,
>
> Adam Bishop
>
> gpg: 0x6609D460
>
> Janet, the UK's research and education network.
>
>
> Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
> not-for-profit company which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

Probably the installer. I have a dual stacked IPA setup that is working just fine, though when it was originally installed it was running only IPv4.

-Erinn
From jdennis at redhat.com Mon Apr 15 16:45:21 2013
From: jdennis at redhat.com (John Dennis)
Date: Mon, 15 Apr 2013 12:45:21 -0400
Subject: [Freeipa-users] FreeIPA dual stacked
In-Reply-To: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
References: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
Message-ID: <516C2EA1.4010000@redhat.com>

On 04/15/2013 11:45 AM, Adam Bishop wrote:
> Hi,
>
> I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.
>
> The server hostname resolves to more than one address:
>   yyyy:yyyy:yyyy:yyyy::4
>   xxx.xxx.xxx.180
> Please provide the IP address to be used for this host name:
>
> The answer I would like to give here is both - is this a limitation of the installation script that I can fix up later, or is FreeIPA incompatible with dual-stacked hosts at the moment?

We're supposed to work fine with IPv6. Dual stack should also be fine. I know we've done a bunch of testing in this area but apparently something fell through the cracks. I suspect this is an installer-only issue where its validation logic is not sufficiently robust. Please open a bug report so we can address this.

I think if you pick one of the addresses and let the install proceed everything should just work. Please let us know if it doesn't.

I'm not surprised we still have some IPv6 bumps to smooth out; it doesn't get exercised as much as IPv4. FWIW we fully expect IPv6 enabled systems to be dual stack.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From sigbjorn at nixtra.com Mon Apr 15 17:07:23 2013
From: sigbjorn at nixtra.com (Sigbjorn Lie)
Date: Mon, 15 Apr 2013 19:07:23 +0200
Subject: [Freeipa-users] FreeIPA dual stacked
In-Reply-To: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
References: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net>
Message-ID: <516C33CB.4090506@nixtra.com>

On 04/15/2013 05:45 PM, Adam Bishop wrote:
> Hi,
>
> I've just had a go at deploying FreeIPA v3.1.3 and have hit a minor road bump.
>
> The server hostname resolves to more than one address:
>   yyyy:yyyy:yyyy:yyyy::4
>   xxx.xxx.xxx.180
> Please provide the IP address to be used for this host name:
>
> The answer I would like to give here is both - is this a limitation of the installation script that I can fix up later, or is FreeIPA incompatible with dual-stacked hosts at the moment?
>
> Thanks,
>

My IPA was installed having dual stack from the beginning and is working just fine with dual stack today. That was IPA 2.1.3 when I originally installed it.

Regards,
Siggi

From christianh at 4over.com Mon Apr 15 17:12:55 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 10:12:55 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
Message-ID:

Hello,

From time to time we are getting complaints that I can sum up as "I cannot log in to server X"

Here is a snippet of the /var/log/sssd/sssd_DOMAIN.log ...
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): domain: 4OVER.COM
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): user: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): service: vsftpd
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): tty: ftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): ruser: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): rhost: mammoth.4over.com
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): priv: 1
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): cli_pid: 17841
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][4OVER.COM]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Sent result [0][4OVER.COM]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): domain: 4OVER.COM
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): user: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): service: vsftpd
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): tty: ftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): ruser: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): rhost: mammoth.4over.com
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): priv: 1
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): cli_pid: 17841
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Sending result [0][4OVER.COM]
(Mon Apr 15 09:37:00 2013) [sssd[be[4OVER.COM]]] [be_get_account_info] (0x0100): Got request for [3][1][name=tradeftp]
(Mon Apr 15 09:37:00 2013) [sssd[be[4OVER.COM]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=4over,dc=com, returned 0 results. Skipping

Here (more interesting) is the krb log file:

(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [tradeftp at 4OVER.COM]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [tradeftp at 4OVER.COM]
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [tradeftp at 4OVER.COM]
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Apr 15 09:37:00 2013) [[sssd[krb5_child[17871]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [tradeftp at 4OVER.COM]
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_NgD4RE] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Apr 15 09:37:01 2013) [[sssd[krb5_child[17881]]]] [krb5_child_setup] (0x0100): Not using FAST.

Here is the ldap_child.log file...
(Mon Apr 15 09:41:27 2013) [[sssd[ldap_child[18435]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18779]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18779]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18779]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18779]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/xx.la3.4over.com at 4OVER.COM' not found in Kerberos database
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18779]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18780]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18780]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Apr 15 09:43:10 2013) [[sssd[ldap_child[18780]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:43:55 2013) [[sssd[ldap_child[18884]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]
(Mon Apr 15 09:43:55 2013) [[sssd[ldap_child[18884]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Apr 15 09:43:55 2013) [[sssd[ldap_child[18884]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:44:50 2013) [[sssd[ldap_child[19099]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]
(Mon Apr 15 09:44:50 2013) [[sssd[ldap_child[19099]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Apr 15 09:44:50 2013) [[sssd[ldap_child[19099]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20244]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20244]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20244]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20244]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Client 'host/xx.la3.4over.com at 4OVER.COM' not found in Kerberos database
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20244]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Mon Apr 15 09:59:46 2013) [[sssd[ldap_child[20245]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/xx.la3.4over.com at 4OVER.COM]

Now restarting the SSSD daemon alleviates the issue - but the problem still creeps up after a day or two.

I'm running 2.1.90.rc1 on CentOS 6.3 - I have 3 IPA servers that are multimaster.

--Christian

From rcritten at redhat.com Mon Apr 15 18:29:18 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Apr 2013 14:29:18 -0400
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To:
References:
Message-ID: <516C46FE.9000206@redhat.com>

Christian Hernandez wrote:
> Hello,
>
> From time to time we are getting complaints that I can sum up as "I
> cannot log in to server X"
>
> Here is a snippet of the /var/log/sssd/sssd_DOMAIN.log ...
> [...]
>
> Now restarting the SSSD daemon alleviates the issue - but the problem
> still creeps up after a day or two.
>
> I'm running 2.1.90.rc1 on CentOS 6.3 - I have 3 IPA servers that are
> multimaster.

A pre-release of IPA... You might consider upgrading to the latest, at least an official 2.x release for RHEL. I don't believe the version is related to these problems though.

What version of sssd is this?

There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).

I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
rob

From christianh at 4over.com Mon Apr 15 19:01:43 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 12:01:43 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To: <516C46FE.9000206@redhat.com>
References: <516C46FE.9000206@redhat.com>

We are running 1.9.2

Looks like 3.0 is available for my build of CentOS ~ Any suggestions on how to proceed to updating? Is Multimaster replication "sustained" during updating?

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com
www.4over.com

On Mon, Apr 15, 2013 at 11:29 AM, Rob Crittenden wrote:

> Christian Hernandez wrote:
>
>> Hello,
>>
>> From time to time we are getting complaints that I can sum up as "I
>> cannot log in to server X"
>>
>> Here is a snippet of the /var/log/sssd/sssd_DOMAIN.log ...
>>
>> [...]
>>
>> Now restarting the SSSD daemon alleviates the issue - but the problem
>> still creeps up after a day or two.
>>
>> I'm running 2.1.90.rc1 on CentOS 6.3 - I have 3 IPA servers that are
>> multimaster.
>
> A pre-release of IPA... You might consider upgrading to the latest, at
> least an official 2.x release for RHEL. I don't believe the version is
> related to these problems though.
>
> What version of sssd is this?
>
> There are some odd errors in ldap_child.log but it seems to cover a later
> period than the other logs (not being able to bind using its keytab is a
> bad thing).
>
> I think what you'll want to do, and this may be relatively tough, is try
> to correlate these failures with the 389-ds access log and the KDC logs to
> see if there are equivalent failures at around the same times.
>
> rob

From dpal at redhat.com Mon Apr 15 22:13:41 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Apr 2013 18:13:41 -0400
Subject: [Freeipa-users] User Roles and access in GUI
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com>
Message-ID: <516C7B95.70809@redhat.com>

On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>
> I think controlling Visibility of tabs would be the best option, if
> possible, based on Roles as mentioned by Rob. As long as other entries
> are not visible in UI, even though they have read only access with
> command line, should be enough.
>

It would not be a security feature though.
Just a convenience because the same admin would be able to bind directly to ldap and run a search. This is why we did not go this route. Yes we can hide panels but it would not mean that the user can't easily get that info. So is there really a value in hiding? So far we did not see any, this is why we did not do it, but maybe you have some arguments that might convince us that we are wrong. Can you please share these arguments with us?

> On Monday, April 15, 2013, Alexander Bokovoy wrote:
>
>> On Mon, 15 Apr 2013, Petr Spacek wrote:
>>
>>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>>
>>>> There is no easy way to do this. We start with granting all authenticated
>>>> users read access to the tree with the exception of certain attributes (like
>>>> passwords).
>>>>
>>>> You'd have to start by removing that, then one by one granting read access to
>>>> the various containers based on, well, something.
>>>
>>> Would it be possible to create a new role to allow current
>>> 'read-all access' and add this role to all users by default?
>>>
>>> It could be much simpler to change the behaviour with this
>>> role, or not? :-)
>>
>> It would affect service accounts (include host/fqdn at REALM) since roles
>> cannot be applied to them, if I remember correctly. We would need to
>> make an exclusive ACI that allows all services to gain read only
>> access...
>>
>> --
>> / Alexander Bokovoy
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> http://about.me/chandank

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From sbingram at gmail.com Mon Apr 15 23:14:47 2013
From: sbingram at gmail.com (Stephen Ingram)
Date: Mon, 15 Apr 2013 16:14:47 -0700
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516C7B95.70809@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com>

On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal wrote:

> On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>
>> I think controlling Visibility of tabs would be the best option, if
>> possible, based on Roles as mentioned by Rob. As long as other entries are
>> not visible in UI, even though they have read only access with command
>> line, should be enough.
>
> It would not be a security feature though. Just a convenience because the
> same admin would be able to bind directly to ldap and run a search. This is
> why we did not go this route. Yes we can hide panels but it would not mean
> that the user can't easily get that info. So is there really a value in
> hiding? So far we did not see any, this is why we did not do it, but maybe
> you have some arguments that might convince us that we are wrong. Can you
> please share these arguments with us?

I wasn't involved in this thread before now, however, in our case we do not allow LDAP access (only Kerberos and WebUI) from outside the firewall so there *could* be a distinction between the two. I could also present that some users have been confused when they log in to change their personal information and see a huge list of other users. Of course, they are directed to their information first upon login, however, we all know that one wrong click can always happen with some users. Perhaps it's better to just put together a new WebUI using the Python API, however, with the fantastic new password reset page in 3.x, I've become lazy and let users access IPA directly.
Steve

From rendhalver at gmail.com Mon Apr 15 23:14:47 2013
From: rendhalver at gmail.com (Peter Brown)
Date: Tue, 16 Apr 2013 09:14:47 +1000
Subject: [Freeipa-users] LDAP authentication for 3rd party
In-Reply-To: <5168134B.20702@redhat.com>
References: <51670946.3080501@redhat.com> <5168134B.20702@redhat.com>

On 12 April 2013 23:59, Rich Megginson wrote:

> On 04/11/2013 11:58 PM, Peter Brown wrote:
>
>> On 12 April 2013 15:51, Simon Williams wrote:
>>
>>> I use Atlassian products, but use Crowd to provide single signon. This
>>> means that Crowd is the only application that needs to authenticate against
>>> LDAP. I found that I had to tell Crowd that the server was 389 DS. I could
>>> not get it to work set to OpenLDAP.
>>
>> I had a look at crowd but it seemed like overkill when I could just
>> point everything at FreeIPA.
>> We are a small shop so the extra queries weren't going to affect much.
>> I tried telling my Atlassian apps that freeipa was a 389 ds server but
>> it refused to work properly.
>
> Not sure what that means, exactly. Check the 389 access logs to see what
> operations Atlassian is performing against 389.

I don't remember the exact error and they get used every day and they work as is, so I will have to wait for an update to switch it over to see what errors it produces.

>> Slightly strange considering the ldap modules for all of them are the
>> same as the one used in crowd.
>>
>>> Regards
>>>
>>> Simon
>>>
>>> On 11 Apr 2013 23:36, "Peter Brown" wrote:
>>>
>>>> On 12 April 2013 05:04, John Dennis wrote:
>>>>
>>>>> On 04/11/2013 02:47 PM, Bartek Moczulski wrote:
>>>>>
>>>>>> hi,
>>>>>> I've got a problem with using IPA as authentication source over LDAP.
>>>>>> Generally there are two approaches to LDAP authentication:
>>>>>> 1. bind using admin account and read passwords from user objects (but
>>>>>> in ipa you cannot read passwords through ldap, right?)
>>>>>> 2. "bind to authenticate" - service tries to log in to ldap with user's
>>>>>> credentials. If login is successful authentication is also successful -
>>>>>> this approach does not work because you cannot log in to IPA ldap using
>>>>>> bare username, you need a full LDAP DN.
>>>>>
>>>>> Most applications I know of that do "bind as user" to authenticate
>>>>> also permit you to specify a format string into which the user name is
>>>>> inserted (i.e. the format string is the dn, e.g.
>>>>> "uid=%u,cn=users,cn=accounts,dc=example,dc=com") -or- they do a search to
>>>>> discover the dn. If your application does not support either approach it's
>>>>> broken IMHO.
>>>>
>>>> I have used this method for Confluence, Jira, Stash, Icinga and Foreman.
>>>> I will be adding more applications in the future as well.
>>>> If the application doesn't support Kerberos it's the next best thing
>>>> in my opinion.
>>>> I have also used it to get email lists into dovecot and postfix.
>>>>
>>>> One caveat I found is you need to tell Atlassian applications that
>>>> FreeIPA is a plain OpenLDAP server to get it to work.
>>>> Apart from that it works "out of the box" as they say.
>>>>
>>>>> Reading passwords and/or password hashes is not supported for security
>>>>> reasons.
>>>>>
>>>>>> Now, I've got a 3rd party application supporting both mentioned above
>>>>>> approaches and the question is - how to make it work with ipa?
>>>>>>
>>>>>> thanks in advance,
>>>>>> Bartek.
>>>>>
>>>>> --
>>>>> John Dennis
>>>>>
>>>>> Looking to carve out IT costs?
>>>> www.redhat.com/carveoutcosts/

From jhrozek at redhat.com Mon Apr 15 23:19:52 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Tue, 16 Apr 2013 01:19:52 +0200
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To: <516C46FE.9000206@redhat.com>
References: <516C46FE.9000206@redhat.com>
Message-ID: <20130415231952.GA2024@hendrix.redhat.com>

On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>
> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.

I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".
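John Dennis's two "bind as user" options in the LDAP thread above (a DN format string, or a search to discover the DN) have two pitfalls a defender cares about: the user name has to be escaped before it goes into a DN or a search filter, and an empty password has to be refused before the bind, because a simple bind with a DN and no password is an unauthenticated bind that succeeds (RFC 4513 section 5.1.2). The following added example, which is not from the thread or from FreeIPA, shows both approaches against a constructed in-memory stand-in for the directory; the ToyDirectory class, the sample accounts and the escaping helpers are assumptions made here.

```python
import hmac
import re

# FreeIPA's user container, in the format-string form John Dennis quotes.
DN_TEMPLATE = "uid=%u,cn=users,cn=accounts,dc=example,dc=com"
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


class ToyDirectory:
    """Constructed in-memory stand-in for the 389-ds behind FreeIPA."""

    def __init__(self, users):
        self.entries = {}
        for uid, password in users.items():
            dn = DN_TEMPLATE.replace("%u", escape_dn_value(uid))
            self.entries[dn] = (uid, password)

    def simple_bind(self, dn, password):
        # Like a real server: a DN with an empty password is an
        # unauthenticated bind and "succeeds" as anonymous.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(entry[1], password)

    def search(self, base, flt):
        # The toy only understands "(uid=value)" equality filters.
        m = re.fullmatch(r"\(uid=((?:[^\\()*]|\\[0-9a-fA-F]{2})*)\)", flt)
        if m is None:
            raise ValueError("unsupported filter: %r" % flt)
        uid = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [dn for dn, (u, _) in self.entries.items()
                if u == uid and dn.endswith(base)]


def auth_by_template(directory, username, password):
    """Approach 1: build the DN from the format string and bind as the user."""
    if password == "":
        return False  # never let an empty password become an anonymous bind
    dn = DN_TEMPLATE.replace("%u", escape_dn_value(username))
    return directory.simple_bind(dn, password)


def auth_by_search(directory, username, password):
    """Approach 2: search for the DN (filter value escaped), then bind."""
    if password == "":
        return False
    hits = directory.search(USER_BASE, "(uid=%s)" % escape_filter_value(username))
    if len(hits) != 1:  # unknown user, or an ambiguous match: refuse
        return False
    return directory.simple_bind(hits[0], password)


# Constructed sample accounts, not real credentials.
SAMPLE = ToyDirectory({"alice": "correct horse", "bob": "hunter2"})

if __name__ == "__main__":
    print(auth_by_template(SAMPLE, "alice", "correct horse"))  # True
    print(auth_by_search(SAMPLE, "bob", "wrong"))              # False
    print(auth_by_search(SAMPLE, "*", "anything"))             # False
    print(auth_by_template(SAMPLE, "alice", ""))               # False
```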
From chandank.kumar at gmail.com Mon Apr 15 23:42:11 2013
From: chandank.kumar at gmail.com (Chandan Kumar)
Date: Mon, 15 Apr 2013 16:42:11 -0700
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516C7B95.70809@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com>
Message-ID:

I agree it won't be a security feature, nor are you doing wrong by not adding it. However, it might come as a nice-to-have feature. Let me explain my condition.

We host a web application where a lot of DNS entries (Public and Internal) are created for different kinds of requests and features. Now we already have a separate DNS server, and separate manual Linux User/Access Control management by puppet. Linux user ACLs have no relationship with the web application user (which is internal to the web app).

So FreeIPA can help me to centralize the Linux user management as well as (Public and Internal) DNS. However, the problem is: traditionally the access levels were different for DNS users (support guys) and user management (sysadmins). Now, bringing both systems together, even the Host based access control and sudoers rules, everything becomes visible to the non-sysadmin group.

You are right that every user could query all entries from the command line and hence it won't help to secure the system, but not having it in the GUI may help to avoid "obvious" visibility of the whole directory.

I believe similar GUI "views" could be applied to the discussion at http://osdir.com/ml/freeipa-users/2013-03/msg00218.html where geographically separate Organization units may share the same directory with limited visibility on other branches.

Having said that, I am not sure how feasible/logical my view is owing to my limited knowledge in 389 directory server and IPA.
Thanks
Chandan

On Monday, April 15, 2013, Dmitri Pal wrote:
> On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>> I think controlling Visibility of tabs would be the best option, if possible, based on Roles as mentioned by Rob. As long as other entries are not visible in UI, even though they have read only access with command line, should be enough.
>
> It would not be a security feature though. Just a convenience because the same admin would be able to bind directly to ldap and run a search. This is why we did not go this route. Yes we can hide panels but it would not mean that the user can't easily get that info. So is there really a value in hiding? So far we did not see any this is why we did not do it, but may be you have some arguments that might convince us that we are wrong. Can you please share these arguments with us?
>
>> On Monday, April 15, 2013, Alexander Bokovoy wrote:
>>> On Mon, 15 Apr 2013, Petr Spacek wrote:
>>>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>>>> There is no easy way to do this. We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords).
>>>>>
>>>>> You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something.
>>>>
>>>> Would it be possible to create a new role to allow current 'read-all access' and add this role to all users by default?
>>>>
>>>> It could be much simpler to change the behaviour with this role, or not? :-)
>>>
>>> It would affect service accounts (include host/fqdn at REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read only access...
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> http://about.me/chandank
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

--
http://about.me/chandank

From christianh at 4over.com Mon Apr 15 23:58:00 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 16:58:00 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To: <20130415231952.GA2024@hendrix.redhat.com>
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com>
Message-ID:

Okay,

So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...

But I think maybe replication broke?

[root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
Invalid password

Any ideas?

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com
www.4over.com

On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek wrote:
> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>>
>> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
>
> I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".

From christianh at 4over.com Tue Apr 16 00:41:37 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 17:41:37 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To:
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com>
Message-ID:

Yup, looks like replication is broken =\

[root at ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[root at ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[root at ipa1.gln.4over.com ipa]# ipa-replica-manage list
ipa1.la3.4over.com: master
ipa1.gln.4over.com: master
ipa1.da2.4over.com: master

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com
www.4over.com

On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez wrote:
> Okay,
>
> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...
>
> But I think may be replication broke?
>
> [root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
> Invalid password
>
> Any ideas?
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christianh at 4over.com
> www.4over.com
>
> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek wrote:
>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>>>
>>> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
>>
>> I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".

From dpal at redhat.com Tue Apr 16 01:16:23 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Apr 2013 21:16:23 -0400
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To:
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com>
Message-ID: <516CA667.2080700@redhat.com>

On 04/15/2013 07:42 PM, Chandan Kumar wrote:
> I agree it won't be a security feature nor you are doing wrong by not adding it. However, it might come as nice to have feature. Let me explain you my condition.
>
> We host web application where lot of DNS entries (Public and Internal) are created for different kind of requests and features. Now we already have a separate DNS server, Separate Manual Linux User/Access Control management by puppet. Linux users ACL have no relationship with the web application user (which is internal to the web app).
>
> So FreeIPA can help me to centralize the Linux user-management as well as (Public and Internal) DNS. However, the problem is : traditionally the access levels were different for DNS users (support guys) and user management (sysadmins). Now bring both system together even the Host based access control, sudoers rule everything becomes visible to non-sysadmin group.
>
> You are right that every user could query all entries from command line and hence it won't help to secure the system, but not having it on GUI may help to avoid "obvious" visibility of the whole directory.
>
> I believe similar GUI "views" could be applied for discussion
>
> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>
> where geographically separate Organization units may share the same directory with limited visibility on other branches.
>
> Having said that, I am not sure how feasible/logical my view is owing to my limited knowledge in 389 directory server and IPA.

I think you are talking about this: https://fedorahosted.org/freeipa/ticket/217 and somewhat about this: https://fedorahosted.org/freeipa/ticket/1313

Would you mind adding the details of your use case to one of those two tickets? Alternatively we can start another ticket. However, I think we should have some kind of a complete solution that covers LDAP, UI and CLI consistently. Doing it right would be a huge task IMO. For LDAP we would probably have to implement some kind of "smart" proxy that would reply only to the requests that users are entitled to. Same with CLI and UI.
But the point is that one configuration should be respected by all three at the same time. For example, if you are not allowed to manage sudo, the sudo commands should not return any data, nor should LDAP searches, and there should be no panel in the UI. I am really reluctant to fix just the UI because we would end up with different components of the system behaving differently, and it would be hard to evolve and maintain them.

Thanks
Dmitri

> Thanks
> Chandan
>
> On Monday, April 15, 2013, Dmitri Pal wrote:
>> On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>>> I think controlling Visibility of tabs would be the best option, if possible, based on Roles as mentioned by Rob. As long as other entries are not visible in UI, even though they have read only access with command line, should be enough.
>>
>> It would not be a security feature though. Just a convenience because the same admin would be able to bind directly to ldap and run a search. This is why we did not go this route. Yes we can hide panels but it would not mean that the user can't easily get that info. So is there really a value in hiding? So far we did not see any this is why we did not do it, but may be you have some arguments that might convince us that we are wrong. Can you please share these arguments with us?
>>
>>> On Monday, April 15, 2013, Alexander Bokovoy wrote:
>>>> On Mon, 15 Apr 2013, Petr Spacek wrote:
>>>>> On 15.4.2013 15:39, Rob Crittenden wrote:
>>>>>> There is no easy way to do this. We start with granting all authenticated users read access to the tree with the exception of certain attributes (like passwords).
>>>>>>
>>>>>> You'd have to start by removing that, then one by one granting read access to the various containers based on, well, something.
>>>>>
>>>>> Would it be possible to create a new role to allow current 'read-all access' and add this role to all users by default?
>>>>>
>>>>> It could be much simpler to change the behaviour with this role, or not? :-)
>>>>
>>>> It would affect service accounts (include host/fqdn at REALM) since roles cannot be applied to them, if I remember correctly. We would need to make an exclusive ACI that allows all services to gain read only access...
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>
>>> --
>>> http://about.me/chandank
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
> --
> http://about.me/chandank

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
From dpal at redhat.com Tue Apr 16 01:21:57 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Mon, 15 Apr 2013 21:21:57 -0400
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To:
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com>
Message-ID: <516CA7B5.9090204@redhat.com>

On 04/15/2013 08:41 PM, Christian Hernandez wrote:
> Yup, looks like replication is broken =\
>
> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list
> ipa1.la3.4over.com: master
> ipa1.gln.4over.com: master
> ipa1.da2.4over.com: master

Do the machines resolve each other correctly?

> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext. 4566
> Fax: 818-265-3152
> christianh at 4over.com
> www.4over.com
>
> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez wrote:
>> Okay,
>>
>> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...
>>
>> But I think may be replication broke?
>>
>> [root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
>> Invalid password
>>
>> Any ideas?
>>
>> Thank you,
>>
>> Christian Hernandez
>> 1225 Los Angeles Street
>> Glendale, CA 91204
>> Phone: 877-782-2737 ext.
>> 4566
>> Fax: 818-265-3152
>> christianh at 4over.com
>> www.4over.com
>>
>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek wrote:
>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>>> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>>>>
>>>> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
>>>
>>> I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From christianh at 4over.com Tue Apr 16 01:58:06 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 18:58:06 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To: <516CA7B5.9090204@redhat.com>
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com> <516CA7B5.9090204@redhat.com>
Message-ID:

Yes; I verified that both forward and reverse DNS match on all nodes.

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext.
4566
Fax: 818-265-3152
christianh at 4over.com
www.4over.com

On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal wrote:
> On 04/15/2013 08:41 PM, Christian Hernandez wrote:
>> Yup, looks like replication is broken =\
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
>> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
>> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list
>> ipa1.la3.4over.com: master
>> ipa1.gln.4over.com: master
>> ipa1.da2.4over.com: master
>
> Do the machines resolve each other correctly?
>
>> Thank you,
>>
>> Christian Hernandez
>> 1225 Los Angeles Street
>> Glendale, CA 91204
>> Phone: 877-782-2737 ext. 4566
>> Fax: 818-265-3152
>> christianh at 4over.com
>> www.4over.com
>>
>> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez wrote:
>>> Okay,
>>>
>>> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...
>>>
>>> But I think may be replication broke?
>>>
>>> [root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
>>> Invalid password
>>>
>>> Any ideas?
>>>
>>> Thank you,
>>>
>>> Christian Hernandez
>>> 1225 Los Angeles Street
>>> Glendale, CA 91204
>>> Phone: 877-782-2737 ext. 4566
>>> Fax: 818-265-3152
>>> christianh at 4over.com
>>> www.4over.com
>>>
>>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek wrote:
>>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>>>> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>>>>>
>>>>> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
>>>>
>>>> I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

From christianh at 4over.com Tue Apr 16 02:11:09 2013
From: christianh at 4over.com (Christian Hernandez)
Date: Mon, 15 Apr 2013 19:11:09 -0700
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To:
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com> <516CA7B5.9090204@redhat.com>
Message-ID:

Looks like I've narrowed it down to...something...
[root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
Failed to get data from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

[root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
ipa1.gln.4over.com: replica
ipa1.la3.4over.com: replica

[root at ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
ipa1.da2.4over.com: replica
ipa1.gln.4over.com: replica

[root at ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
ipa-admintools-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64

Although when I try to remove the replication agreement...I can't =\

[root at ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname) ipa1.gln.4over.com
Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Thank you,

Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christianh at 4over.com
www.4over.com

On Mon, Apr 15, 2013 at 6:58 PM, Christian Hernandez wrote:
> Yes; I verified that both forward and reverse DNS match on all nodes.
>
> Thank you,
>
> Christian Hernandez
> 1225 Los Angeles Street
> Glendale, CA 91204
> Phone: 877-782-2737 ext.
> 4566
> Fax: 818-265-3152
> christianh at 4over.com
> www.4over.com
>
> On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal wrote:
>> On 04/15/2013 08:41 PM, Christian Hernandez wrote:
>>> Yup, looks like replication is broken =\
>>>
>>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
>>> Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>
>>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
>>> Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>
>>> [root at ipa1.gln.4over.com ipa]# ipa-replica-manage list
>>> ipa1.la3.4over.com: master
>>> ipa1.gln.4over.com: master
>>> ipa1.da2.4over.com: master
>>
>> Do the machines resolve each other correctly?
>>
>>> Thank you,
>>>
>>> Christian Hernandez
>>> 1225 Los Angeles Street
>>> Glendale, CA 91204
>>> Phone: 877-782-2737 ext. 4566
>>> Fax: 818-265-3152
>>> christianh at 4over.com
>>> www.4over.com
>>>
>>> On Mon, Apr 15, 2013 at 4:58 PM, Christian Hernandez <christianh at 4over.com> wrote:
>>>> Okay,
>>>>
>>>> So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)...
>>>>
>>>> But I think may be replication broke?
>>>>
>>>> [root at ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from=ipa1.gln.4over.com
>>>> Invalid password
>>>>
>>>> Any ideas?
>>>>
>>>> Thank you,
>>>>
>>>> Christian Hernandez
>>>> 1225 Los Angeles Street
>>>> Glendale, CA 91204
>>>> Phone: 877-782-2737 ext.
>>>> 4566
>>>> Fax: 818-265-3152
>>>> christianh at 4over.com
>>>> www.4over.com
>>>>
>>>> On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek wrote:
>>>>> On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
>>>>>> There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing).
>>>>>>
>>>>>> I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.
>>>>>
>>>>> I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to "kinit -k".
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
From rcritten at redhat.com Tue Apr 16 02:15:40 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 Apr 2013 22:15:40 -0400
Subject: [Freeipa-users] IPA not authenticating - SSSD issue maybe
In-Reply-To:
References: <516C46FE.9000206@redhat.com> <20130415231952.GA2024@hendrix.redhat.com> <516CA7B5.9090204@redhat.com>
Message-ID: <516CB44C.7040409@redhat.com>

Christian Hernandez wrote:
> Looks like I've narrowed it down to...something...
>
> [root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
> Failed to get data from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root at ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
> ipa1.gln.4over.com: replica
> ipa1.la3.4over.com: replica
> [root at ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
> ipa1.da2.4over.com: replica
> ipa1.gln.4over.com: replica
> [root at ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
> ipa-admintools-3.0.0-26.el6_4.2.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
> 389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
> libipa_hbac-1.9.2-82.4.el6_4.x86_64
> ipa-client-3.0.0-26.el6_4.2.x86_64
> 389-ds-base-1.2.11.15-12.el6_4.x86_64
> ipa-server-3.0.0-26.el6_4.2.x86_64
>
> Although when I try to remove the replication agreement...I can't =\
>
> [root at ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname) ipa1.gln.4over.com
> Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

A couple of things to try:

- Check the KDC logs on the various hosts to see what error it is logging trying to get a ticket.
- kdestroy and let ipa-replica-manage prompt you for the DM password, or pass it via -p on the command-line The first might tell you why you are seeing an auth failure, the second should show the status of replication and let you run other commands. I'm not sure that disconnecting is going to fix anything though. I'm not sure what it is you're trying to do there. rob From aborrero at cica.es Tue Apr 16 07:13:08 2013 From: aborrero at cica.es (Arturo Borrero) Date: Tue, 16 Apr 2013 09:13:08 +0200 Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API In-Reply-To: <516C06A3.1010805@redhat.com> References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com> <516C0354.8050005@cica.es> <516C0594.9050802@redhat.com> <516C06A3.1010805@redhat.com> Message-ID: <516CFA04.9020805@cica.es> Hi there! My problem was: I had some old registers of an old Microsoft AD in my DNS servers. The ipa-server-installer detected this and was being misconfigured. I deleted the AD references in the DNS, reinstall, and all went fine. Regards. -- Arturo Borrero Gonz?lez Departamento de Seguridad Inform?tica Centro Inform?tico Cient?fico de Andaluc?a (CICA) Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain) Tfno.: +34 955 056 600 / FAX: +34 955 056 650 Consejer?a de Econom?a, Innovaci?n, Ciencia y Empleo Junta de Andaluc?a -------------- next part -------------- A non-text attachment was scrubbed... 
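A preflight check for the situation Arturo describes (stale Kerberos/LDAP SRV records left behind by a decommissioned AD domain controller, which ipa-server-install then picked up), as an added Python example that is not FreeIPA's own code. The zone excerpt and the resolver table are constructed, the function names (parse_zone_srv, find_stale_srv, run_preflight) are hypothetical, and it goes one step beyond this thread by also flagging records that do resolve but point at a different Kerberos/LDAP server.

```python
"""Preflight check for stale Kerberos/LDAP SRV records in a domain's DNS.

Added example, not FreeIPA code. Parses a BIND-style zone excerpt and reports
SRV records that would steer Kerberos/LDAP clients, or ipa-server-install,
to something other than the IPA server being installed. Names are hypothetical.
"""
import socket
from dataclasses import dataclass

# Service labels the IPA installer and Kerberos/LDAP clients look up under _tcp/_udp.
IPA_SERVICES = {"_kerberos", "_kerberos-master", "_kpasswd", "_ldap"}
# Records only an Active Directory DC publishes; they have no place in an IPA-only domain.
AD_ONLY_SERVICES = {"_gc"}


@dataclass(frozen=True)
class SrvRecord:
    owner: str     # fully-qualified owner name, e.g. _kerberos._tcp.cica.es
    priority: int
    weight: int
    port: int
    target: str    # fully-qualified target host, lower-cased, no trailing dot


def parse_zone_srv(zone_text):
    """Parse SRV records from a zone excerpt, expanding relative owners via $ORIGIN."""
    origin = ""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        if fields[0].startswith("$") or "SRV" not in fields:
            continue                              # $TTL and non-SRV records are irrelevant here
        i = fields.index("SRV")
        if len(fields) < i + 5:
            raise ValueError(f"malformed SRV record: {raw!r}")
        prio, weight, port, target = fields[i + 1:i + 5]
        owner = fields[0]
        if owner == "@":
            fq_owner = origin
        elif owner.endswith("."):
            fq_owner = owner.rstrip(".")
        else:
            fq_owner = f"{owner}.{origin}" if origin else owner
        records.append(SrvRecord(fq_owner.lower(), int(prio), int(weight),
                                 int(port), target.rstrip(".").lower()))
    return records


def default_resolve(host):
    """System resolver wrapper: an address, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def find_stale_srv(records, ipa_fqdn, resolve=default_resolve):
    """Return [(record, reason)] for SRV records that do not point at the IPA server."""
    ipa_fqdn = ipa_fqdn.rstrip(".").lower()
    findings = []
    for rec in records:
        service = rec.owner.split(".", 1)[0]
        if service in AD_ONLY_SERVICES:
            findings.append((rec, "AD-only service record left behind"))
        elif service in IPA_SERVICES and rec.target != ipa_fqdn:
            if resolve(rec.target) is None:
                findings.append((rec, "target does not resolve (decommissioned host)"))
            else:
                findings.append((rec, "target is a foreign Kerberos/LDAP server"))
    return findings


def run_preflight(zone_text, ipa_fqdn, resolve=default_resolve):
    """Parse, check, and return one human-readable line per stale record."""
    return [f"{r.owner} -> {r.target}:{r.port}: {why}"
            for r, why in find_stale_srv(parse_zone_srv(zone_text), ipa_fqdn, resolve)]


# Constructed zone excerpt: the four stale AD records from the thread plus one
# correct record for the IPA server, sheldon.cica.es, for contrast.
SAMPLE_ZONE = """\
$ORIGIN _tcp.cica.es.
$TTL 600 ; 10 minutes
_gc       SRV 0 100 3268 AD.cica.es.
_kerberos SRV 0 100 88   AD.cica.es.
_kpasswd  SRV 0 100 464  AD.cica.es.
_ldap     SRV 0 100 389  AD.cica.es.
_kerberos SRV 0 100 88   sheldon.cica.es.
"""

# Constructed resolver for offline runs: only the IPA server exists; ad.cica.es is gone.
FAKE_HOSTS = {"sheldon.cica.es": "192.0.2.10"}

if __name__ == "__main__":
    for line in run_preflight(SAMPLE_ZONE, "sheldon.cica.es", FAKE_HOSTS.get):
        print("STALE:", line)
```

Run against a real zone dump with the default resolver before ipa-server-install; anything it prints is a record the installer's own DNS checks may trip over.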
From mkosek at redhat.com Tue Apr 16 07:18:14 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Apr 2013 09:18:14 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516CFA04.9020805@cica.es>
References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com> <516C0354.8050005@cica.es> <516C0594.9050802@redhat.com> <516C06A3.1010805@redhat.com> <516CFA04.9020805@cica.es>
Message-ID: <516CFB36.6070903@redhat.com>

On 04/16/2013 09:13 AM, Arturo Borrero wrote:
> Hi there!
>
> My problem was:
>
> I had some old registers of an old Microsoft AD in my DNS servers.
> The ipa-server-installer detected this and was being misconfigured.
>
> I deleted the AD references in the DNS, reinstalled, and all went fine.
>
> Regards.

I am glad to hear that.

Can you please describe what exactly was wrong in the DNS? We already do
several DNS checks which should prevent errors caused by misconfigured DNS.
If we can reproduce your case, we can enhance our checks in
ipa-server-install to prevent errors like this in the future.

Thanks,
Martin

From mkosek at redhat.com Tue Apr 16 07:38:07 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Apr 2013 09:38:07 +0200
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516CA667.2080700@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com> <516CA667.2080700@redhat.com>
Message-ID: <516CFFDF.90202@redhat.com>

On 04/16/2013 03:16 AM, Dmitri Pal wrote:
> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>> I agree it won't be a security feature, nor are you doing wrong by not
>> adding it. However, it might come as a nice-to-have feature. Let me
>> explain my condition.
>>
>> We host a web application where a lot of DNS entries (public and
>> internal) are created for different kinds of requests and features. We
>> already have a separate DNS server and separate, manual Linux
>> user/access control management by puppet. Linux user ACLs have no
>> relationship with the web application users (which are internal to the
>> web app).
>>
>> So FreeIPA can help me centralize the Linux user management as well as
>> (public and internal) DNS. However, the problem is: traditionally the
>> access levels were different for DNS users (support guys) and user
>> management (sysadmins). Bringing both systems together, everything,
>> even the host-based access control and sudoers rules, becomes visible
>> to the non-sysadmin group.
>>
>> You are right that every user could query all entries from the command
>> line, and hence it won't help to secure the system, but not having it
>> in the GUI may help to avoid "obvious" visibility of the whole
>> directory.
>>
>> I believe similar GUI "views" could be applied to the discussion in
>>
>> http://osdir.com/ml/freeipa-users/2013-03/msg00218.html
>>
>> where geographically separate organization units may share the same
>> directory with limited visibility of other branches.
>>
>> Having said that, I am not sure how feasible/logical my view is owing
>> to my limited knowledge of 389 Directory Server and IPA.
>
> I think you are talking about this: https://fedorahosted.org/freeipa/ticket/217
> and somewhat about this: https://fedorahosted.org/freeipa/ticket/1313
>
> Would you mind adding the details of your use case to one of those two tickets?
>
> Alternatively we can start another ticket.
> However I think we should have some kind of a complete solution that covers
> LDAP, UI and CLI consistently.
> Doing it right would be a huge task IMO.
> For LDAP we would probably have to implement some kind of "smart" proxy that
> would reply only to the requests that the user is entitled to. Same with CLI
> and UI. But the point is that one configuration should be respected by all
> three at the same time. For example, if you are not allowed to manage sudo,
> the sudo commands should not return any data, nor should LDAP searches, and
> there should be no panel in the UI.
>
> I am really reluctant to fix just the UI because we would end up with
> different components of the system behaving differently and it would be hard
> to evolve and maintain them.
>
> Thanks
> Dmitri

I think there were some related discussions about this. I agree that this is
a bigger effort, but I do think that a proxy is needed. We should be able to
achieve that goal by being able to disable the global ACI allowing read access
to all entries and attributes except those explicitly blacklisted.

I think we are talking about this ticket:
https://fedorahosted.org/freeipa/ticket/2786

If there is a solid use case for this ticket (and it seems there is), we can
increase its priority. In order to be able to manage such access also for
system accounts (like sudo, for example, when SSSD is not used), we may want
to also add an API to manage such accounts and control their access too:

https://fedorahosted.org/freeipa/ticket/2801

Martin

From pvoborni at redhat.com Tue Apr 16 07:44:20 2013
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 16 Apr 2013 09:44:20 +0200
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To:
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com>
Message-ID: <516D0154.8020101@redhat.com>

On 04/16/2013 01:14 AM, Stephen Ingram wrote:
> On Mon, Apr 15, 2013 at 3:13 PM, Dmitri Pal wrote:
>
>> On 04/15/2013 11:11 AM, Chandan Kumar wrote:
>>
>> I think controlling visibility of tabs would be the best option, if
>> possible, based on roles as mentioned by Rob. As long as other entries
>> are not visible in the UI, even though they have read-only access with
>> the command line, that should be enough.
>>
>> It would not be a security feature though. Just a convenience, because
>> the same admin would be able to bind directly to LDAP and run a search.
>> This is why we did not go this route. Yes, we can hide panels, but it
>> would not mean that the user can't easily get that info. So is there
>> really a value in hiding? So far we did not see any; this is why we did
>> not do it, but maybe you have some arguments that might convince us that
>> we are wrong. Can you please share these arguments with us?
>
> I wasn't involved in this thread before now; however, in our case we do
> not allow LDAP access (only Kerberos and WebUI) from outside the firewall,
> so there *could* be a distinction between the two. I could also present
> that some users have been confused when they log in to change their
> personal information and see a huge list of other users. Of course, they
> are directed to their information first upon login; however, we all know
> that one wrong click can always happen with some users.

We might hide menu and breadcrumb navigation in self-service. Would that help?

Another possible problem is direct modification of the URL and thus showing
details of another user.

> Perhaps it's better to just put together a new WebUI using the Python
> API; however, with the fantastic new password reset page in 3.x, I've
> become lazy and let users access IPA directly.
>
> Steve

--
Petr Vobornik

From Adam.Bishop at ja.net Tue Apr 16 07:57:48 2013
From: Adam.Bishop at ja.net (Adam Bishop)
Date: Tue, 16 Apr 2013 07:57:48 +0000
Subject: [Freeipa-users] FreeIPA dual stacked
In-Reply-To: <516C2EA1.4010000@redhat.com>
References: <15C4AD67-6BB9-4CE8-B77B-84CFB50F15FE@ja.net> <516C2EA1.4010000@redhat.com>
Message-ID: <2B777F68-5697-475E-A06C-39C15158EB08@ja.net>

On 15 Apr 2013, at 17:45, John Dennis wrote:
> We're supposed to work fine with IPv6.
> Dual stack should also be fine. I know we've done a bunch of testing in
> this area but apparently something fell through the cracks. I suspect
> this is an installer-only issue where its validation logic is not
> sufficiently robust. Please open a bug report so we can address this.
> I think if you pick one of the addresses and let the install proceed
> everything should just work. Please let us know if it doesn't.
>
> I'm not surprised we still have some IPv6 bumps to smooth out; it doesn't
> get exercised as much as IPv4. FWIW we fully expect IPv6 enabled systems
> to be dual stack.

Thanks for the replies all, I'll complete the installation later today and
open a ticket with any issues.

Regards,

Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.

From aborrero at cica.es Tue Apr 16 08:58:01 2013
From: aborrero at cica.es (Arturo Borrero)
Date: Tue, 16 Apr 2013 10:58:01 +0200
Subject: [Freeipa-users] ipa-server-install: ERROR Failed to initialize IPA API
In-Reply-To: <516CFB36.6070903@redhat.com>
References: <516BFDA3.30505@cica.es> <516C019F.1040205@redhat.com> <516C0354.8050005@cica.es> <516C0594.9050802@redhat.com> <516C06A3.1010805@redhat.com> <516CFA04.9020805@cica.es> <516CFB36.6070903@redhat.com>
Message-ID: <516D1299.50607@cica.es>

On 16/04/13 09:18, Martin Kosek wrote:
> I am glad to hear that.
>
> Can you please describe what exactly was wrong in the DNS? We already do
> several DNS checks which should prevent errors caused by misconfigured DNS.

In fact, the wrong situation was the DNS server already pointing to another
Kerberos/LDAP server using SRV registers.

[...]
$ORIGIN _tcp.cica.es.
$TTL 600 ; 10 minutes
_gc        SRV 0 100 3268 AD.cica.es.
_kerberos  SRV 0 100 88   AD.cica.es.
_kpasswd   SRV 0 100 464  AD.cica.es.
_ldap      SRV 0 100 389  AD.cica.es.
[...]

This was an old setting, not valid anymore, since the server "ad.cica.es"
doesn't exist. The FreeIPA server being installed was called "sheldon.cica.es".

The server installation script detected this, causing that strange behaviour.

I think it's just a lazy sysadmin who didn't delete the old SRV registers :-)

Best regards.

--
Arturo Borrero González
Departamento de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

From dpal at redhat.com Tue Apr 16 14:25:35 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 16 Apr 2013 10:25:35 -0400
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516CFFDF.90202@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com> <516CA667.2080700@redhat.com> <516CFFDF.90202@redhat.com>
Message-ID: <516D5F5F.1040203@redhat.com>

On 04/16/2013 03:38 AM, Martin Kosek wrote:
> On 04/16/2013 03:16 AM, Dmitri Pal wrote:
>> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>> I agree it won't be a security feature, nor are you doing wrong by not
>>> adding it. However, it might come as a nice-to-have feature. Let me
>>> explain my condition.
>>>
>>> We host a web application where a lot of DNS entries (public and
>>> internal) are created for different kinds of requests and features. We
>>> already have a separate DNS server and separate, manual Linux
>>> user/access control management by puppet.
>>> Linux user ACLs have no relationship with the web application users
>>> (which are internal to the web app).
>>> [...]
>>
>> [...]
>
> I think there were some related discussions about this. I agree that this
> is a bigger effort, but I do think that a proxy is needed. We should be
> able to achieve that goal by being able to disable the global ACI allowing
> read access to all entries and attributes except those explicitly
> blacklisted.
>
> I think we are talking about this ticket:
> https://fedorahosted.org/freeipa/ticket/2786

Actually no. I see it on a much broader scale than in this ticket.
I am thinking about blacklisting components like: sudo, hbac, selinux,
DNS, hosts, users, services etc.
Have a way to completely hide those areas from the user.
It would get pretty complex right away as the dependencies are hierarchical.

> If there is a solid use case for this ticket (and it seems there is), we
> can increase its priority. In order to be able to manage such access also
> for system accounts (like sudo, for example, when SSSD is not used), we may
> want to also add an API to manage such accounts and control their access
> too:
>
> https://fedorahosted.org/freeipa/ticket/2801

And I do not think it is about system accounts. It is about different
flavors of the admin accounts. It is another dimension of the access
control: the ability to scope the actual data that gets exposed to someone.

> Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From mkosek at redhat.com Tue Apr 16 15:16:27 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 16 Apr 2013 17:16:27 +0200
Subject: [Freeipa-users] User Roles and access in GUI
In-Reply-To: <516D5F5F.1040203@redhat.com>
References: <5167A851.4030200@redhat.com> <516802B6.6020109@redhat.com> <516C0127.9030301@redhat.com> <516C030E.4010800@redhat.com> <516C0B9F.90207@redhat.com> <20130415144935.GO6823@redhat.com> <516C7B95.70809@redhat.com> <516CA667.2080700@redhat.com> <516CFFDF.90202@redhat.com> <516D5F5F.1040203@redhat.com>
Message-ID: <516D6B4B.4050200@redhat.com>

On 04/16/2013 04:25 PM, Dmitri Pal wrote:
> On 04/16/2013 03:38 AM, Martin Kosek wrote:
>> On 04/16/2013 03:16 AM, Dmitri Pal wrote:
>>> On 04/15/2013 07:42 PM, Chandan Kumar wrote:
>>>> [...]
>>> [...]
>> [...]
>>
>> I think we are talking about this ticket:
>> https://fedorahosted.org/freeipa/ticket/2786
>
> Actually no. I see it on a much broader scale than in this ticket.
> I am thinking about blacklisting components like: sudo, hbac, selinux,
> DNS, hosts, users, services etc.
> Have a way to completely hide those areas from the user.
> It would get pretty complex right away as the dependencies are hierarchical.

This is what I meant. We could offer disabling the global ACI granting read
access to everyone and let admins assign read privileges only to the
functions (HBAC, SUDO, SELinux, ...) they want.

I tried to sum up all these thoughts in this upstream ticket:
https://fedorahosted.org/freeipa/ticket/3566

Comments and suggestions from FreeIPA users welcome!

Thanks,
Martin

From rcritten at redhat.com Thu Apr 18 13:12:56 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Apr 2013 09:12:56 -0400
Subject: [Freeipa-users] Fedora 19 Test Day today, April 18
Message-ID: <516FF158.2040509@redhat.com>

The FreeIPA team is happy to welcome you to a Fedora Test Day that is being
held today, Thursday, April 18th.

We invite you to take part in testing of the new features that will become
available in the upcoming FreeIPA 3.2 upstream release and will be a part of
Fedora 19.

To read more about the test day and suggested tests see the following link:
http://fedoraproject.org/wiki/Test_Day:2013-04-18

The outline of the features of the upcoming release can be found in the
following announcement:
https://www.redhat.com/archives/freeipa-devel/2013-April/msg00028.html

Thank you for your help and participation!

FreeIPA team

From mkosek at redhat.com Thu Apr 18 13:21:14 2013
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 18 Apr 2013 15:21:14 +0200
Subject: [Freeipa-users] [Freeipa-devel] Fedora 19 Test Day today, April 18
In-Reply-To: <516FF158.2040509@redhat.com>
References: <516FF158.2040509@redhat.com>
Message-ID: <516FF34A.2030407@redhat.com>

On 04/18/2013 03:12 PM, Rob Crittenden wrote:
> The FreeIPA team is happy to welcome you to a Fedora Test Day that is being
> held today, Thursday, April 18th.
> [...]

I would just like to add more information for new testers.

To save your time when testing FreeIPA on Fedora 19, please make sure that
you have the java-atk-wrapper package installed before you install FreeIPA
(relevant Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=953413).
If you do not have the package installed, you can avoid the ipa-server-install
crash by installing this package and rebooting or killing pki processes before
running ipa-server-install.

Other already known issues can be found at the test day page or our public
test day etherpad:
http://openetherpad.org/Fedora-19-IPA-Test-Day

Happy testing!
Martin

From rcritten at redhat.com Thu Apr 18 13:38:14 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Apr 2013 09:38:14 -0400
Subject: [Freeipa-users] Announcing FreeIPA 3.2.0 Beta 1
Message-ID: <516FF746.2090306@redhat.com>

The FreeIPA team is proud to announce the first Beta of FreeIPA v3.2.0.

We would like to welcome any early testers of this Beta to provide us
feedback and help us stabilize this feature release, which we plan to
release as final in the beginning of May 2013.

It can be downloaded from http://www.freeipa.org/page/Downloads. The new
version has also been built for Fedora 19 Alpha.

== Highlights in 3.2.0 Beta 1 ==

=== New features for 3.2.0 ===

* Support installing FreeIPA without an embedded Certificate Authority,
  with user-provided SSL certificates for the HTTP and Directory servers. [1]
* New cert-find command. Search certificates in the Dogtag database based on
  their serial number, validity or revocation details. This feature is
  available both as a CLI command and a Web UI page. [2]
* New trustconfig-show and trustconfig-mod commands. Show or modify AD Trust
  settings generated during AD Trust installation (ipa-adtrust-install). [3]
* Multiple FreeIPA servers can now be designated as Domain Controllers for
  trusts with Active Directory. [12]
* New realmdomains-show and realmdomains-mod commands. Manage the list of DNS
  domains associated with the FreeIPA realm (realmdomains command). This list
  is primarily used by AD, which can pull all domains managed by FreeIPA and
  use that list for routing authentication requests for domains which do not
  match the FreeIPA realm name. [4]
* Support trusted domain users in the HBAC test command (hbactest command).
* Allow filtering incoming trusted domain SIDs per trust (trust-mod
  command). [5]
* Configurable PAC type for services. Service commands can now configure a
  set of PAC types (MS-PAC, PAD, no PAC) that are supported and handled for
  the service.
* Faster UI loading. The FreeIPA Web UI application is now packaged in
  minimized format. The FreeIPA web server is now also able to transmit data
  in compressed format. [6] [7]
* The UI now accepts confirmation of cancelling its dialogs via keyboard. [11]
* Client re-enrollment. A host that has been recreated can now be re-enrolled
  to the FreeIPA server using a backed-up host keytab or admin
  credentials. [8]
* Service and Host commands now provide options to add or remove selected
  Kerberos flags. [9]
* Full system backup and restore. [13]
* Source hosts have been completely removed from HBAC. They haven't been used
  by SSSD for quite some time and are being removed to avoid the suggestion
  that they might actually do something.
* Updated French and Ukrainian translations.

=== Beta 1 limitations ===

* The list of DNS domains associated with the FreeIPA realm currently only
  works with a special Samba build available for Fedora 18:
  http://koji.fedoraproject.org/koji/taskinfo?taskID=5184105. One needs to
  rebuild FreeIPA 3.2.0 Beta 1 against this Samba version in order to get it
  working.
* Testing trusted domain users in HBAC rules is accessible only to members of
  the 'Trust Admins' group due to privilege limitations.
* The same applies to any other trust-specific operations that require
  translation between a user/group name and its security identifier (SID).

=== Bug fixes ===

* Fixed migration from OpenLDAP. FreeIPA is now able to migrate users and
  groups from OpenLDAP database instances.
* The migration process is now also a lot faster and provides more debug
  output (to the httpd error log).
* SUDO rules disabled by the sudorule-disable command are now removed from
  the ou=sudoers compat tree without a need to restart the 389 Directory
  Server instance.
* Fixed LDAP schema upgrade when upgrading from a pre-2.2.0 release.
* Fixed server installation with an external CA (--external-ca).
* Consolidated on-line help system; help is shown without the need for valid
  Kerberos credentials (ipa help).
* A new LDAP plugin (ipa_dns) has been added to add the missing idnsSOASerial
  attribute for replicas which either do not have the integrated DNS service
  enabled or which have disabled SOA serial autoincrement.
* The LDAP lockout plugin has been fixed so that lockout policies are applied
  consistently both for LDAP binds and Kerberos authentication.
* ... and many other stabilization fixes; see the Detailed changelog for full
  details.

== Changes in API or CLI ==

=== Dropped --selfsign option ===

FreeIPA servers prior to 3.2.0 could be installed with the --selfsign option.
This configured the server with an NSS-database-based Certificate Authority
with a self-signed CA certificate and limited certificate operation support.
This option was always intended for development or testing purposes only and
was not intended for use in production.

This release drops this option and deprecates the functionality. Current
FreeIPA servers installed with the --selfsign option will still work;
instructions on how to migrate to supported certificate options will be
provided.

FreeIPA servers version 3.2.0 and later support the following two flavors of
certificate management:

* FreeIPA with pki-ca (dogtag), with either a self-signed certificate or with
  a certificate signed by an external CA (--external-ca option)
* FreeIPA with no pki-ca installed, with certificates signed and provided by
  an external CA [1]

=== Dropped CSV support ===

The FreeIPA client CLI supported CSV in some arguments so that multiple values
could be added with just one convenient option:

  ipa permission-add some-perm --permissions=read,write --attrs=sn,cn
  ipa dnsrecord-add example.com --a-rec=10.0.0.1,10.0.0.2

CSV parsing however introduces great difficulty when trying to include a
value with an embedded space in it. Escaping these values is not intuitive
and made it very difficult to add such values. The level of effort in working
around the CSV problems has come to the point where the benefits of it are
outweighed by the problems, which led to the decision to drop CSV support in
the CLI altogether [10].

There are several ways to work around the lack of CSV:

Provide an argument multiple times on the command line:

  ipa permission-add some-perm --permissions=read --permissions=write --attrs=sn --attrs=cn
  ipa dnsrecord-add example.com --a-rec=10.0.0.1 --a-rec=10.0.0.2

Let BASH do the expansion for you:

  ipa permission-add some-perm --permissions={read,write} --attrs={sn,cn}
  ipa dnsrecord-add example.com --a-rec={10.0.0.1,10.0.0.2}

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note that the referential integrity extension requires an extended
set of indexes to be configured. An RPM update for an IPA server with an
excessive number of hosts, SUDO or HBAC entries may require several minutes
to finish.

If you have multiple servers you may upgrade them one at a time. It is
expected that all servers will be upgraded in a relatively short period
(days or weeks, not months). They should be able to co-exist peacefully, but
new features will not be available on old servers, and enrolling a new client
against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want
to re-enroll it. SSH keys for already installed clients are not uploaded; you
will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the
#freeipa channel on Freenode.

== Documentation ==

* [1] http://www.freeipa.org/page/V3/CA-less_install
* [2] http://www.freeipa.org/page/V3/Cert_find
* [3] http://www.freeipa.org/page/V3/Trust_config_command
* [4] http://www.freeipa.org/page/V3/Realm_Domains
* [5] http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
* [6] http://www.freeipa.org/page/V3/WebUI_gzip_compression
* [7] http://www.freeipa.org/page/V3/WebUI_build
* [8] http://www.freeipa.org/page/V3/Forced_client_re-enrollment
* [9] http://www.freeipa.org/page/V3/Kerberos_Flags
* [10] http://www.freeipa.org/page/V3/Drop_CSV
* [11] http://www.freeipa.org/page/V3/WebUI_keyboard_confirmation
* [12] http://www.freeipa.org/page/V3/MultipleTrustServers
* [13] http://freeipa.org/page/V3/Backup_and_Restore

== Detailed Changelog since 3.2.0.pre1 ==

Alexander Bokovoy (1):
* spec: detect Kerberos DAL driver ABI change from installed krb5-devel

Ana Krivokapic (7):
* Remove CA cert on client uninstall
* Fix output for some CLI commands
* Add missing summary message to dnszone_del
* Remove HBAC source hosts from web UI
* Remove any reference to HBAC source hosts from help
* Deprecate HBAC source hosts from CLI
* Integrate realmdomains with IPA DNS

Jan Cholasta (4):
* Do actually stop pki_cad in stop_pkicad instead of starting it.
* Use only one URL for OCSP and CRL in IPA certificate profile.
* Use A/AAAA records instead of CNAME records in ipa-ca.
* Delete DNS records in ipa-ca on ipa-csreplica-manage del.
Martin Kosek (2):
* Fix trustconfig-mod primary group error
* Require new samba and krb5

Petr Viktorin (7):
* Display full command documentation in online help
* Remove 'cn' attribute from idnsRecord and idnsZone objectClasses
* ipa-server-install: correct help text for --external_{cert,ca}_file
* Update translations from Transifex
* Uninstall selfsign CA on upgrade
* Remove obsolete self-sign references from man pages, docstrings, comments
* Drop --selfsign server functionality

Petr Vobornik (6):
* Add ipakrbokasdelegate option to service and host Web UI pages
* Run permission target switch action only for visible widgets
* Filter groups by type (POSIX, non-POSIX, external)
* Global trust config page
* Don't show trusts pages when trust is not configured
* Fix regression in group type selection in group adder dialog

Rob Crittenden (5):
* Fix two failing tests due to missing krb ticket flags
* Full system backup and restore
* Apply LDAP update files in blocks of 10, as originally designed.
* Revert "Fix permission_find test error"
* Become 3.2.0 Beta 1

Tomas Babej (2):
* Add nfs:NONE to default PAC types only when needed
* Update only selected attributes for winsync agreement

From gmatz at collective.com Thu Apr 18 17:07:05 2013
From: gmatz at collective.com (Guy Matz)
Date: Thu, 18 Apr 2013 13:07:05 -0400
Subject: [Freeipa-users] authenticating ssh using ssh publickey
Message-ID: <51702839.6060104@collective.com>

Hello! Trying to configure a Centos 6.3 server to authenticate ssh using keys stored in IPA . . . it's not working and I was hoping someone might be able to give a place to start debugging.
My user is in IPA (it has a publickey):

[root@iparepl01 log]# ipa user-find gmatz
--------------
1 user matched
--------------
  User login: gmatz
  First name: Guy
  Last name: Matz
  Home directory: /home/gmatz
  Login shell: /bin/bash
  UID: 1756600036
  GID: 1756600036
  Account disabled: False
  SSH public key fingerprint: B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
  Password: True
  Kerberos keys available: True

. . . which matches the key used on the client machine:

gmatz@halliburton:~$ uname -a
Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
gmatz@halliburton:~$ ssh-keygen -l
Enter file in which the key is (/home/gmatz/.ssh/id_rsa):
2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 gmatz@halliburton (RSA)

When I run sshd in debug mode, I don't see any indication that the ssh server is trying to connect to IPA, but strace gives some indication that sssd libs are being loaded.

I don't know if this is any help, but here's what audit.log says when publickey auth fails:

type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? res=success'
type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'

any help is greatly appreciated!

Thanks a lot,
Guy

From rcritten at redhat.com Thu Apr 18 17:49:53 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 18 Apr 2013 13:49:53 -0400
Subject: [Freeipa-users] authenticating ssh using ssh publickey
In-Reply-To: <51702839.6060104@collective.com>
References: <51702839.6060104@collective.com>
Message-ID: <51703241.8050607@redhat.com>

Guy Matz wrote:
> Hello! Trying to configure a Centos 6.3 server to authenticate ssh using
> keys stored in IPA . . . it's not working and I was hoping someone
> might be able to give a place to start debugging.
>
> My user is in IPA (it has a publickey):
> [root@iparepl01 log]# ipa user-find gmatz
> --------------
> 1 user matched
> --------------
> User login: gmatz
> First name: Guy
> Last name: Matz
> Home directory: /home/gmatz
> Login shell: /bin/bash
> UID: 1756600036
> GID: 1756600036
> Account disabled: False
> SSH public key fingerprint:
> B7:97:56:71:31:D8:35:67:6A:4B:5F:C2:D8:00:E6:39 (ssh-rsa)
> Password: True
> Kerberos keys available: True
>
> . . .
which matches the key used on the client machine: > gmatz at halliburton:~$ uname -a > Linux halliburton 3.5.0-27-generic #46-Ubuntu SMP Mon Mar 25 19:58:17 > UTC 2013 x86_64 x86_64 x86_64 GNU/Linux > gmatz at halliburton:~$ ssh-keygen -l > Enter file in which the key is (/home/gmatz/.ssh/id_rsa): > 2048 b7:97:56:71:31:d8:35:67:6a:4b:5f:c2:d8:00:e6:39 gmatz at halliburton > (RSA) > > When I run sshd in debug mode, I don't see any indication that the ssh > server is trying to connect to IPA, but strace gives some indication > that sssd libs are being loaded. > > I don't know if this is any help, but here's what audit.log says when > publickey auth fails: > type=CRYPTO_KEY_USER msg=audit(1366304690.290:26013): user pid=1592 > uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server > fp=2b:54:31:7d:2f:18:d9:ed:5b:1e:7d:37:34:fa:a7:3b direction=? spid=1592 > suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? > res=success' > type=CRYPTO_KEY_USER msg=audit(1366304690.292:26014): user pid=1592 > uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server > fp=70:bc:4f:b5:1c:e4:93:0d:4f:c9:96:08:dc:85:22:ea direction=? spid=1592 > suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=? > res=success' > type=CRYPTO_SESSION msg=audit(1366304690.300:26015): user pid=1591 uid=0 > auid=4294967295 ses=4294967295 msg='op=start direction=from-client > cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 > laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? > addr=192.168.2.67 terminal=? res=success' > type=CRYPTO_SESSION msg=audit(1366304690.300:26016): user pid=1591 uid=0 > auid=4294967295 ses=4294967295 msg='op=start direction=from-server > cipher=aes128-ctr ksize=128 spid=1592 suid=74 rport=45662 > laddr=172.16.6.203 lport=22 exe="/usr/sbin/sshd" hostname=? > addr=192.168.2.67 terminal=? 
res=success'
> type=USER_AUTH msg=audit(1366304690.474:26017): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
> exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
> type=USER_AUTH msg=audit(1366304690.485:26018): user pid=1591 uid=0
> auid=4294967295 ses=4294967295 msg='op=pubkey acct="gmatz"
> exe="/usr/sbin/sshd" hostname=? addr=192.168.2.67 terminal=ssh res=failed'
>
> any help is greatly appreciated!

SSH was a tech preview in 6.3, YMMV.

Look on the client in /etc/ssh/ssh_config to see if it is configured, something like:

GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Double-check that PubkeyAuthentication is yes too.

The server should have something like this in sshd_config:

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

rob

From natxo.asenjo at gmail.com Thu Apr 18 19:32:17 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 18 Apr 2013 21:32:17 +0200
Subject: [Freeipa-users] setting up a trust problem
Message-ID:

hi,

On a centos 6.4 testlab I am testing a trust with a windows 2008r2 domain (separate dns domains).
Following the docs https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

I install the cifs-utils package but get this dependency problem:

# yum install cifs-utils
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.prolocation.net
 * extras: centos.mirror.triple-it.nl
 * updates: mirror.i3d.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package cifs-utils.i686 0:4.8.1-18.el6 will be installed
--> Processing Dependency: libwbclient.so.0 for package: cifs-utils-4.8.1-18.el6.i686
--> Running transaction check
---> Package samba-winbind-clients.i686 0:3.6.9-151.el6 will be installed
--> Processing Dependency: samba-winbind = 3.6.9-151.el6 for package: samba-winbind-clients-3.6.9-151.el6.i686
--> Running transaction check
---> Package samba-winbind.i686 0:3.6.9-151.el6 will be installed
--> Processing Dependency: samba-common = 3.6.9-151.el6 for package: samba-winbind-3.6.9-151.el6.i686
--> Running transaction check
---> Package samba-common.i686 0:3.6.9-151.el6 will be installed
--> Processing Conflict: samba4-common-4.0.0-55.el6.rc4.i686 conflicts samba-common < 3.9.9
--> Processing Conflict: samba4-winbind-4.0.0-55.el6.rc4.i686 conflicts samba-winbind < 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.0.0-55.el6.rc4.i686 conflicts samba-winbind-clients < 3.9.9
--> Finished Dependency Resolution
Error: samba4-winbind conflicts with samba-winbind-3.6.9-151.el6.i686
Error: samba4-common conflicts with samba-common-3.6.9-151.el6.i686
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-151.el6.i686
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Is the cifs-utils package really necessary?

TIA

--
Groeten,
natxo
URL: From abokovoy at redhat.com Thu Apr 18 20:13:35 2013 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 18 Apr 2013 23:13:35 +0300 Subject: [Freeipa-users] setting up a trust problem In-Reply-To: References: Message-ID: <20130418201335.GC6823@redhat.com> On Thu, 18 Apr 2013, Natxo Asenjo wrote: >hi, > >On a centos 6.4 testlab I am testing a trust with a windows 2008r2 domain >(separate dns domains). > >Following the docs >https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html > >I install the cifs-utils package but get this dependency problem: > ># yum install cifs-utils >Loaded plugins: fastestmirror, security >Loading mirror speeds from cached hostfile > * base: mirror.prolocation.net > * extras: centos.mirror.triple-it.nl > * updates: mirror.i3d.net >Setting up Install Process >Resolving Dependencies >--> Running transaction check >---> Package cifs-utils.i686 0:4.8.1-18.el6 will be installed >--> Processing Dependency: libwbclient.so.0 for package: >cifs-utils-4.8.1-18.el6.i686 >--> Running transaction check >---> Package samba-winbind-clients.i686 0:3.6.9-151.el6 will be installed >--> Processing Dependency: samba-winbind = 3.6.9-151.el6 for package: >samba-winbind-clients-3.6.9-151.el6.i686 >--> Running transaction check >---> Package samba-winbind.i686 0:3.6.9-151.el6 will be installed >--> Processing Dependency: samba-common = 3.6.9-151.el6 for package: >samba-winbind-3.6.9-151.el6.i686 >--> Running transaction check >---> Package samba-common.i686 0:3.6.9-151.el6 will be installed >--> Processing Conflict: samba4-common-4.0.0-55.el6.rc4.i686 conflicts >samba-common < 3.9.9 >--> Processing Conflict: samba4-winbind-4.0.0-55.el6.rc4.i686 conflicts >samba-winbind < 3.9.9 >--> Processing Conflict: samba4-winbind-clients-4.0.0-55.el6.rc4.i686 >conflicts samba-winbind-clients < 3.9.9 >--> Finished Dependency Resolution >Error: samba4-winbind conflicts with 
samba-winbind-3.6.9-151.el6.i686
>Error: samba4-common conflicts with samba-common-3.6.9-151.el6.i686
>Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-151.el6.i686
> You could try using --skip-broken to work around the problem
> You could try running: rpm -Va --nofiles --nodigest
>
>Is the cifs-utils package really necessary?
cifs-utils is not needed for trusts to function. I guess documentation was implying that cifs-utils might have been installed for mounting CIFS shares.

--
/ Alexander Bokovoy

From natxo.asenjo at gmail.com Thu Apr 18 20:33:29 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Thu, 18 Apr 2013 22:33:29 +0200
Subject: [Freeipa-users] setting up a trust problem
In-Reply-To: <20130418201335.GC6823@redhat.com>
References: <20130418201335.GC6823@redhat.com>
Message-ID:

>> Is the cifs-utils package really necessary?
>
> cifs-utils is not needed for trusts to function. I guess documentation
> was implying that cifs-utils might have been installed for mounting CIFS
> shares.
>

ok, thanks for clarifying this. In the link I posted you can read this:

The cifs-utils package is removed when Samba3 is removed. This must be re-installed.

So I thought it was necessary ;-)

Talking about the docs, on that same page in order to verify the srv records from the AD domain the interactive nslookup shell is shown. IMHO it would be much easier to use nslookup like this:

z:> nslookup -type=srv _ldap._tcp.ipadomain.tld

But that is just my opinion, of course.

--
thanks,
natxo
From natxo.asenjo at gmail.com Fri Apr 19 09:03:02 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 11:03:02 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
Message-ID:

hi,

while following the instructions in https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

I run step 9:

smbclient -L kdc.ipa.asenjo.nx -k
lp_load_ex: changing to config backend registry
Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)

I have a valid ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.ASENJO.NX

Valid starting     Expires            Service principal
04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

and I see this on the /var/log/messages:

Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.497215, 0] ipa_sam.c:3689(bind_callback_cleanup)
Apr 19 10:54:06 kdc winbindd[6379]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX
Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.498194, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Apr 19 10:54:06 kdc winbindd[6379]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket with dn="[Anonymous bind]" Error: Local error
Apr 19 10:54:06 kdc winbindd[6379]:   #011(unknown)
Apr 19 10:54:07 kdc winbindd[6379]: [2013/04/19 10:54:07.500882, 0] ipa_sam.c:3689(bind_callback_cleanup)
Apr 19 10:54:07 kdc winbindd[6379]:   kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX

and shortly afterwards winbindd dumps core:

Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625708, 0] ipa_sam.c:4001(pdb_init_ipasam)
Apr 19 10:59:22 kdc winbindd[6568]:   Failed to get base DN.
Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625837, 0] ../source3/passdb/pdb_interface.c:177(make_pdb_method_name) Apr 19 10:59:22 kdc winbindd[6568]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket did not correctly init (error was NT_STATUS_UNSUCCESSFUL) Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.626032, 0] ../source3/lib/util.c:810(smb_panic_s3) Apr 19 10:59:22 kdc winbindd[6568]: PANIC (pid 6568): pdb_get_methods: failed to get pdb methods for backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket Apr 19 10:59:22 kdc winbindd[6568]: Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.627382, 0] ../source3/lib/util.c:921(log_stack_trace) Apr 19 10:59:22 kdc winbindd[6568]: BACKTRACE: 27 stack frames: Apr 19 10:59:22 kdc winbindd[6568]: #0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x2e) [0x4e69de] Apr 19 10:59:22 kdc winbindd[6568]: #1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x32) [0x4e6b02] Apr 19 10:59:22 kdc winbindd[6568]: #2 /usr/lib/libsamba-util.so.0(smb_panic+0x20b) [0x7faf6b] Apr 19 10:59:22 kdc winbindd[6568]: #3 /usr/lib/libpdb.so.0(+0x1f884) [0x2a6884] Apr 19 10:59:22 kdc winbindd[6568]: #4 /usr/lib/libpdb.so.0(pdb_capabilities+0xc) [0x2a6d0c] Apr 19 10:59:22 kdc winbindd[6568]: #5 winbindd(_lsa_EnumTrustedDomainsEx+0x26) [0x80ee736] Apr 19 10:59:22 kdc winbindd[6568]: #6 winbindd() [0x80fb440] Apr 19 10:59:22 kdc winbindd[6568]: #7 winbindd() [0x80c7e58] Apr 19 10:59:22 kdc winbindd[6568]: #8 /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_raw_call_send+0xaf) [0x369289f] Apr 19 10:59:22 kdc winbindd[6568]: #9 /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call_send+0x2ac) [0x3692bac] Apr 19 10:59:22 kdc winbindd[6568]: #10 /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call+0x6a) [0x3692cca] Apr 19 10:59:22 kdc winbindd[6568]: #11 /usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx_r+0x55) [0x3716165] Apr 19 10:59:22 kdc winbindd[6568]: #12 
/usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx+0x50) [0x37161d0] Apr 19 10:59:22 kdc winbindd[6568]: #13 winbindd(rpc_trusted_domains+0xa3) [0x808edb3] Apr 19 10:59:22 kdc winbindd[6568]: #14 winbindd() [0x809662a] Apr 19 10:59:22 kdc winbindd[6568]: #15 winbindd() [0x8076d5c] Apr 19 10:59:22 kdc winbindd[6568]: #16 winbindd(winbindd_dual_list_trusted_domains+0x51) [0x80844b1] Apr 19 10:59:22 kdc winbindd[6568]: #17 winbindd() [0x809c4fc] Apr 19 10:59:22 kdc winbindd[6568]: #18 winbindd() [0x809d19d] Apr 19 10:59:22 kdc winbindd[6568]: #19 /usr/lib/libtevent.so.0() [0xda9d15] Apr 19 10:59:22 kdc winbindd[6568]: #20 /usr/lib/libtevent.so.0(tevent_common_loop_immediate+0xef) [0xda987f] Apr 19 10:59:22 kdc winbindd[6568]: #21 /usr/lib/libsmbconf.so.0(run_events_poll+0x41) [0x4ff9a1] Apr 19 10:59:22 kdc winbindd[6568]: #22 /usr/lib/libsmbconf.so.0(+0x36186) [0x500186] Apr 19 10:59:22 kdc winbindd[6568]: #23 /usr/lib/libtevent.so.0(_tevent_loop_once+0x98) [0xda8c18] Apr 19 10:59:22 kdc winbindd[6568]: #24 winbindd(main+0x973) [0x806ddd3] Apr 19 10:59:22 kdc winbindd[6568]: #25 /lib/libc.so.6(__libc_start_main+0xe6) [0xe13ce6] Apr 19 10:59:22 kdc winbindd[6568]: #26 winbindd() [0x8060271] Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.630601, 0] ../source3/lib/dumpcore.c:317(dump_core) Apr 19 10:59:22 kdc winbindd[6568]: dumping core in /var/log/samba/cores/winbindd Apr 19 10:59:22 kdc winbindd[6568]: Apr 19 10:59:22 kdc abrtd: Directory 'ccpp-2013-04-19-10:59:22-6568' creation detected Apr 19 10:59:22 kdc abrt[6571]: Saved core dump of pid 6568 (/usr/sbin/winbindd) to /var/spool/abrt/ccpp-2013-04-19-10:59:22-6568 (1814528 bytes) -- Groeten, natxo -------------- next part -------------- An HTML attachment was scrubbed... 
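The failure in the log above is that winbindd derives its service principal from what the host name resolves to, so a bare host name makes it ask the keytab for cifs/kdc@IPA.ASENJO.NX while the keys were written for cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX. The following is an added shell example, not code from this thread, from FreeIPA or from Samba, that reproduces that check offline: it takes the host name as `hostname` would print it and a `klist -ekt` listing on stdin instead of calling the real tools. The function names `is_fqdn`, `cifs_principal`, `keytab_entries_for` and `check_cifs_keytab` and the keytab listing are constructed here; the realm, host and keytab path are the ones from the post.

```sh
#!/bin/sh
# Added example (not from the list, FreeIPA or Samba): check that the name
# winbindd builds its cifs/ principal from is fully qualified and that the
# dedicated Samba keytab holds keys for exactly that principal.

# True when the name carries at least one label separator, i.e. is not a
# bare label such as "kdc".
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Principal winbindd derives from host name $1 and realm $2.
cifs_principal() {
    printf 'cifs/%s@%s\n' "$1" "$2"
}

# Count keytab entries for principal $1 in a `klist -ekt` listing on stdin.
# Data lines look like "   1 04/19/13 08:40:12 cifs/host@REALM (enctype)";
# matching a whole field keeps the header and separator lines out of the count.
keytab_entries_for() {
    awk -v p="$1" '{ for (i = 1; i <= NF; i++) if ($i == p) n++ } END { print n + 0 }'
}

# Combined check: $1 = host name as `hostname` reports it, $2 = realm,
# stdin = `klist -ekt` listing. Returns 2 for a bare host name (the case in
# this thread), 1 when the keytab has no key for the principal, 0 when fine.
check_cifs_keytab() {
    _host=$1
    _realm=$2
    _princ=$(cifs_principal "$_host" "$_realm")
    if ! is_fqdn "$_host"; then
        echo "FAIL: hostname '$_host' is not fully qualified; winbindd would look for $_princ" >&2
        return 2
    fi
    _n=$(keytab_entries_for "$_princ")
    if [ "$_n" -eq 0 ]; then
        echo "FAIL: no keys for $_princ in the keytab listing" >&2
        return 1
    fi
    echo "OK: $_n key(s) for $_princ"
    return 0
}

# Constructed `klist -ekt /etc/samba/samba.keytab` output (sample data, not
# captured from the poster's system): keys exist for the FQDN principal only.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/19/13 08:40:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes256-cts-hmac-sha1-96)
   1 04/19/13 08:40:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (aes128-cts-hmac-sha1-96)
   1 04/19/13 08:40:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (des3-cbc-sha1)
   1 04/19/13 08:40:12 cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX (arcfour-hmac)'

# Demonstration on the constructed listing. On a real server the same check is
#   klist -ekt /etc/samba/samba.keytab | check_cifs_keytab "$(hostname)" IPA.ASENJO.NX
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | check_cifs_keytab kdc.ipa.asenjo.nx IPA.ASENJO.NX
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | check_cifs_keytab kdc IPA.ASENJO.NX || true
```

The bare-name case is rejected before the keytab is consulted, which is the order the thread's fix follows: correct HOSTNAME in /etc/sysconfig/network first, then restart IPA so winbindd picks the right principal. Run the real variant as root on the IPA server, since /etc/samba/samba.keytab is not world-readable.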
From sbose at redhat.com Fri Apr 19 09:27:41 2013
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 19 Apr 2013 11:27:41 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To:
References:
Message-ID: <20130419092741.GX20956@localhost.localdomain>

On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> hi,
>
> while following the instructions in
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
>
> I run step 9:
>
> smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)
>
> I have a valid ticket:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@IPA.ASENJO.NX
>
> Valid starting     Expires            Service principal
> 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
> 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

did ipa-adtrust-install finish successfully?

Can you check if there is a cifs service:

$ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

the output should show 'Keytab: True'

Then please check if samba knows about the keytab and its content.

$ net conf list

should contain 'kerberos method = dedicated keytab' and 'dedicated keytab file = FILE:/etc/samba/samba.keytab'

$ klist -ekt /etc/samba/samba.keytab

should show entries with different encryption types.

Next please try to get a ticket for this service:

$ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

klist should now list the ticket. Please try the smbclient command again.
bye, Sumit > > and I see this on the /var/log/messages: > > Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.497215, 0] > ipa_sam.c:3689(bind_callback_cleanup) > Apr 19 10:54:06 kdc winbindd[6379]: kerberos error: code=-1765328203, > message=Keytab contains no suitable keys for cifs/kdc at IPA.ASENJO.NX > Apr 19 10:54:06 kdc winbindd[6379]: [2013/04/19 10:54:06.498194, 0] > ../source3/lib/smbldap.c:998(smbldap_connect_system) > Apr 19 10:54:06 kdc winbindd[6379]: failed to bind to server > ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket with dn="[Anonymous > bind]" Error: Local error > Apr 19 10:54:06 kdc winbindd[6379]: #011(unknown) > Apr 19 10:54:07 kdc winbindd[6379]: [2013/04/19 10:54:07.500882, 0] > ipa_sam.c:3689(bind_callback_cleanup) > Apr 19 10:54:07 kdc winbindd[6379]: kerberos error: code=-1765328203, > message=Keytab contains no suitable keys for cifs/kdc at IPA.ASENJO.NX > > and shortly afterwards winbindd dumps core: > > Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625708, 0] > ipa_sam.c:4001(pdb_init_ipasam) > Apr 19 10:59:22 kdc winbindd[6568]: Failed to get base DN. 
> Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.625837, 0] > ../source3/passdb/pdb_interface.c:177(make_pdb_method_name) > Apr 19 10:59:22 kdc winbindd[6568]: pdb backend > ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket did not correctly > init (error was NT_STATUS_UNSUCCESSFUL) > Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.626032, 0] > ../source3/lib/util.c:810(smb_panic_s3) > Apr 19 10:59:22 kdc winbindd[6568]: PANIC (pid 6568): pdb_get_methods: > failed to get pdb methods for backend > ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket > Apr 19 10:59:22 kdc winbindd[6568]: > Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.627382, 0] > ../source3/lib/util.c:921(log_stack_trace) > Apr 19 10:59:22 kdc winbindd[6568]: BACKTRACE: 27 stack frames: > Apr 19 10:59:22 kdc winbindd[6568]: #0 > /usr/lib/libsmbconf.so.0(log_stack_trace+0x2e) [0x4e69de] > Apr 19 10:59:22 kdc winbindd[6568]: #1 > /usr/lib/libsmbconf.so.0(smb_panic_s3+0x32) [0x4e6b02] > Apr 19 10:59:22 kdc winbindd[6568]: #2 > /usr/lib/libsamba-util.so.0(smb_panic+0x20b) [0x7faf6b] > Apr 19 10:59:22 kdc winbindd[6568]: #3 /usr/lib/libpdb.so.0(+0x1f884) > [0x2a6884] > Apr 19 10:59:22 kdc winbindd[6568]: #4 > /usr/lib/libpdb.so.0(pdb_capabilities+0xc) [0x2a6d0c] > Apr 19 10:59:22 kdc winbindd[6568]: #5 > winbindd(_lsa_EnumTrustedDomainsEx+0x26) [0x80ee736] > Apr 19 10:59:22 kdc winbindd[6568]: #6 winbindd() [0x80fb440] > Apr 19 10:59:22 kdc winbindd[6568]: #7 winbindd() [0x80c7e58] > Apr 19 10:59:22 kdc winbindd[6568]: #8 > /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_raw_call_send+0xaf) > [0x369289f] > Apr 19 10:59:22 kdc winbindd[6568]: #9 > /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call_send+0x2ac) > [0x3692bac] > Apr 19 10:59:22 kdc winbindd[6568]: #10 > /usr/lib/libdcerpc-binding.so.0(dcerpc_binding_handle_call+0x6a) [0x3692cca] > Apr 19 10:59:22 kdc winbindd[6568]: #11 > 
/usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx_r+0x55) > [0x3716165] > Apr 19 10:59:22 kdc winbindd[6568]: #12 > /usr/lib/samba/libdcerpc-samba.so(dcerpc_lsa_EnumTrustedDomainsEx+0x50) > [0x37161d0] > Apr 19 10:59:22 kdc winbindd[6568]: #13 > winbindd(rpc_trusted_domains+0xa3) [0x808edb3] > Apr 19 10:59:22 kdc winbindd[6568]: #14 winbindd() [0x809662a] > Apr 19 10:59:22 kdc winbindd[6568]: #15 winbindd() [0x8076d5c] > Apr 19 10:59:22 kdc winbindd[6568]: #16 > winbindd(winbindd_dual_list_trusted_domains+0x51) [0x80844b1] > Apr 19 10:59:22 kdc winbindd[6568]: #17 winbindd() [0x809c4fc] > Apr 19 10:59:22 kdc winbindd[6568]: #18 winbindd() [0x809d19d] > Apr 19 10:59:22 kdc winbindd[6568]: #19 /usr/lib/libtevent.so.0() > [0xda9d15] > Apr 19 10:59:22 kdc winbindd[6568]: #20 > /usr/lib/libtevent.so.0(tevent_common_loop_immediate+0xef) [0xda987f] > Apr 19 10:59:22 kdc winbindd[6568]: #21 > /usr/lib/libsmbconf.so.0(run_events_poll+0x41) [0x4ff9a1] > Apr 19 10:59:22 kdc winbindd[6568]: #22 > /usr/lib/libsmbconf.so.0(+0x36186) [0x500186] > Apr 19 10:59:22 kdc winbindd[6568]: #23 > /usr/lib/libtevent.so.0(_tevent_loop_once+0x98) [0xda8c18] > Apr 19 10:59:22 kdc winbindd[6568]: #24 winbindd(main+0x973) [0x806ddd3] > Apr 19 10:59:22 kdc winbindd[6568]: #25 > /lib/libc.so.6(__libc_start_main+0xe6) [0xe13ce6] > Apr 19 10:59:22 kdc winbindd[6568]: #26 winbindd() [0x8060271] > Apr 19 10:59:22 kdc winbindd[6568]: [2013/04/19 10:59:22.630601, 0] > ../source3/lib/dumpcore.c:317(dump_core) > Apr 19 10:59:22 kdc winbindd[6568]: dumping core in > /var/log/samba/cores/winbindd > Apr 19 10:59:22 kdc winbindd[6568]: > Apr 19 10:59:22 kdc abrtd: Directory 'ccpp-2013-04-19-10:59:22-6568' > creation detected > Apr 19 10:59:22 kdc abrt[6571]: Saved core dump of pid 6568 > (/usr/sbin/winbindd) to /var/spool/abrt/ccpp-2013-04-19-10:59:22-6568 > (1814528 bytes) > > > -- > Groeten, > natxo > _______________________________________________ > Freeipa-users mailing list > 
Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From natxo.asenjo at gmail.com Fri Apr 19 09:38:03 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 11:38:03 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To: <20130419092741.GX20956@localhost.localdomain>
References: <20130419092741.GX20956@localhost.localdomain>
Message-ID:

On Fri, Apr 19, 2013 at 11:27 AM, Sumit Bose wrote:
> On Fri, Apr 19, 2013 at 11:03:02AM +0200, Natxo Asenjo wrote:
> > hi,
> >
> > while following the instructions in
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> >
> > I run step 9:
> >
> > smbclient -L kdc.ipa.asenjo.nx -k
> > lp_load_ex: changing to config backend registry
> > Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)
> >
> > I have a valid ticket:
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@IPA.ASENJO.NX
> >
> > Valid starting     Expires            Service principal
> > 04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
> > 04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>
> did ipa-adtrust-install finish successfully?
>

yes

> Can you check if there is a cifs service:
>
> $ ipa service show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>

# ipa service-show cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
  Principal: cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
  Keytab: True
  Managed by: kdc.ipa.asenjo.nx

> the output should show 'Keytab: True'
>
> Then please check if samba knows about the keytab and its content.
>
> $ net conf list
>
> should contain 'kerberos method = dedicated keytab' and
> 'dedicated keytab file = FILE:/etc/samba/samba.keytab'
>

# net conf list | grep keytab
	kerberos method = dedicated keytab
	dedicated keytab file = FILE:/etc/samba/samba.keytab

> $ klist -ekt /etc/samba/samba.keytab
>
> should show entries with different encryption types.
> Next please try to get a ticket for this service:
>
> $ kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
>

# kvno cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 1

[root@kdc ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.ASENJO.NX

Valid starting     Expires            Service principal
04/19/13 08:46:48  04/20/13 08:46:48  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
04/19/13 08:56:59  04/20/13 08:46:48  HTTP/kdc.ipa.asenjo.nx@IPA.ASENJO.NX
04/19/13 11:33:19  04/20/13 08:46:48  cifs/kdc.ipa.asenjo.nx@IPA.ASENJO.NX

> klist should now list the ticket. Please try the smbclient command
> again.
>

# smbclient -L kdc.ipa.asenjo.nx -k
lp_load_ex: changing to config backend registry
Connection to kdc.ipa.asenjo.nx failed (Error NT_STATUS_CONNECTION_REFUSED)

Thanks,

--
groet,
natxo

From natxo.asenjo at gmail.com Fri Apr 19 09:45:47 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 11:45:47 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To: <20130419092741.GX20956@localhost.localdomain>
References: <20130419092741.GX20956@localhost.localdomain>
Message-ID:

I saw there is a log in /var/log/samba/log.wb-IPA

The log complains about missing keys for the spn for the hostname (not the fqdn, just the hostname):

Connection to LDAP server failed for the 15 try!
[2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
  kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/kdc@IPA.ASENJO.NX

--
Groeten,
natxo

From sbose at redhat.com Fri Apr 19 10:11:03 2013
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 19 Apr 2013 12:11:03 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To:
References: <20130419092741.GX20956@localhost.localdomain>
Message-ID: <20130419101103.GY20956@localhost.localdomain>

On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> I saw there is a log in /var/log/samba/log.wb-IPA
>
> The log complains about missing keys for the spn for the hostname (not the
> fqdn, just the hostname):
>
> Connection to LDAP server failed for the 15 try!
> [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
>   kerberos error: code=-1765328203, message=Keytab contains no suitable
> keys for cifs/kdc@IPA.ASENJO.NX

Can you check if

$ hostname

returns the fully qualified hostname, if not, please fix this, call ipactl stop and ipactl start and try again.

bye,
Sumit

>
>
> --
> Groeten,
> natxo

From natxo.asenjo at gmail.com Fri Apr 19 10:37:30 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 12:37:30 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To: <20130419101103.GY20956@localhost.localdomain>
References: <20130419092741.GX20956@localhost.localdomain> <20130419101103.GY20956@localhost.localdomain>
Message-ID:

I modified /etc/sysconfig/network
HOSTNAME=kdc.ipa.asenjo.nx

rebooted the host. Re-ran

# smbclient -L kdc.ipa.asenjo.nx -k
lp_load_ex: changing to config backend registry
Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.0.0rc4)
Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]

That was ok.
re-ran:

# ipa trust-add --type=ad ad.asenjo.nx --admin Administrator --password
Active directory domain administrator's password:
-----------------------------------------------------
Added Active Directory trust for realm "ad.asenjo.nx"
-----------------------------------------------------
  Realm name: ad.asenjo.nx
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-2508008360-1834726910-79835928
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

And it is working :-)

Awesome.

Thanks!

--
groet,
natxo

--
Groeten,
natxo

On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose wrote:
> On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > I saw there is a log in /var/log/samba/log.wb-IPA
> >
> > The log complains about missing keys for the spn for the hostname (not
> the
> > fqdn, just the hostname):
> >
> > Connection to LDAP server failed for the 15 try!
> > [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
> >   kerberos error: code=-1765328203, message=Keytab contains no suitable
> > keys for cifs/kdc@IPA.ASENJO.NX
>
> Can you check if
>
> $ hostname
>
> returns the fully qualified hostname, if not, please fix this, call
> ipactl stop and ipactl start and try again.
>
> bye,
> Sumit
>
> >
> >
> > --
> > Groeten,
> > natxo
>

From natxo.asenjo at gmail.com Fri Apr 19 10:47:47 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 12:47:47 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To:
References: <20130419092741.GX20956@localhost.localdomain> <20130419101103.GY20956@localhost.localdomain>
Message-ID:

hi,

just a little 'but'.
when verifying the trust (point 12 https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html)

# kinit user
Password for nasenjo@IPA.ASENJO.NX:
[root@kdc ~]# kvno host/host.ipa.asenjo.nx@IPA.ASENJO.NX
host/host.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 2
[root@kdc ~]# kvno cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
kvno: KDC policy rejects request while getting credentials for cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX

--
regards,
natxo

From sbose at redhat.com Fri Apr 19 10:58:37 2013
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 19 Apr 2013 12:58:37 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To:
References: <20130419092741.GX20956@localhost.localdomain>
 <20130419101103.GY20956@localhost.localdomain>
Message-ID: <20130419105837.GZ20956@localhost.localdomain>

On Fri, Apr 19, 2013 at 12:37:30PM +0200, Natxo Asenjo wrote:
> I modified /etc/sysconfig/network
> HOSTNAME=kdc.ipa.asenjo.nx
>
> rebooted the host. Re-ran
>
> # smbclient -L kdc.ipa.asenjo.nx -k
> lp_load_ex: changing to config backend registry
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (Samba 4.0.0rc4)
> Domain=[IPA] OS=[Unix] Server=[Samba 4.0.0rc4]
>
> That was ok.
>
> re-ran:
>
> # ipa trust-add --type=ad ad.asenjo.nx --admin Administrator --password
> Active directory domain administrator's password:
> -----------------------------------------------------
> Added Active Directory trust for realm "ad.asenjo.nx"
> -----------------------------------------------------
>   Realm name: ad.asenjo.nx
>   Domain NetBIOS name: AD
>   Domain Security Identifier: S-1-5-21-2508008360-1834726910-79835928
>   Trust direction: Two-way trust
>   Trust type: Active Directory domain
>   Trust status: Established and verified
>
> And it is working :-)
>
> Awesome.

Great. Please note that having hostname to return a fully qualified host
name is not a new requirement coming with the trust feature. It was always
recommended because also other services like sshd, httpd, sssd might have
problems finding the right Kerberos keys from their keytabs.

bye,
Sumit

>
> Thanks!
>
> --
> regards,
> natxo
>
>
> --
> Regards,
> natxo
>
>
> On Fri, Apr 19, 2013 at 12:11 PM, Sumit Bose wrote:
>
> > On Fri, Apr 19, 2013 at 11:45:47AM +0200, Natxo Asenjo wrote:
> > > I saw there is a log in /var/log/samba/log.wb-IPA
> > >
> > > The log complains about missing keys for the spn for the hostname (not
> > the
> > > fqdn, just the hostname):
> > >
> > > Connection to LDAP server failed for the 15 try!
> > > [2013/04/19 11:39:22.352522, 0] ipa_sam.c:3689(bind_callback_cleanup)
> > > kerberos error: code=-1765328203, message=Keytab contains no suitable
> > > keys for cifs/kdc@IPA.ASENJO.NX
> >
> > Can you check if
> >
> > $ hostname
> >
> > returns the fully qualified hostname, if not, please fix this, call
> > ipactl stop and ipactl start and try again.
> >
> > bye,
> > Sumit
> >
> > >
> > > --
> > > Regards,
> > > natxo
> >

From sbose at redhat.com Fri Apr 19 11:08:54 2013
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 19 Apr 2013 13:08:54 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To:
References: <20130419092741.GX20956@localhost.localdomain>
 <20130419101103.GY20956@localhost.localdomain>
Message-ID: <20130419110854.GA20956@localhost.localdomain>

On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
> hi,
>
> just a little 'but'.
>
> when verifying the trust (point 12
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html)
>
>
> # kinit user
> Password for nasenjo@IPA.ASENJO.NX:
> [root@kdc ~]# kvno host/host.ipa.asenjo.nx@IPA.ASENJO.NX
> host/host.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 2
> [root@kdc ~]# kvno cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
> kvno: KDC policy rejects request while getting credentials for
> cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX

Can you check if klist shows a cross-realm ticket like
krbtgt/AD.REALM@IPA.REALM after the second kvno call? If yes, it might
be a policy on the AD side which rejects the request.

bye,
Sumit

>
> --
> regards,
> natxo

From natxo.asenjo at gmail.com Fri Apr 19 12:16:32 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 14:16:32 +0200
Subject: [Freeipa-users] problems with trust with AD (2 different domains
In-Reply-To: <20130419110854.GA20956@localhost.localdomain>
References: <20130419092741.GX20956@localhost.localdomain>
 <20130419101103.GY20956@localhost.localdomain>
 <20130419110854.GA20956@localhost.localdomain>
Message-ID:

On Fri, Apr 19, 2013 at 1:08 PM, Sumit Bose wrote:

> On Fri, Apr 19, 2013 at 12:47:47PM +0200, Natxo Asenjo wrote:
> > hi,
> >
> > just a little 'but'.
> >
> > when verifying the trust (point 12
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html
> )
> >
> >
> > # kinit user
> > Password for nasenjo@IPA.ASENJO.NX:
> > [root@kdc ~]# kvno host/host.ipa.asenjo.nx@IPA.ASENJO.NX
> > host/host.ipa.asenjo.nx@IPA.ASENJO.NX: kvno = 2
> > [root@kdc ~]# kvno cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
> > kvno: KDC policy rejects request while getting credentials for
> > cifs/win2k8.ad.asenjo.nx@AD.ASENJO.NX
>
> Can you check if klist shows a cross-realm ticket like
> krbtgt/AD.REALM@IPA.REALM after the second kvno call? If yes, it might
> be a policy on the AD side which rejects the request.
>

hi,

yes, the krbtgt ticket for the AD domain is there all right. let's try to find out where to allow that request then.

--
Regards,
natxo

From natxo.asenjo at gmail.com Fri Apr 19 14:35:06 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 16:35:06 +0200
Subject: [Freeipa-users] ssh login from windows AD trust host not working
Message-ID:

hi,

after successfully configuring the trust between 2 different domains (IPA.ASENJO.NX and AD.ASENJO.NX) I would like to login from the windows host to the linux host using the trusted kerberos tickets.
This is my krb.conf in the linux host:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.ASENJO.NX
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IPA.ASENJO.NX = {
  kdc = kdc.ipa.asenjo.nx:88
  admin_server = kdc.ipa.asenjo.nx:749
  default_domain = ipa.asenjo.nx
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .ipa.asenjo.nx = IPA.ASENJO.NX
 ipa.asenjo.nx = IPA.ASENJO.NX

[dbmodules]
# IPA.ASENJO.NX = {
#  db_library = kldap
#  ldap_servers = ldapi://%2fvar%2frun%2fslapd-IPA-ASENJO-NX.socket
#  ldap_kerberos_container_dn = cn=kerberos,dc=ipa,dc=asenjo,dc=nx
#  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
#  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=ipa,dc=asenjo,dc=nx
#  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
# }
 IPA.ASENJO.NX = {
  db_library = ipadb.so
 }

and in /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam, ssh, pac
domains = ipa.asenjo.nx

[nss]

[pam]

[domain/ipa.asenjo.nx]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.asenjo.nx
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kdc.ipa.asenjo.nx
chpass_provider = ipa
ipa_server = kdc.ipa.asenjo.nx
ldap_tls_cacert = /etc/ipa/ca.crt
subdomains_provider = ipa

I restarted the server after this change

Then I created an external group like explained here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-groups.html

And tried logging in using ssh with putty from the windows hosts (using the login Administrator@ad.asenjo.nx, with gss-api credentials delegation).
Unfortunately it keeps asking me for a password for the user Administrator@ad.asenjo.nx@kdc.ipa.asenjo.nx, so it is adding the name of the linux host to the login name.

Any help greatly appreciated.

--
regards,
natxo

--
Regards,
natxo

From natxo.asenjo at gmail.com Fri Apr 19 15:15:50 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 17:15:50 +0200
Subject: [Freeipa-users] ssh login from windows AD trust host not working
In-Reply-To:
References:
Message-ID:

hi,

some progress. I disabled the firewall of the linux host (also the kdc, incidentally). From the Windows host using the AD Domain and Trusts tool I can verify the trust and using putty I can login and get the linux kerberos tickets as a windows realm user.

If I enable the firewall and I do not block the ldap/ldaps port (the windows host is also the domain controller, yeah, I know, this is a home test lab on very modest virtual hardware), then I can login using putty with sso too, but I cannot verify the trust using the AD Domain and Trusts tool.

So is this expected behaviour?

--
regards,
natxo

From abokovoy at redhat.com Fri Apr 19 15:26:51 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 19 Apr 2013 18:26:51 +0300
Subject: [Freeipa-users] ssh login from windows AD trust host not working
In-Reply-To:
References:
Message-ID: <20130419152651.GG6823@redhat.com>

On Fri, 19 Apr 2013, Natxo Asenjo wrote:
>hi,
>
>some progress. I disabled the firewall of the linux host (also the kdc,
>incidentally). From the Windows host using the AD Domain and Trusts tool I
>can verify the trust and using putty I can login and get the linux kerberos
>tickets as a windows realm user.
>
>If I enable the firewall and I do not block the ldap/ldaps port (the
>windows host is also the domain controller, yeah, I know, this is a home
>test lab on very modest virtual hardware), then I can login using putty
>with sso too, but I cannot verify the trust using the AD Domain and Trusts
>tool.
>
>So is this expected behaviour?
Yes, because you also need to keep right ports open. Verification of
trust is done via SMB protocol (actually, netlogon pipe), so you need to
get SMB ports open -- 135/tcp, 139/tcp, 445/tcp and some ports starting
from 1024/tcp for end-point mapper.

--
/ Alexander Bokovoy

From natxo.asenjo at gmail.com Fri Apr 19 20:14:36 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Fri, 19 Apr 2013 22:14:36 +0200
Subject: [Freeipa-users] ssh login from windows AD trust host not working
In-Reply-To: <20130419152651.GG6823@redhat.com>
References: <20130419152651.GG6823@redhat.com>
Message-ID:

hi,

a bit puzzled now. I have joined another 2k8r2 host to the AD domain that is trusted by the ipa domain.

As AD\administrator I can ssh to the linux host.

I create a bunch of AD users, standard members of 'Domain Users'. But I cannot login to the linux host.

When I run wbinfo --online-status I get this:

# wbinfo --online-status
BUILTIN : online
IPA : online
AD : offline

# wbinfo --domain-info ad.asenjo.nx
Name              : AD
Alt_Name          : ad.asenjo.nx
SID               : S-1-5-21-2508008360-1834726910-79835928
Active Directory  : No
Native            : No
Primary           : No

# wbinfo --domain ad.asenjo.nx -u
With this last command I would expect to see all the users I created in the AD.

# getent group ad_users
ad_users:*:642801446:administrator@ad.asenjo.nx

this tells me that the external group we created has only the AD administrator in it, so it makes sense only this one is allowed.
But I checked the SID of the mapped group:

# ipa group-show ad_users_external
  Group name: ad_users_external
  Description: AD users external map
  Member of groups: ad_users
  External member: S-1-5-21-2508008360-1834726910-79835928-513

And it is the AD\Domain Users sid, I checked it on the windows host because wbinfo shows me no info:

[root@kdc ~]# wbinfo -n "AD\Domain Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name AD\Domain Users
[root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
[root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d ad.asenjo.nx
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513

So how can I get the rest of the users in the group mapped?

TIA,

--
regards,
natxo

From sbose at redhat.com Sat Apr 20 18:32:45 2013
From: sbose at redhat.com (Sumit Bose)
Date: Sat, 20 Apr 2013 20:32:45 +0200
Subject: [Freeipa-users] ssh login from windows AD trust host not working
In-Reply-To:
References: <20130419152651.GG6823@redhat.com>
Message-ID: <20130420183245.GF20956@localhost.localdomain>

On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
> hi,
>
> a bit puzzled now. I have joined another 2k8r2 host to the AD domain that
> is trusted by the ipa domain.
>
> As AD\administrator I can ssh to the linux host.
>
> I create a bunch of AD users, standard members of 'Domain Users'. But I
> cannot login to the linux host.
>
> When I run wbinfo --online-status I get this:
>
> # wbinfo --online-status
> BUILTIN : online
> IPA : online
> AD : offline
>
> # wbinfo --domain-info ad.asenjo.nx
> Name              : AD
> Alt_Name          : ad.asenjo.nx
> SID               : S-1-5-21-2508008360-1834726910-79835928
> Active Directory  : No
> Native            : No
> Primary           : No
>
> # wbinfo --domain ad.asenjo.nx -u
> With this last command I would expect to see all the users I created in the
> AD.
>
> # getent group ad_users
> ad_users:*:642801446:administrator@ad.asenjo.nx
>
> this tells me that the external group we created has only the AD
> administrator in it, so it makes sense only this one is allowed. But I

no, this is a wrong interpretation. The group membership for users from
trusted domains is only evaluated at login time with the help of the
data stored in the MS-PAC. Because group-membership resolution in an AD
environment can be cumbersome, especially when it comes to forests and
forest trusts, and the MS-PAC provides all memberships we decided to
rely only on the MS-PAC here. As a consequence getent group only shows
the users of the IPA domain and AD users who already logged in
successfully.
> checked the SID of the mapped group:
>
> # ipa group-show ad_users_external
>   Group name: ad_users_external
>   Description: AD users external map
>   Member of groups: ad_users
>   External member: S-1-5-21-2508008360-1834726910-79835928-513
>
> And it is the AD\Domain Users sid, I checked it on the windows host because
> wbinfo shows me no info:
>
> [root@kdc ~]# wbinfo -n "AD\Domain Users"
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name AD\Domain Users
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
> [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d
> ad.asenjo.nx
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513

looks like winbind has some issues connecting to the AD server. Did you
change any firewall setting that might cause the issue here?

More details might be available in the winbind logs.

bye,
Sumit

>
> So how can I get the rest of the users in the group mapped?
>
> TIA,
>
> --
> regards,
> natxo

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From nareshbtech at yahoo.com Sat Apr 20 01:33:55 2013
From: nareshbtech at yahoo.com (Naresh Chandra R Paturi)
Date: Sat, 20 Apr 2013 02:33:55 +0100
Subject: [Freeipa-users] Freeipa -ssh keys
Message-ID: <5171F083.1020409@yahoo.com>

Hi all

I am new to freeipa
we have a group of linux servers where we are trying to establish password less logins, in order to do this we need to copy ssh keys of all users to each and every client server. so we are trying to establish freeipa central server where we store the keys of all the users.
we got free ipa working with passwords but trying to authenticate with keys.
is this achievable.
if you please kindly direct me.

thank you
regards
Naresh Paturi

ssh debug log as follows

slab@ubuntu:~/.ssh$ ssh -vvv slab@eng.switchlab.net@backuptest.eng.switchlab.net
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to backuptest.eng.switchlab.net [192.168.2.67] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/slab/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/slab/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/slab/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/slab/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/slab/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/slab/.ssh/id_dsa-cert type -1
debug1: identity file /home/slab/.ssh/id_ecdsa type -1
debug1: identity file /home/slab/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "backuptest.eng.switchlab.net" from file "/home/slab/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/slab/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 5b:aa:13:f7:27:08:bb:da:8c:1e:28:d4:e6:65:88:82
debug3: load_hostkeys: loading entries for host "backuptest.eng.switchlab.net" from file "/home/slab/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/slab/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.2.67" from file "/home/slab/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/slab/.ssh/known_hosts:12
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'backuptest.eng.switchlab.net' is known and matches the ECDSA host key.
debug1: Found key in /home/slab/.ssh/known_hosts:11
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/slab/.ssh/id_rsa (0x7f96ad0974d0)
debug2: key: /home/slab/.ssh/id_dsa (0x7f96ad097510)
debug2: key: /home/slab/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/slab/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /home/slab/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/slab/.ssh/id_ecdsa
debug3: no such identity: /home/slab/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
slab@eng.switchlab.net@backuptest.eng.switchlab.net's password:
debug3: packet_send2: adding 48 (len 76 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to backuptest.eng.switchlab.net ([192.168.2.67]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LANGUAGE
debug3: Ignored env LOGNAME
debug3: Ignored env LESSOPEN
debug3: Ignored env LESSCLOSE
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sat Apr 20 02:23:41 BST 2013

  System load:  0.0               Processes:           121
  Usage of /:   4.5% of 128.25GB  Users logged in:     1
  Memory usage: 1%                IP address for eth0: 192.168.2.67
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

126 packages can be updated.
65 updates are security updates.
Last login: Sat Apr 20 02:19:27 2013 from 192.168.2.68
slab@backuptest:~$

From rcritten at redhat.com Sat Apr 20 19:11:02 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Sat, 20 Apr 2013 15:11:02 -0400
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <5171F083.1020409@yahoo.com>
References: <5171F083.1020409@yahoo.com>
Message-ID: <5172E846.9080507@redhat.com>

Naresh Chandra R Paturi wrote:
> Hi all
>
> I am new to freeipa
> we have a group of linux servers where we are trying to establish
> password less logins, in order to do this we need to copy ssh keys of
> all users to each and every client server. so we are trying to establish
> freeipa central server where we store the keys of all the users.
> we got free ipa working with passwords but trying to authenticate with
> keys.
> is this achievable. if you please kindly direct me.

With IPA 3.0 this is configured for you automatically by default on
RHEL/Fedora systems.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys

I believe you will need an openssh patch for this to work on a
Debian/Ubuntu client. I believe it also requires sssd.
rob

From natxo.asenjo at gmail.com Sat Apr 20 21:21:01 2013
From: natxo.asenjo at gmail.com (Natxo Asenjo)
Date: Sat, 20 Apr 2013 23:21:01 +0200
Subject: [Freeipa-users] ssh login from windows AD trust host not working
In-Reply-To: <20130420183245.GF20956@localhost.localdomain>
References: <20130419152651.GG6823@redhat.com>
 <20130420183245.GF20956@localhost.localdomain>
Message-ID:

On Sat, Apr 20, 2013 at 8:32 PM, Sumit Bose wrote:

> On Fri, Apr 19, 2013 at 10:14:36PM +0200, Natxo Asenjo wrote:
>
> > # wbinfo --online-status
> > BUILTIN : online
> > IPA : online
> > AD : offline
> >
> > # wbinfo --domain-info ad.asenjo.nx
> > Name              : AD
> > Alt_Name          : ad.asenjo.nx
> > SID               : S-1-5-21-2508008360-1834726910-79835928
> > Active Directory  : No
> > Native            : No
> > Primary           : No
> >
> > # wbinfo --domain ad.asenjo.nx -u
> > With this last command I would expect to see all the users I created in
> the
> > AD.
> >
> > # getent group ad_users
> > ad_users:*:642801446:administrator@ad.asenjo.nx
> >
> > this tells me that the external group we created has only the AD
> > administrator in it, so it makes sense only this one is allowed. But I
>
> no, this is a wrong interpretation. The group membership for users from
> trusted domains is only evaluated at login time with the help of the
> data stored in the MS-PAC. Because group-membership resolution in an AD
> environment can be cumbersome, especially when it comes to forests and
> forest trusts, and the MS-PAC provides all memberships we decided to
> rely only on the MS-PAC here. As a consequence getent group only shows
> the users of the IPA domain and AD users who already logged in
> successfully.
>

ok, got it.
> > checked the SID of the mapped group:
> >
> > # ipa group-show ad_users_external
> >   Group name: ad_users_external
> >   Description: AD users external map
> >   Member of groups: ad_users
> >   External member: S-1-5-21-2508008360-1834726910-79835928-513
> >
> > And it is the AD\Domain Users sid, I checked it on the windows host
> because
> > wbinfo shows me no info:
> >
> > [root@kdc ~]# wbinfo -n "AD\Domain Users"
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name AD\Domain Users
> > [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
> > [root@kdc ~]# wbinfo -s S-1-5-21-2508008360-1834726910-79835928-513 -d
> > ad.asenjo.nx
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-21-2508008360-1834726910-79835928-513
>
> looks like winbind has some issues connecting to the AD server. Did you
> change any firewall setting that might cause the issue here?
>

With the firewalls (both at the linux host and at the windows host) enabled I can login as AD\administrator user from the same windows host I cannot ssh to as a normal 'domain user'. So the firewall does not seem the issue at hand.
My iptables rules:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

> More details might be available in the winbind logs.
>

What logs exactly would you like to see?

ls -l /var/log/samba/log.winbindd*
-rw-r--r--. 1 root root 10854 Apr 19 21:49 /var/log/samba/log.winbindd
-rw-r--r--. 1 root root     0 Apr 19 15:02 /var/log/samba/log.winbindd-dc-connect
-rw-r--r--. 1 root root 28532 Apr 19 21:51 /var/log/samba/log.winbindd-idmap
-rw-r--r--. 1 root root   133 Apr 19 21:45 /var/log/samba/log.winbindd-locator

How can I get more debugging info from winbind?

--
Thanks,
natxo

> bye,
> Sumit
>
> >
> > So how can I get the rest of the users in the group mapped?
> >
> > TIA,
> >
> > --
> > regards,
> > natxo
>
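Added example (editor's addition, not code from the thread, FreeIPA or Samba): a check of the `iptables -L -n` listing above against the ports Alexander listed earlier for trust verification (135/tcp, 139/tcp, 445/tcp plus a dynamic range from 1024/tcp for the end-point mapper). The listing is embedded as a constructed string copied from the post; the required-port set and the "range reaching above 1024" heuristic are assumptions taken from his reply, not a complete Samba port list. One thing the parser has to cope with: `-L -n` without `-v` does not print interfaces, so the bare `ACCEPT all` rule in the listing may be the usual `-i lo` rule or may be wide open, and the script flags it rather than guessing.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed from the `iptables -L -n` listing posted above (not a live capture)
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,443,389,636,88,464,53,138,139,445 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 88,464,53,123,138,139,389,445 state NEW,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# Assumption: the TCP ports Alexander named for trust verification over the netlogon pipe
TRUST_PORTS_TCP = (135, 139, 445)
RPC_DYNAMIC_START = 1024  # assumption: end-point mapper hands out ports from here upward

Range = Tuple[int, int]


def _port_ranges(spec: str) -> List[Range]:
    """'22' -> [(22, 22)]; '80,443,1024:65535' -> [(80, 80), (443, 443), (1024, 65535)]."""
    ranges: List[Range] = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_input_accepts(listing: str) -> Dict[str, Any]:
    """Collect accepted destination ports per protocol from the INPUT chain."""
    accepts: Dict[str, List[Range]] = {"tcp": [], "udp": []}
    unscoped_accept_all = 0
    chain = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        if chain != "INPUT" or len(fields) < 5 or fields[0] != "ACCEPT":
            continue
        proto, match_text = fields[1], " ".join(fields[5:])
        m = re.search(r"(?:dpts?:|dports )(\S+)", match_text)
        if m is None:
            # No port match and no conntrack state: an ACCEPT all that is either
            # the loopback rule (-i lo is hidden without -v) or a wide-open rule.
            if proto == "all" and "state" not in match_text:
                unscoped_accept_all += 1
            continue
        for p in (("tcp", "udp") if proto == "all" else (proto,)):
            accepts[p].extend(_port_ranges(m.group(1)))
    return {"accepts": accepts, "unscoped_accept_all": unscoped_accept_all}


def check_trust_ports(listing: str) -> Dict[str, Any]:
    """Report which trust-verification ports the INPUT chain does not admit."""
    parsed = parse_input_accepts(listing)
    tcp_ranges: List[Range] = parsed["accepts"]["tcp"]

    def allowed(port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in tcp_ranges)

    missing = [p for p in TRUST_PORTS_TCP if not allowed(p)]
    # A single high port is not enough for the end-point mapper; look for a
    # range rule (lo < hi) that reaches into the dynamic space.
    dynamic_open = any(lo < hi and hi >= RPC_DYNAMIC_START for lo, hi in tcp_ranges)
    return {
        "missing_tcp": missing,
        "rpc_dynamic_range_open": dynamic_open,
        "unscoped_accept_all": parsed["unscoped_accept_all"],
    }


if __name__ == "__main__":
    print(check_trust_ports(SAMPLE_LISTING))
```

On the posted ruleset this reports 135/tcp missing, no dynamic RPC range, and one unscoped `ACCEPT all` rule to re-check with `iptables -L -n -v`; the first two match Alexander's explanation of why the AD Domains and Trusts verification fails while Kerberos SSO still works.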
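Added example (editor's addition, not code from the thread or from MIT Kerberos): a small interpreter for the `auth_to_local` lines in the krb5.conf posted earlier in this thread, so the mapping from a ticket's principal to a local account name can be checked offline. It implements the MIT `RULE:[n:format](regexp)s/pattern/replacement/` form and `DEFAULT` as documented in krb5.conf(5); the regexp is treated as a search (which is why the rule anchors with `^` and `$`), and the first rule that applies wins. Python's `re` stands in for the POSIX regex engine, which is fine for rules like this one. The principals fed in below are constructed from names in the thread; the strict variant of the rule is the editor's, added to show that the unescaped dots in the posted rule also match a realm such as ADXASENJOXNX.

```python
import re
from typing import List, Optional, Tuple

# Rules as posted in the thread's krb5.conf (realm section of IPA.ASENJO.NX)
POSTED_RULES = [
    "RULE:[1:$1@$0](^.*@AD.ASENJO.NX$)s/@AD.ASENJO.NX/@ad.asenjo.nx/",
    "DEFAULT",
]
# Editor's stricter variant: dots escaped so only the real realm matches
STRICT_RULES = [
    r"RULE:[1:$1@$0](^.*@AD\.ASENJO\.NX$)s/@AD\.ASENJO\.NX/@ad.asenjo.nx/",
    "DEFAULT",
]
DEFAULT_REALM = "IPA.ASENJO.NX"


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """'host/kdc.example@REALM' -> (['host', 'kdc.example'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Apply one RULE:[n:fmt](regexp)s/pat/repl/ line; None if it does not apply."""
    m = re.match(r"RULE:\[(\d+):([^\]]*)\](.*)$", rule)
    if not m:
        raise ValueError("not a RULE line: %r" % rule)
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    comps, realm = parse_principal(principal)
    if len(comps) != ncomp:
        return None  # the [n:...] selector only fires for n-component principals
    # $0 is the realm, $1..$n are the name components
    s = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        s = s.replace("$%d" % i, comp)
    # Optional (regexp): the rule applies only if it matches the formatted string.
    # Simplification: the regexp is taken up to the first ')'.
    m = re.match(r"\((.*?)\)(.*)$", rest)
    if m:
        regexp, rest = m.group(1), m.group(2)
        if re.search(regexp, s) is None:
            return None
    # Zero or more s/pattern/replacement/[g] substitutions, applied in order
    for pat, repl, flag in re.findall(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)", rest):
        s = re.sub(pat, repl, s, count=0 if flag == "g" else 1)
    return s


def auth_to_local(principal: str, rules: List[str], default_realm: str) -> Optional[str]:
    """Return the local name for a principal, or None when no rule maps it."""
    for rule in rules:
        if rule == "DEFAULT":
            comps, realm = parse_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("Administrator@AD.ASENJO.NX", "nasenjo@IPA.ASENJO.NX",
              "host/kdc.ipa.asenjo.nx@IPA.ASENJO.NX", "bob@ADXASENJOXNX"):
        print(p, "->", auth_to_local(p, POSTED_RULES, DEFAULT_REALM),
              "| strict:", auth_to_local(p, STRICT_RULES, DEFAULT_REALM))
```

With the posted rules, `Administrator@AD.ASENJO.NX` maps to `Administrator@ad.asenjo.nx` (the name sssd is expected to resolve for a trusted user), an IPA user maps to its bare name via `DEFAULT`, and a two-component service principal maps to nothing. A realm would still have to be trusted by the KDC before its tickets reach this step, so the unescaped dots are a tidiness issue rather than a direct bypass, but the strict variant costs nothing.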
From rcritten at redhat.com Tue Apr 23 15:14:41 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 23 Apr 2013 11:14:41 -0400
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com>
Message-ID: <5176A561.50907@redhat.com>

naresh reddy wrote:
> Hi Rob
>
> Thank you very much
> but i tried the same with two fedora systems
> and got the similar issue
>
> i think the error is due to kerberos not installed but i can see it is
> installed on the client and server
> please suggest.

sssd needs to look up the keys in IPA so the client needs to be enrolled for this to work.

rob

> [np at ldap ~]$ ssh -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net
> OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 ldap1.eng.switchlab.net
> debug1: identity file /home/np/.ssh/identity type -1
> debug3: Not a RSA1 key file /home/np/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN' > debug3: key_read: missing keytype > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug2: key_type_from_name: unknown key type '-----END' > debug3: key_read: missing keytype > debug1: identity file /home/np/.ssh/id_rsa type 1 > debug1: identity file /home/np/.ssh/id_dsa type -1 > debug1: permanently_drop_suid: 501 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 > debug1: match: OpenSSH_6.1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.3 > debug2: fd 5 setting O_NONBLOCK > debug2: fd 4 setting O_NONBLOCK > debug1: SSH2_MSG_KEXINIT sent > debug3: Wrote 792 bytes for a total of 813 > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug3: Wrote 24 bytes for a total of 837 > debug2: dh_gen_key: priv key bits set: 144/256 > debug2: bits set: 516/1024 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: Wrote 144 bytes for a total of 981 > debug3: check_host_in_hostfile: filename /home/np/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 2 > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host > key. > debug1: Found key in /home/np/.ssh/known_hosts:2 > debug2: bits set: 499/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: Wrote 16 bytes for a total of 997 > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug3: Wrote 48 bytes for a total of 1045 > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /home/np/.ssh/identity ((nil)) > debug2: key: /home/np/.ssh/id_rsa (0x7f9ee71687b0) > debug2: key: /home/np/.ssh/id_dsa ((nil)) > debug3: Wrote 80 bytes for a total of 1125 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: preferred > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_lookup gssapi-keyex > debug3: remaining preferred: > gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-keyex > 
debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug1: Unspecified GSS failure. Minor code may provide more information > > > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug2: we did not send a packet, disable method > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Trying private key: /home/np/.ssh/identity > debug3: no such identity: /home/np/.ssh/identity > debug1: Offering public key: /home/np/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug3: Wrote 384 bytes for a total of 1509 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug1: Trying private key: /home/np/.ssh/id_dsa > debug3: no such identity: /home/np/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup password > debug3: remaining preferred: ,password > debug3: authmethod_is_enabled password > debug1: Next authentication method: password > np at eng.switchlab.net@ldap1.eng.switchlab.net's password: > debug3: packet_send2: adding 48 (len 75 padlen 5 extra_pad 64) > debug2: we sent a password packet, wait for reply > debug3: Wrote 144 bytes for a total of 1653 > debug1: 
Authentication succeeded (password). > debug1: channel 0: new [client-session] > debug3: ssh_session2_open: channel_new: 0 > debug2: channel 0: send open > debug1: Requesting no-more-sessions at openssh.com > debug1: Entering interactive session. > debug3: Wrote 128 bytes for a total of 1781 > debug2: callback start > debug2: client_session2_setup: id 0 > debug2: channel 0: request pty-req confirm 1 > debug1: Sending environment. > debug3: Ignored env HOSTNAME > debug3: Ignored env SHELL > debug3: Ignored env TERM > debug3: Ignored env HISTSIZE > debug3: Ignored env USER > debug3: Ignored env LS_COLORS > debug3: Ignored env MAIL > debug3: Ignored env PATH > debug3: Ignored env PWD > debug1: Sending env LANG = en_US.UTF-8 > debug2: channel 0: request env confirm 0 > debug3: Ignored env HISTCONTROL > debug3: Ignored env SHLVL > debug3: Ignored env HOME > debug3: Ignored env LOGNAME > debug3: Ignored env CVS_RSH > debug3: Ignored env LESSOPEN > debug3: Ignored env G_BROKEN_FILENAMES > debug3: Ignored env _ > debug2: channel 0: request shell confirm 1 > debug2: callback done > debug2: channel 0: open confirm rwindow 0 rmax 32768 > debug3: Wrote 448 bytes for a total of 2229 > debug2: channel_input_status_confirm: type 99 id 0 > debug2: PTY allocation request accepted on channel 0 > debug2: channel 0: rcvd adjust 2097152 > debug2: channel_input_status_confirm: type 99 id 0 > debug2: shell request accepted on channel 0 > Last failed login: Tue Apr 23 14:37:59 BST 2013 from 10.30.2.177 on > ssh:notty > There were 8 failed login attempts since the last successful login. 
> -sh-4.2$ debug3: Wrote 48 bytes for a total of 2277
> edebug3: Wrote 48 bytes for a total of 2325
> xdebug3: Wrote 48 bytes for a total of 2373
> idebug3: Wrote 48 bytes for a total of 2421
> tdebug3: Wrote 48 bytes for a total of 2469
>
> logout
> debug2: channel 0: rcvd eof
> debug2: channel 0: output open -> drain
> debug2: channel 0: obuf empty
> debug2: channel 0: close_write
> debug2: channel 0: output drain -> closed
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
> debug2: channel 0: rcvd eow
> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: almost dead
> debug2: channel 0: gc: notify user
> debug2: channel 0: gc: user detached
> debug2: channel 0: send close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
>
> debug3: channel 0: close_fds r -1 w -1 e 7 c -1
> debug3: Wrote 32 bytes for a total of 2501
> debug3: Wrote 64 bytes for a total of 2565
> Connection to ldap1.eng.switchlab.net closed.
> Transferred: sent 2288, received 2656 bytes, in 1.5 seconds
> Bytes per second: sent 1563.3, received 1814.8
> debug1: Exit status 0
>
> Nareshchandra Paturi
>
> 14, St. Augustine's Court,
> Mornington Road,
> london.
> E11 3BQ.
> Mob:07466666001,07856918100
> Ph:02082579579
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* Naresh Chandra R Paturi ; freeipa-users at redhat.com
> *Sent:* Saturday, April 20, 2013 8:11 PM
> *Subject:* Re: [Freeipa-users] Freeipa -ssh keys
>
> Naresh Chandra R Paturi wrote:
> > Hi all
> >
> > I am new to freeipa
> > we have a group of linux servers where we are trying to establish
> > password less logins, in order to do this we need to copy ssh keys of
> > all users to each and every client server. so we are trying to establish
> > freeipa central server where we store the keys of all the users.
> > we got free ipa working with passwords but trying to authenticate with
> > keys.
> > is this achievable. if you please kindly direct me.
>
> With IPA 3.0 this is configured for you automatically by default on
> RHEL/Fedora systems.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys
>
> I believe you will need an openssh patch for this to work on a
> Debian/Ubuntu client. I believe it also requires sssd.
>
> rob
>

From nareshbtech at yahoo.com Tue Apr 23 18:20:16 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Tue, 23 Apr 2013 11:20:16 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <5176A561.50907@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com>
Message-ID: <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com>

Hi Rob

I am sorry for coming back again
i can see client can get the ssh keys from the server but still fails
please suggest.
[root at ldap1 ssh]# /usr/bin/sss_ssh_authorizedkeys test at eng
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzvp0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDW9X6hJjbcoaY25HrzYvfNOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== tesst at ldap.eng.
ssh-rsa AAAAB3NzaC1yc2EAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4yb3prkr4oobGuyKJj/yd+S4Pf7OUzZT2xXzpy0TZAjiLnqlioxnhyZqgLO/Rdg5o+wt3R7H7L9kGDfMtAyBqUBrRqQeYgfGWvoVrm2UhkTcq/jxxACbYZq0Jg7OTFXodV40uAuRKqVgev6W4V+ozrTxpeVRElqTM4cEJ96V0UxLUpZUHvT1exFKk4F1crZ2hLEuPVWOlOj8NS/sQX3DDuDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n test at ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz test at ldap0.eng.

#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
# Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
#	CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

Nareshchandra Paturi

14, St. Augustine's Court,
Mornington Road,
london.
E11 3BQ.
Mob:07466666001,07856918100
Ph:02082579579

________________________________
From: Rob Crittenden
To: naresh reddy ; "freeipa-users at redhat.com"
Sent: Tuesday, April 23, 2013 4:14 PM
Subject: Re: [Freeipa-users] Freeipa -ssh keys

naresh reddy wrote:
> Hi Rob
>
> Thank you very much
> but i tried the same with two fedora systems
> and got the similar issue
>
> i think the error is due to kerberos not installed but i can see it is
> installed on the client and server
> please suggest.

sssd needs to look up the keys in IPA so the client needs to be enrolled for this to work.

rob
> > we have a group of linux servers where we are trying to establish
> > password less logins, in order to do this we need to copy ssh keys of
> > all users to each and every client server. so we are trying to establish
> > freeipa central server where we store the keys of all the users.
> > we got free ipa working with passwords but trying to authenticate with
> > keys.
> > is this achievable. if you please kindly direct me.
>
> With IPA 3.0 this is configured for you automatically by default on
> RHEL/Fedora systems.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys
>
> I believe you will need an openssh patch for this to work on a
> Debian/Ubuntu client. I believe it also requires sssd.
>
> rob
>

From bclark at tendrilinc.com Tue Apr 23 22:47:26 2013
From: bclark at tendrilinc.com (Brent Clark)
Date: Tue, 23 Apr 2013 16:47:26 -0600
Subject: [Freeipa-users] Cloned server
Message-ID:

Question,

Using ESXi to run many virtual servers in my environment. Sometimes it's necessary to "clone" a server to a new name to have a copy of it. If the server is an IPA member, so will be the clone (?) until the clone's hostname changes.

I have done some looking around and I haven't found a solution to the issue that comes up in this situation. I don't want to remove the original host entry from IPA, but I do need to "uninstall" the configuration from the cloned server before I can add it back to IPA under its new hostname.

Is there a way to accomplish this, or do I have to remove the original server from IPA, uninstall off the original and clone, then add each back into IPA?

Thanks for all your help.

--
Brent S. Clark

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

From dpal at redhat.com Tue Apr 23 23:11:10 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 23 Apr 2013 19:11:10 -0400
Subject: [Freeipa-users] Cloned server
In-Reply-To:
References:
Message-ID: <5177150E.1060906@redhat.com>

On 04/23/2013 06:47 PM, Brent Clark wrote:
> Question,
>
> Using ESXi to run many virtual servers in my environment. Sometimes
> it's necessary to "clone" a server to a new name to have a copy of it.
> If the server is an IPA member, so will be the clone (?) until the
> clone's hostname changes.
>
> I have done some looking around and I haven't found a solution to the
> issue that comes up in this situation. I don't want to remove the
> original host entry from IPA, but I do need to "uninstall" the
> configuration from the cloned server before I can add it back to IPA
> under its new hostname.
>
> Is there a way to accomplish this, or do I have to remove the original
> server from IPA, uninstall off the original and clone, then add each
> back into IPA?

I think you can:

1) Create new host entry
2) Clone the system
3) uninstall the client on the cloned server being offline
4) install client on the cloned server being online

Step 1) can be placed anywhere in the sequence before step 4. Other steps are sequential.

That should preserve the original VM but create a new one properly configured.

HTH

>
> Thanks for all your help.
>
> --
> Brent S. Clark
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the sender.
> Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
> Finally, the recipient should check this email and any attachments for the presence of viruses.
> The company accepts no liability for any damage caused by any virus transmitted by this email.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From jcholast at redhat.com Wed Apr 24 10:30:00 2013
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 24 Apr 2013 12:30:00 +0200
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com>
Message-ID: <5177B428.7020002@redhat.com>

On 23.4.2013 20:20, naresh reddy wrote:
> Hi Rob
>
> I am sorry for coming back again
> i can see client can get the ssh keys from the server but still fails
> please suggest.
>

By "client" you mean the machine that you are trying to ssh to, i.e. the machine that has sshd running? If not, make sure sss_ssh_authorizedkeys works on the machine with sshd, because that's the one that matters here. Also, what version of OpenSSH do you have installed?
Honza

--
Jan Cholasta

From aborrero at cica.es Wed Apr 24 11:53:36 2013
From: aborrero at cica.es (Arturo Borrero)
Date: Wed, 24 Apr 2013 13:53:36 +0200
Subject: [Freeipa-users] A public interface (aka My account management)
Message-ID: <5177C7C0.4020702@cica.es>

Hi there.

I'm wondering if it's possible to get FreeIPA with a 'public user interface'. This is: a place where a standard user can update his password and other personal data. I'm thinking of something similar to google.com/accounts

Does this exist? If not, is it possible to develop this addon?

We are strongly evaluating this functionality in order to actually implement FreeIPA as our identity management system.

Best regards

--
Arturo Borrero González
Departamento de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

From tbabej at redhat.com Wed Apr 24 12:32:54 2013
From: tbabej at redhat.com (Tomas Babej)
Date: Wed, 24 Apr 2013 14:32:54 +0200
Subject: [Freeipa-users] A public interface (aka My account management)
In-Reply-To: <5177C7C0.4020702@cica.es>
References: <5177C7C0.4020702@cica.es>
Message-ID: <5177D0F6.6070204@redhat.com>

On 04/24/2013 01:53 PM, Arturo Borrero wrote:
> Hi there.
>
> I'm wondering if it's possible to get FreeIPA with a 'public user
> interface'.
> This is: a place where a standard user can update his password and
> other personal data. I'm thinking of something similar to
> google.com/accounts
>
> Does this exist? If not, is it possible to develop this addon?
>
> We are strongly evaluating this functionality in order to actually
> implement FreeIPA as our identity management system.
>
> Best regards
>

Hi,

every user can log in to the Web UI using their login and Kerberos password. Having no other rights, there they can only edit their contact information, address information, reset their password, etc.

See /ipa/ui/ on your FreeIPA server, that is https://ipa.example.com/ipa/ui/

HTH

Tomas

From aly.khimji at gmail.com Wed Apr 24 16:38:31 2013
From: aly.khimji at gmail.com (Aly Khimji)
Date: Wed, 24 Apr 2013 12:38:31 -0400
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Message-ID:

Hey All,

Hoping you can help out. I have provided all details below. I have broken up diagnostics into sudo-ldap for AD/IPA users and sudo-sss for AD/IPA users.

Quick background. Have a 2003 Domain, with an IPA Trust established and working. AD users as well as local IPA users are able to log in to clients; HBAC with both types of users works as expected. Problem is with SUDO. sudo uid has been configured, and I have followed the RedHat IDM Setup docs for v3. AD users have been nested as required:

AD users -> AD Grp -> IPA Ext Grp -> IPA Posix Grp --> HBAC/SUDO applied to this group
IPA User -> Same HBAC/SUDO as above

When using sudo-ldap on the client side neither local IPA users nor AD users are able to use sudo (see below); when using sudo through sssd only the local IPA user is able to fetch the correct sudo rules.
atest = local IPA user
btest = AD trust user

All platforms are RHEL6.4 fully updated 64bit

Server Pkgs
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

libsss_idmap-1.9.2-82.4.el6_4.x86_64
sssd-1.9.2-82.4.el6_4.x86_64
libsss_autofs-1.9.2-82.4.el6_4.x86_64
sssd-client-1.9.2-82.4.el6_4.x86_64

sudo-1.8.6p3-7.el6.x86_64

Client Pkgs
ipa-python-3.0.0-25.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-25.el6.x86_64
libipa_hbac-1.9.2-82.el6.x86_64

sssd-1.9.2-82.el6.x86_64
libsss_sudo-1.9.2-82.el6.x86_64
sssd-client-1.9.2-82.el6.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
libsss_idmap-1.9.2-82.el6.x86_64

sudo-1.8.6p3-7.el6.x86_6

Diag when using SUDO-> SSS

LOCAL IDM USER
-sh-4.1$ sudo -l
Matching Defaults entries for atest on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User atest may run the following commands on this host:
    (root : wheel) /usr/bin/less
-sh-4.1$

AD TRUST USER
-sh-4.1$ sudo -l
[sudo] password for btest@corpnonprd.xxxx.com:
User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
-sh-4.1$

[root@rhidmclient ~]# cat /etc/nsswitch.conf
....
sudoers: files sss

/etc/sssd/sssd.conf (CLIENT)

[domain/nix.corpnonprd.xxxx.com]
debug_level = 5
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.corpnonprd.xxxx.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhidmclient.nix.corpnonprd.xxxx.com
chpass_provider = ipa
ipa_server = _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
ldap_tls_cacert = /etc/ipa/ca.crt
sudo_provider = ldap
ldap_uri = ldap://didmsvrua01.nix.corpnonprd.xxxx.com
ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhidmclient.nix.corpnonprd.xxxx.com
ldap_sasl_realm = NIX.CORPNONPRD.XXXX.COM
krb5_server = didmsvrua01.nix.corpnonprd.XXXX.com
subdomains_provider = ipa

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo, pac

[sudo]

/etc/krb5.conf (CLIENT)

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = NIX.CORPNONPRD.xxxx.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
NIX.CORPNONPRD.xxxx.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD.xxxx.COM$)s/@CORPNONPRD.xxxx.COM/@corpnonprd.xxxx.com/
  auth_to_local = DEFAULT
}

[domain_realm]
.nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM

/var/log/sssd output (CLIENT) when triggering $>sudo -l

LOCAL IDM USER
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=atest]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_818800005_KVeSdP if of different type than ccache in configuration file, reusing the old ccache
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5383] finished successfully.
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]

AD TRUST USER
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_CfhZS2 if of different type than ccache in configuration file, reusing the old ccache
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5414] finished successfully.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed

* I did note the [Internal Error (System error)] & the 3,95,User lookup failed, but I don't know specifics of these calls

USING SUDO-LDAP

[root@rhidmclient ~]# cat /etc/nsswitch.conf
....
sudoers: files ldap

[root@rhidmclient ~]# cat /etc/sudo-ldap.conf
....
bindn uid=sudo,cn=sysaccounts,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
bindpw xxxx
ssl start_tls
uri ldap://didmsvrua01.nix.corpnonprd.xxxx.com
sudoers_base ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudoers_debug 1
tls_cacertfile /etc/ipa/ca.crt

LOCAL IDM USER
-sh-4.1$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudo: ldap search '(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for atest:
Your password will expire in 89 day(s).
sudo: ldap search for command list
sudo: reusing previous result (user atest) with 0 entries
User atest is not allowed to run sudo on rhidmclient.
sudo: removing reusable search result
-sh-4.1$

AD TRUST USER
-sh-4.1$ sudo -l
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
sudo: ldap search '(|(sudoUser=btest@corpnonprd.xxxx.com)(sudoUser=%btest@corpnonprd.xxxx.com)(sudoUser=%#59401108)(sudoUser=%domain admins@corpnonprd.xxxx.com)(sudoUser=%domain users@corpnonprd.xxxx.com)(sudoUser=%seca@corpnonprd.xxxx.com)(sudoUser=%ad_admins)(sudoUser=%#59400512)(sudoUser=%#59400513)(sudoUser=%#59401113)(sudoUser=%#818800006)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: perform search for pwflag 52
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0x82
[sudo] password for btest@corpnonprd.xxxx.com:
Your password will expire in 8908 day(s).
sudo: ldap search for command list
sudo: reusing previous result (user btest@corpnonprd.xxxx.com) with 0 entries
User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
sudo: removing reusable search result
-sh-4.1$

hope you guys can provide some support

Thx
Aly
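The SSSD backend log and the sudoers_debug output in the post above are easier to read once requests are paired with the results that answer them. The following Python script is an added example (not part of this thread, of SSSD or of sudo): it pairs each be_get_account_info request with its acctinfo_callback result, attaches every "Backend returned" status to the PAM request it belongs to, flags lines logged at SSSD level 0x0040 (serious) or worse, and records each LDAP filter sudo issued together with the entry count it got back. The function name triage and the SAMPLE lines are mine; SAMPLE is a constructed, shortened copy of the output in the post so the script runs offline.

```python
"""Triage helper for the two outputs in the post above: SSSD backend log lines
and sudo's sudoers_debug lines.  Added example, not part of the thread, of SSSD
or of sudo.  SAMPLE is constructed: shortened copies of the post's output."""
import re

SSSD_RE = re.compile(
    r"^\([^)]+\) \[sssd\[be\[[^\]]+\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Got request for \[\d+\]\[\d+\]\[name=(?P<name>[^\]]+)\]")
RET_RE = re.compile(r"Returned (?P<status>\d+),(?P<errno>\d+),(?P<text>.*)$")
PAM_RET_RE = re.compile(
    r"Backend returned: \((?P<status>\d+), (?P<errno>\d+), ?(?P<text>[^)]*)\)"
    r" \[(?P<label>[^\]]+)\]")
SUDO_SEARCH_RE = re.compile(r"^sudo: ldap search '(?P<filter>.*)'$")
SUDO_COUNT_RE = re.compile(r"^sudo: result now has (?P<n>\d+) entries$")
SERIOUS = 0x0040  # SSSD levels 0x0010/0x0020/0x0040 are fatal/critical/serious


def triage(lines):
    """Correlate requests with their results across both log formats."""
    lookups, pam, serious, sudo_searches = [], [], [], []
    pending = []    # lookup names whose acctinfo_callback has not arrived yet
    current = None  # PAM request being described by pam_print_data lines
    for raw in lines:
        line = raw.strip()
        m = SUDO_SEARCH_RE.match(line)
        if m:  # sudo prints the filter first, the entry count a few lines later
            sudo_searches.append([m.group("filter"), None])
            continue
        m = SUDO_COUNT_RE.match(line)
        if m and sudo_searches:
            sudo_searches[-1][1] = int(m.group("n"))
            continue
        m = SSSD_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if int(m.group("level"), 16) <= SERIOUS:
            serious.append((func, msg))
        if func == "be_get_account_info":
            m = REQ_RE.search(msg)
            if m:
                pending.append(m.group("name"))
        elif func == "acctinfo_callback":
            m = RET_RE.search(msg)
            if m and pending:  # callbacks arrive in request order
                lookups.append((pending.pop(0), int(m.group("status")),
                                m.group("text")))
        elif func == "be_pam_handler":
            current = {"returns": []}
            pam.append(current)
        elif func == "pam_print_data" and current is not None:
            key, _, value = msg.partition(":")
            current[key.strip()] = value.strip()
        elif func == "be_pam_handler_callback" and current is not None:
            m = PAM_RET_RE.search(msg)
            if m:  # several providers answer one request; keep every status
                current["returns"].append((int(m.group("status")),
                                           int(m.group("errno")),
                                           m.group("label")))
    return {
        "lookups": lookups,
        "failed_users": sorted({n for n, s, _ in lookups if s != 0}),
        "pam": pam,
        "failed_pam": [p for p in pam if any(s != 0 for s, _, _ in p["returns"])],
        "serious": serious,
        "sudo_searches": [tuple(s) for s in sudo_searches],
    }


SAMPLE = """\
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=atest]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
(Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
sudo: ldap search '(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'
sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: result now has 0 entries
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE.splitlines()).items():
        print(key, value)
```

Run it against the full /var/log/sssd file and the sudoers_debug output with `triage(open(path).read().splitlines())`; the `failed_users`, `failed_pam` and `serious` entries are the lines worth reading first.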
From dpal at redhat.com Wed Apr 24 17:01:41 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 24 Apr 2013 13:01:41 -0400
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
In-Reply-To:
References:
Message-ID: <51780FF5.4090301@redhat.com>

On 04/24/2013 12:38 PM, Aly Khimji wrote:
> Hey All,
>
> Hoping you can help out I have provided all details below. I have
> broken up diagnostics into sudo-ldap for AD/IPA users and sudo-sss for
> for AD/IPA users.
> Quick background. Have a 2003 Domain, with an IPA Trust Established
> and working. AD users and well as local IPA users are able to login
> into clients, HBAC with both type of users work as expected. Problem
> is with SUDO. sudo uid has been configured, and I have followed the
> RedHat IDM Setup docs for v3. AD users have been nested as required
>
> AD users -> AD Grp -> IPA Ext Grp -> IPA Posix Grp -->HBAC/SUDO
> applied to this group
> IPA User -> Same HBAC/SUDO as above
>
> When using sudo-ldap on the client side neither local IPA users or AD
> users are able to use sudo(see below), when using sudo through sssd
> only the local IPA user is able to fetch the correct sudo rules.
> > atest = local IPA user > btest = AD trust user > > > All platforms are RHEL6.4 fully updated 64bit > > Server Pkgs > libipa_hbac-python-1.9.2-82.4.el6_4.x86_64 > ipa-python-3.0.0-26.el6_4.2.x86_64 > ipa-client-3.0.0-26.el6_4.2.x86_64 > ipa-server-3.0.0-26.el6_4.2.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > ipa-server-trust-ad-3.0.0-26.el6_4.2.x86_64 > libipa_hbac-1.9.2-82.4.el6_4.x86_64 > ipa-admintools-3.0.0-26.el6_4.2.x86_64 > ipa-server-selinux-3.0.0-26.el6_4.2.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > > libsss_idmap-1.9.2-82.4.el6_4.x86_64 > sssd-1.9.2-82.4.el6_4.x86_64 > libsss_autofs-1.9.2-82.4.el6_4.x86_64 > sssd-client-1.9.2-82.4.el6_4.x86_64 > > sudo-1.8.6p3-7.el6.x86_64 > > Client Pkgs > ipa-python-3.0.0-25.el6.x86_64 > python-iniparse-0.3.1-2.1.el6.noarch > libipa_hbac-python-1.9.2-82.el6.x86_64 > ipa-client-3.0.0-25.el6.x86_64 > libipa_hbac-1.9.2-82.el6.x86_64 > > sssd-1.9.2-82.el6.x86_64 > libsss_sudo-1.9.2-82.el6.x86_64 > sssd-client-1.9.2-82.el6.x86_64 > libsss_autofs-1.9.2-82.el6.x86_64 > libsss_idmap-1.9.2-82.el6.x86_64 > > sudo-1.8.6p3-7.el6.x86_6 > > > Diag when using SUDO-> SSS > > LOCAL IDM USER > -sh-4.1$ sudo -l > Matching Defaults entries for atest on this host: > requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS > DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", > env_keep+="MAIL PS1 > PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE > LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY > LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL > LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", > secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin > > User atest may run the following commands on this host: > (root : wheel) /usr/bin/less > -sh-4.1$ > > > AD TRUST USER > -sh-4.1$ sudo -l > [sudo] password for btest at corpnonprd.xxxx.com > : > User btest at corpnonprd.xxxx.com is > not allowed to run sudo on rhidmclient. 
> -sh-4.1$
>
>
> [root@rhidmclient ~]# cat /etc/nsswitch.conf
> ....
> sudoers: files sss
>
>
> /etc/sssd/sssd.conf (CLIENT)
>
> [domain/nix.corpnonprd.xxxx.com]
> debug_level = 5
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = nix.corpnonprd.xxxx.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = rhidmclient.nix.corpnonprd.xxxx.com
>
> chpass_provider = ipa
> ipa_server = _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
>
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> sudo_provider = ldap
> ldap_uri = ldap://didmsvrua01.nix.corpnonprd.xxxx.com
>
> ldap_sudo_search_base = ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/rhidmclient.nix.corpnonprd.xxxx.com
>
> ldap_sasl_realm = NIX.CORPNONPRD.XXXX.COM
> krb5_server = didmsvrua01.nix.corpnonprd.XXXX.com
>
>
> subdomains_provider = ipa
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam, ssh, sudo, pac
>
> [sudo]
>
>
>
> /etc/krb5.conf (CLIENT)
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = NIX.CORPNONPRD.xxxx.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> NIX.CORPNONPRD.xxxx.COM = {
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   auth_to_local = RULE:[1:$1@$0](^.*@CORPNONPRD.xxxx.COM$)s/@CORPNONPRD.xxxx.COM/@corpnonprd.xxxx.com/
>   auth_to_local = DEFAULT
> }
>
> [domain_realm]
> .nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
> nix.corpnonprd.xxxx.com = NIX.CORPNONPRD.xxxx.COM
>
>
> /var/log/sssd output (CLIENT) when triggering $> sudo -l
>
> LOCAL IDM USER
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=atest]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_initgr_nested_search] (0x0040): Search for group ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com, returned 0 results. Skipping
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0080): TGT is valid.
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_818800005_KVeSdP if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5383] finished successfully.
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: nix.corpnonprd.xxxx.com
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: atest
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5382
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][nix.corpnonprd.xxxx.com]
> (Wed Apr 24 10:56:30 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][nix.corpnonprd.xxxx.com]
>
>
>
> AD TRUST USER
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 10:57:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_CfhZS2 if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [5414] finished successfully.
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/3
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 5412
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 10:57:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
>
> * I did note the [Internal Error (System error)] & the 3,95,User lookup failed, but I don't know the specifics of these calls
>
>
>
> USING SUDO-LDAP
>
> [root@rhidmclient ~]# cat /etc/nsswitch.conf
> ....
> sudoers: files ldap
>
> [root@rhidmclient ~]# cat /etc/sudo-ldap.conf
> ....
> bindn uid=sudo,cn=sysaccounts,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> bindpw xxxx
> ssl start_tls
> uri ldap://didmsvrua01.nix.corpnonprd.xxxx.com
>
> sudoers_base ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudoers_debug 1
> tls_cacertfile /etc/ipa/ca.crt
>
>
>
> LOCAL IDM USER
> -sh-4.1$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudo: ldap search '(|(sudoUser=atest)(sudoUser=%atest)(sudoUser=%#818800005)(sudoUser=ALL))'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: perform search for pwflag 52
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(52)=0x82
> [sudo] password for atest:
> Your password will expire in 89 day(s).
> sudo: ldap search for command list
> sudo: reusing previous result (user atest) with 0 entries
> User atest is not allowed to run sudo on rhidmclient.
> sudo: removing reusable search result
> -sh-4.1$
>
>
> AD TRUST USER
> -sh-4.1$ sudo -l
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: no default options found in ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> sudo: ldap search '(|(sudoUser=btest@corpnonprd.xxxx.com)(sudoUser=%btest@corpnonprd.xxxx.com)(sudoUser=%#59401108)(sudoUser=%domain admins@corpnonprd.xxxx.com)(sudoUser=%domain users@corpnonprd.xxxx.com)(sudoUser=%seca@corpnonprd.xxxx.com)(sudoUser=%ad_admins)(sudoUser=%#59400512)(sudoUser=%#59400513)(sudoUser=%#59401113)(sudoUser=%#818800006)(sudoUser=ALL))'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: perform search for pwflag 52
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(52)=0x82
> [sudo] password for btest@corpnonprd.xxxx.com:
> Your password will expire in 8908 day(s).
> sudo: ldap search for command list
> sudo: reusing previous result (user btest@corpnonprd.xxxx.com) with 0 entries
> User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
> sudo: removing reusable search result
> -sh-4.1$
>
> hope you guys can provide some support

I am not sure that sudo-ldap would work for the trust case at all. The resolution of a user to a sudo rule via his AD group membership to IPA groups is tricky and is done by SSSD. sudo natively can't resolve it, as part of the data is not stored in LDAP but taken from the Kerberos ticket that the user has.

I suspect that sudo does not work for the AD user in the SSSD test above because the user has never authenticated. The user should authenticate and get on the box first, either via SSH or via a direct login into the box. In both cases there will be a Kerberos TGT acquired for this user. The TGT will come from AD and will have an MS-PAC, a blob of authorization data that contains the list of the groups the user is a member of. One of the groups should be a member of the IPA group, so the user would be resolved to the right sudo rule(s). Right now the data about the AD group membership is missing. Please authenticate with the test user and try again.

> Thx
>
> Aly
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From aly.khimji at gmail.com Wed Apr 24 17:20:15 2013
From: aly.khimji at gmail.com (Aly Khimji)
Date: Wed, 24 Apr 2013 13:20:15 -0400
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
In-Reply-To: <51780FF5.4090301@redhat.com>
References: <51780FF5.4090301@redhat.com>
Message-ID: 

Hey,

Thanks for the quick reply. See below.

Client

login as: btest@corpnonprd
btest@corpnonprd@10.137.216.163's password:
Your password will expire in 8908 day(s).
Last login: Wed Apr 24 11:13:47 2013 from 10.110.124.80
Could not chdir to home directory /home/CorpNonPrd.xxxx.com/btest: No such file or directory
-sh-4.1$ id
uid=59401108(btest@corpnonprd.xxxx.com) gid=59401108(btest@corpnonprd.xxxx.com) groups=59401108(btest@corpnonprd.xxxx.com),59400512(domain admins@corpnonprd.xxxx.com),59400513(domain users@corpnonprd.xxxx.com),59401113(seca@corpnonprd.xxxx.com),818800006(ad_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ sudo -l
[sudo] password for btest@corpnonprd.xxxx.com:
Your password will expire in 8908 day(s).
User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
-sh-4.1$

Logs (I cleared the logs, so the logs below are only the above actions: login, id, sudo -l)

(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=btest]
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/rhidmclient.nix.corpnonprd.xxxx.com
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [6032] finished successfully.
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_Qv9FNY if of different type than ccache in configuration file, reusing the old ccache
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [6033] finished successfully.
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6035
(Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Wed Apr 24 13:07:19 2013)
[sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401108] (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512] (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513] (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113] (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=818800006] (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x0040): Failed to save user ad_admins (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members. (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest at CorpNonPrd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/5 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest at corpnonprd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11 (Wed Apr 24 13:07:35 
2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6061 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed. (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_Qv9FNY if of different type than ccache in configuration file, reusing the old ccache (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] (Wed Apr 24 13:07:35 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [6062] finished successfully. (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest at CorpNonPrd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/5 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest at corpnonprd.xxxx.com (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6061 (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest] (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. (Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0020): Unknown client removed ... 
(Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NIX.CORPNONPRD.xxxx.COM], [2][No such file or directory]

Thx
Aly

From jhrozek at redhat.com Wed Apr 24 18:51:45 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 24 Apr 2013 20:51:45 +0200
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
In-Reply-To:
References: <51780FF5.4090301@redhat.com>
Message-ID: <20130424185145.GN24896@hendrix.brq.redhat.com>

On Wed, Apr 24, 2013 at 01:20:15PM -0400, Aly Khimji wrote:
> Hey,
>
> Thanks for the quick reply.
>
> See below
>
> Client

Hi Aly,

I no longer remember the details, but according to the git history, we did some fixes for trusted AD users: https://fedorahosted.org/sssd/ticket/1616

I'm adding Pavel Brezina who wrote that support to chime in.

> login as: btest@corpnonprd
> btest@corpnonprd@10.137.216.163's password:
> Your password will expire in 8908 day(s).
> Last login: Wed Apr 24 11:13:47 2013 from 10.110.124.80
> Could not chdir to home directory /home/CorpNonPrd.xxxx.com/btest: No such file or directory
>
> -sh-4.1$ id
> uid=59401108(btest@corpnonprd.xxxx.com) gid=59401108(btest@corpnonprd.xxxx.com) groups=59401108(btest@corpnonprd.xxxx.com),59400512(domain admins@corpnonprd.xxxx.com),59400513(domain users@corpnonprd.xxxx.com),59401113(seca@corpnonprd.xxxx.com),818800006(ad_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> -sh-4.1$ sudo -l
> [sudo] password for btest@corpnonprd.xxxx.com:
> Your password will expire in 8908 day(s).
> User btest@corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
> -sh-4.1$
>
>
> Logs
> (I cleared the logs so the logs below are only the above actions - login, id, sudo -l)
>
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=btest]
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/rhidmclient.nix.corpnonprd.xxxx.com
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [6032] finished successfully.
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 13:07:18 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_Qv9FNY if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [6033] finished successfully.
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 1
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6030
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sshd
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: ssh
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser:
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: 10.110.124.80
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6035
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401108]
> (Wed Apr 24 13:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512]
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513]
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113]
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=818800006]
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x0040): Failed to save user ad_admins
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
> (Wed Apr 24 13:07:20 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=btest]
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: btest@CorpNonPrd.xxxx.com
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/5
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: btest@corpnonprd.xxxx.com
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 6061
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_Qv9FNY if of different type than ccache in configuration file, reusing the old ccache
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Wed Apr 24 13:07:35
2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x0100): child [6062] finished successfully. > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=btest] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler] (0x0100): Got request with the following data > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): user: btest at CorpNonPrd.xxxx.com > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): service: sudo > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): tty: /dev/pts/5 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): ruser: btest at corpnonprd.xxxx.com > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): rhost: > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok type: 0 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok size: 0 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): newauthtok type: 0 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): newauthtok size: 0 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[pam_print_data] (0x0100): priv: 0 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): cli_pid: 6061 > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_selinux_handler] (0x0040): Cannot create op context > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) > [Internal Error (System error)] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=btest] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=btest] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. 
> (Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_client_destructor] (0x0020): Unknown client removed ... > (Wed Apr 24 13:07:48 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/ > kpasswdinfo.NIX.CORPNONPRD.xxxx.COM], [2][No such file or directory] > > > Thx > > Aly > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From cevich at redhat.com Wed Apr 24 20:30:23 2013 From: cevich at redhat.com (Chris Evich) Date: Wed, 24 Apr 2013 16:30:23 -0400 Subject: [Freeipa-users] A public interface (aka My account management) In-Reply-To: <5177D0F6.6070204@redhat.com> References: <5177C7C0.4020702@cica.es> <5177D0F6.6070204@redhat.com> Message-ID: <517840DF.50401@redhat.com> On 04/24/2013 08:32 AM, Tomas Babej wrote: > On 04/24/2013 01:53 PM, Arturo Borrero wrote: >> Hi there. >> >> I'm wondering if it's possible to get FreeIPA with a 'public user >> interface'. >> This is: a place where a standard user can update his password and >> other personal data. I'm thinking in something similar to >> google.com/accounts >> >> Does this exist? If not, is it possible to develop this addon? >> >> We are strongly evaluating this functionality in order to actually >> implement FreeIPA as our identity management system. >> >> Best regards > Hi, > > every user can log in to the Web UI using their login and Kerberos > password. > > Having no other rights, there they can only edit their contact > information, address information, reset their password, etc. > > See /ipa/ui/ on your FreeIPA server, that is > https://ipa.example.com/ipa/ui/ > Having played with it off/on a year or so ago, IIRC it's relatively easy to get apache + SSL speaking with LDAP + Kerberos. Even ignoring the direct python IPA interface. 
With some server-side scripting (I did it in python) you could emulate most of what's on the google accounts-page. The hardest part I found was getting my head around the lower-level LDAP + Kerberos python interfaces. However, going from understanding common-operations of both technologies from the command-line level to working with the APIs isn't a very long road. Depending on how "pretty" the web-site needs to be, the "code one yourself" approach could be feasible, given educated developer resources. Since it sounds like your requirements are fairly basic, this may be an option to consider. (No I'm not volunteering, though it sounds fun :) Otherwise, I've also used the built-in web interface. It may be a bit cluttered for someone who _just_ needs to change a password or other very simplistic task (compared to google accounts-page). However, if your users are somewhat technically-minded, they shouldn't have any trouble with the built-in self-service UI. It also offers a HUGE benefit to greatly extend self-service to the n-th degree, when its multi-level rights-management features are used. -- Chris Evich, RHCA, RHCE, RHCDS, RHCSS Quality Assurance Engineer From mkosek at redhat.com Thu Apr 25 08:30:29 2013 From: mkosek at redhat.com (Martin Kosek) Date: Thu, 25 Apr 2013 10:30:29 +0200 Subject: [Freeipa-users] A public interface (aka My account management) In-Reply-To: <517840DF.50401@redhat.com> References: <5177C7C0.4020702@cica.es> <5177D0F6.6070204@redhat.com> <517840DF.50401@redhat.com> Message-ID: <5178E9A5.9030606@redhat.com> On 04/24/2013 10:30 PM, Chris Evich wrote: > On 04/24/2013 08:32 AM, Tomas Babej wrote: >> On 04/24/2013 01:53 PM, Arturo Borrero wrote: >>> Hi there. >>> >>> I'm wondering if it's possible to get FreeIPA with a 'public user >>> interface'. >>> This is: a place where a standard user can update his password and >>> other personal data. I'm thinking in something similar to >>> google.com/accounts >>> >>> Does this exist? 
If not, is it possible to develop this addon? >>> >>> We are strongly evaluating this functionality in order to actually >>> implement FreeIPA as our identity management system. >>> >>> Best regards >> Hi, >> >> every user can log in to the Web UI using their login and Kerberos >> password. >> >> Having no other rights, there they can only edit their contact >> information, address information, reset their password, etc. >> >> See /ipa/ui/ on your FreeIPA server, that is >> https://ipa.example.com/ipa/ui/ >> =user&navigation=identity&user-pkey=random&user-facet=details> > > Having played with it off/on a year or so ago, IIRC it's relatively > easy to get apache + SSL speaking with LDAP + Kerberos. Even ignoring > the direct python IPA interface. With some server-side scripting (I did > it in python) you could emulate most of what's on the google > accounts-page. > > The hardest part I found was getting my head around the lower-level LDAP > + Kerberos python interfaces. However, going from understanding > common-operations of both technologies from the command-line level to > working with the APIs isn't a very long road. > > Depending on how "pretty" the web-site needs to be, the "code one > yourself" approach could be feasible, given educated developer > resources. Since it sounds like your requirements are fairly basic, > this may be an option to consider. (No I'm not volunteering, though it > sounds fun :) > > Otherwise, I've also used the built-in web interface. It may be a bit > cluttered for someone who _just_ needs to change a password or other > very simplistic task (compared to google accounts-page). However, if > your users are somewhat technically-minded, they shouldn't have any > trouble with the built-in self-service UI. It also offers a HUGE > benefit to greatly extend self-service to the n-th degree, when its > multi-level rights-management features are used. > Hello Chris, Thanks for the info! 
Do you have any specific suggestions which would help you make the user self-service page more acceptable for regular users? Having users build their own self-service pages instead of using the vanilla self-service page does not seem like something we would like to have. We are already considering simplifying the self-service page, so any suggestions and ideas for improving it are welcome. Martin From aborrero at cica.es Thu Apr 25 08:49:32 2013 From: aborrero at cica.es (Arturo Borrero) Date: Thu, 25 Apr 2013 10:49:32 +0200 Subject: [Freeipa-users] A public interface (aka My account management) In-Reply-To: <5178E9A5.9030606@redhat.com> References: <5177C7C0.4020702@cica.es> <5177D0F6.6070204@redhat.com> <517840DF.50401@redhat.com> <5178E9A5.9030606@redhat.com> Message-ID: <5178EE1C.10202@cica.es> On 25/04/13 10:30, Martin Kosek wrote: > On 04/24/2013 10:30 PM, Chris Evich wrote: >> On 04/24/2013 08:32 AM, Tomas Babej wrote: >>> On 04/24/2013 01:53 PM, Arturo Borrero wrote: >>>> Hi there. >>>> >>>> I'm wondering if it's possible to get FreeIPA with a 'public user >>>> interface'. >>>> This is: a place where a standard user can update his password and >>>> other personal data. I'm thinking in something similar to >>>> google.com/accounts >>>> >>>> Does this exist? If not, is it possible to develop this addon? >>>> >>>> We are strongly evaluating this functionality in order to actually >>>> implement FreeIPA as our identity management system. >>>> >>>> Best regards >>> Hi, >>> >>> every user can log in to the Web UI using their login and Kerberos >>> password. >>> >>> Having no other rights, there they can only edit their contact >>> information, address information, reset their password, etc. 
>>> >>> See /ipa/ui/ on your FreeIPA server, that is >>> https://ipa.example.com/ipa/ui/ >>> > =user&navigation=identity&user-pkey=random&user-facet=details> >> >> Having played with it off/on a year or so ago, IIRC it's relatively >> easy to get apache + SSL speaking with LDAP + Kerberos. Even ignoring >> the direct python IPA interface. With some server-side scripting (I did >> it in python) you could emulate most of what's on the google >> accounts-page. >> >> The hardest part I found was getting my head around the lower-level LDAP >> + Kerberos python interfaces. However, going from understanding >> common-operations of both technologies from the command-line level to >> working with the APIs isn't a very long road. >> >> Depending on how "pretty" the web-site needs to be, the "code one >> yourself" approach could be feasible, given educated developer >> resources. Since it sounds like your requirements are fairly basic, >> this may be an option to consider. (No I'm not volunteering, though it >> sounds fun :) >> >> Otherwise, I've also used the built-in web interface. It may be a bit >> cluttered for someone who _just_ needs to change a password or other >> very simplistic task (compared to google accounts-page). However, if >> your users are somewhat technically-minded, they shouldn't have any >> trouble with the built-in self-service UI. It also offers a HUGE >> benefit to greatly extend self-service to the n-th degree, when its >> multi-level rights-management features are used. >> > Hello Chris, > > Thanks for the info! Do you have any specific suggestions which would help you make > the user self-service page more acceptable for regular users? Having users > build their own self-service pages instead of using the vanilla self-service > page does not seem like something we would like to have. > > We are already considering simplifying the self-service page, so any > suggestions and ideas for improving it are welcome. 
> Hi all, thanks all for your quick and deep response. FreeIPA is an amazing tool :-) Best regards. -- Arturo Borrero González Departamento de Seguridad Informática (nis at cica.es) Centro Informático Científico de Andalucía (CICA) Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain) Tfno.: +34 955 056 600 / FAX: +34 955 056 650 Consejería de Economía, Innovación, Ciencia y Empleo Junta de Andalucía From pbrezina at redhat.com Thu Apr 25 10:38:18 2013 From: pbrezina at redhat.com (Pavel Březina) Date: Thu, 25 Apr 2013 12:38:18 +0200 Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO In-Reply-To: References: <51780FF5.4090301@redhat.com> Message-ID: <5179079A.9020904@redhat.com> On 04/24/2013 07:20 PM, Aly Khimji wrote: > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context > (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] Hi, this looks like a selinux problem to me. What happens when you set selinux to permissive? Also, does this problem occur only with sudo, or are other services affected too (id, authentication, ssh)? Can you please perform the following commands? It will remove cache and logs, so do it in a safe non-production environment. 
As root: # service sssd stop # rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/* # service sssd start As normal user: $ su ad-user@trusted-domain $ sudo -l $ exit And send us the sanitized logs (all of them). Thank you. From sbose at redhat.com Thu Apr 25 11:36:17 2013 From: sbose at redhat.com (Sumit Bose) Date: Thu, 25 Apr 2013 13:36:17 +0200 Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO In-Reply-To: <5179079A.9020904@redhat.com> References: <51780FF5.4090301@redhat.com> <5179079A.9020904@redhat.com> Message-ID: <20130425113617.GK29324@localhost.localdomain> On Thu, Apr 25, 2013 at 12:38:18PM +0200, Pavel Březina wrote: > On 04/24/2013 07:20 PM, Aly Khimji wrote: > >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] > >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. > >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context This issue is already known: https://bugzilla.redhat.com/show_bug.cgi?id=954342 and https://fedorahosted.org/sssd/ticket/1892 . I will send a fix for this to sssd-devel soon. bye, Sumit > >(Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] > > Hi, > this looks like a selinux problem to me. What happens when you set > selinux to permissive? > > Also, does this problem occur only with sudo, or are other services > affected too (id, authentication, ssh)? > > Can you please perform the following commands? It will remove cache and > logs, so do it in a safe non-production environment. 
> > As root: > # service sssd stop > # rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/* > # service sssd start > > As normal user: > $ su ad-user@trusted-domain > $ sudo -l > $ exit > > And send us the sanitized logs (all of them). > > Thank you. From aly.khimji at gmail.com Thu Apr 25 14:16:51 2013 From: aly.khimji at gmail.com (Aly Khimji) Date: Thu, 25 Apr 2013 10:16:51 -0400 Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO In-Reply-To: <5179079A.9020904@redhat.com> References: <51780FF5.4090301@redhat.com> <5179079A.9020904@redhat.com> Message-ID: Hey guys, So selinux has been in permissive mode this whole time. As per your request, I first logged in with a local user (local to the system), and then attempted to su to the AD user, which worked. I then attempted to sudo -l, which failed. I have sanitized and provided logs below. Debugging is at 8, so hopefully it's OK and not too verbose. ldap, krb5, and sssd logs are the only logs with data in them. Thanks for your help guys. nixadmin is the local user; akhimji is the AD trust user. ldap_child.log (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [main] (0x0400): ldap_child started. 
(Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [main] (0x2000): context initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): total buffer size: 83 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): realm_str size: 25 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): princ_str size: 42 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): keytab_name size: 0 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [unpack_buffer] (0x1000): lifetime: 86400 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [main] (0x2000): getting TGT sync (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NIX.CORPNONPRD.xxxx.COM ] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored (Thu 
Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [prepare_response] (0x0400): Building response for result [0] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [pack_buffer] (0x2000): response size: 73 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10010]]]] [main] (0x0400): ldap_child completed successfully (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [main] (0x0400): ldap_child started. (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [main] (0x2000): context initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): total buffer size: 83 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): realm_str size: 25 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): princ_str size: 42 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): keytab_name size: 0 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [unpack_buffer] (0x1000): lifetime: 86400 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [main] (0x2000): getting TGT sync (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NIX.CORPNONPRD.xxxx.COM ] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: 
[host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [prepare_response] (0x0400): Building response for result [0] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [pack_buffer] (0x2000): response size: 73 (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:22 2013) [[sssd[ldap_child[10012]]]] [main] (0x0400): ldap_child completed successfully sssd_nix.corpnonprd.xxxx.com.log (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [confdb_get_domain_internal] (0x0400): No enumeration for [ nix.corpnonprd.xxxx.com]! 
(0x0400): Option ldap_sudo_use_host_filter is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option 
ldap_tls_cipher_suite has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/ rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option 
account_cache_expiration has value 0 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_order has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[dp_get_options] (0x0400): Option ldap_page_size has value 1000 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: 
[DEFAULT][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Will look for host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM in default keytab (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [match_principal] (0x1000): Principal matched to the sample (host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM). (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/ rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected realm: NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/ rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to NIX.CORPNONPRD.xxxx.COM (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: 
[IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_member_of 
has value memberOf (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value nsUniqueId (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration (Thu 
Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has 
value gidNumber (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value nsUniqueId (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value ipaHostgroup (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_member has value member (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort (Thu Apr 25 10:04:22 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value hostCategory (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_lifetime] (0x0200): No lifetime configured. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_lifetime] (0x0200): No lifetime configured. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_options] (0x0100): ccache is of type FILE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): AUTH backend target successfully loaded from provider [ipa]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_domain has value nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_server has value _srv_, didmsvrua01.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_backup_server has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hostname has value rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_update is FALSE (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_iface has no value (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Thu Apr 25 10:04:22 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option krb5_realm has value NIX.CORPNONPRD.xxxx.COM
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_refresh has value 5
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_automount_location has value default
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): CHPASS backend target successfully loaded from provider [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Loading backend [ldap] with path [/usr/lib64/sssd/libsss_ldap.so].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_uri has value ldap://didmsvrua01.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has value password
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_schema has value rfc2307
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 10800
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/rhidmclient.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value NIX.CORPNONPRD.xxxx.COM
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option account_cache_expiration has value 0
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_order has value filter
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_get_options] (0x0200): Search base not set, trying to discover it later when connecting to the LDAP server.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value memberuid
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_name has value cn
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_uuid has value nsUniqueId
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ldap_id_init] (0x1000): Service name for discovery set to ldap
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'LDAP'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_urls_init] (0x0400): Added URI ldap://didmsvrua01.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'LDAP'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_init] (0x0040): Missing krb5_realm option, will use libkrb default
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_get_default_realm] (0x1000): Will use default realm NIX.CORPNONPRD.xxxx.COM
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'KERBEROS'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'KERBEROS'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_servers_init] (0x0400): Added Server didmsvrua01.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1366898672.603368
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_init] (0x2000): Initializing sudo LDAP back end
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_get_sudo_options] (0x0400): Search base not set, trying to discover it later connecting to the LDAP server.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: 10.137.216.163 in network 10.137.216.160/28
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found fqdn: rhidmclient.nix.corpnonprd.xxxx.com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found hostname: rhidmclient
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): SUDO backend target successfully loaded from provider [ldap].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ipa_autofs_init] (0x2000): Initializing IPA autofs handler
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_autofs_init] (0x2000): Initializing autofs LDAP back end
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_autofs_options] (0x1000): Option ldap_autofs_search_base set to cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): autofs backend target successfully loaded from provider [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [main] (0x0400): Backend provider (nix.corpnonprd.xxxx.com) started!
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1366898662
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in files
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'resolving name'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in files
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in DNS
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_timeout] (0x2000): 0xe62d50
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [request_watch_destructor] (0x0400): Deleting request watch
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'name resolved'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://didmsvrua01.nix.corpnonprd.xxxx.com'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://didmsvrua01.nix.corpnonprd.xxxx.com:389/??base] with fd [21].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[0xe80400], ldap[0xe83380]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[0xe80400], ldap[0xe83380]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultnamingcontext]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastusn]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[0xe80400], ldap[0xe83380]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/rhidmclient.nix.corpnonprd.xxxx.com, NIX.CORPNONPRD.xxxx.COM, 86400)
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved'
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 83 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10010] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10010] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[(nil)], ldap[0xe83380] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xe92680. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection E92680 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0xe92940/0xe8da00 (22), -/W (disabled) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xe92bb0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xe92ec0. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection E92EC0 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0xe93310/0xe92a30 (23), -/W (disabled) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xe93580] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xe94cf0. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection E94CF0 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0xe95420/0xe94820 (24), -/W (disabled) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xe95690] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xe963e0. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection E963E0 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0xe96ad0/0xe95570 (25), -/W (disabled) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xe96d40] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0xe96d40] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SUDO] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0xe92bb0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SSH] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xe99b30. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection E99B30 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0xe9a100/0xe97f60 (26), -/W (disabled) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xe9a370] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0xe93580] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAC] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0xe95690] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAM] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0xe9a370] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [NSS] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM], expired on [1366985061] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1366899562 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 
25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [10010]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [10010] finished successfully. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost= rhidmclient.nix.corpnonprd.xxxx.com )(sudoHost=rhidmclient)(sudoHost=10.137.216.163)(sudoHost= 10.137.216.160/28)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com ]. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[0xea3b00], ldap[0xe83380] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsUser] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsGroup] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[0xea3b00], ldap[0xe83380] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 1 rules (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_save_sudorule] (0x0400): Adding 
sudo rule sudotest (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [834] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1366920262 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1366899562 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe82a90], connected[1], ops[(nil)], ldap[0xe83380] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. 
Will use DNS discovery domain 'nix.corpnonprd.xxxx.com' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._ tcp.nix.corpnonprd.xxxx.com' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._ tcp.nix.corpnonprd.xxxx.com' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_done] (0x0400): Inserted server ' didmsvrua01.nix.corpnonprd.xxxx.com:389' for service IPA (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// didmsvrua01.nix.corpnonprd.xxxx.com' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to 
[ldap:// didmsvrua01.nix.corpnonprd.xxxx.com:389/??base] with fd [27]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext 
called, msgid = 1 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8e530], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8e530], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultnamingcontext] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_parse_range] (0x2000): No sub-attributes for [lastusn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8e530], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ rhidmclient.nix.corpnonprd.xxxx.com, NIX.CORPNONPRD.xxxx.COM, 86400) (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Thu Apr 25 
10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 83 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10012] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10012] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM], expired on [1366985061] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1366899562 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ rhidmclient.nix.corpnonprd.xxxx.com (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [10012]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [10012] finished successfully. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe82cc0], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe82cc0], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_update_subdomains] (0x0400): Adding sub-domain [CorpNonPrd.xxxx.com]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], 
ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_update_ranges] (0x0400): Adding range [NIX.CORPNONPRD.xxxx.COM_id_range]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_update_ranges] (0x0400): Adding range [CORPNONPRD.xxxx.COM_id_range]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 7 (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [not forced][] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8efb0], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8efb0], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9 (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe90c10], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe90c10], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe90c10], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], 
ops[0xe90c10], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10 (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe82cc0], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe82cc0], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe82cc0], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=nixadmin] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nixadmin)(objectclass=posixAccount))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Thu Apr 25 10:04:29 
2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[loginDisabled] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11 (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xea5480], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=nixadmin)) (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=nixadmin] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nixadmin)(objectclass=posixAccount))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu Apr 25 
10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[accountExpires] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12 (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe90060], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=nixadmin)) (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:29 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1366898672)(!(lastLogin=*)))) (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1366898672))) (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1366902272.584663 (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1366898672)(!(lastLogin=*)))) (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1366898672))) (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1366909472.604323 (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[be_get_account_info] (0x0100): Got request for [4097][1][name=akhimji] (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13 (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb42a0], ldap[0xea54e0] (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null) (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][ corpnonprd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fc90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fa90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fa90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8fa90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], 
ops[0xe8fa90], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb3ac0], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb3ac0], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb3ac0], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 10041
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_auth_send] (0x0100): No ccache file for user [akhimji@CorpNonPrd.xxxx.com] found.
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [10042]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [10042]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][CORPNONPRD]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=818800006]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=818800006)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb2840], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [nsUniqueId]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb2840], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_deref_step] (0x0400): Falling back to individual lookups
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_noderef] (0x2000): Looking up missing DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=posixAccount)][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe5f720], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe5f720], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Processing group ad_admins
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x2000): This is a posix group
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] to attributes of [ad_admins].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130424190620Z] to attributes of [ad_admins].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Storing info for group ad_admins
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x1000): Adding member users to group [ad_admins]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x0040): Failed to save user ad_admins
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 20
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xebc4e0], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xebc450], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba090], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][44].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][30].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1366898677][1366898678][1366934677][1366985078].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [safe_remove_old_ccache_file] (0x0200): No old ccache, nothing to do
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [10042].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [10042] finished successfully.
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 10041
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_access_send] (0x0400): Performing access check for user [akhimji@CorpNonPrd.xxxx.com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [akhimji@CorpNonPrd.xxxx.com]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=rhidmclient.nix.corpnonprd.xxxx.com))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba640], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba640], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] using OpenLDAP deref
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb2020], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb2020], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb2020], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACService)]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu
Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for 
[objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 
10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe4be50], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACServiceGroup)] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb9e80], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb9e80], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb9e80], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeb9e80], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: 
[cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= rhidmclient.nix.corpnonprd.xxxx.com ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= rhidmclient.nix.corpnonprd.xxxx.com ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, 
msgid = 27 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xed6b60], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xed6b60], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xed6b60], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_get_generic_ext_done] (0x1000): Total count [0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a user or group. 
Skipping (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [ rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x0400): 
Processing source hosts for rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): [1] groups for [ akhimji at CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [ akhimji at CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
(Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,95,User lookup failed (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 10041 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are 
resolved by the responder directly from the cache. (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 10041 (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=akhimji] (Thu Apr 25 
10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Thu Apr 25 10:04:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401108] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59401108)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] 
(Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28 (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xe8f810], ldap[0xea54e0] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Thu Apr 25 10:04:40 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59400512)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
msgid = 36 (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba640], ldap[0xea54e0] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba640], ldap[0xea54e0] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[0xeba640], ldap[0xea54e0] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_get_generic_ext_done] (0x1000): Total count [0] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a user or group. 
Skipping (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [ rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x0400): 
Processing source hosts for rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): [1] groups for [ akhimji at CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [ akhimji at CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
(Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Thu Apr 25 10:04:43 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0xe93310/0xe92a80 (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0xe93310/0xe92a30 (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. 
(Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0020): Unknown client removed ... (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0xe96ad0/0xe95160 (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0xe96ad0/0xe95570 (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/ kpasswdinfo.NIX.CORPNONPRD.xxxx.COM], [2][No such file or directory] (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0xe82a90], connected[1], ops[(nil)], ldap[0xe83380], destructor_lock[0], release_memory[0] (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0xe8f260], connected[1], ops[(nil)], ldap[0xea54e0], destructor_lock[0], release_memory[0] (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0xe63ac0/0xe5f300 (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed NSS client (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed SUDO client (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed PAM client (Thu Apr 25 10:04:51 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed SSH client krb5_child.log (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [main] (0x0400): krb5_child started. 
(Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [unpack_buffer] (0x1000): total buffer size: [132] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji at CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_XXXXXX] keytab: [/etc/krb5.keytab] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [krb5_child_setup] (0x0400): Will perform online auth (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [krb5_child_setup] (0x0100): Not using FAST. (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769610607] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry. (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [validate_tgt] (0x0400): TGT verified using key for [host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM]. (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [become_user] (0x0200): Trying to become user [59401108][59401108]. 
(Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_XXXXXX] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_mPn8ss] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [prepare_response_message] (0x0400): Building response for result [0] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [pack_response_packet] (0x2000): response packet size: [150] (Thu Apr 25 10:04:38 2013) [[sssd[krb5_child[10042]]]] [main] (0x0400): krb5_child completed successfully (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [main] (0x0400): krb5_child started. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [unpack_buffer] (0x1000): total buffer size: [132] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji at CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_mPn8ss] keytab: [/etc/krb5.keytab] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [krb5_child_setup] (0x0400): Will perform online auth (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [krb5_child_setup] (0x0100): Not using FAST. 
(Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769610603] (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [validate_tgt] (0x0400): TGT verified using key for [host/ rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM]. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [become_user] (0x0200): Trying to become user [59401108][59401108]. (Thu Apr 25 10:04:42 2013) [[sssd[krb5_child[10045]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_mPn8ss] (Thu Apr 25 10:04:43 2013) [[sssd[krb5_child[10045]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_mPn8ss] (Thu Apr 25 10:04:43 2013) [[sssd[krb5_child[10045]]]] [prepare_response_message] (0x0400): Building response for result [0] (Thu Apr 25 10:04:43 2013) [[sssd[krb5_child[10045]]]] [pack_response_packet] (0x2000): response packet size: [150] (Thu Apr 25 10:04:43 2013) [[sssd[krb5_child[10045]]]] [main] (0x0400): krb5_child completed successfully Aly On Thu, Apr 25, 2013 at 6:38 AM, Pavel B?ezina wrote: > On 04/24/2013 07:20 PM, Aly Khimji wrote: > >> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.**com]]] >> [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) >> [Success] >> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.**com]]] >> [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
>
> Hi,
> this looks like a selinux problem to me. What happens when you set
> selinux to permissive?
>
> Also, does this problem occur only with sudo, or are other services
> affected too (id, authentication, ssh)?
>
> Can you please perform the following commands? It will remove cache and logs,
> so do it in a safe non-production environment.
>
> As root:
> # service stop sssd
> # rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
> # service sssd start
>
> As normal user:
> $ su ad-user at trusted-domain
> $ sudo -l
> $ exit
>
> And send us the sanitized logs (all of them).
>
> Thank you.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From nareshbtech at yahoo.com Thu Apr 25 15:24:54 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Thu, 25 Apr 2013 08:24:54 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <5177B428.7020002@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com>
Message-ID: <1366903494.29240.YahooMailNeo@web162103.mail.bf1.yahoo.com>

Hi Jan,
yes, that's correct: client is ldap1 and server is ldap1.

[root at ldap1 ssh]# /usr/bin/sss_ssh_knownhostsproxy -p 22 ldap1.eng.switchlab.net --debug 10
SSH-2.0-OpenSSH_6.1
Protocol mismatch.
[root at ldap1 ssh]# /usr/bin/sss_ssh_authorizedkeys test at eng ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzvp0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDW9X6hJjbcoaY25HrzYvfNOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== tesst at ldap.eng. ssh-rsa AAAAB3NzaC1yc2EAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4yb3prkr4oobGuyKJj/yd+S4Pf7OUzZT2xXzpy0TZAjiLnqlioxnhyZqgLO/Rdg5o+wt3R7H7L9kGDfMtAyBqUBrRqQeYgfGWvoVrm2UhkTcq/jxxACbYZq0Jg7OTFXodV40uAuRKqVgev6W4V+ozrTxpeVRElqTM4cEJ96V0UxLUpZUHvT1exFKk4F1crZ2hLEuPVWOlOj8NS/sQX3DDuDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n test at ubuntu ssh-rsa AAAAB3NzaC1yc2EAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz test at ldap0.eng. Nareshchandra Paturi 14, St. Augustine?s Court, Mornington Road, london. E11 3BQ. Mob:07466666001,07856918100 Ph:02082579579 ________________________________ From: Jan Cholasta To: naresh reddy Cc: Rob Crittenden ; "freeipa-users at redhat.com" Sent: Wednesday, April 24, 2013 11:30 AM Subject: Re: [Freeipa-users] Freeipa -ssh keys On 23.4.2013 20:20, naresh reddy wrote: > Hi Rob > > I am sorry for coming back again > i can see client can get the ssh keys from the server but still fails > please suggest. > > By "client" you mean the machine that you are trying to ssh to, i.e. the machine that has sshd running? If not, make sure sss_ssh_authorizedkeys works on the machine with sshd, because that's the one that matters here. Also, what version of OpenSSH do you have installed? Honza -- Jan Cholasta -------------- next part -------------- An HTML attachment was scrubbed... 
From nareshbtech at yahoo.com Thu Apr 25 17:10:18 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Thu, 25 Apr 2013 10:10:18 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366903494.29240.YahooMailNeo@web162103.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366903494.29240.YahooMailNeo@web162103.mail.bf1.yahoo.com>
Message-ID: <1366909818.17595.YahooMailNeo@web162102.mail.bf1.yahoo.com>

Hi Jan,
I tried to follow this:
https://fedoraproject.org/wiki/QA:Testcase_FreeIPA_realmd_ssh
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/openssh-sssd.html
but am still unable to log in via ssh keys. Please kindly suggest.

OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 -d ENG.SWITCHLAB.COM ldap1.eng.switchlab.net --debug 40
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: permanently_drop_suid: 1000
(Thu Apr 25 17:45:58:088846 2013) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0040): sss_ssh_get_ent() failed (2): No such file or directory
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/np/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[np at ldap0 ~]$ ssh ?-v np at eng.switchlab.net@ldap1.eng.switchlab.net OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 55: Applying options for * debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 -d ENG.SWITCHLAB.COM ?ldap1.eng.switchlab.net --debug 40 debug1: identity file /home/np/.ssh/id_rsa type 1 debug1: identity file /home/np/.ssh/id_rsa-cert type -1 debug1: identity file /home/np/.ssh/id_dsa type -1 debug1: identity file /home/np/.ssh/id_dsa-cert type -1 debug1: permanently_drop_suid: 1000 (Thu Apr 25 18:06:04:463614 2013) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0040): sss_ssh_get_ent() failed (2): No such file or directory debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 debug1: match: OpenSSH_6.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07 debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key. 
debug1: Found key in /home/np/.ssh/known_hosts:1 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. ?Minor code may provide more information Ticket expired debug1: Unspecified GSS failure. ?Minor code may provide more information Ticket expired debug1: Unspecified GSS failure. ?Minor code may provide more information debug1: Unspecified GSS failure. ?Minor code may provide more information Matching credential not found debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/np/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic debug1: Trying private key: /home/np/.ssh/id_dsa debug1: No more authentication methods to try. Permission denied (publickey,gssapi-keyex,gssapi-with-mic). ? Nareshchandra Paturi 14, St. Augustine?s Court, Mornington Road, london. E11 3BQ. Mob:07466666001,07856918100 Ph:02082579579 ________________________________ From: naresh reddy To: Jan Cholasta Cc: Rob Crittenden ; "freeipa-users at redhat.com" Sent: Thursday, April 25, 2013 4:24 PM Subject: Re: [Freeipa-users] Freeipa -ssh keys Hi Jan yes thats correct clinet is ldap1 and server is ldap1. root at ldap1 ssh]# /usr/bin/sss_ssh_knownhostsproxy -p 22 ldap1.eng.switchlab.net --debug 10 SSH-2.0-OpenSSH_6.1 Protocol mismatch. 
[root at ldap1 ssh]# /usr/bin/sss_ssh_authorizedkeys test at eng ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzvp0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDW9X6hJjbcoaY25HrzYvfNOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== tesst at ldap.eng. ssh-rsa AAAAB3NzaC1yc2EAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4yb3prkr4oobGuyKJj/yd+S4Pf7OUzZT2xXzpy0TZAjiLnqlioxnhyZqgLO/Rdg5o+wt3R7H7L9kGDfMtAyBqUBrRqQeYgfGWvoVrm2UhkTcq/jxxACbYZq0Jg7OTFXodV40uAuRKqVgev6W4V+ozrTxpeVRElqTM4cEJ96V0UxLUpZUHvT1exFKk4F1crZ2hLEuPVWOlOj8NS/sQX3DDuDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n test at ubuntu ssh-rsa AAAAB3NzaC1yc2EAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz test at ldap0.eng. Nareshchandra Paturi 14, St. Augustine?s Court, Mornington Road, london. E11 3BQ. Mob:07466666001,07856918100 Ph:02082579579 ________________________________ From: Jan Cholasta To: naresh reddy Cc: Rob Crittenden ; "freeipa-users at redhat.com" Sent: Wednesday, April 24, 2013 11:30 AM Subject: Re: [Freeipa-users] Freeipa -ssh keys On 23.4.2013 20:20, naresh reddy wrote: > Hi Rob > > I am sorry for coming back again > i can see client can get the ssh keys from the server but still fails > please suggest. > > By "client" you mean the machine that you are trying to ssh to, i.e. the machine that has sshd running? If not, make sure sss_ssh_authorizedkeys works on the machine with sshd, because that's the one that matters here. Also, what version of OpenSSH do you have installed? Honza -- Jan Cholasta -------------- next part -------------- An HTML attachment was scrubbed... 
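Jan's point in the quoted reply is that the lookup that matters is sss_ssh_authorizedkeys on the host running sshd, so the practical check is whether the key the client offers is among the keys that command returns. The following is an added example, not code from the thread or from SSSD: it parses sss_ssh_authorizedkeys output and an id_rsa.pub line, compares MD5 fingerprints in the colon form OpenSSH 6.x prints, and flags the "Offering RSA public key" followed by another "Authentications that can continue" pattern visible in the ssh -v output above. All keys and log lines in it are constructed samples.

```python
#!/usr/bin/env python3
"""Check whether the key an SSH client offers is among the keys that
sss_ssh_authorizedkeys serves on the sshd host, and spot a rejected
public-key attempt in 'ssh -v' output. Added example; the sample keys
and log lines below are constructed, not taken from the thread."""
import base64
import binascii
import hashlib
import struct
from typing import Dict, List, Optional, Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': uint32 length + bytes (RFC 4251 s.5)."""
    return struct.pack(">I", len(data)) + data


def make_rsa_pubkey_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob (RFC 4253 s.6.6) from e and n.
    Used only to construct sample keys; an mpint gets a leading zero byte
    when its high bit is set so it is not read as negative."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:
            raw = b"\x00" + raw
        return ssh_string(raw)
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def parse_authorized_key_line(line: str) -> Optional[Tuple[str, bytes, str]]:
    """Parse 'type base64 [comment]' as printed by sss_ssh_authorizedkeys
    or stored in id_rsa.pub. Returns (type, raw_blob, comment) or None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("ssh-"):
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (ValueError, binascii.Error):
        return None
    return parts[0], blob, (parts[2] if len(parts) == 3 else "")


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form OpenSSH 6.x prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def served_fingerprints(sss_output: str) -> Dict[str, str]:
    """Map fingerprint -> comment for every key sss_ssh_authorizedkeys printed."""
    served: Dict[str, str] = {}
    for line in sss_output.splitlines():
        parsed = parse_authorized_key_line(line)
        if parsed is not None:
            served[md5_fingerprint(parsed[1])] = parsed[2]
    return served


def key_is_served(client_pub_line: str, sss_output: str) -> bool:
    """True when the client's public key is one the sshd host would serve."""
    parsed = parse_authorized_key_line(client_pub_line)
    return parsed is not None and md5_fingerprint(parsed[1]) in served_fingerprints(sss_output)


def offered_key_paths(ssh_verbose: str) -> List[str]:
    """Identity files that 'ssh -v' reported offering to the server."""
    prefix = "Offering RSA public key: "
    return [ln.split(prefix, 1)[1].strip() for ln in ssh_verbose.splitlines() if prefix in ln]


def publickey_rejected(ssh_verbose: str) -> bool:
    """True when a key was offered and the server replied with another
    'Authentications that can continue' instead of 'Server accepts key'."""
    offered = False
    for ln in ssh_verbose.splitlines():
        if "Offering RSA public key" in ln:
            offered = True
        elif offered and "Server accepts key" in ln:
            return False
        elif offered and "Authentications that can continue" in ln:
            return True
    return False


def key_line(blob: bytes, comment: str) -> str:
    """Render a blob the way sss_ssh_authorizedkeys and id_rsa.pub show it."""
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample keys: tiny moduli for illustration only, never usable.
_KEY_A = make_rsa_pubkey_blob(65537, 0xC3A7E1F9D2B54086)
_KEY_B = make_rsa_pubkey_blob(65537, 0x8F1D4C6B2E9A7053)
_KEY_C = make_rsa_pubkey_blob(65537, 0xB9E2F7A1D4C38065)
SAMPLE_SSS_OUTPUT = "\n".join([key_line(_KEY_A, "test@ubuntu"), key_line(_KEY_B, "test@ldap0.eng")])
CLIENT_PUB_SERVED = key_line(_KEY_A, "np@ldap0")      # same blob as served key A
CLIENT_PUB_UNSERVED = key_line(_KEY_C, "np@laptop")   # never uploaded to IPA
SAMPLE_SSH_V = """debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/np/.ssh/id_dsa
debug1: No more authentication methods to try."""

if __name__ == "__main__":
    print("offered:", offered_key_paths(SAMPLE_SSH_V), "rejected:", publickey_rejected(SAMPLE_SSH_V))
    print("served key A:", key_is_served(CLIENT_PUB_SERVED, SAMPLE_SSS_OUTPUT))
    print("served key C:", key_is_served(CLIENT_PUB_UNSERVED, SAMPLE_SSS_OUTPUT))
```

On a real host, replace SAMPLE_SSS_OUTPUT with the output of `sss_ssh_authorizedkeys <user>` run on the sshd machine and CLIENT_PUB_SERVED with the client's id_rsa.pub line; a served key that is still rejected points at sshd configuration rather than at the key itself.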
From sylvainangers at gmail.com Thu Apr 25 17:50:40 2013
From: sylvainangers at gmail.com (Sylvain Angers)
Date: Thu, 25 Apr 2013 13:50:40 -0400
Subject: [Freeipa-users] deleted ipa admin groups
Message-ID:

Hello
Someone deleted the admin group by mistake; how can we recover from this? No one can change passwords, and no other admin task is allowed. But we have the Directory Server password.

The remaining group is "ipausers", and we had only the default group.

Please, any help will be appreciated.
-- Sylvain Angers

From rcritten at redhat.com Thu Apr 25 18:16:49 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 25 Apr 2013 14:16:49 -0400
Subject: [Freeipa-users] deleted ipa admin groups
In-Reply-To:
References:
Message-ID: <51797311.6000000@redhat.com>

Sylvain Angers wrote:
>
> Hello
> Someone deleted the admin group by mistake; how can we recover from
> this? No one can change passwords, and no other admin task is allowed. But we have the Directory Server password.
>
> The remaining group is "ipausers", and we had only the default group.
>
> Please, any help will be appreciated.
>

We prevent this in newer versions. This is untested so YMMV. Try putting this into an LDIF. Change example.com and replace with the UID of the old group if you can. If you don't have it then use 999 and a new one should be assigned.

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
gidNumber:

# ldapadd -x -D 'cn=Directory Manager' -W < /path/to/ldif

You also may need to fix up some delegations. You can use ipa-show --all --raw on these privileges to see if admins is a member, I doubt it is.
You want to look at:

Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab

If not add it using something like this for each privilege:

# ldapmodify -x -D 'cn=Directory Manager' -w password
dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
^D

rob

From nareshbtech at yahoo.com Thu Apr 25 18:14:13 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Thu, 25 Apr 2013 11:14:13 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <5177B428.7020002@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com>
Message-ID: <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com>

Hi all

my sshd config file

#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
#	CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
#GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys %u

and debug is

OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa,ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 140/256
debug2: bits set: 500/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug2: bits set: 510/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/np/.ssh/id_rsa (0x7fe3011f4d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/np/.ssh/id_dsa
debug3: no such identity: /home/np/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to ldap1.eng.switchlab.net ([10.30.1.135]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env HOSTNAME
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env HISTSIZE
debug3: Ignored env QTDIR
debug3: Ignored env QTINC
debug3: Ignored env QT_GRAPHICSSYSTEM_CHECKED
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug1: Sending env LANG = en_GB.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env HISTCONTROL
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env QTLIB
debug3: Ignored env LESSOPEN
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last failed login: Thu Apr 25 18:58:55 BST 2013 from 10.30.1.134 on ssh:notty
There were 26 failed login attempts since the last successful login.

Nareshchandra Paturi
14, St. Augustine's Court, Mornington Road, London. E11 3BQ.
Mob:07466666001,07856918100 Ph:02082579579

________________________________
From: Jan Cholasta
To: naresh reddy
Cc: Rob Crittenden ; "freeipa-users at redhat.com"
Sent: Wednesday, April 24, 2013 11:30 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys

On 23.4.2013 20:20, naresh reddy wrote:
> Hi Rob
>
> I am sorry for coming back again
> i can see client can get the ssh keys from the server but still fails
> please suggest.
>

By "client" you mean the machine that you are trying to ssh to, i.e. the
machine that has sshd running? If not, make sure sss_ssh_authorizedkeys
works on the machine with sshd, because that's the one that matters here.

Also, what version of OpenSSH do you have installed?

Honza

--
Jan Cholasta

From nareshbtech at yahoo.com Thu Apr 25 19:10:48 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Thu, 25 Apr 2013 12:10:48 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <5176A561.50907@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com>
Message-ID: <1366917048.25714.YahooMailNeo@web162103.mail.bf1.yahoo.com>

Hi Rob

Sorry for the trouble, I am still struggling.
My OpenSSH version is 6.1, sssd version is 1.8.
Can you please suggest me?
[domain/eng.switchlab.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = eng.switchlab.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ldap1.eng.switchlab.net
chpass_provider = ipa
ipa_server = _srv_, ldap0.eng.switchlab.net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = eng.switchlab.net
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

my sshd config at the remote end

#	$OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
#	CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
	KerberosAuthentication no
	PubkeyAuthentication yes
	UsePAM yes
#	GSSAPIAuthentication yes
	AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys %u'
	RSAAuthentication yes
	AuthorizedKeysCommandUser nobody
#	PasswordAuthentication yes

debug of the ssh session

OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 492/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/np/.ssh/id_rsa (0x7f310a31cd60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/np/.ssh/id_dsa
debug3: no such identity: /home/np/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
^X^C

[np at ldap0 ~]$ ssh -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net
OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1 debug2: bits set: 500/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/np/.ssh/id_rsa (0x7fdfaf20fd60) debug2: key: /home/np/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/np/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Trying private key: /home/np/.ssh/id_dsa debug3: no such identity: /home/np/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64) debug1: Authentications that can continue: publickey,password,keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 ? 
Nareshchandra Paturi
14, St. Augustine's Court, Mornington Road, London. E11 3BQ.
Mob: 07466666001, 07856918100
Ph: 02082579579

________________________________
From: Rob Crittenden
To: naresh reddy ; "freeipa-users at redhat.com"
Sent: Tuesday, April 23, 2013 4:14 PM
Subject: Re: [Freeipa-users] Freeipa -ssh keys

naresh reddy wrote:
> Hi Rob
>
> Thank you very much
> but I tried the same with two Fedora systems
> and got the similar issue
>
> I think the error is due to Kerberos not installed, but I can see it is
> installed on the client and server
> please suggest.

sssd needs to look up the keys in IPA so the client needs to be enrolled for this to work.

rob

> > [np at ldap ~]$ ssh -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net > OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug2: ssh_connect: needpriv 0 > debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy > -p 22 ldap1.eng.switchlab.net > debug1: identity file /home/np/.ssh/identity type -1 > debug3: Not a RSA1 key file /home/np/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN' > debug3: key_read: missing keytype > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug3: key_read: missing whitespace > debug2: key_type_from_name: unknown key type '-----END' > debug3: key_read: missing keytype > debug1: identity file /home/np/.ssh/id_rsa type 1 > debug1: identity file /home/np/.ssh/id_dsa type -1 > debug1: permanently_drop_suid: 501 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 > debug1: match: OpenSSH_6.1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_5.3 > debug2: fd 5 setting O_NONBLOCK > debug2: fd 4 setting O_NONBLOCK > debug1: SSH2_MSG_KEXINIT sent > debug3: Wrote 792 bytes for a total of 813 > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug3: Wrote 24 bytes for a total of 837 > debug2: dh_gen_key: priv key bits set: 144/256 > debug2: bits set: 516/1024 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: Wrote 144 bytes for a total of 981 > debug3: check_host_in_hostfile: filename /home/np/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 2 > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host > key. > debug1: Found key in /home/np/.ssh/known_hosts:2 > debug2: bits set: 499/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug3: Wrote 16 bytes for a total of 997 > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug3: Wrote 48 bytes for a total of 1045 > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /home/np/.ssh/identity ((nil)) > debug2: key: /home/np/.ssh/id_rsa (0x7f9ee71687b0) > debug2: key: /home/np/.ssh/id_dsa ((nil)) > debug3: Wrote 80 bytes for a total of 1125 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: start over, passed a different list > publickey,gssapi-keyex,gssapi-with-mic,password > debug3: preferred > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_lookup gssapi-keyex > debug3: remaining preferred: > gssapi-with-mic,publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-keyex > 
debug1: Next authentication method: gssapi-keyex > debug1: No valid Key exchange context > debug2: we did not send a packet, disable method > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: publickey,keyboard-interactive,password > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug1: Unspecified GSS failure. Minor code may provide more information > > > debug1: Unspecified GSS failure. Minor code may provide more information > Credentials cache file '/tmp/krb5cc_501' not found > > debug2: we did not send a packet, disable method > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Trying private key: /home/np/.ssh/identity > debug3: no such identity: /home/np/.ssh/identity > debug1: Offering public key: /home/np/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug3: Wrote 384 bytes for a total of 1509 > debug1: Authentications that can continue: > publickey,gssapi-keyex,gssapi-with-mic,password > debug1: Trying private key: /home/np/.ssh/id_dsa > debug3: no such identity: /home/np/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup password > debug3: remaining preferred: ,password > debug3: authmethod_is_enabled password > debug1: Next authentication method: password > np at eng.switchlab.net@ldap1.eng.switchlab.net's password: > debug3: packet_send2: adding 48 (len 75 padlen 5 extra_pad 64) > debug2: we sent a password packet, wait for reply > debug3: Wrote 144 bytes for a total of 1653 > debug1: 
Authentication succeeded (password). > debug1: channel 0: new [client-session] > debug3: ssh_session2_open: channel_new: 0 > debug2: channel 0: send open > debug1: Requesting no-more-sessions at openssh.com > debug1: Entering interactive session. > debug3: Wrote 128 bytes for a total of 1781 > debug2: callback start > debug2: client_session2_setup: id 0 > debug2: channel 0: request pty-req confirm 1 > debug1: Sending environment. > debug3: Ignored env HOSTNAME > debug3: Ignored env SHELL > debug3: Ignored env TERM > debug3: Ignored env HISTSIZE > debug3: Ignored env USER > debug3: Ignored env LS_COLORS > debug3: Ignored env MAIL > debug3: Ignored env PATH > debug3: Ignored env PWD > debug1: Sending env LANG = en_US.UTF-8 > debug2: channel 0: request env confirm 0 > debug3: Ignored env HISTCONTROL > debug3: Ignored env SHLVL > debug3: Ignored env HOME > debug3: Ignored env LOGNAME > debug3: Ignored env CVS_RSH > debug3: Ignored env LESSOPEN > debug3: Ignored env G_BROKEN_FILENAMES > debug3: Ignored env _ > debug2: channel 0: request shell confirm 1 > debug2: callback done > debug2: channel 0: open confirm rwindow 0 rmax 32768 > debug3: Wrote 448 bytes for a total of 2229 > debug2: channel_input_status_confirm: type 99 id 0 > debug2: PTY allocation request accepted on channel 0 > debug2: channel 0: rcvd adjust 2097152 > debug2: channel_input_status_confirm: type 99 id 0 > debug2: shell request accepted on channel 0 > Last failed login: Tue Apr 23 14:37:59 BST 2013 from 10.30.2.177 on > ssh:notty > There were 8 failed login attempts since the last successful login. 
> -sh-4.2$ debug3: Wrote 48 bytes for a total of 2277 > edebug3: Wrote 48 bytes for a total of 2325 > xdebug3: Wrote 48 bytes for a total of 2373 > idebug3: Wrote 48 bytes for a total of 2421 > tdebug3: Wrote 48 bytes for a total of 2469 > > logout > debug2: channel 0: rcvd eof > debug2: channel 0: output open -> drain > debug2: channel 0: obuf empty > debug2: channel 0: close_write > debug2: channel 0: output drain -> closed > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 > debug2: channel 0: rcvd eow > debug2: channel 0: close_read > debug2: channel 0: input open -> closed > debug2: channel 0: rcvd close > debug3: channel 0: will not send data after close > debug2: channel 0: almost dead > debug2: channel 0: gc: notify user > debug2: channel 0: gc: user detached > debug2: channel 0: send close > debug2: channel 0: is dead > debug2: channel 0: garbage collecting > debug1: channel 0: free: client-session, nchannels 1 > debug3: channel 0: status: The following connections are open: > #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) > > debug3: channel 0: close_fds r -1 w -1 e 7 c -1 > debug3: Wrote 32 bytes for a total of 2501 > debug3: Wrote 64 bytes for a total of 2565 > Connection to ldap1.eng.switchlab.net closed. > Transferred: sent 2288, received 2656 bytes, in 1.5 seconds > Bytes per second: sent 1563.3, received 1814.8 > debug1: Exit status 0
>
> Nareshchandra Paturi
>
> 14, St. Augustine's Court,
> Mornington Road,
> London.
> E11 3BQ.
> Mob: 07466666001, 07856918100
> Ph: 02082579579
> ------------------------------------------------------------------------
> *From:* Rob Crittenden
> *To:* Naresh Chandra R Paturi ; freeipa-users at redhat.com
> *Sent:* Saturday, April 20, 2013 8:11 PM
> *Subject:* Re: [Freeipa-users] Freeipa -ssh keys
>
> Naresh Chandra R Paturi wrote:
> > Hi all
> >
> > I am new to freeipa
> > we have a group of Linux servers where we are trying to establish
> > password-less logins, in order to do this we need to copy ssh keys of
> > all users to each and every client server. so we are trying to establish
> > freeipa central server where we store the keys of all the users.
> > we got free ipa working with passwords but trying to authenticate with
> > keys.
> > is this achievable. if you please kindly direct me.
>
> With IPA 3.0 this is configured for you automatically by default on
> RHEL/Fedora systems.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys
>
> I believe you will need an openssh patch for this to work on a
> Debian/Ubuntu client. I believe it also requires sssd.
>
> rob
>

From dpal at redhat.com Thu Apr 25 20:40:14 2013
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 25 Apr 2013 16:40:14 -0400
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366917048.25714.YahooMailNeo@web162103.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366917048.25714.YahooMailNeo@web162103.mail.bf1.yahoo.com>
Message-ID: <517994AE.4050103@redhat.com>

On 04/25/2013 03:10 PM, naresh reddy wrote:
> Hi Rob
>
> Sorry for the trouble
> I am still struggling
> my OpenSSH version is 6.1
> sssd version is 1.8
>
> can you please suggest me
>
Naresh, some of our SSH specialists are in Europe so they will take a look at your setup in the morning. Thank you for your patience.
> [domain/eng.switchlab.net] > > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = eng.switchlab.net > id_provider = ipa > auth_provider = ipa > access_provider = ipa > ipa_hostname = ldap1.eng.switchlab.net > chpass_provider = ipa > ipa_server = _srv_, ldap0.eng.switchlab.net > ldap_tls_cacert = /etc/ipa/ca.crt > [sssd] > services = nss, pam, ssh > config_file_version = 2 > > domains = eng.switchlab.net > [nss] > > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > > my sshd config at the remote end > > # $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $ > > # This is the sshd server system-wide configuration file. See > # sshd_config(5) for more information. > > # This sshd was compiled with PATH=/usr/local/bin:/usr/bin > > # The strategy used for options in the default sshd_config shipped with > # OpenSSH is to specify options with their default value where > # possible, but leave them commented. Uncommented options override the > # default value. > > # If you want to change the port on a SELinux system, you have to tell > # SELinux about this change. 
> # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER > # > Port 22 > #AddressFamily any > #ListenAddress 0.0.0.0 > #ListenAddress :: > > # The default requires explicit activation of protocol 1 > #Protocol 2 > > # HostKey for protocol version 1 > #HostKey /etc/ssh/ssh_host_key > # HostKeys for protocol version 2 > #HostKey /etc/ssh/ssh_host_rsa_key > #HostKey /etc/ssh/ssh_host_dsa_key > #HostKey /etc/ssh/ssh_host_ecdsa_key > > # Lifetime and size of ephemeral version 1 server key > #KeyRegenerationInterval 1h > #ServerKeyBits 1024 > > # Logging > # obsoletes QuietMode and FascistLogging > #SyslogFacility AUTH > SyslogFacility AUTHPRIV > #LogLevel INFO > > # Authentication: > > #LoginGraceTime 2m > #PermitRootLogin yes > #StrictModes yes > #MaxAuthTries 6 > #MaxSessions 10 > > #RSAAuthentication yes > #PubkeyAuthentication yes > > # The default is to check both .ssh/authorized_keys and > .ssh/authorized_keys2 > # but this is overridden so installations will only check > .ssh/authorized_keys > #AuthorizedKeysFile .ssh/authorized_keys > > #AuthorizedKeysCommand none > #AuthorizedKeysCommandUser nobody > > #AuthorizedPrincipalsFile none > > # For this to work you will also need host keys in > /etc/ssh/ssh_known_hosts > #RhostsRSAAuthentication no > # similar for protocol version 2 > #HostbasedAuthentication no > # Change to yes if you don't trust ~/.ssh/known_hosts for > # RhostsRSAAuthentication and HostbasedAuthentication > #IgnoreUserKnownHosts no > # Don't read the user's ~/.rhosts and ~/.shosts files > #IgnoreRhosts yes > > # To disable tunneled clear text passwords, change to no here! 
> #PasswordAuthentication yes > #PermitEmptyPasswords no > #PasswordAuthentication no > > # Change to no to disable s/key passwords > #ChallengeResponseAuthentication yes > #ChallengeResponseAuthentication no > > # Kerberos options > #KerberosAuthentication no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > #KerberosGetAFSToken no > #KerberosUseKuserok yes > > # GSSAPI options > #GSSAPIAuthentication yes > #GSSAPICleanupCredentials yes > #GSSAPICleanupCredentials yes > #GSSAPIStrictAcceptorCheck yes > #GSSAPIKeyExchange no > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will > # be allowed through the ChallengeResponseAuthentication and > # PasswordAuthentication. Depending on your PAM configuration, > # PAM authentication via ChallengeResponseAuthentication may bypass > # the setting of "PermitRootLogin without-password". > # If you just want the PAM account and session checks to run without > # PAM authentication, then enable this but set PasswordAuthentication > # and ChallengeResponseAuthentication to 'no'. > # WARNING: 'UsePAM no' is not supported in Fedora and may cause several > # problems. > #UsePAM no > > #AllowAgentForwarding yes > #AllowTcpForwarding yes > #GatewayPorts no > #X11Forwarding no > X11Forwarding yes > #X11DisplayOffset 10 > #X11UseLocalhost yes > #PrintMotd yes > #PrintLastLog yes > #TCPKeepAlive yes > #UseLogin no > UsePrivilegeSeparation sandbox # Default for new installations. 
> #PermitUserEnvironment no > #Compression delayed > #ClientAliveInterval 0 > #ClientAliveCountMax 3 > #ShowPatchLevel no > #UseDNS yes > #PidFile /var/run/sshd.pid > #MaxStartups 10 > #PermitTunnel no > #ChrootDirectory none > #VersionAddendum none > > # no default banner path > #Banner none > > # Accept locale-related environment variables > AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY > LC_MESSAGES > AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE > AcceptEnv XMODIFIERS > > # override default of no subsystems > Subsystem sftp /usr/libexec/openssh/sftp-server > > # Uncomment this if you want to use .local domain > #Host *.local > # CheckHostIP no > > # Example of overriding settings on a per-user basis > #Match User anoncvs > # X11Forwarding no > # AllowTcpForwarding no > # ForceCommand cvs server > > KerberosAuthentication no > PubkeyAuthentication yes > UsePAM yes > # GSSAPIAuthentication yes > AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys %u' > RSAAuthentication yes > AuthorizedKeysCommandUser nobody > # PasswordAuthentication yes > > debug of the ssh session > > OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 55: Applying options for * > debug2: ssh_connect: needpriv 0 > debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22. > debug1: Connection established. 
> debug3: Incorrect RSA1 identifier > debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key > debug1: identity file /home/np/.ssh/id_rsa type 1 > debug1: identity file /home/np/.ssh/id_rsa-cert type -1 > debug1: identity file /home/np/.ssh/id_dsa type -1 > debug1: identity file /home/np/.ssh/id_dsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 > debug1: match: OpenSSH_6.1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.1 > debug2: fd 3 setting O_NONBLOCK > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:1 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /var/lib/sss/pubconf/known_hosts:1 > debug3: load_hostkeys: found key type DSA in file > /var/lib/sss/pubconf/known_hosts:2 > debug3: load_hostkeys: loaded 2 keys > debug3: order_hostkeyalgs: prefer hostkeyalgs: > ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: > ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss, > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: 
kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug2: dh_gen_key: priv key bits set: 126/256 > debug2: bits set: 492/1024 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Server host key: RSA > 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07 > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:1 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /var/lib/sss/pubconf/known_hosts:1 > debug3: load_hostkeys: found key type DSA in file > /var/lib/sss/pubconf/known_hosts:2 > debug3: load_hostkeys: loaded 2 keys > debug3: load_hostkeys: loading entries for host "10.30.1.135" from > file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:2 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host "10.30.1.135" from > file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: loaded 0 keys > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA > host key. 
> debug1: Found key in /home/np/.ssh/known_hosts:1 > debug2: bits set: 518/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /home/np/.ssh/id_rsa (0x7f310a31cd60) > debug2: key: /home/np/.ssh/id_dsa ((nil)) > debug1: Authentications that can continue: > publickey,password,keyboard-interactive > debug3: start over, passed a different list > publickey,password,keyboard-interactive > debug3: preferred publickey,keyboard-interactive,password > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /home/np/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug1: Authentications that can continue: > publickey,password,keyboard-interactive > debug1: Trying private key: /home/np/.ssh/id_dsa > debug3: no such identity: /home/np/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: Next authentication method: keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > Password: > debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64) > > > > ^X^C > [np at ldap0 ~]$ ssh -vvv np at eng.switchlab.net@ldap1.eng.switchlab.net > OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 > debug1: Reading configuration data 
/etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 55: Applying options for * > debug2: ssh_connect: needpriv 0 > debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22. > debug1: Connection established. > debug3: Incorrect RSA1 identifier > debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key > debug1: identity file /home/np/.ssh/id_rsa type 1 > debug1: identity file /home/np/.ssh/id_rsa-cert type -1 > debug1: identity file /home/np/.ssh/id_dsa type -1 > debug1: identity file /home/np/.ssh/id_dsa-cert type -1 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 > debug1: match: OpenSSH_6.1 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.1 > debug2: fd 3 setting O_NONBLOCK > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:1 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /var/lib/sss/pubconf/known_hosts:1 > debug3: load_hostkeys: found key type DSA in file > /var/lib/sss/pubconf/known_hosts:2 > debug3: load_hostkeys: loaded 2 keys > debug3: order_hostkeyalgs: prefer hostkeyalgs: > ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: > ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss, > debug2: 
kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib at openssh.com > debug2: kex_parse_kexinit: 
none,zlib at openssh.com > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_setup: found hmac-md5 > debug1: kex: server->client aes128-ctr hmac-md5 none > debug2: mac_setup: found hmac-md5 > debug1: kex: client->server aes128-ctr hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug2: dh_gen_key: priv key bits set: 128/256 > debug2: bits set: 503/1024 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Server host key: RSA > 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07 > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:1 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host > "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /var/lib/sss/pubconf/known_hosts:1 > debug3: load_hostkeys: found key type DSA in file > /var/lib/sss/pubconf/known_hosts:2 > debug3: load_hostkeys: loaded 2 keys > debug3: load_hostkeys: loading entries for host "10.30.1.135" from > file "/home/np/.ssh/known_hosts" > debug3: load_hostkeys: found key type RSA in file > /home/np/.ssh/known_hosts:2 > debug3: load_hostkeys: loaded 1 keys > debug3: load_hostkeys: loading entries for host "10.30.1.135" from > file "/var/lib/sss/pubconf/known_hosts" > debug3: load_hostkeys: loaded 0 keys > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA > host key. 
> debug1: Found key in /home/np/.ssh/known_hosts:1 > debug2: bits set: 500/1024 > debug1: ssh_rsa_verify: signature correct > debug2: kex_derive_keys > debug2: set_newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug2: set_newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /home/np/.ssh/id_rsa (0x7fdfaf20fd60) > debug2: key: /home/np/.ssh/id_dsa ((nil)) > debug1: Authentications that can continue: > publickey,password,keyboard-interactive > debug3: start over, passed a different list > publickey,password,keyboard-interactive > debug3: preferred publickey,keyboard-interactive,password > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /home/np/.ssh/id_rsa > debug3: send_pubkey_test > debug2: we sent a publickey packet, wait for reply > debug1: Authentications that can continue: > publickey,password,keyboard-interactive > debug1: Trying private key: /home/np/.ssh/id_dsa > debug3: no such identity: /home/np/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: Next authentication method: keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > Password: > debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64) > debug1: Authentications that can continue: > publickey,password,keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply 
> debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > > > Nareshchandra Paturi > > 14, St. Augustine's Court, > Mornington Road, > london. > E11 3BQ. > Mob:07466666001,07856918100 > Ph:02082579579 > ------------------------------------------------------------------------ > *From:* Rob Crittenden > *To:* naresh reddy ; "freeipa-users at redhat.com" > > *Sent:* Tuesday, April 23, 2013 4:14 PM > *Subject:* Re: [Freeipa-users] Freeipa -ssh keys > > naresh reddy wrote: > > Hi Rob > > > > Thank you very much > > but i tried the same with two fedora systems > > and got the similar issue > > > > i think the error is due to kerberos not installed but i can see it is > > installed on the client and sever > > please suggest. > > sssd needs to look up the keys in IPA so the client needs to be enrolled > for this to work. > > rob > > > > > [np at ldap ~]$ ssh -vvv np at eng.switchlab.net > @ldap1.eng.switchlab.net > > OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 > > debug1: Reading configuration data /etc/ssh/ssh_config > > debug1: Applying options for * > > debug2: ssh_connect: needpriv 0 > > debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy > > -p 22 ldap1.eng.switchlab.net > > debug1: identity file /home/np/.ssh/identity type -1 > > debug3: Not a RSA1 key file /home/np/.ssh/id_rsa. 
> > debug2: key_type_from_name: unknown key type '-----BEGIN' > > debug3: key_read: missing keytype > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug3: key_read: missing whitespace > > debug2: key_type_from_name: unknown key type '-----END' > > debug3: key_read: missing keytype > > debug1: identity file /home/np/.ssh/id_rsa type 1 > > debug1: identity file /home/np/.ssh/id_dsa type -1 > > debug1: permanently_drop_suid: 501 > > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1 > > debug1: match: OpenSSH_6.1 pat OpenSSH* > > debug1: Enabling compatibility mode for protocol 2.0 > > debug1: Local version string SSH-2.0-OpenSSH_5.3 > > debug2: fd 5 setting O_NONBLOCK > > debug2: fd 4 setting O_NONBLOCK > > debug1: SSH2_MSG_KEXINIT sent > > debug3: Wrote 792 bytes for a total of 813 > > debug1: SSH2_MSG_KEXINIT received > > debug2: kex_parse_kexinit: > > > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: 
ssh-rsa,ssh-dss > > debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > > > debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: none,zlib at openssh.com > ,zlib > > debug2: kex_parse_kexinit: none,zlib at openssh.com > ,zlib > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: first_kex_follows 0 > > debug2: kex_parse_kexinit: reserved 0 > > debug2: kex_parse_kexinit: > > > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > > debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > > > debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se > > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,umac-64 at openssh.com > ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com > ,hmac-sha1-96,hmac-md5-96 > > debug2: 
kex_parse_kexinit: none,zlib at openssh.com > > > debug2: kex_parse_kexinit: none,zlib at openssh.com > > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: first_kex_follows 0 > > debug2: kex_parse_kexinit: reserved 0 > > debug2: mac_setup: found hmac-md5 > > debug1: kex: server->client aes128-ctr hmac-md5 none > > debug2: mac_setup: found hmac-md5 > > debug1: kex: client->server aes128-ctr hmac-md5 none > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > > debug3: Wrote 24 bytes for a total of 837 > > debug2: dh_gen_key: priv key bits set: 144/256 > > debug2: bits set: 516/1024 > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > > debug3: Wrote 144 bytes for a total of 981 > > debug3: check_host_in_hostfile: filename /home/np/.ssh/known_hosts > > debug3: check_host_in_hostfile: match line 2 > > debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host > > key. 
> > debug1: Found key in /home/np/.ssh/known_hosts:2 > > debug2: bits set: 499/1024 > > debug1: ssh_rsa_verify: signature correct > > debug2: kex_derive_keys > > debug2: set_newkeys: mode 1 > > debug1: SSH2_MSG_NEWKEYS sent > > debug1: expecting SSH2_MSG_NEWKEYS > > debug3: Wrote 16 bytes for a total of 997 > > debug2: set_newkeys: mode 0 > > debug1: SSH2_MSG_NEWKEYS received > > debug1: SSH2_MSG_SERVICE_REQUEST sent > > debug3: Wrote 48 bytes for a total of 1045 > > debug2: service_accept: ssh-userauth > > debug1: SSH2_MSG_SERVICE_ACCEPT received > > debug2: key: /home/np/.ssh/identity ((nil)) > > debug2: key: /home/np/.ssh/id_rsa (0x7f9ee71687b0) > > debug2: key: /home/np/.ssh/id_dsa ((nil)) > > debug3: Wrote 80 bytes for a total of 1125 > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic,password > > debug3: start over, passed a different list > > publickey,gssapi-keyex,gssapi-with-mic,password > > debug3: preferred > > gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password > > debug3: authmethod_lookup gssapi-keyex > > debug3: remaining preferred: > > gssapi-with-mic,publickey,keyboard-interactive,password > > debug3: authmethod_is_enabled gssapi-keyex > > debug1: Next authentication method: gssapi-keyex > > debug1: No valid Key exchange context > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup gssapi-with-mic > > debug3: remaining preferred: publickey,keyboard-interactive,password > > debug3: authmethod_is_enabled gssapi-with-mic > > debug1: Next authentication method: gssapi-with-mic > > debug1: Unspecified GSS failure. Minor code may provide more > information > > Credentials cache file '/tmp/krb5cc_501' not found > > > > debug1: Unspecified GSS failure. Minor code may provide more > information > > Credentials cache file '/tmp/krb5cc_501' not found > > > > debug1: Unspecified GSS failure. Minor code may provide more > information > > > > > > debug1: Unspecified GSS failure. 
Minor code may provide more > information > > Credentials cache file '/tmp/krb5cc_501' not found > > > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup publickey > > debug3: remaining preferred: keyboard-interactive,password > > debug3: authmethod_is_enabled publickey > > debug1: Next authentication method: publickey > > debug1: Trying private key: /home/np/.ssh/identity > > debug3: no such identity: /home/np/.ssh/identity > > debug1: Offering public key: /home/np/.ssh/id_rsa > > debug3: send_pubkey_test > > debug2: we sent a publickey packet, wait for reply > > debug3: Wrote 384 bytes for a total of 1509 > > debug1: Authentications that can continue: > > publickey,gssapi-keyex,gssapi-with-mic,password > > debug1: Trying private key: /home/np/.ssh/id_dsa > > debug3: no such identity: /home/np/.ssh/id_dsa > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup password > > debug3: remaining preferred: ,password > > debug3: authmethod_is_enabled password > > debug1: Next authentication method: password > > np at eng.switchlab.net > @ldap1.eng.switchlab.net's password: > > debug3: packet_send2: adding 48 (len 75 padlen 5 extra_pad 64) > > debug2: we sent a password packet, wait for reply > > debug3: Wrote 144 bytes for a total of 1653 > > debug1: Authentication succeeded (password). > > debug1: channel 0: new [client-session] > > debug3: ssh_session2_open: channel_new: 0 > > debug2: channel 0: send open > > debug1: Requesting no-more-sessions at openssh.com > > > debug1: Entering interactive session. > > debug3: Wrote 128 bytes for a total of 1781 > > debug2: callback start > > debug2: client_session2_setup: id 0 > > debug2: channel 0: request pty-req confirm 1 > > debug1: Sending environment. 
> > debug3: Ignored env HOSTNAME > > debug3: Ignored env SHELL > > debug3: Ignored env TERM > > debug3: Ignored env HISTSIZE > > debug3: Ignored env USER > > debug3: Ignored env LS_COLORS > > debug3: Ignored env MAIL > > debug3: Ignored env PATH > > debug3: Ignored env PWD > > debug1: Sending env LANG = en_US.UTF-8 > > debug2: channel 0: request env confirm 0 > > debug3: Ignored env HISTCONTROL > > debug3: Ignored env SHLVL > > debug3: Ignored env HOME > > debug3: Ignored env LOGNAME > > debug3: Ignored env CVS_RSH > > debug3: Ignored env LESSOPEN > > debug3: Ignored env G_BROKEN_FILENAMES > > debug3: Ignored env _ > > debug2: channel 0: request shell confirm 1 > > debug2: callback done > > debug2: channel 0: open confirm rwindow 0 rmax 32768 > > debug3: Wrote 448 bytes for a total of 2229 > > debug2: channel_input_status_confirm: type 99 id 0 > > debug2: PTY allocation request accepted on channel 0 > > debug2: channel 0: rcvd adjust 2097152 > > debug2: channel_input_status_confirm: type 99 id 0 > > debug2: shell request accepted on channel 0 > > Last failed login: Tue Apr 23 14:37:59 BST 2013 from 10.30.2.177 on > > ssh:notty > > There were 8 failed login attempts since the last successful login. 
> > -sh-4.2$ debug3: Wrote 48 bytes for a total of 2277 > > edebug3: Wrote 48 bytes for a total of 2325 > > xdebug3: Wrote 48 bytes for a total of 2373 > > idebug3: Wrote 48 bytes for a total of 2421 > > tdebug3: Wrote 48 bytes for a total of 2469 > > > > logout > > debug2: channel 0: rcvd eof > > debug2: channel 0: output open -> drain > > debug2: channel 0: obuf empty > > debug2: channel 0: close_write > > debug2: channel 0: output drain -> closed > > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > > debug1: client_input_channel_req: channel 0 rtype eow at openssh.com > reply 0 > > debug2: channel 0: rcvd eow > > debug2: channel 0: close_read > > debug2: channel 0: input open -> closed > > debug2: channel 0: rcvd close > > debug3: channel 0: will not send data after close > > debug2: channel 0: almost dead > > debug2: channel 0: gc: notify user > > debug2: channel 0: gc: user detached > > debug2: channel 0: send close > > debug2: channel 0: is dead > > debug2: channel 0: garbage collecting > > debug1: channel 0: free: client-session, nchannels 1 > > debug3: channel 0: status: The following connections are open: > > #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) > > > > debug3: channel 0: close_fds r -1 w -1 e 7 c -1 > > debug3: Wrote 32 bytes for a total of 2501 > > debug3: Wrote 64 bytes for a total of 2565 > > Connection to ldap1.eng.switchlab.net closed. > > Transferred: sent 2288, received 2656 bytes, in 1.5 seconds > > Bytes per second: sent 1563.3, received 1814.8 > > debug1: Exit status 0 > > > > Nareshchandra Paturi > > > > 14, St. Augustine's Court, > > Mornington Road, > > london. > > E11 3BQ. 
> > Mob:07466666001,07856918100
> > Ph:02082579579
> > ------------------------------------------------------------------------
> > *From:* Rob Crittenden
> > *To:* Naresh Chandra R Paturi; freeipa-users at redhat.com
> > *Sent:* Saturday, April 20, 2013 8:11 PM
> > *Subject:* Re: [Freeipa-users] Freeipa -ssh keys
> >
> > Naresh Chandra R Paturi wrote:
> > > Hi all
> > >
> > > I am new to freeipa
> > > we have a group of linux servers where we are trying to establish
> > > password less logins, in order to do this we need to copy ssh keys of
> > > all users to each and every client server. so we are trying to establish
> > > freeipa central server where we store the keys of all the users.
> > > we got free ipa working with passwords but trying to authenticate with
> > > keys.
> > > is this achievable. if you please kindly direct me.
> >
> > With IPA 3.0 this is configured for you automatically by default on
> > RHEL/Fedora systems.
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#user-keys
> >
> > I believe you will need an openssh patch for this to work on a
> > Debian/Ubuntu client. I believe it also requires sssd.
> >
> > rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From bclark at tendrilinc.com Thu Apr 25 20:49:34 2013
From: bclark at tendrilinc.com (Brent Clark)
Date: Thu, 25 Apr 2013 14:49:34 -0600
Subject: [Freeipa-users] Freeipa-users Digest, Vol 57, Issue 66
In-Reply-To:
References:
Message-ID:

I use the following on my CentOS 6.3 servers for the ssh keys to work from IPA.

sshd.conf

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

> ----------------------------------------------------------------------
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa -ssh keys
> Message-ID: <517994AE.4050103 at redhat.com>
>
> AuthorizedKeysCommand '/usr/bin/sss_ssh_authorizedkeys %u'

-- 
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog
From abokovoy at redhat.com Fri Apr 26 04:28:00 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 26 Apr 2013 07:28:00 +0300
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com>
Message-ID: <20130426042800.GC7607@redhat.com>

On Thu, 25 Apr 2013, naresh reddy wrote:
>Hi all
>
>my sshd config file
>
>
>#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $
>
># This is the sshd server system-wide configuration file.  See
># sshd_config(5) for more information.
>
># This sshd was compiled with PATH=/usr/local/bin:/usr/bin
>
># The strategy used for options in the default sshd_config shipped with
># OpenSSH is to specify options with their default value where
># possible, but leave them commented.  Uncommented options override the
># default value.
>
># If you want to change the port on a SELinux system, you have to tell
># SELinux about this change.
># semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
>#
>Port 22
>#AddressFamily any
>#ListenAddress 0.0.0.0
>#ListenAddress ::
>
># The default requires explicit activation of protocol 1
>#Protocol 2
>
># HostKey for protocol version 1
>#HostKey /etc/ssh/ssh_host_key
># HostKeys for protocol version 2
>#HostKey /etc/ssh/ssh_host_rsa_key
>#HostKey /etc/ssh/ssh_host_dsa_key
>#HostKey /etc/ssh/ssh_host_ecdsa_key
>
># Lifetime and size of ephemeral version 1 server key
>#KeyRegenerationInterval 1h
>#ServerKeyBits 1024
>
># Logging
># obsoletes QuietMode and FascistLogging
>#SyslogFacility AUTH
>SyslogFacility AUTHPRIV
>#LogLevel INFO
>
># Authentication:
>
>#LoginGraceTime 2m
>#PermitRootLogin yes
>#StrictModes yes
>#MaxAuthTries 6
>#MaxSessions 10
>
>RSAAuthentication yes
>PubkeyAuthentication yes
>
># The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
># but this is overridden so installations will only check .ssh/authorized_keys
>#AuthorizedKeysFile     .ssh/authorized_keys
>
>#AuthorizedKeysCommand none
>AuthorizedKeysCommandUser nobody
>
>#AuthorizedPrincipalsFile none
>
># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>#RhostsRSAAuthentication no
># similar for protocol version 2
>#HostbasedAuthentication no
># Change to yes if you don't trust ~/.ssh/known_hosts for
># RhostsRSAAuthentication and HostbasedAuthentication
>#IgnoreUserKnownHosts no
># Don't read the user's ~/.rhosts and ~/.shosts files
>#IgnoreRhosts yes
>
># To disable tunneled clear text passwords, change to no here!
>#PasswordAuthentication yes
>#PermitEmptyPasswords no
>#PasswordAuthentication no
>
># Change to no to disable s/key passwords
>#ChallengeResponseAuthentication yes
>#ChallengeResponseAuthentication no
>
># Kerberos options
>#KerberosAuthentication no
>#KerberosOrLocalPasswd yes
>#KerberosTicketCleanup yes
>#KerberosGetAFSToken no
>#KerberosUseKuserok yes
>
># GSSAPI options
>#GSSAPIAuthentication yes
>#GSSAPICleanupCredentials yes
>#GSSAPICleanupCredentials yes
>#GSSAPIStrictAcceptorCheck yes
>#GSSAPIKeyExchange no
>
># Set this to 'yes' to enable PAM authentication, account processing,
># and session processing. If this is enabled, PAM authentication will
># be allowed through the ChallengeResponseAuthentication and
># PasswordAuthentication.  Depending on your PAM configuration,
># PAM authentication via ChallengeResponseAuthentication may bypass
># the setting of "PermitRootLogin without-password".
># If you just want the PAM account and session checks to run without
># PAM authentication, then enable this but set PasswordAuthentication
># and ChallengeResponseAuthentication to 'no'.
># WARNING: 'UsePAM no' is not supported in Fedora and may cause several
># problems.
>#UsePAM no
>
>#AllowAgentForwarding yes
>#AllowTcpForwarding yes
>#GatewayPorts no
>#X11Forwarding no
>X11Forwarding yes
>#X11DisplayOffset 10
>#X11UseLocalhost yes
>#PrintMotd yes
>#PrintLastLog yes
>#TCPKeepAlive yes
>#UseLogin no
>UsePrivilegeSeparation sandbox          # Default for new installations.
>#PermitUserEnvironment no
>#Compression delayed
>#ClientAliveInterval 0
>#ClientAliveCountMax 3
>#ShowPatchLevel no
>#UseDNS yes
>#PidFile /var/run/sshd.pid
>#MaxStartups 10
>#PermitTunnel no
>#ChrootDirectory none
>#VersionAddendum none
>
># no default banner path
>#Banner none
>
># Accept locale-related environment variables
>AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
>AcceptEnv XMODIFIERS
>
># override default of no subsystems
>Subsystem       sftp    /usr/libexec/openssh/sftp-server
>
># Uncomment this if you want to use .local domain
>#Host *.local
>#       CheckHostIP no
>
># Example of overriding settings on a per-user basis
>#Match User anoncvs
>#       X11Forwarding no
>#       AllowTcpForwarding no
>#       ForceCommand cvs server
>KerberosAuthentication no
>PubkeyAuthentication yes
>UsePAM yes
>#GSSAPIAuthentication yes

GSSAPIAuthentication defaults to 'no' in OpenSSH. We require it set to 'yes' in order to log in with a Kerberos ticket. As your other Kerberos options were disabled as well, the result is predictable.

It looks like you haven't configured this machine with ipa-client-install since that would have turned GSSAPIAuthentication to 'yes'. Or you did change sshd_config by yourself to a non-working state.

-- 
/ Alexander Bokovoy

From rendhalver at gmail.com Fri Apr 26 05:22:31 2013
From: rendhalver at gmail.com (Peter Brown)
Date: Fri, 26 Apr 2013 15:22:31 +1000
Subject: [Freeipa-users] exporting ldap certificate
Message-ID:

Hi everyone.

I am attempting to get Google Apps to sync with FreeIPA and I am having problems getting the sync utility to talk to freeipa.
It complains about the ssl cert.
I have it setup so it only accepts ssl or tls encrypted connections and I don't want to turn that off.
I have imported the ca cert using the jre's keytool but it still refuses to connect.
I am getting the impression I need to import the ssl cert for the ldap server into it as well.
I have no idea which certificate that is and I have no idea how to export it.
Can someone please tell me how to do this?

Thanks in advance.

Pete.

From pviktori at redhat.com Fri Apr 26 08:30:00 2013
From: pviktori at redhat.com (Petr Viktorin)
Date: Fri, 26 Apr 2013 10:30:00 +0200
Subject: [Freeipa-users] exporting ldap certificate
In-Reply-To:
References:
Message-ID: <517A3B08.9060308@redhat.com>

Hello,

On 04/26/2013 07:22 AM, Peter Brown wrote:
> Hi everyone.
>
> I am attempting to get Google Apps to sync with FreeIPA and I am having
> problems getting the sync utility to talk to freeipa.
> It complains about the ssl cert.
> I have it setup so it only accepts ssl or tls encrypted connections and
> I don't want to turn that off.
> I have imported the ca cert using the jre's keytool but it still refuses
> to connect.
> I am getting the impression I need to import the ssl cert for the ldap
> server into it as well.

The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other certs.
Make sure you import it with the right trust level (SSL certificate signing).
Unfortunately I don't know about jre's keytool so I can't be more specific.

> I have no idea which certificate that is and I have no idea how to
> export it.

Do not do this. You should only explicitly trust the CA cert.
For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.

> Can someone please tell me how to do this?

If you really want to:
There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one for the LDAP server.

To export the httpd server certificate (to PEM):
$ certutil -L -d /etc/httpd/alias -n Server-Cert -a

To export the directory server certificate (to PEM):
$ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a

But again, you don't need this for what you're trying to do.

-- 
Petr³

From abokovoy at redhat.com Fri Apr 26 10:44:32 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 26 Apr 2013 13:44:32 +0300
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366971491.4954.YahooMailNeo@web162101.mail.bf1.yahoo.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com> <20130426042800.GC7607@redhat.com> <1366971491.4954.YahooMailNeo@web162101.mail.bf1.yahoo.com>
Message-ID: <20130426104432.GD7607@redhat.com>

On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alex
>
>I had tried tshoot and so i have changed GSSAPIAuthentication to no
>because i was getting
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Ticket expired
^^^ Ticket expired means your ticket on the machine from which you are trying to connect to the ssh server. You need to maintain actual credentials:

[client]$ kinit np at eng.switchlab.net
Password: <...>
[client]$ ssh -K -l np at eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here: http://www.kerberos.org/software/tutorial.html

-- 
/ Alexander Bokovoy

From jsunn at nets.eu Fri Apr 26 11:46:37 2013
From: jsunn at nets.eu (Johan Sunnerstig)
Date: Fri, 26 Apr 2013 11:46:37 +0000
Subject: [Freeipa-users] Kerberos delegation error on replica
Message-ID:

Hi.

I have two IPA servers in a multi master setup, running IPA 3.0. They've been working fine for the last ~16 months and started life as 2.2 servers.
Recently the following error started showing up, I'm not sure when exactly since I only discovered it when I was checking the status of an account the other day.

ipa1: ~> ipa user-status user
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.domain.tld
  Failed logins: 0
  Last successful authentication: 2013-04-26T11:20:06Z
  Last failed authentication: 2013-04-26T08:44:08Z
  Time now: 2013-04-26T11:20:06Z

  Server: ipa2.domain.tld
  failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
----------------------------
Number of entries returned 2
----------------------------

The same exact thing happens on the other replica. Everything else works as far as I can tell, replication is fine and either one will issue TGT's and so forth. Basically aside from the above I can't find anything wrong.

The following shows up in the krb5kdc.log on both the servers:

Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory

Any help would be appreciated.
Regards
Johan Sunnerstig

From abokovoy at redhat.com Fri Apr 26 11:58:52 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 26 Apr 2013 14:58:52 +0300
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <1366975756.60948.YahooMailNeo@web162103.mail.bf1.yahoo.com>
References: <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com> <20130426042800.GC7607@redhat.com> <1366971491.4954.YahooMailNeo@web162101.mail.bf1.yahoo.com> <20130426104432.GD7607@redhat.com> <1366975756.60948.YahooMailNeo@web162103.mail.bf1.yahoo.com>
Message-ID: <20130426115852.GE7607@redhat.com>

On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alexander
>
>Thank you very much it worked.
>its fantastic and I really appreciate your help.
>
>but this scenario is to use the kerberos ticket for each time to login
>
>what we are trying to establish is
>users will have private and public ssh keys
>public ssh keys will be updated to the freeipa server and
>
>then users will connect to the remote servers via the private ssh
>keys, remote servers need to authenticate via the keys received from
>the freeipa server
>
>
>but the present working condition doesn't satisfy this as user needs to
>get the kerberos ticket every life time.
I think you mix two different approaches. In your debug log below:

>debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

This means public key can be used to authenticate, along with GSSAPI and
plain password. However, your issue is in the fact that you did not set
up sshd to use sss_ssh_authorizedkeys properly -- you missed the fact
that both AuthorizedKeysCommand and AuthorizedKeysCommandUser should be
configured, and AuthorizedKeysCommand should only get the path to the
sss_ssh_authorizedkeys utility.
Add

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

And it should work; works for me on Fedora 19.

There is one issue: 'AuthorizedKeysCommandUser' is a new option in recent
OpenSSH (6.2) and did not exist before. We have a patch to support it
already, but it is not merged yet.

In OpenSSH before 6.2 there was no support for AuthorizedKeys and there
was a Fedora/RHEL patch to add it. As the patch evolved, first the user
under which the command is run was separated into the
AuthorizedKeysCommandRunAs option, and later upstream changed it to
AuthorizedKeysCommandUser. Thus, we have three different types of OpenSSH
versions and a bit of configuration mess.

-- 
/ Alexander Bokovoy

From nareshbtech at yahoo.com Fri Apr 26 10:18:11 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Fri, 26 Apr 2013 03:18:11 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <20130426042800.GC7607@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com> <20130426042800.GC7607@redhat.com>
Message-ID: <1366971491.4954.YahooMailNeo@web162101.mail.bf1.yahoo.com>

Hi Alex

I had tried tshoot and so i have changed GSSAPIAuthentication to no
because i was getting

debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired

debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired

debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found

now i uninstalled the ipa client and reinstalled it and joined the ipa domain and now sshd config is to its default
Please suggest

[root at ldap1-eng-switchlab-net ipa]# ipa-client-install --hostname=ldap1.eng.switchlab.net
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): eng.switchlab.net
Provide your IPA server name (ex: ipa.example.com): ldap0.eng.switchlab.net
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ldap1.eng.switchlab.net
Realm: ENG.SWITCHLAB.NET
DNS Domain: eng.switchlab.net
IPA Server: ldap0.eng.switchlab.net
BaseDN: dc=eng,dc=switchlab,dc=net

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at ENG.SWITCHLAB.NET:

Enrolled in IPA realm ENG.SWITCHLAB.NET
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ENG.SWITCHLAB.NET
trying https://ldap0.eng.switchlab.net/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ldap0.eng.switchlab.net/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root at ldap1-eng-switchlab-net ipa]# cat Configured /etc/ssh/sshd_config
cat: Configured: No such file or directory
#       $OpenBSD: sshd_config,v 1.87 2012/07/10 02:19:15 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
#       CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

on the remote eng

[root at ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np at eng.switchlab.net
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzvpxxxxxxxxx+xxxxxxxxxxxxxmNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== np at ldap.eng.switchlab.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxErb0QPyVHPM8r4yb3prkr4oobGuyKJj/yd+S4Pf7OUzZT2xXzpy0TZAjiLnqlioxnhyZqgLO/Rdg5o+wt3R7H7L9kGDfMtAyBqUBrRqQeYgfGWvoVrm2UhkTcq/jxxACbYZq0Jg7OTFXodV40uAuRKqVgev6W4V+ozrTxpeVRElqTM4cEJ96V0UxLUpZUHvT1exFKk4F1crZ2hLEuPVWOlOj8NS/sQX3DDuDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n np at ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oznp at ldap0.eng.switchlab.net

so the keys are being
debug ssh session

OpenSSH_6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 55: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ldap1.eng.switchlab.net [10.30.1.135] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/np/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/np/.ssh/id_rsa type 1
debug1: identity file /home/np/.ssh/id_rsa-cert type -1
debug1: identity file /home/np/.ssh/id_dsa type -1
debug1: identity file /home/np/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 510/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 22:fd:38:1c:25:80:fc:15:87:31:7b:b9:7b:59:f6:07
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "ldap1.eng.switchlab.net" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: found key type RSA in file /var/lib/sss/pubconf/known_hosts:1
debug3: load_hostkeys: found key type DSA in file /var/lib/sss/pubconf/known_hosts:2
debug3: load_hostkeys: loaded 2 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/home/np/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/np/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.30.1.135" from file "/var/lib/sss/pubconf/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: Host 'ldap1.eng.switchlab.net' is known and matches the RSA host key.
debug1: Found key in /home/np/.ssh/known_hosts:1
debug2: bits set: 489/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/np/.ssh/id_rsa (0x7f74dfec0d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired

debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired

debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/np/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/np/.ssh/id_dsa
debug3: no such identity: /home/np/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
np at eng.switchlab.net@ldap1.eng.switchlab.net's password:

From nareshbtech at yahoo.com Fri Apr 26 11:29:16 2013
From: nareshbtech at yahoo.com (naresh reddy)
Date: Fri, 26 Apr 2013 04:29:16 -0700 (PDT)
Subject: [Freeipa-users] Freeipa -ssh keys
In-Reply-To: <20130426104432.GD7607@redhat.com>
References: <5171F083.1020409@yahoo.com> <5172E846.9080507@redhat.com> <1366725927.18670.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5176A561.50907@redhat.com> <1366741216.81431.YahooMailNeo@web162105.mail.bf1.yahoo.com> <5177B428.7020002@redhat.com> <1366913653.2016.YahooMailNeo@web162102.mail.bf1.yahoo.com> <20130426042800.GC7607@redhat.com> <1366971491.4954.YahooMailNeo@web162101.mail.bf1.yahoo.com> <20130426104432.GD7607@redhat.com>
Message-ID: <1366975756.60948.YahooMailNeo@web162103.mail.bf1.yahoo.com>

Hi Alexander

Thank you very much it worked.
its fantastic and I really appreciate your help.

but this scenario is to use the kerberos ticket for each time to login

what we are trying to establish is
users will have private and public ssh keys
public ssh keys will be updated to the freeipa server and

then users will connect to the remote servers via the private ssh keys, remote servers need to authenticate via the keys received from the freeipa server

but the present working condition doesn't satisfy this as user needs to get the kerberos ticket every life time.

remote server getting the keys from free ipa

[root at ldap1-eng-switchlab-net ipa]# /usr/bin/sss_ssh_authorizedkeys np
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxOZ37IUe5gvlhO1i+bMhj8vhwlKZN6OKeMW6AM37aJhd7jxhz1R+Cod18YTB+gHkrfwe75kkEKfVyvTjpp9j5DRPeTyGMyWt4VbbyYq1Po4BZT7wOtUjwFq320QD5QnNKU6nbQKsB61xCMQy1Peu0nV/33dQTWHzlGi4uV0MN/KBvaWHmTwN6ZJ34uyEQ8kQ+fStd9XNFREw0iYglk42mNd/SA35njqNlsUbtBAR9ZokruAwAVVZqrfQw== np at ldap.eng.switchlab.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDS69+CH89z5ftzZZCmohY89y2AsJXfA0piHxg2XE+n np at ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFyO8uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMLGVqIwR8Ps5m6sYsB/hx3gm2fIoKq6fm0g976L26oAmclDi12CpVFYbI/osIjsq6mIpr9de5Qus/n9kIoxTZLHTRuoCEj7xc4PSPG78oE7JoWKLMvBDiwyhXNa+O9X1RgYhfYmS2m+1nGJYC9DG4xo7K60nO6WogBg3T+EwuDjYrVIfB5Rfe4D8iWKqOTNlJ+MzK4Dk8W8hqSJvuQFq5155DsbeqDy00EY1dMaGYVUq81lHEM91oz np at ldap0.eng.switchlab.net
[root at ldap1-eng-switchlab-net ipa]#

debug log of present ssh session

debug2: key: /home/np/.ssh/id_rsa (0x7f495ef25d60)
debug2: key: /home/np/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).

Nareshchandra Paturi
14, St. Augustine's Court,
Mornington Road,
london. E11 3BQ.
Mob:07466666001,07856918100
Ph:02082579579

________________________________
From: Alexander Bokovoy
To: naresh reddy
Cc: Jan Cholasta ; "freeipa-users at redhat.com"
Sent: Friday, April 26, 2013 11:44 AM
Subject: Re: [Freeipa-users] Freeipa -ssh keys

On Fri, 26 Apr 2013, naresh reddy wrote:
>Hi Alex
>
>I had tried tshoot and so i have changed GSSAPIAuthentication to no
>because i was getting
>debug1: Unspecified GSS failure.  Minor code may provide more information
>Ticket expired
^^^ Ticket expired means the ticket on the machine from which you are
trying to connect to the ssh server has expired. You need to maintain
actual credentials:

[client]$ kinit np at eng.switchlab.net
Password: <...>
[client]$ ssh -K -l np at eng.switchlab.net ldap1.eng.switchlab.net

You can read basics about Kerberos here:
http://www.kerberos.org/software/tutorial.html

-- 
/ Alexander Bokovoy

From rcritten at redhat.com Fri Apr 26 13:49:59 2013
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 26 Apr 2013 09:49:59 -0400
Subject: [Freeipa-users] Kerberos delegation error on replica
In-Reply-To:
References:
Message-ID: <517A8607.2070807@redhat.com>

Johan Sunnerstig wrote:
> Hi.
>
> I have two IPA servers in a multi master setup, running IPA 3.0.
> They've been working fine for the last ~16 months and started life as 2.2 servers.
> Recently the following error started showing up, I'm not sure when exactly since I only discovered it when I was checking the status of an account the other day.
>
> ipa1: ~> ipa user-status user
> -----------------------
> Account disabled: False
> -----------------------
> Server: ipa1.domain.tld
> Failed logins: 0
> Last successful authentication: 2013-04-26T11:20:06Z
> Last failed authentication: 2013-04-26T08:44:08Z
> Time now: 2013-04-26T11:20:06Z
>
> Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> The same exact thing happens on the other replica.
>
> Everything else works as far as I can tell, replication is fine and either one will issue TGT's and so forth. Basically aside from the above I can't find anything wrong.
> The following shows up in the krb5kdc.log on both the servers:
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
>

One of the servers must be missing from the s4u2proxy delegation list.
Are all the servers in here?

# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com

and

# ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

I'm guessing that it is missing one or more memberPrincipal.
The format is memberPrincipal: service/$FQDN@$REALM

rob

From aly.khimji at gmail.com Sat Apr 27 01:57:12 2013
From: aly.khimji at gmail.com (Aly Khimji)
Date: Fri, 26 Apr 2013 21:57:12 -0400
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
In-Reply-To: <517A6A0E.3000801@redhat.com>
References: <51780FF5.4090301@redhat.com> <5179079A.9020904@redhat.com> <517A6A0E.3000801@redhat.com>
Message-ID:

Hey Pavel/Guys

There is only 1 sudorule, so yes, 1 rule being downloaded is indeed correct.

To make things a little cleaner I have started using my userid instead of btest.
UID akhimji is an AD user and atest is an IPA-only user.

After raising the logging level (I have provided all below) I see this in the sudo logs; hopefully it helps you guys.

(Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider
(Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6810
(Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
...
(Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory

Services stopped, all logs and DBs removed, service started, actions run; the following logs are provided below: sssd_be, krb5, ldap, nss, pam and sudo logs all provided.
Thanks for the help, hope this sheds more light on the issue.

Thx
Aly

akhimji = AD user
atest = IPA-only user

hierarchy
[AD] akhimji -> "Domain Admins" -> [on IPA] -> "ad_admins_external" -> "ad_admins" - [sudotest rule] applied to this group
atest [IPA-only user] -> applied directly to sudotest rule applied to this user

1 sudo rule sudotest (contains /usr/bin/less)

AD domain = corpnonprd.xxxx.com
IPA Domain/Trust = nix.corpnonprd.xxxx.com

Ldif

# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, nix.corpnonprd.xxxx.com
dn: ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
objectClass: extensibleObject
ou: sudoers

# sudotest, sudoers, nix.corpnonprd.xxxx.com
dn: cn=sudotest,ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
objectClass: sudoRole
sudoUser: ALL
sudoHost: rhidmclient.nix.corpnonprd.xxxx.com
sudoHost: didmsvrua01.nix.corpnonprd.xxxx.com
sudoCommand: /usr/bin/less
sudoRunAsUser: root
sudoRunAsGroup: wheel
cn: sudotest

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2

Actions

Run as AD user

[nixadmin at rhidmclient ~]$ su - 'akhimji at corpnonprd'
Password:
Your password will expire in 8906 day(s).
su: warning: cannot change directory to /home/CorpNonPrd.xxxx.com/akhimji: No such file or directory
-sh-4.1$ id
uid=59401108(akhimji at corpnonprd.xxxx.com) gid=59401108(akhimji at corpnonprd.xxxx.com) groups=59401108(akhimji at corpnonprd.xxxx.com),59400512(domain admins at corpnonprd.xxxx.com),59400513(domain users at corpnonprd.xxxx.com),59401113(seca at corpnonprd.xxxx.com),818800006(ad_admins) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ sudo -l
[sudo] password for akhimji at corpnonprd.xxxx.com:
Your password will expire in 8906 day(s).
User akhimji at corpnonprd.xxxx.com is not allowed to run sudo on rhidmclient.
-sh-4.1$

sssd_sudo.log

(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]!
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): Adding connection 11B5200
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x11b72d0/0x11b64c0 (13), -/W (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1)
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6fa0
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): Adding connection 11B7480
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x11b6480/0x11b7770 (14), -/W (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO)
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6dd0
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6fa0
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6dd0
(Fri Apr 26 21:07:05 2013) [sssd[sudo]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_parse_query_send] (0x0400): Domain [corpnonprd.xxxx.com] not found, sending subdomain request
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41c570:domains at nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [nix.corpnonprd.xxxx.com][forced][corpnonprd.xxxx.com]
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b39e0
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c570:domains at nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b39e0
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [process_subdomains] (0x0200): Adding subdomain [CorpNonPrd.xxxx.com] to the domain [nix.corpnonprd.xxxx.com]!
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [process_subdomains] (0x1000): Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com]. (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [akhimji] from [CorpNonPrd.xxxx.com ] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41c570:domains at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 3, 95, User lookup failed (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] 
(Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [akhimji] from [CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 
3, 95, User lookup failed (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [akhimji] from [CorpNonPrd.xxxx.com ] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6810 (Fri 
Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 3, 95, User lookup failed (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [akhimji] from [CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:32 2013) [sssd[sudo]] 
[sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x11b6810 (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 3, 95, User lookup failed (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [client_recv] (0x0200): Client disconnected! (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x11b6180][18] (Fri Apr 26 21:07:38 2013) [sssd[sudo]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down sss_pam.log (Fri Apr 26 21:07:05 2013) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb (Fri Apr 26 21:07:05 2013) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]! 
(Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_init_connection] (0x0200): Adding connection 16B5690 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x16b4900/0x16b1030 (13), -/W (enabled) (Fri Apr 26 21:07:05 2013) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1) (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b4740 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_names_init] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_init_connection] (0x0200): Adding connection 16B5440 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x16b1110/0x16b25d0 (14), -/W (enabled) (Fri Apr 26 21:07:05 2013) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM) (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b21a0 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb (Fri Apr 26 21:07:05 2013) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control with rootdse! 
(Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_process_init] (0x0400): Responder Initialization complete (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/nix.corpnonprd.xxxx.com/root] to negative cache permanently (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/nix.corpnonprd.xxxx.com/root] to negative cache permanently (Fri Apr 26 21:07:05 2013) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192] (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b4740 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b21a0 (Fri Apr 26 21:07:05 2013) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP (Fri Apr 26 21:07:12 2013) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. 
(Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): user: nixadmin (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: 10.220.240.253 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15276 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][3][1][name=nixadmin] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b1080 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): 
Entering request [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b1080 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [nixadmin at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_check_user_search] (0x0080): No matching domain found for [nixadmin], fail! (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]. (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 8 (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected! (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_parse_in_data_v3] (0x0020): pam_parse_in_data_v2 failed. 
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41e750:domains at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [nix.corpnonprd.xxxx.com][forced][ corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b02c0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41e750:domains at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b02c0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_subdomains] (0x0200): Adding subdomain [CorpNonPrd.xxxx.com] to the domain [ nix.corpnonprd.xxxx.com]! (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_subdomains] (0x1000): Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com]. 
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 11 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] 
(0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 11 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b21a0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41e750:domains at nix.corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b21a0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Fri Apr 26 21:07:22 2013) [sssd[pam]] [filter_responses] (0x1000): User info type [0] not filtered. 
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 106 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b1080 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b1080 (Fri 
Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] 
[pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sysdb_search_selinux_config] (0x0400): No SELinux root entry found (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_selinux_mappings] (0x2000): No SELinux support found for the domain (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain ' CorpNonPrd.xxxx.com', user is akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) 
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri 
Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b62a0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b62a0 (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. 
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [akhimji@corpnonprd.xxxx.com] added to PAM initgroup cache
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: nixadmin
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15305
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b7d00
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b7d00
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38
(Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji@corpnonprd.xxxx.com] removed from PAM initgroup cache
(Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji@corpnonprd.xxxx.com] removed from PAM initgroup cache
(Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji@corpnonprd.xxxx.com] removed from PAM initgroup cache
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji@corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 11
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [akhimji@corpnonprd.xxxx.com] added to PAM initgroup cache
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji@corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 11
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b7bf0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b7bf0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [filter_responses] (0x1000): User info type [0] not filtered.
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 106
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji@corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [akhimji@corpnonprd.xxxx.com] added to PAM initgroup cache
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji@corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b83a0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b83a0
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [sysdb_search_selinux_config] (0x0400): No SELinux root entry found
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [process_selinux_mappings] (0x2000): No SELinux support found for the domain
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Fri Apr 26 21:07:32 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16c4140][21]
(Fri Apr 26 21:07:37 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji@corpnonprd.xxxx.com] removed from PAM initgroup cache
(Fri Apr 26 21:07:37 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji@corpnonprd.xxxx.com] removed from PAM initgroup cache
(Fri Apr 26 21:07:38 2013) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Apr 26 21:07:38 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16b8fa0][20]
(Fri Apr 26 21:07:38 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16b35d0][19]

sssd_nss.log

(Fri Apr 26 21:07:05 2013) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]!
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_init_connection] (0x0200): Adding connection BA3C50
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_watch] (0x2000): 0xba36b0/0xba2e90 (13), -/W (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba1070
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_init_connection] (0x0200): Adding connection BA2D00
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_watch] (0x2000): 0xba0860/0xba30c0 (14), -/W (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/nix.corpnonprd.xxxx.com/root] to negative cache permanently
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/nix.corpnonprd.xxxx.com/root] to negative cache permanently
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/tcsh in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_mc_create_file] (0x0400): Failed to rm mmap file /var/lib/sss/mc/passwd: 2(No such file or directory)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_mc_create_file] (0x0400): Failed to rm mmap file /var/lib/sss/mc/group: 2(No such file or directory)
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba1070
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:05 2013) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [nixadmin] from []
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x4339e0:domains@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [nix.corpnonprd.xxxx.com][not forced][]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x4339e0:domains@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [process_subdomains] (0x0200): Adding subdomain [CorpNonPrd.xxxx.com] to the domain [nix.corpnonprd.xxxx.com]!
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [process_subdomains] (0x1000): Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com].
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_cb] (0x0400): Requesting info for [nixadmin] from []
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nixadmin@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:3:nixadmin@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4099][1][name=nixadmin]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2ad0
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:3:nixadmin@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x4339e0:domains@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2ad0
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nixadmin@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin] to negative cache
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): No results for initgroups call
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:3:nixadmin@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [nixadmin] from []
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): User [nixadmin] does not exist in [nix.corpnonprd.xxxx.com]! (negative cache)
(Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [nixadmin], fail!
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [akhimji] from [CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:1:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][4097][1][name=akhimji]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xbb1290
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:1:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xbb1290
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:1:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [akhimji] from [CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][4099][1][name=akhimji]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 95, User lookup failed Will try to return what we have in cache
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:3:akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xbb1120][23]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59401108]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59401108@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59401108]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59401108@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59401108@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/akhimji@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59401108@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59400512]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59400512@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59400512]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59400512@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59400512@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/domain admins@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59400512@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59400513]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59400513@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59400513]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59400513@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59400513@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/domain users@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59400513@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59401113]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59401113@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59401113]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2ad0
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59401113@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2ad0
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59401113@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/seca@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji@corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59401113@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/818800006]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [818800006@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [818800006@nix.corpnonprd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/nix.corpnonprd.xxxx.com/ad_admins]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/akhimji@CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Apr 26 21:07:24 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Apr 26 21:07:32 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
(Fri Apr 26 21:07:38 2013) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xbb0f30][22]
(Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba0fc0][21]
(Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba6980][20]

krb5_child.log

(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [main] (0x0400): krb5_child started.
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x1000): total buffer size: [132]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji@CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_XXXXXX] keytab: [/etc/krb5.keytab]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0400): Will perform online auth
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769484443]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [validate_tgt] (0x0400): TGT verified using key for [host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM].
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [become_user] (0x0200): Trying to become user [59401108][59401108].
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_XXXXXX]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_XYHO4h]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [prepare_response_message] (0x0400): Building response for result [0]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [pack_response_packet] (0x2000): response packet size: [150]
(Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [main] (0x0400): krb5_child completed successfully
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [main] (0x0400): krb5_child started.
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x1000): total buffer size: [132]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji@CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_XYHO4h] keytab: [/etc/krb5.keytab]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0400): Will perform online auth
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Not using FAST.
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769484433]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [validate_tgt] (0x0400): TGT verified using key for [host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM].
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [become_user] (0x0200): Trying to become user [59401108][59401108].
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_XYHO4h]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_XYHO4h]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [prepare_response_message] (0x0400): Building response for result [0]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [pack_response_packet] (0x2000): response packet size: [150]
(Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [main] (0x0400): krb5_child completed successfully

ldap_child.log

(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x0400): ldap_child started.
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x2000): context initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): total buffer size: 83
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): realm_str size: 25
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): princ_str size: 42
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x2000): getting TGT sync
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [prepare_response] (0x0400): Building response for result [0]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [pack_buffer] (0x2000): response size: 73
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ccache_NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x0400): ldap_child completed successfully
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x0400): ldap_child started.
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x2000): context initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): total buffer size: 83
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): realm_str size: 25
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): princ_str size: 42
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x2000): getting TGT sync
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [prepare_response] (0x0400): Building response for result [0]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [pack_buffer] (0x2000): response size: 73
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ccache_NIX.CORPNONPRD.xxxx.COM]
(Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x0400): ldap_child completed successfully

sssd_be

(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_context_init] (0x0400): Created new fail over context, retry timeout is 30
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]!
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 22FA640
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x22faa50/0x22f9280 (15), -/W (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_nix.corpnonprd.xxxx.com,1)
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_timeout] (0x2000): 0x22fae20
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com.15267 to a link /var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_new_server] (0x0400): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com.15267,guid=09db3141cd4e8179d1add54b00042674
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x22fa210/0x22fb860 (16), R/- (enabled)
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Loading backend [ipa] with path [/usr/lib64/sssd/libsss_ipa.so].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_domain has value nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_server has value _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_backup_server has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_hostname has value rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_dyndns_update is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_dyndns_iface has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_hbac_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_host_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_selinux_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_subdomains_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_master_domain_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_hbac_refresh has value 5
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_automount_location has value default
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ipa_ranges_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'IPA'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_srv_server] (0x0400): Adding new SRV server to service 'IPA' using 'tcp'.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_servers_init] (0x0400): Added service lookup for service IPA
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'IPA'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_servers_init] (0x0400): Added Server didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_uri has value ldap://didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option account_cache_expiration has value 0
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_order has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Will look for host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM in default keytab
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [match_principal] (0x1000): Principal matched to the sample (host/rhidmclient.nix.corpnonprd.xxxx.com@NIX.CORPNONPRD.xxxx.COM).
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected realm: NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0100): Option ipa_host_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ipa_hbac_search_base set to cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri
Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword (Fri Apr 26 
21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value nsUniqueId (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min 
has value shadowMin (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): 
Option ldap_user_nds_login_disabled has value loginDisabled (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value nsUniqueId (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value 
cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): 
Option ipa_hostgroup_objectclass has value ipaHostgroup (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_member has value member (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso (Fri 
Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value hostCategory (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367024835.308454 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): ID backend target successfully loaded from provider [ipa]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_domain has value nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_server has value _srv_, didmsvrua01.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_backup_server has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hostname has value rhidmclient.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_update is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_iface has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option krb5_realm has value NIX.CORPNONPRD.xxxx.COM (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_refresh 
has value 5 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_support_srchost is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_automount_location has value default (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_ccachedir has value /tmp (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_ccname_template has value FILE:%d/krb5cc_%U_XXXXXX (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_auth_timeout has value 15 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_keytab has value /etc/krb5.keytab (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_validate is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_kpasswd has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_kpasswd has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[dp_get_options] (0x0400): Option krb5_store_password_if_offline is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_renewable_lifetime has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_lifetime has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_renew_interval has value 0 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_use_fast has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_fast_principal has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_auth_options] (0x0400): Option krb5_realm set to NIX.CORPNONPRD.xxxx.COM (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_uri has value ldap:// didmsvrua01.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] 
(0x0400): Option ldap_sudo_use_host_filter is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option 
ldap_tls_cipher_suite has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/ rhidmclient.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value NIX.CORPNONPRD.xxxx.COM (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option 
account_cache_expiration has value 0 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_order has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option krb5_realm set to NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Will look for host/rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM in default keytab
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [match_principal] (0x1000): Principal matched to the sample (host/rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM).
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [select_principal_from_keytab] (0x0200): Selected realm: NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has value entryUSN
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has value lastUSN
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has value memberOf
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has value nsUniqueId
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has value ipaSshPubKey
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value member
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has value nsUniqueId
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value ipaNisNetgroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value memberUser
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value memberHost
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value externalHost
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value serverHostname
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value ipaSshPubKey
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value ipaHostgroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_member has value member
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value ipaselinuxusermap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value memberUser
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value memberHost
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value seeAlso
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value ipaEnabledFlag
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value userCategory
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value hostCategory
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value ipaUniqueID
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): AUTH backend target successfully loaded from provider [ipa].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_domain has value nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_server has value _srv_, didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_backup_server has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hostname has value rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_update is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_dyndns_iface has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_search_base has value cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_host_search_base has value cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_subdomains_search_base has value cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_master_domain_search_base has value cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option krb5_realm has value NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_refresh has value 5
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_hbac_support_srchost is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_automount_location has value default
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_copy_options] (0x0400): Option ipa_ranges_search_base has value cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): ACCESS backend target successfully loaded from provider [ipa].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): CHPASS backend target successfully loaded from provider [ipa].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Loading backend [ldap] with path [/usr/lib64/sssd/libsss_ldap.so].
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_uri has value ldap://didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_backup_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has value password
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_search_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_network_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_user_search_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_search_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_service_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_search_base has value ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value 21600
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has value 900
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_ip has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_schema has value rfc2307
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has value 300
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 10800
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cert has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_key has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/rhidmclient.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_realm has value NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_server has value didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_backup_server has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_realm has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_pwd_policy has value none
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_referrals is TRUE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option account_cache_expiration has value 0
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_filter has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_account_expire_policy has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_access_order has value filter
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value 60
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_auth_disable_tls_never_use_in_production is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_page_size has value 1000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value 900
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [dp_get_options] (0x0400): Option ldap_initgroups_use_matching_rule_in_chain is FALSE
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_get_options] (0x0200): Search base not set, trying to discover it later when connecting to the LDAP server.
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_object_class has value posixAccount
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_name has value uid
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_home_directory has value homeDirectory
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_principal has value krbPrincipalName
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_member_of has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_uuid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_objectsid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value modifyTimestamp
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value shadowLastChange
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value shadowWarning
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value shadowInactive
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value shadowExpire
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value krbLastPwdChange
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value krbPasswordExpiration
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value memberuid
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_uuid has value nsUniqueId
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ldap_id_init] (0x1000): Service name for discovery set to ldap
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'LDAP'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_urls_init] (0x0400): Added URI ldap://didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'LDAP'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_init] (0x0040): Missing krb5_realm option, will use libkrb default
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_get_default_realm] (0x1000): Will use default realm NIX.CORPNONPRD.xxxx.COM
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'KERBEROS'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'KERBEROS'
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_servers_init] (0x0400): Added Server didmsvrua01.nix.corpnonprd.xxxx.com
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at
1367024835.331639 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_init] (0x2000): Initializing sudo LDAP back end (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_get_sudo_options] (0x0400): Search base not set, trying to discover it later connecting to the LDAP server. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order 
has value sudoOrder (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: 10.137.216.163 in network 10.137.216.160/28 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found fqdn: rhidmclient.nix.corpnonprd.xxxx.com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found hostname: rhidmclient (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): SUDO backend target successfully loaded from provider [ldap]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ipa_autofs_init] (0x2000): Initializing IPA autofs handler (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_autofs_init] (0x2000): Initializing autofs LDAP back end (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_autofs_options] (0x1000): Option ldap_autofs_search_base set to cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): autofs backend target successfully loaded from provider [ipa]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa]. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [main] (0x0400): Backend provider (nix.corpnonprd.xxxx.com) started! (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1367024825 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ' didmsvrua01.nix.corpnonprd.xxxx.com' in files (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'resolving name' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[resolv_gethostbyname_step] (0x2000): Querying files (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in files (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ' didmsvrua01.nix.corpnonprd.xxxx.com' in DNS (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_timeout] (0x2000): 0x22fae20 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'name resolved' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_uri_callback] 
(0x0400): Constructed uri 'ldap:// didmsvrua01.nix.corpnonprd.xxxx.com' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap:// didmsvrua01.nix.corpnonprd.xxxx.com:389/??base] with fd [21]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Fri Apr 26 21:07:05 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultnamingcontext] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No 
sub-attributes for [vendorVersion] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastusn] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ rhidmclient.nix.corpnonprd.xxxx.com, NIX.CORPNONPRD.xxxx.COM, 86400) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 0 for server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 83 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [15273] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [15273] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[(nil)], ldap[0x231b510] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232a890. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232A890 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232ab50/0x2329930 (22), -/W (disabled) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232adc0] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232c1e0. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232C1E0 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232c4c0/0x2304f60 (23), -/W (disabled) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232c730] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232c730] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAC] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232dee0. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232DEE0 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232e540/0x232d8f0 (24), -/W (disabled) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232e7b0] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232f540. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232F540 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232faf0/0x232e280 (25), -/W (disabled) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232fd60] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232fd60] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SUDO] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x2331b60. 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 2331B60 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x23321c0/0x23314a0 (26), -/W (disabled) (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x2332430] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232adc0] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SSH] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232e7b0] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAM] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x2332430] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [NSS] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ ccache_NIX.CORPNONPRD.xxxx.COM], expired on [1367111223] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1367025725 (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ rhidmclient.nix.corpnonprd.xxxx.com 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [15273]. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [15273] finished successfully. (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost= rhidmclient.nix.corpnonprd.xxxx.com )(sudoHost=rhidmclient)(sudoHost=10.137.216.163)(sudoHost= 10.137.216.160/28)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com ]. 
21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: 
[accountExpires] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12 (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2349d00], ldap[0x2328500] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=nixadmin)) (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)(!(lastLogin=*)))) (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835))) (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367028435.309264 (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)(!(lastLogin=*)))) (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835))) (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367035635.332616 (Fri Apr 26 21:07:19 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=akhimji] (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13 (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2317710], ldap[0x2328500] (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null) (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][ corpnonprd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f920], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f920], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], 
ops[0x234f230], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_auth_send] (0x0100): No ccache file for user [ akhimji at CorpNonPrd.xxxx.com] found. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server ' didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [15306] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [15306] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent! 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][CORPNONPRD] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=818800006] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=818800006)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23526a0], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [nsUniqueId] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23526a0], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_deref_step] (0x0400): Falling back to individual lookups (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_noderef] (0x2000): Looking up missing DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=posixAccount)][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2353820], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2353820], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23539c0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23539c0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Processing group ad_admins
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x2000): This is a posix group
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] to attributes of [ad_admins].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130424190620Z] to attributes of [ad_admins].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Storing info for group ad_admins
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x1000): Adding member users to group [ad_admins]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x0040): Failed to save user ad_admins
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 20
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2350db0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b500], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2351520], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][44].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][30].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1367024840][1367024842][1367060840][1367111242].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [safe_remove_old_ccache_file] (0x0200): No old ccache, nothing to do
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [15306].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [15306] finished successfully.
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_access_send] (0x0400): Performing access check for user [akhimji at CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [akhimji at CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=rhidmclient.nix.corpnonprd.xxxx.com))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2351b20], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2351b20], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] using OpenLDAP deref
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2368630], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2368630], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2368630], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACService)]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACServiceGroup)]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b7e0], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC]
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a user or group.
Skipping (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [ rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x1000): 
[fqdn= didmsvrua01.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a host or hostgroup. Skipping (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): [1] groups for [ akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [ akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,95,User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are 
resolved by the responder directly from the cache. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost: (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=akhimji] (Fri Apr 26 
21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401108] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59401108)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] 
(Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28 (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59400512)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29 (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23528e0], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59400513)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Fri Apr 26 21:07:24 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30 (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59401113)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
(Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 31 (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 0,0,Success (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][ corpnonprd.xxxx.com] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32 (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ab40], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ab40], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] 
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33 (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], 
ops[0x234b5e0], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34 (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500] (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [cc_residual_is_used] (0x1000): User [59401108] is still active, reusing ccache [/tmp/krb5cc_59401108_XYHO4h].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://didmsvrua01.nix.corpnonprd.xxxx.com'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_XYHO4h if of different type than ccache in configuration file, reusing the old ccache
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [15332]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [15332]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][44].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][30].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): TGT times are [1367024850][1367024852][1367060850][1367111252].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the same, no one will be deleted.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [15332].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [15332] finished successfully.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15331
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_access_send] (0x0400): Performing access check for user [akhimji at CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [akhimji at CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=rhidmclient.nix.corpnonprd.xxxx.com))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23672d0], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23672d0], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] using OpenLDAP deref
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 36
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2370520], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2370520], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2370520], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACService)]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 37
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACServiceGroup)]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2366910], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a user or group. Skipping
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x1000):
[fqdn= didmsvrua01.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a host or hostgroup. Skipping (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test_HBAC] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): [1] groups for [ akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [ akhimji at CorpNonPrd.xxxx.com] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500] (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
(Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232c4c0/0x230d8e0
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232c4c0/0x2304f60
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0020): Unknown client removed ...
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232faf0/0x232e2d0
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232faf0/0x232e280
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed SUDO client
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232ab50/0x2325620
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232ab50/0x2329930
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed SSH client
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232e540/0x232d940
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x232e540/0x232d8f0
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed PAM client
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x23321c0/0x23314f0
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x23321c0/0x23314a0
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed NSS client
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NIX.CORPNONPRD.xxxx.COM], [2][No such file or directory]
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x2318a00], connected[1], ops[(nil)], ldap[0x231b510], destructor_lock[0], release_memory[0]
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500], destructor_lock[0], release_memory[0]
(Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x22fa210/0x22fb860

On Fri, Apr 26, 2013 at 7:50 AM, Pavel Březina wrote:

> On 04/25/2013 04:16 PM, Aly Khimji wrote:
>
>> Hey guys,
>>
>> So selinux has been in permissive mode this whole time.
>>
>> As per your request, I first log in with a local user (local to the
>> system), and then attempt to su to the AD user, which worked.
>> I then attempted to sudo -l which failed. I have sanitized and provided
>> logs below. Debugging is at 8, so hopefully it's ok and not too verbose.
>>
>> ldap, krb5, and sssd logs are the only logs with data in them.
>>
>> Thanks for your help guys,
>>
>> nixadmin is the local user
>> akhimji is the AD trust user
>
> Hi,
> the sssd_be log says that one sudo rule has been downloaded. Is that
> correct? Other things are unfortunately hidden in sssd_sudo.log,
> sssd_nss.log and sssd_pam.log.
>
> Can you put debug_level = 8 also to [sudo], [nss] and [pam] sections of
> your sssd.conf and re-run the test, please? Hopefully, that will reveal
> more.
>
> What groups are atest and btest users part of? How goes their membership
> hierarchy? Can you send us ldif of ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com?
>
> Thank you.
>
>> On Thu, Apr 25, 2013 at 6:38 AM, Pavel Březina wrote:
>>
>>> On 04/24/2013 07:20 PM, Aly Khimji wrote:
>>>
>>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
>>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
>>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
>>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
>>>
>>> Hi,
>>> this looks like a selinux problem to me. What happens when you set
>>> selinux to permissive?
>>>
>>> Also does this problem occur only with sudo, or are other services
>>> affected too (id, authentication, ssh)?
>>>
>>> Can you please perform the following commands? It will remove cache and
>>> logs so do it in a safe non-production environment.
>>>
>>> As root:
>>> # service sssd stop
>>> # rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
>>> # service sssd start
>>>
>>> As normal user:
>>> $ su ad-user at trusted-domain
>>> $ sudo -l
>>> $ exit
>>>
>>> And send us the sanitized logs (all of them).
>>>
>>> Thank you.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users

From gmatz at collective.com Sat Apr 27 14:35:07 2013
From: gmatz at collective.com (Guy Matz)
Date: Sat, 27 Apr 2013 10:35:07 -0400
Subject: [Freeipa-users] nsupdate refused
Message-ID: <517BE21B.8010005@collective.com>

Hi! Anyone out there know how to get nsupdate to work with an IPA controlled DNS server?
I have followed the instructions at http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to get a single machine to be able to perform any update, and have this as one of the entries in my "bind update policy":

grant SERVICE\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;

and dynamic update is set to true, but still I get this in /var/log/messages on my IPA server when attempting an update from the foreman server in the grant statement above:

ipadevmstr named[27956]: client 192.168.8.113#60749: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Any help is greatly appreciated!

Thanks,
Guy

From loris at lgs.com.ve Sat Apr 27 19:04:27 2013
From: loris at lgs.com.ve (Loris Santamaria)
Date: Sat, 27 Apr 2013 14:34:27 -0430
Subject: [Freeipa-users] nsupdate refused
In-Reply-To: <517BE21B.8010005@collective.com>
References: <517BE21B.8010005@collective.com>
Message-ID: <1367089467.11794.24.camel@toron.pzo.lgs.com.ve>

Hi

On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote:
> Hi! Anyone out there know how to get nsupdate to work with an IPA
> controlled DNS server? I have followed the instructions at
> http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to
> get a single machine to be able to perform any update, and have this as
> one of the entries in my "bind update policy":
> grant SERVICE\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;

Your zone update policy should include something like "grant host/\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;"

After that on foreman.collmedia.net you should call kinit followed by nsupdate:

# kinit -k host/foreman.collmedia.net
# nsupdate -g

Hope this helps.
> and dynamic update is set to true, but still I get this in
> /var/log/messages on my IPA server when attempting an update from the
> foreman server in the grant statement above:
> ipadevmstr named[27956]: client 192.168.8.113#60749: updating zone
> 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
>
> Any help is greatly appreciated!
>
> Thanks,
> Guy

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

From jhrozek at redhat.com Sun Apr 28 17:50:47 2013
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Sun, 28 Apr 2013 19:50:47 +0200
Subject: [Freeipa-users] nsupdate refused
In-Reply-To: <1367089467.11794.24.camel@toron.pzo.lgs.com.ve>
References: <517BE21B.8010005@collective.com> <1367089467.11794.24.camel@toron.pzo.lgs.com.ve>
Message-ID: <20130428175047.GA15680@hendrix.redhat.com>

On Sat, Apr 27, 2013 at 02:34:27PM -0430, Loris Santamaria wrote:
> Hi
>
> On Sat, 27-04-2013 at 10:35 -0400, Guy Matz wrote:
>> Hi! Anyone out there know how to get nsupdate to work with an IPA
>> controlled DNS server?
>> I have followed the instructions at
>> http://freeipa.org/page/Dynamic_updates_with_GSS-TSIG in an attempt to
>> get a single machine to be able to perform any update, and have this as
>> one of the entries in my "bind update policy":
>> grant SERVICE\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;
>
> Your zone update policy should include something like "grant
> host/\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;"
>
> After that on foreman.collmedia.net you should call kinit followed by
> nsupdate:
>
> # kinit -k host/foreman.collmedia.net
> # nsupdate -g

Also the SSSD logs on a high debug level (7+ IIRC) include the full nsupdate message, which might come in handy when troubleshooting.

From arthur at deus.pro Mon Apr 29 04:13:30 2013
From: arthur at deus.pro (Артур Файзуллин)
Date: Mon, 29 Apr 2013 10:13:30 +0600
Subject: [Freeipa-users] question about bind 10 plans
Message-ID: <1367208810.2436.10.camel@arthur.bashnl.ru>

HI!
I am curious about your bind10 plans :)
Currently you are using bind9 with bind-ldap-backend, but the next Fedora release (f19) is going to use bind10 (and possibly EL7 is going to use it too, but that is only my hypothesis); this leads me to think that you are also going to use bind10. But I could not find anything about how bind10 is going to work with ldap :(
________________
Best regards,
Arthur Fayzullin

From rendhalver at gmail.com Mon Apr 29 04:59:14 2013
From: rendhalver at gmail.com (Peter Brown)
Date: Mon, 29 Apr 2013 14:59:14 +1000
Subject: [Freeipa-users] exporting ldap certificate
In-Reply-To: <517A3B08.9060308@redhat.com>
References: <517A3B08.9060308@redhat.com>
Message-ID:

I finally got this to work.
I managed to get an error message that told me it couldn't check the revocation of the certificates against a CRL.
I tried to find out how to tell Java where to find that CRL, but I discovered these options instead to tell Java not to check a CRL:
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false

On 26 April 2013 18:30, Petr Viktorin wrote:

> Hello,
>
> On 04/26/2013 07:22 AM, Peter Brown wrote:
>
>> Hi everyone.
>>
>> I am attempting to get Google Apps to sync with FreeIPA and I am having
>> problems getting the sync utility to talk to freeipa.
>> It complains about the ssl cert.
>> I have it set up so it only accepts ssl or tls encrypted connections and
>> I don't want to turn that off.
>> I have imported the ca cert using the jre's keytool but it still refuses
>> to connect.
>> I am getting the impression I need to import the ssl cert for the ldap
>> server into it as well.
>
> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
> certs. Make sure you import it with the right trust level (SSL certificate
> signing). Unfortunately I don't know about jre's keytool so I can't be more
> specific.
>
>> I have no idea which certificate that is and I have no idea how to
>> export it.
>
> Do not do this. You should only explicitly trust the CA cert.
> For example, if you trust the certs explicitly you'd have to re-import
> them one by one when they are renewed.
>
>> Can someone please tell me how to do this?
>
> If you really want to:
> There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
> for the LDAP server.
> To export the httpd server certificate (to PEM):
> $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
> To export the directory server certificate (to PEM):
> $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
> But again, you don't need this for what you're trying to do.
>
> -- 
> Petr³

From abokovoy at redhat.com Mon Apr 29 05:11:36 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 29 Apr 2013 08:11:36 +0300
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <1367208810.2436.10.camel@arthur.bashnl.ru>
References: <1367208810.2436.10.camel@arthur.bashnl.ru>
Message-ID: <20130429051135.GG7607@redhat.com>

On Mon, 29 Apr 2013, Артур Файзуллин wrote:
>HI!
>I am curious about your bind10 plans :)
>currently you are using bind9 with bind-ldap-backend
>but the next fedora release (f19) is going to use bind10 (and possibly EL7
>is going to use it, but it is only my hypothesis), this leads me to think
>that you are also going to use bind10. But I could not find anything
>about how bind10 is going to work with ldap :(

Both Bind 9 and Bind 10 are in Fedora 19 and there are no signs of Bind 9 going away in the Fedora 19 timespan. Bind 10, while being a nice modularized framework, still has work ahead. Adam Tkac and Petr Spacek can tell more, but in short, a Bind 10 module is on our radar.

-- 
/ Alexander Bokovoy

From arthur at deus.pro Mon Apr 29 06:40:18 2013
From: arthur at deus.pro (Артур Файзуллин)
Date: Mon, 29 Apr 2013 12:40:18 +0600
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <20130429051135.GG7607@redhat.com>
References: <1367208810.2436.10.camel@arthur.bashnl.ru> <20130429051135.GG7607@redhat.com>
Message-ID: <1367217618.2436.12.camel@arthur.bashnl.ru>

On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
> Bind 10 module is on our radar.
>

Nice to hear that :)

From pspacek at redhat.com Mon Apr 29 07:48:17 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 29 Apr 2013 09:48:17 +0200
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <1367217618.2436.12.camel@arthur.bashnl.ru>
References: <1367208810.2436.10.camel@arthur.bashnl.ru> <20130429051135.GG7607@redhat.com> <1367217618.2436.12.camel@arthur.bashnl.ru>
Message-ID: <517E25C1.4020507@redhat.com>

On 29.4.2013 08:40, Артур Файзуллин wrote:
> On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
>> Bind 10 module is on our radar.

There is not much to add. I'm in touch with one Bind 10 developer and we are discussing various possibilities of integration.

Let me know if you are interested in alpha/beta testing. I will send you an e-mail as soon as we have some testable code.

-- 
Petr^2 Spacek

From pspacek at redhat.com Mon Apr 29 08:04:55 2013
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 29 Apr 2013 10:04:55 +0200
Subject: [Freeipa-users] nsupdate refused
In-Reply-To: <20130428175047.GA15680@hendrix.redhat.com>
References: <517BE21B.8010005@collective.com> <1367089467.11794.24.camel@toron.pzo.lgs.com.ve> <20130428175047.GA15680@hendrix.redhat.com>
Message-ID: <517E29A7.1040203@redhat.com>

Hello,

On 28.4.2013 19:50, Jakub Hrozek wrote:
>>> get a single machine to be able to perform any update, and have this as
>>> one of the entries in my "bind update policy":
>>> grant SERVICE\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;

The string "SERVICE/ipaserver.example.com at EXAMPLE.COM" in the example is a full principal name including the Kerberos REALM. The string "SERVICE" has to be replaced with the real service name. Everything is case sensitive!

See http://www.zytrax.com/tech/survival/kerberos.html#terminology for some Kerberos basics.
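Added example (not part of any message in this thread, and not FreeIPA or BIND code): a small checker for the two mistakes that produce "rejected by secure update (REFUSED)" in this thread, the literal SERVICE placeholder and an unescaped "/" in the principal, plus the builder for a correct grant line and the nsupdate batch fed to "nsupdate -g". The policy text, server name and IP below are constructed; only the named.conf and nsupdate syntax is real.

```python
"""Checks for the GSS-TSIG update-policy pitfalls discussed in this thread.

Added example, not FreeIPA or BIND code. The policy text, server name and
addresses are constructed for the demonstration; only the syntax is real.
"""
import re
from typing import List, Tuple

# A Kerberos service principal: service/host.example.com@REALM
PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9_-]+)/([A-Za-z0-9.-]+)@([A-Za-z0-9.-]+)$")
# One "grant <identity> <matchtype> <name> <types>;" statement of a BIND update-policy.
GRANT_RE = re.compile(r"^grant\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*;$")


def escape_principal(principal: str) -> str:
    """Write a principal the way named.conf needs it: the '/' between service
    and host must appear as its octal escape \\047, and 'SERVICE' is only a
    placeholder in the wiki example, never a real service name."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    service, host, realm = m.groups()
    if service.upper() == "SERVICE":
        raise ValueError("'SERVICE' is a placeholder; use the real service name, e.g. host")
    return f"{service}\\047{host}@{realm}"


def grant_line(principal: str, name: str = "*", matchtype: str = "wildcard",
               types: str = "ANY") -> str:
    """Build the statement that lets one host update the matching names."""
    return f"grant {escape_principal(principal)} {matchtype} {name} {types};"


def audit_policy(policy_text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for every grant statement that
    named would never match against a GSS-TSIG signed update."""
    findings = []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("grant"):
            continue  # block delimiters, comments, other directives
        m = GRANT_RE.match(line)
        if not m:
            findings.append((lineno, "malformed grant statement"))
            continue
        identity = m.group(1)
        if "/" in identity:
            findings.append((lineno, "unescaped '/' in identity; write it as \\047"))
        service = re.split(r"\\047|/", identity, maxsplit=1)[0]
        if service.upper() == "SERVICE":
            findings.append((lineno, "'SERVICE' placeholder left in identity"))
        if "@" not in identity:
            findings.append((lineno, "identity has no @REALM"))
        elif identity.rsplit("@", 1)[1] != identity.rsplit("@", 1)[1].upper():
            findings.append((lineno, "realm is not upper-case; Kerberos names are case sensitive"))
    return findings


def nsupdate_batch(server: str, zone: str, fqdn: str, ip: str, ttl: int = 300) -> str:
    """The commands fed to 'nsupdate -g' after 'kinit -k host/<fqdn>' on the
    client, replacing the host's A record in one signed transaction."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {fqdn}. A",
        f"update add {fqdn}. {ttl} A {ip}",
        "send",
    ])


# Constructed sample: the three forms of the grant line that appeared in the thread.
SAMPLE_POLICY = r"""
update-policy {
  grant SERVICE\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;
  grant host/\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;
  grant host\047foreman.collmedia.net@COLLMEDIA.NET wildcard * ANY;
};
"""

if __name__ == "__main__":
    for lineno, problem in audit_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {problem}")
    print(grant_line("host/foreman.collmedia.net@COLLMEDIA.NET"))
    # "ipadevmstr.collmedia.net" is a constructed server name for the demo.
    print(nsupdate_batch("ipadevmstr.collmedia.net", "collmedia.net",
                         "foreman.collmedia.net", "192.168.8.113"))
```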
>> Your zone update policy should include something like "grant
>> host/\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;"

This example contains an error: the character '/' in the principal name has to be replaced with "\047". The corrected example is:

"grant host\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;"

-- 
Petr^2 Spacek

From arthur at deus.pro Mon Apr 29 09:09:47 2013
From: arthur at deus.pro (Артур Файзуллин)
Date: Mon, 29 Apr 2013 15:09:47 +0600
Subject: [Freeipa-users] question about bind 10 plans
In-Reply-To: <517E25C1.4020507@redhat.com>
References: <1367208810.2436.10.camel@arthur.bashnl.ru> <20130429051135.GG7607@redhat.com> <1367217618.2436.12.camel@arthur.bashnl.ru> <517E25C1.4020507@redhat.com>
Message-ID: <1367226587.2436.15.camel@arthur.bashnl.ru>

On Mon, 29/04/2013 at 09:48 +0200, Petr Spacek wrote:
> On 29.4.2013 08:40, Артур Файзуллин wrote:
>> On Mon, 29/04/2013 at 08:11 +0300, Alexander Bokovoy wrote:
>>> Bind 10 module is on our radar.
>
> There is not much to add. I'm in touch with one Bind 10 developer and we are
> discussing various possibilities of integration.
>
> Let me know if you are interested in alpha/beta testing. I will send you an
> e-mail as soon as we have some testable code.

Yes, I am interested in that :)
Now I have some resources to do that. I do not know about the future, but now I do :)

From jsunn at nets.eu Mon Apr 29 10:16:46 2013
From: jsunn at nets.eu (Johan Sunnerstig)
Date: Mon, 29 Apr 2013 10:16:46 +0000
Subject: [Freeipa-users] Kerberos delegation error on replica
In-Reply-To: <517A8607.2070807@redhat.com>
References: <517A8607.2070807@redhat.com>
Message-ID:

That was exactly it. Server 2 had an HTTP principal but no ldap principal.
I added a principal for ldap as well and it's working fine now.
Thanks a bunch.
:)

Regards
Johan

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: 26 April 2013 15:50
> To: Johan Sunnerstig; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Kerberos delegation error on replica
>
> Johan Sunnerstig wrote:
> > Hi.
> >
> > I have two IPA servers in a multi master setup, running IPA 3.0.
> > They've been working fine for the last ~16 months and started life as 2.2
> > servers.
> > Recently the following error started showing up, I'm not sure when exactly
> > since I only discovered it when I was checking the status of an account the
> > other day.
> >
> > ipa1: ~> ipa user-status user
> > -----------------------
> > Account disabled: False
> > -----------------------
> >   Server: ipa1.domain.tld
> >   Failed logins: 0
> >   Last successful authentication: 2013-04-26T11:20:06Z
> >   Last failed authentication: 2013-04-26T08:44:08Z
> >   Time now: 2013-04-26T11:20:06Z
> >
> >   Server: ipa2.domain.tld failed: Insufficient access: SASL(-1):
> >   generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
> >   may provide more information (KDC returned error string:
> >   NOT_ALLOWED_TO_DELEGATE)
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > The same exact thing happens on the other replica.
> >
> > Everything else works as far as I can tell, replication is fine and either one
> > will issue TGTs and so forth. Basically aside from the above I can't find
> > anything wrong.
> > The following shows up in the krb5kdc.log on both the servers:
> > Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
> > Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
> >
>
> One of the servers must be missing from the s4u2proxy delegation list.
> Are all the servers in here?
>
> # ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
>
> and
>
> # ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
>
> I'm guessing that it is missing one or more memberPrincipal.
>
> The format is memberPrincipal: service/$FQDN@$REALM
>
> rob

From acke.89 at gmail.com Mon Apr 29 11:55:29 2013
From: acke.89 at gmail.com (Axel Berlin)
Date: Mon, 29 Apr 2013 13:55:29 +0200
Subject: [Freeipa-users] With only krb5-workstation and oddjob-mkhomedir
Message-ID:

Hello.

I'm trying to set up a Red Hat 6.1 client against an IPA server.

What I have done.....
On the IPA server

# ipa host-add --force --ip-address=192.168.237.1 seadv-.d1.gameop.net
# kinit admin
# ipa host-add-managedby --hosts=ipaserver.d1.gameop.net seadv-237-1.d1.gameop.net
# ipa-getkeytab -s ipaserver.d1.gameop.net -p host/seadv-237-1.d1.gameop.net -k /tmp/seadv-.keytab
# scp client1.keytab seadv-237-1.d1.gameop.net:/tmp

On the client (6.1)

# yum install krb5-workstation oddjob-mkhomedir
# mv /tmp/client1.keytab /etc/krb5.keytab
# vim /etc/krb5.conf

[libdefaults]
 default_realm = D1.GAMEOP.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 D1.GAMEOP.NET = {
  kdc = ipaserver.d1.gameop.net:88
  admin_server = ipaserver.d1.gameop.net:749
  default_domain = d1.gameop.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .d1.gameop.net = D1.GAMEOP.NET
 d1.gameop.net = D1.GAMEOP.NET

# cd /etc/pam.d/
# vim fingerprint-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# vim password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# vim smartcard-auth

auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    required      pam_pkcs11.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# vim system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# vim /etc/sssd/sssd.conf

[domain/d1.gameop.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = d1.gameop.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, ipaserver.d1.gameop.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = d1.gameop.net

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# chmod 0600 sssd.conf
# vim /etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files sss
publickey:  nisplus
automount:  files
aliases:    files nisplus

Now I can do

# kinit admin
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin at D1.GAMEOP.NET

Valid starting     Expires            Service principal
04/29/13 13:41:37  04/30/13 13:41:35  krbtgt/D1.GAMEOP.NET at D1.GAMEOP.NET

and when I try to do "id acke" or "ssh acke at seadv-237-1.d1.gameop.net", I get nothing...

My DNS records for the DNS that I want to use:

ipaserver.d1.gameop.net                A    192.168.232.41
ipareplica.d1.gameop.net               A    192.168.235.181
_ldap._tcp.d1.gameop.net               SRV  100 389 ipaserver
_ldap._tcp.d1.gameop.net               SRV  100 389 ipareplica
_kerberos                              TXT  d1.gameop.net
_kerberos._tcp.d1.gameop.net           SRV  100 88 ipaserver
_kerberos._udp.d1.gameop.net           SRV  100 88 ipaserver
_kerberos-master._tcp.d1.gameop.net    SRV  100 88 ipaserver
_kerberos-master._udp.d1.gameop.net    SRV  100 88 ipaserver
_kpasswd._tcp.d1.gameop.net            SRV  100 88 ipaserver
_kpasswd._udp.d1.gameop.net            SRV  100 88 ipaserver

This setup does not work with the DNS I want. But if I change my resolv.conf to

nameserver 192.168.232.41

I can id and ssh...

So have I missed something with the DNS?

I have tried to have the SRV records for only _ldap._tcp and _kerberos._tcp but that doesn't work either.
Thanks PS My first mailinglist sorry if I dont follow some kind of standard -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Apr 29 15:15:18 2013 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 29 Apr 2013 11:15:18 -0400 Subject: [Freeipa-users] Whit only krb5-workstation and oddjob-mkhomedir In-Reply-To: References: Message-ID: <517E8E86.3010704@redhat.com> Axel Berlin wrote: > Hello. > > Im trying to set up a redhat 6.1 to ipaserver. > > What i have done..... > > On the Ipaserver [ snip lots of config ] > > nameserver 192.168.232.41 > > I can id and ssh... > > So have i missed somthing whit the dns? > > I have tried to have the SRV records to only _ldap._tcp and > _kerberos._tcp but that dont work either. Did you start/restart sssd after creating the configuration? You may want to add debug_level = 9 to the domains section and start again to bump up the logging. The logs go into /var/log/sssd. What are the permissions on /etc/krb5.keytab? Should be 0600 root:root. Is SELinux in enforcing mode? If so I'd check the audit log too. rob From aly.khimji at gmail.com Mon Apr 29 18:31:02 2013 From: aly.khimji at gmail.com (Aly Khimji) Date: Mon, 29 Apr 2013 14:31:02 -0400 Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO In-Reply-To: References: <51780FF5.4090301@redhat.com> <5179079A.9020904@redhat.com> <517A6A0E.3000801@redhat.com> Message-ID: Hey Pavel/Guys, Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However its reported as fixed but I am still having the same issue. 
I am building out a new test environment and I am also deploying a FC18 client, which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.

Currently installed on my client:

libsss_sudo-1.9.2-82.7.el6_4.x86_64
sssd-client-1.9.2-82.7.el6_4.x86_64
libsss_idmap-1.9.2-82.7.el6_4.x86_64
libsss_autofs-1.9.2-82.el6.x86_64
sssd-1.9.2-82.7.el6_4.x86_64

I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then a sudo attempt.

Thx

Aly

(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx]!
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): Adding connection 99D200
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x99f2d0/0x99e4c0 (13), -/W (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e0a0 (13), R/- (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [monitor_common_send_id] (0x0100): Sending ID: (sudo,1)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x99efa0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e0a0 (13), R/- (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e4c0 (13), -/W (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sss_names_init] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))].
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): Adding connection 99F480
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): 0x99e480/0x99f770 (14), -/W (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99d130 (14), R/- (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,SUDO)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x99edd0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99d130 (14), R/- (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99f770 (14), -/W (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.ldb
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a0d80
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a2620
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a2620 "ltdb_timeout"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a0d80 "ltdb_callback"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x99e2d0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x99d5c0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x99d5c0 "ltdb_timeout"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x99e2d0 "ltdb_callback"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a0cf0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a0da0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a0da0 "ltdb_timeout"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a0cf0 "ltdb_callback"
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sss_process_init] (0x0400): Responder Initialization complete
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO Initialization complete
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99D200
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99D200
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e0a0 (13), R/- (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e4c0 (13), -/W (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99d130 (14), R/- (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99f770 (14), -/W (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e0a0 (13), R/- (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99f2d0/0x99e4c0 (13), -/W (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99d130 (14), R/- (enabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_toggle_watch] (0x4000): 0x99e480/0x99f770 (14), -/W (disabled)
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x99efa0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99D200
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x99edd0
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:22:51 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Apr 29 14:27:40 2013) [sssd[sudo]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [get_client_cred] (0x4000): Client creds: euid[0] egid[59401108] pid[2860].
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_parse_query_send] (0x0400): Domain [corpnonprd.xxxx] not found, sending subdomain request
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41c570:domains@nix.corpnonprd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [nix.corpnonprd.xxxx][forced][corpnonprd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x99b9e0
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c570:domains@nix.corpnonprd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x99b9e0
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a71b0
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a7260
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a7260 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a71b0 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [process_subdomains] (0x0200): Adding subdomain [CorpNonPrd.xxxx] to the domain [nix.corpnonprd.xxxx]!
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a6e70
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a6f20
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a6f20 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a6e70 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [process_subdomains] (0x1000): Adding flat name [NIX] to domain [nix.corpnonprd.xxxx].
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx' matched expression for domain 'CorpNonPrd.xxxx', user is akhimji
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [akhimji] from [CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a8ad0
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a8b80
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a8b80 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a8ad0 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx][3][1][name=akhimji]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x99e810
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41c570:domains@nix.corpnonprd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x99e810
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 3, 95, User lookup failed
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a6e70
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a6f20
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a6f20 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a6e70 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx' matched expression for domain 'CorpNonPrd.xxxx', user is akhimji
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'akhimji@corpnonprd.xxxx' matched expression for domain 'CorpNonPrd.xxxx', user is akhimji
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [akhimji] from [CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a8cd0
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9a8d80
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9a8d80 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a8cd0 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx][3][1][name=akhimji]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): 0x99e810
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): Looking up the user info from Data Provider
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): 0x99e810
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99F480
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider Error: 3, 95, User lookup failed
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x2000): Data Provider returned, check the cache again
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9a6c30
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9ab970
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x9ab970 "ltdb_timeout"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x9a6c30 "ltdb_callback"
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x419120:3:akhimji@CorpNonPrd.xxxx]
(Mon Apr 29 14:27:44 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:47 2013) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x99e180][18]
(Mon Apr 29 14:27:47 2013) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
(Mon Apr 29 14:27:47 2013) [sssd[sudo]] [client_destructor] (0x2000): Terminated client [0x99e180][18]
(Mon Apr 29 14:27:50 2013) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus conn: 99D200

On Fri, Apr 26, 2013 at 9:57 PM, Aly Khimji wrote:

> Hey Pavel/Guys
>
> There is only 1 sudorule, so yes 1 rule being downloaded is indeed
> correct.
> To make things a little more clean I have started using my userid instead > of btest. UID akhimji is a AD user and atest is a IPA only user > > After raising the logging level (I have provided all below) I see this in > the sudo logs, hopefully it helps you guys > > Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): > Looking up the user info from Data Provider > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > ... > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0040): Could not look up the user [2]: No such file or directory > > services stop, all logs and db's removed, service started, actions run, > follow logs provided below : sssd_be, krb5,ldap,nss,pam,and sudo logs all > provided. 
> > Thanks for the help, hope this sheds more light on the issue > > Thx > > Aly > > > akhimji=AD user > atest = IPA only user > > hierarchy > [AD] akhimji - > "Domain Admins" -> [on IPA] -> "ad_admins_external" -> > "ad_admins" -[sudotest rule] applied to this group > > atest[IPA only user] -> applied directly to sudotest rule applied to this > user > > 1 sudo rule > sudotest (contains /usr/bin/less) > > AD domain = corpnonprd.xxxx.com > IPA Domain/Trust = nix.corpnonprd.xxxx.com > > Ldif > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # sudoers, nix.corpnonprd.xxxx.com > dn: ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > objectClass: extensibleObject > ou: sudoers > > # sudotest, sudoers, nix.corpnonprd.xxxx.com > dn: cn=sudotest,ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > objectClass: sudoRole > sudoUser: ALL > sudoHost: rhidmclient.nix.corpnonprd.xxxx.com > sudoHost: didmsvrua01.nix.corpnonprd.xxxx.com > sudoCommand: /usr/bin/less > sudoRunAsUser: root > sudoRunAsGroup: wheel > cn: sudotest > > # search result > search: 4 > result: 0 Success > > # numResponses: 3 > # numEntries: 2 > > Actions Run as AD user > > [nixadmin at rhidmclient ~]$ su - 'akhimji at corpnonprd' > Password: > Your password will expire in 8906 day(s). > su: warning: cannot change directory to /home/CorpNonPrd.xxxx.com/akhimji: > No such file or directory > -sh-4.1$ id > uid=59401108(akhimji at corpnonprd.xxxx.com) gid=59401108( > akhimji at corpnonprd.xxxx.com) > groups=59401108(akhimji at corpnonprd.xxxx.com),59400512(domain > admins at corpnonprd.xxxx.com), > 59400513(domain users at corpnonprd.xxxx.com),59401113( > seca at corpnonprd.xxxx.com),818800006(ad_admins) > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > -sh-4.1$ sudo -l > [sudo] password for akhimji at corpnonprd.xxxx.com: > Your password will expire in 8906 day(s). 
> User akhimji at corpnonprd.xxxx.com is not allowed to run sudo on > rhidmclient. > -sh-4.1$ > > > ssss_sudo.log > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [server_setup] (0x0400): CONFDB: > /var/lib/sss/db/config.ldb > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [confdb_get_domain_internal] > (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]! > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): > Adding connection 11B5200 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): > 0x11b72d0/0x11b64c0 (13), -/W (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [monitor_common_send_id] (0x0100): > Sending ID: (sudo,1) > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6fa0 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sss_names_init] (0x0100): Using > re > [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_init_connection] (0x0200): > Adding connection 11B7480 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_watch] (0x2000): > 0x11b6480/0x11b7770 (14), -/W (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [dp_common_send_id] (0x0100): > Sending ID to DP: (1,SUDO) > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6dd0 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sysdb_domain_init_internal] > (0x0200): DB File for nix.corpnonprd.xxxx.com: > /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [ldb] (0x0400): asq: Unable to > register control with rootdse! 
> (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sss_process_init] (0x0400): > Responder Initialization complete > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sudo_process_init] (0x0400): SUDO > Initialization complete > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6fa0 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [id_callback] (0x0100): Got id ack > and version (1) from Monitor > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6dd0 > (Fri Apr 26 21:07:05 2013) [sssd[sudo]] [dp_id_callback] (0x0100): Got id > ack and version (1) from DP > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [accept_fd_handler] (0x0400): > Client connected! > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Received client version [1]. > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_cmd_get_version] (0x0200): > Offered version [1]. > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_parse_query_send] > (0x0400): Domain [corpnonprd.xxxx.com] not found, sending subdomain > request > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41c570:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_domains_msg] (0x0400): > Sending get domains request for [nix.corpnonprd.xxxx.com][forced][ > corpnonprd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b39e0 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41c570:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b39e0 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 0 errno: 0 error message: Success > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [process_subdomains] (0x0200): > Adding subdomain [CorpNonPrd.xxxx.com] to the domain [ > nix.corpnonprd.xxxx.com]! 
> (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [process_subdomains] (0x1000): > Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com]. > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [akhimji] from [ > CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): > Looking up the user info from Data Provider > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41c570:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0020): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x2000): Data Provider returned, check the cache again > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] 
(0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No > results for getpwnam call > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0040): Could not look up the user [2]: No such file or directory > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [akhimji] from [CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): > Looking up the user info from Data Provider > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri 
Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0020): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x2000): Data Provider returned, check the cache again > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No > results for getpwnam call > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0040): Could not look up the user [2]: No such file or directory > (Fri Apr 26 21:07:28 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting default options for [akhimji] from [ > CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 
21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): > Looking up the user info from Data Provider > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0020): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x2000): Data Provider returned, check the cache again > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No > results for getpwnam call > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0040): Could not look up the user [2]: No such file or directory > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_cmd_parse_query_done] > (0x0200): Requesting rules for [akhimji] from [CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 
2013) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_add_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_sudorules] (0x2000): > Looking up the user info from Data Provider > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sbus_remove_timeout] (0x2000): > 0x11b6810 > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0020): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x2000): Data Provider returned, check the cache again > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0200): > Requesting info about [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_get_user] (0x0080): No > results for getpwnam call > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sudosrv_check_user_dp_callback] > (0x0040): Could not look up the user [2]: No such file or directory > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x419120:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [client_recv] (0x0200): Client > disconnected! 
> (Fri Apr 26 21:07:32 2013) [sssd[sudo]] [client_destructor] (0x2000): > Terminated client [0x11b6180][18] > (Fri Apr 26 21:07:38 2013) [sssd[sudo]] [sss_responder_ctx_destructor] > (0x0400): Responder is being shut down > > > > sss_pam.log > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [server_setup] (0x0400): CONFDB: > /var/lib/sss/db/config.ldb > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [confdb_get_domain_internal] > (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]! > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_init_connection] (0x0200): > Adding connection 16B5690 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_watch] (0x2000): > 0x16b4900/0x16b1030 (13), -/W (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [monitor_common_send_id] (0x0100): > Sending ID: (pam,1) > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b4740 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_names_init] (0x0100): Using re > [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))]. > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_init_connection] (0x0200): > Adding connection 16B5440 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_watch] (0x2000): > 0x16b1110/0x16b25d0 (14), -/W (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [dp_common_send_id] (0x0100): > Sending ID to DP: (1,PAM) > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b21a0 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sysdb_domain_init_internal] > (0x0200): DB File for nix.corpnonprd.xxxx.com: > /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [ldb] (0x0400): asq: Unable to > register control with rootdse!
> (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_process_init] (0x0400): > Responder Initialization complete > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'root' matched without domain, user is root > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): using default domain [(null)] > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): > Adding [NCE/USER/nix.corpnonprd.xxxx.com/root] to negative cache > permanently > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'root' matched without domain, user is root > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): using default domain [(null)] > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): > Adding [NCE/GROUP/nix.corpnonprd.xxxx.com/root] to negative cache > permanently > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [responder_set_fd_limit] (0x0100): > Maximum file descriptors set to [8192] > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b4740 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [id_callback] (0x0100): Got id ack > and version (1) from Monitor > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b21a0 > (Fri Apr 26 21:07:05 2013) [sssd[pam]] [dp_id_callback] (0x0100): Got id > ack and version (1) from DP > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [accept_fd_handler] (0x0400): > Client connected to privileged pipe! > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Received client version [3]. > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Offered version [3]. 
> (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_cmd_open_session] (0x0100): > entering pam_cmd_open_session > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'nixadmin' matched without domain, user is nixadmin > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): using default domain [(null)] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_OPEN_SESSION > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > not set > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > nixadmin > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > sshd > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > not set > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > 10.220.240.253 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15276 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_ncache_check_str] (0x2000): > Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for [nix.corpnonprd.xxxx.com][3][1][name=nixadmin] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b1080 > 
(Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b1080 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 0 errno: 0 error message: Success > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [nixadmin at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_check_user_search] (0x0080): > No matching domain found for [nixadmin], fail! > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [10]. > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 8 > (Fri Apr 26 21:07:12 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41b300:3:nixadmin at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [accept_fd_handler] (0x0400): > Client connected! > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Received client version [3]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Offered version [3]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_authenticate] (0x0100): > entering pam_cmd_authenticate > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_parse_in_data_v3] (0x0020): > pam_parse_in_data_v2 failed. 
> (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41e750:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): > Sending get domains request for [nix.corpnonprd.xxxx.com][forced][ > corpnonprd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b02c0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41e750:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b02c0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 0 errno: 0 error message: Success > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_subdomains] (0x0200): > Adding subdomain [CorpNonPrd.xxxx.com] to the domain [ > nix.corpnonprd.xxxx.com]! > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_subdomains] (0x1000): > Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com]. 
> (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_AUTHENTICATE > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 11 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): > Returning info for user [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): > User's primary name is akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > request with the following data: > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_AUTHENTICATE > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > 
CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 11 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b21a0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): > pam_dp_send_req returned 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41e750:domains at nix.corpnonprd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b21a0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): > received: [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [0]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [0]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [filter_responses] (0x1000): User > info type [0] not filtered. 
> (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 106 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): > entering pam_cmd_acct_mgmt > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_ACCT_MGMT > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b1080 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri 
Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b1080 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] > (0x0040): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): > Returning info for user [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): > User's primary name is akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ > akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > request with the following data: > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_ACCT_MGMT > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] 
[pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): > pam_dp_send_req returned 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): > received: [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [0]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sysdb_search_selinux_config] > (0x0400): No SELinux root entry found > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [process_selinux_mappings] > (0x2000): No SELinux support found for the domain > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_open_session] (0x0100): > entering pam_cmd_open_session > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_OPEN_SESSION > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] 
[pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] > (0x0040): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): > Returning info for user [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): > User's primary name is akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ > akhimji at corpnonprd.xxxx.com] added to PAM initgroup 
cache > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > request with the following data: > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_OPEN_SESSION > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b62a0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): > pam_dp_send_req returned 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b62a0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): > received: [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [0]. 
> (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_cmd_setcred] (0x0100): > entering pam_cmd_setcred > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_SETCRED > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 
21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got > reply from Data Provider - DP error code: 3 errno: 95 error message: User > lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_dp_callback] > (0x0040): Unable to get information from Data Provider > Error: 3, 95, User lookup failed > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_check_user_search] (0x0400): > Returning info for user [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): > User's primary name is akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [ > akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > request with the following data: > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_SETCRED > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > su-l > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] 
(0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15305 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b7d00 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): > pam_dp_send_req returned 0 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): > 0x16b7d00 > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): > received: [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [0]. > (Fri Apr 26 21:07:22 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38 > (Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): > [akhimji at corpnonprd.xxxx.com] removed from PAM initgroup cache > (Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): > [akhimji at corpnonprd.xxxx.com] removed from PAM initgroup cache > (Fri Apr 26 21:07:27 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): > [akhimji at corpnonprd.xxxx.com] removed from PAM initgroup cache > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [accept_fd_handler] (0x0400): > Client connected! > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Received client version [3]. > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Offered version [3]. 
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_cmd_authenticate] (0x0100): > entering pam_cmd_authenticate > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for > domain 'CorpNonPrd.xxxx.com', user is akhimji > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: > PAM_AUTHENTICATE > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: > CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: > akhimji > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: > sudo > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: > /dev/pts/1 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: > akhimji at corpnonprd.xxxx.com > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 1 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok > size: 11 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok size: 0 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 15331 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): > 0x16b3740 > (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[pam]] 
[sbus_remove_timeout] (0x2000): 0x16b3740
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 95, User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji at CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 11
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b7bf0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b7bf0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [filter_responses] (0x1000): User info type [0] not filtered.
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 106
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b300:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][3][1][name=akhimji]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b3740
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b300:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b3740
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 95, User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pd_set_primary_name] (0x0400): User's primary name is akhimji at CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [akhimji at corpnonprd.xxxx.com] added to PAM initgroup cache
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 15331
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x16b83a0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41b300:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x16b83a0
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [sysdb_search_selinux_config] (0x0400): No SELinux root entry found
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [process_selinux_mappings] (0x2000): No SELinux support found for the domain
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 38
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
> (Fri Apr 26 21:07:32 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16c4140][21]
> (Fri Apr 26 21:07:37 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji at corpnonprd.xxxx.com] removed from PAM initgroup cache
> (Fri Apr 26 21:07:37 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [akhimji at corpnonprd.xxxx.com] removed from PAM initgroup cache
> (Fri Apr 26 21:07:38 2013) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
> (Fri Apr 26 21:07:38 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16b8fa0][20]
> (Fri Apr 26 21:07:38 2013) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x16b35d0][19]
>
>
> sssd_nss.log
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [confdb_get_domain_internal] (0x0400): No enumeration for [nix.corpnonprd.xxxx.com]!
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_init_connection] (0x0200): Adding connection BA3C50
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_watch] (0x2000): 0xba36b0/0xba2e90 (13), -/W (enabled)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba1070
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_names_init] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_init_connection] (0x0200): Adding connection BA2D00
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_watch] (0x2000): 0xba0860/0xba30c0 (14), -/W (enabled)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/nix.corpnonprd.xxxx.com/root] to negative cache permanently
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/nix.corpnonprd.xxxx.com/root] to negative cache permanently
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/tcsh in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/csh in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_mc_create_file] (0x0400): Failed to rm mmap file /var/lib/sss/mc/passwd: 2(No such file or directory)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sss_mc_create_file] (0x0400): Failed to rm mmap file /var/lib/sss/mc/group: 2(No such file or directory)
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba1070
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:05 2013) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [nixadmin] from []
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x4339e0:domains at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [nix.corpnonprd.xxxx.com][not forced][]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x4339e0:domains at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [process_subdomains] (0x0200): Adding subdomain [CorpNonPrd.xxxx.com] to the domain [nix.corpnonprd.xxxx.com]!
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [process_subdomains] (0x1000): Adding flat name [NIX] to domain [nix.corpnonprd.xxxx.com].
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_cb] (0x0400): Requesting info for [nixadmin] from []
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nixadmin at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:3:nixadmin at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4099][1][name=nixadmin]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2ad0
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:3:nixadmin at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x4339e0:domains at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2ad0
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [nixadmin at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin] to negative cache
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): No results for initgroups call
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:3:nixadmin at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'nixadmin' matched without domain, user is nixadmin
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [nixadmin] from []
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/nixadmin]
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0040): User [nixadmin] does not exist in [nix.corpnonprd.xxxx.com]! (negative cache)
> (Fri Apr 26 21:07:12 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [nixadmin], fail!
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [akhimji] from [CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:1:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][4097][1][name=akhimji]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xbb1290
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:1:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xbb1290
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:19 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:1:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'akhimji at corpnonprd.xxxx.com' matched expression for domain 'CorpNonPrd.xxxx.com', user is akhimji
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups] (0x0100): Requesting info for [akhimji] from [CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [CorpNonPrd.xxxx.com][4099][1][name=akhimji]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 95 error message: User lookup failed
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_initgroups_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 95, User lookup failed
> Will try to return what we have in cache
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:3:akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xbb1120][23]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59401108]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59401108 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59401108]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59401108 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401108 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59401108 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/akhimji at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59401108 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Apr 26 21:07:22 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59400512]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59400512 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59400512]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59400512 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2b80
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400512 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59400512 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/domain admins at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59400512 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59400513]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59400513 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59400513]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59400513 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2e10
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59400513 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59400513 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/domain users at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59400513 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/59401113]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x430590:2:59401113 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nix.corpnonprd.xxxx.com][4098][1][idnumber=59401113]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_add_timeout] (0x2000): 0xba2ad0
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x430590:2:59401113 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xba2ad0
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [59401113 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [59401113 at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/CorpNonPrd.xxxx.com/seca at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/CorpNonPrd.xxxx.com/akhimji at corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x430590:2:59401113 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GID/818800006]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [818800006 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [818800006 at nix.corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/GROUP/nix.corpnonprd.xxxx.com/ad_admins]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nix.corpnonprd.xxxx.com/akhimji at CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Apr 26 21:07:24 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [nss_cmd_endpwent] (0x0100): Terminating request info for all accounts
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Fri Apr 26 21:07:32 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba5220][23]
> (Fri Apr 26 21:07:38 2013) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
> (Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xbb0f30][22]
> (Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba0fc0][21]
> (Fri Apr 26 21:07:38 2013) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xba6980][20]
>
>
> krb5_child.log
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [main] (0x0400): krb5_child started.
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x1000): total buffer size: [132]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji at CORPNONPRD.xxxx.COM]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_XXXXXX] keytab: [/etc/krb5.keytab]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0400): Will perform online auth
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [krb5_child_setup] (0x0100): Not using FAST.
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769484443]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [validate_tgt] (0x0400): TGT verified using key for [host/rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM].
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [become_user] (0x0200): Trying to become user [59401108][59401108].
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_XXXXXX]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_XYHO4h]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [prepare_response_message] (0x0400): Building response for result [0]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [pack_response_packet] (0x2000): response packet size: [150]
> (Fri Apr 26 21:07:22 2013) [[sssd[krb5_child[15306]]]] [main] (0x0400): krb5_child completed successfully
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [main] (0x0400): krb5_child started.
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x1000): total buffer size: [132]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x0100): cmd [241] uid [59401108] gid [59401108] validate [true] offline [false] UPN [akhimji at CORPNONPRD.xxxx.COM]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_59401108_XYHO4h] keytab: [/etc/krb5.keytab]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0400): Will perform online auth
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [krb5_child_setup] (0x0100): Not using FAST.
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CORPNONPRD.xxxx.COM]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [769484433]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [validate_tgt] (0x2000): Keytab entry with the realm of the credential not found in keytab. Using the last entry.
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [validate_tgt] (0x0400): TGT verified using key for [host/rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM].
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [become_user] (0x0200): Trying to become user [59401108][59401108].
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [create_ccache_file] (0x0200): Creating ccache at [FILE:/tmp/krb5cc_59401108_XYHO4h]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [create_ccache_file] (0x1000): Created ccache file: [FILE:/tmp/krb5cc_59401108_XYHO4h]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [prepare_response_message] (0x0400): Building response for result [0]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [pack_response_packet] (0x2000): response packet size: [150]
> (Fri Apr 26 21:07:32 2013) [[sssd[krb5_child[15332]]]] [main] (0x0400): krb5_child completed successfully
>
>
> ldap_child.log
> (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x0400): ldap_child started.
> (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x2000): > context initialized > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): total buffer size: 83 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): realm_str size: 25 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): princ_str size: 42 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): keytab_name size: 0 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [unpack_buffer] > (0x1000): lifetime: 86400 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x2000): > getting TGT sync > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): got realm_name: [ > NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/ > rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x0100): Using keytab [default] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ > ccache_NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): credentials initialized > (Fri Apr 26 21:07:05 2013) 
[[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): credentials stored > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] > [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [prepare_response] > (0x0400): Building response for result [0] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [pack_buffer] > (0x2000): response size: 73 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [pack_buffer] > (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ > ccache_NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15273]]]] [main] (0x0400): > ldap_child completed successfully > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x0400): > ldap_child started. > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x2000): > context initialized > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): total buffer size: 83 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): realm_str size: 25 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): got realm_str: NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): princ_str size: 42 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): got princ_str: host/rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): keytab_name size: 0 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [unpack_buffer] > (0x1000): lifetime: 86400 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x2000): > getting TGT sync > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] 
(0x2000): got realm_name: [ > NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/ > rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x0100): Using keytab [default] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ > ccache_NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x2000): credentials initialized > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x2000): credentials stored > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] > [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [prepare_response] > (0x0400): Building response for result [0] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [pack_buffer] > (0x2000): response size: 73 > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [pack_buffer] > (0x1000): result [0] krberr [0] msgsize [53] msg [FILE:/var/lib/sss/db/ > ccache_NIX.CORPNONPRD.xxxx.COM] > (Fri Apr 26 21:07:05 2013) [[sssd[ldap_child[15275]]]] [main] (0x0400): > ldap_child completed successfully > > sssd_be > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [recreate_ares_channel] (0x0100): Initializing new c-ares channel > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [resolv_get_family_order] (0x1000): Lookup order: ipv4_first > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_context_init] 
(0x0400): Created new fail over context, retry timeout is > 30 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [confdb_get_domain_internal] (0x0400): No enumeration for [ > nix.corpnonprd.xxxx.com]! > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_domain_init_internal] (0x0200): DB File for nix.corpnonprd.xxxx.com: > /var/lib/sss/db/cache_nix.corpnonprd.xxxx.com.ldb > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldb] > (0x0400): asq: Unable to register control with rootdse! > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_init_connection] (0x0200): Adding connection 22FA640 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_add_watch] (0x2000): 0x22faa50/0x22f9280 (15), -/W (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [monitor_common_send_id] (0x0100): Sending ID: (% > BE_nix.corpnonprd.xxxx.com,1) > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_add_timeout] (0x2000): 0x22fae20 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_names_init] (0x0100): Using re > [(((?P[^\\]+)\\(?P.+$))|((?P[^@]+)@(?P.+$))|(^(?P[^@\\]+)$))]. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [create_socket_symlink] (0x1000): Symlinking the dbus path > /var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com.15267 to a link > /var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_new_server] (0x0400): D-BUS Server listening on > unix:path=/var/lib/sss/pipes/private/sbus-dp_nix.corpnonprd.xxxx.com.15267,guid=09db3141cd4e8179d1add54b00042674 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_add_watch] (0x2000): 0x22fa210/0x22fb860 (16), R/- (enabled) > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [load_backend_module] (0x1000): Loading backend [ipa] with path > [/usr/lib64/sssd/libsss_ipa.so]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_domain has value > nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_server has value _srv_, > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_backup_server has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_hostname has value > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_dyndns_update is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_dyndns_iface has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_hbac_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_host_search_base has no value > (Fri Apr 26 21:07:05 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_selinux_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_subdomains_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_master_domain_search_base has no > value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_realm has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_hbac_refresh has value 5 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_hbac_support_srchost is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_automount_location has value default > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ipa_ranges_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_new_service] (0x0400): Creating new service 'IPA' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_add_srv_server] (0x0400): Adding new SRV server to service 'IPA' using > 'tcp'. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_servers_init] (0x0400): Added service lookup for service IPA > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_add_server] (0x0080): Adding new server ' > didmsvrua01.nix.corpnonprd.xxxx.com', to service 'IPA' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_servers_init] (0x0400): Added Server > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_uri has value ldap:// > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_backup_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_authtok_type has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_search_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_network_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_search_scope has value sub > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_search_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_service_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_search_base has value > ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value > 21600 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has > value 900 > (Fri Apr 26 
21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_ip has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_schema has value ipa_v1 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_force_upper_case_realm is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has > value 300 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 3600 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cert has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option 
ldap_tls_key has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/ > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_realm has value > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_minssf has value 56 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_server has value > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_backup_server has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_realm has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_pwd_policy has value none > (Fri Apr 26 21:07:05 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_referrals is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option account_cache_expiration has value 0 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_access_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_deref has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_account_expire_policy has value ipa > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_access_order has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option 
ldap_enumeration_search_timeout has value > 60 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option > ldap_auth_disable_tls_never_use_in_production is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_page_size has value 1000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value > 900 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no > value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is > FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option > 
ldap_initgroups_use_matching_rule_in_chain is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_id_options] (0x0400): Option ldap_search_base set to > cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [common_parse_search_base] (0x0100): Search base added: > [DEFAULT][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_id_options] (0x0400): Option krb5_realm set to > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_set_sasl_options] (0x0100): Will look for host/ > rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM in default > keytab > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [select_principal_from_keytab] (0x0200): trying to select the most > appropriate principal from keytab > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [match_principal] (0x1000): Principal matched to the sample (host/ > rhidmclient.nix.corpnonprd.xxxx.com at NIX.CORPNONPRD.xxxx.COM). 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [select_principal_from_keytab] (0x0200): Selected primary: host/ > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [select_principal_from_keytab] (0x0200): Selected realm: > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/ > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_id_options] (0x0400): Option ldap_user_search_base set to > cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [common_parse_search_base] (0x0100): Search base added: > [USER][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_id_options] (0x0400): Option ldap_group_search_base set to > cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [common_parse_search_base] (0x0100): Search base added: > [GROUP][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [common_parse_search_base] (0x0100): Search base added: > [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_id_options] (0x0400): Option ldap_netgroup_search_base set to > cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [common_parse_search_base] (0x0100): Search base added: > [NETGROUP][cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][] > (Fri Apr 26 
has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value > modifyTimestamp > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_object_class has value > ipaNisNetgroup > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_name has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_member has value member > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_member_of has value memberOf > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_member_user has value > memberUser > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_member_host has value > memberHost > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_member_ext_host has value > externalHost > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_domain has value nisDomainName > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_netgroup_uuid has value ipaUniqueID > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_object_class has value ipaHost > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_name has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_fqdn has value fqdn > (Fri Apr 26 
21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_serverhostname has value > serverHostname > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_member_of has value memberOf > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_ssh_public_key has value > ipaSshPubKey > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_host_uuid has value ipaUniqueID > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_hostgroup_objectclass has value > ipaHostgroup > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_hostgroup_name has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_hostgroup_member has value member > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_hostgroup_memberof has value memberOf > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_hostgroup_uuid has value ipaUniqueID > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_service_object_class has value > ipService > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_service_name has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_service_proto has value > ipServiceProtocol > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value > (Fri Apr 26 21:07:05 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_object_class has value > ipaselinuxusermap > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_name has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_user has value > memberUser > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_member_host has value > memberHost > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_see_also has value > seeAlso > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_selinux_user has value > ipaSELinuxUser > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_enabled has value > ipaEnabledFlag > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_user_category has value > userCategory > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_host_category has value > hostCategory > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ipa_selinux_usermap_uuid has value > ipaUniqueID > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [check_and_export_lifetime] (0x0200): No lifetime configured. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [check_and_export_lifetime] (0x0200): No lifetime configured. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [check_and_export_options] (0x0100): No kpasswd server explicitly > configured, using the KDC or defaults. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [check_and_export_options] (0x0100): ccache is of type FILE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_process_init] (0x2000): AUTH backend target successfully loaded from > provider [ipa]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [load_backend_module] (0x1000): Backend [ipa] already loaded. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_domain has value > nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_server has value _srv_, > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_backup_server has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_hostname has value > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_dyndns_update is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_dyndns_iface has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_hbac_search_base has value > cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_host_search_base has value > cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_selinux_search_base has value > cn=selinux,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_subdomains_search_base has value > 
cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_master_domain_search_base has value > cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option krb5_realm has value > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_hbac_refresh has value 5 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_hbac_treat_deny_as has value DENY_ALL > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_hbac_support_srchost is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_automount_location has value default > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_copy_options] (0x0400): Option ipa_ranges_search_base has value > cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_process_init] (0x2000): ACCESS backend target successfully loaded from > provider [ipa]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [load_backend_module] (0x1000): Backend [ipa] already loaded. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_process_init] (0x2000): CHPASS backend target successfully loaded from > provider [ipa]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [load_backend_module] (0x1000): Loading backend [ldap] with path > [/usr/lib64/sssd/libsss_ldap.so]. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_uri has value ldap:// > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_backup_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_bind_dn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_authtok_type has value > password > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_search_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_network_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_opt_timeout has value 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_reqcert has value hard > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_scope has value sub > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_user_search_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[dp_get_options] (0x0400): Option ldap_group_search_scope has value sub > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_search_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_service_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_search_base has value > ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_full_refresh_interval has value > 21600 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_smart_refresh_interval has > value 900 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_use_host_filter is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_hostnames has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_ip has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_include_netgroups is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sudo_include_regexp is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_autofs_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_schema has value rfc2307 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_offline_timeout has value 60 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): 
Option ldap_force_upper_case_realm is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_enumeration_refresh_timeout has > value 300 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_purge_cache_timeout has value 10800 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cacert has value /etc/ipa/ca.crt > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cacertdir has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cert has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_key has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_tls_cipher_suite has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_id_use_start_tls is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_id_mapping is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_mech has value GSSAPI > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_authid has value host/ > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_realm has value > NIX.CORPNONPRD.xxxx.COM > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_minssf has value -1 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_keytab has no value > (Fri Apr 26 
21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_init_creds is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_server has value > didmsvrua01.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_backup_server has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_realm has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option krb5_canonicalize is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_pwd_policy has value none > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_referrals is TRUE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option account_cache_expiration has value 0 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_dns_service_name has value ldap > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_krb5_ticket_lifetime has value 86400 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_access_filter has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_netgroup_search_base has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_group_nesting_level has value 2 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_deref has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option 
ldap_account_expire_policy has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_access_order has value filter > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_backup_uri has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_dns_service_name has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_chpass_update_last_change is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_enumeration_search_timeout has value > 60 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option > ldap_auth_disable_tls_never_use_in_production is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_page_size has value 1000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_deref_threshold has value 10 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_connection_expire_timeout has value > 900 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_disable_paging is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000 > (Fri 
Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_autorid_compat is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_default_domain has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_idmap_default_domain_sid has no > value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option ldap_groups_use_matching_rule_in_chain is > FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [dp_get_options] (0x0400): Option > ldap_initgroups_use_matching_rule_in_chain is FALSE > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ldap_get_options] (0x0200): Search base not set, trying to discover it > later when connecting to the LDAP server. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_entry_usn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_rootdse_last_usn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_object_class has value > posixAccount > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_name has value uid > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_pwd has value userPassword > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_uid_number has value uidNumber > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_gid_number has value gidNumber > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_gecos has value gecos > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_home_directory has value > homeDirectory > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shell has value loginShell > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_principal has value > krbPrincipalName > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_fullname has value cn > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_member_of has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_uuid has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): 
Option ldap_user_objectsid has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_primary_group has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_modify_timestamp has value > modifyTimestamp > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_entry_usn has no value > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_last_change has value > shadowLastChange > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_min has value shadowMin > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_max has value shadowMax > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_warning has value > shadowWarning > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_inactive has value > shadowInactive > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_expire has value > shadowExpire > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_shadow_flag has value shadowFlag > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_krb_last_pwd_change has value > krbLastPwdChange > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_user_krb_password_expiration has value > krbPasswordExpiration > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_map] (0x0400): Option ldap_pwd_attribute has value pwdAttribute > (Fri Apr 26 21:07:05 2013) 
> [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_service has value authorizedService
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_account_expires has value accountExpires
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ad_user_account_control has value userAccountControl
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_ns_account_lock has value nsAccountLock
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_authorized_host has value host
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_disabled has value loginDisabled
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_expiration_time has value loginExpirationTime
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_nds_login_allowed_time_map has value loginAllowedTimeMap
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_user_ssh_public_key has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_object_class has value posixGroup
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_name has value cn
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_pwd has value userPassword
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value gidNumber
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_member has value memberuid
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_uuid has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_objectsid has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_modify_timestamp has value modifyTimestamp
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_group_entry_usn has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_object_class has value nisNetgroup
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_name has value cn
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_member has value memberNisNetgroup
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_triple has value nisNetgroupTriple
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_uuid has value nsUniqueId
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_netgroup_modify_timestamp has value modifyTimestamp
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_object_class has value ipService
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_name has value cn
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_port has value ipServicePort
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_proto has value ipServiceProtocol
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_service_entry_usn has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ldap_id_init] (0x1000): Service name for discovery set to ldap
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'LDAP'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_urls_init] (0x0400): Added URI ldap://didmsvrua01.nix.corpnonprd.xxxx.com
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'LDAP'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_init] (0x0040): Missing krb5_realm option, will use libkrb default
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_gssapi_get_default_realm] (0x1000): Will use default realm NIX.CORPNONPRD.xxxx.COM
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_new_service] (0x0400): Creating new service 'KERBEROS'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_add_server] (0x0080): Adding new server 'didmsvrua01.nix.corpnonprd.xxxx.com', to service 'KERBEROS'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_servers_init] (0x0400): Added Server didmsvrua01.nix.corpnonprd.xxxx.com
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367024835.331639
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_init] (0x2000): Initializing sudo LDAP back end
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_get_sudo_options] (0x0400): Search base not set, trying to discover it later connecting to the LDAP server.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_object_class has value sudoRole
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_name has value cn
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_command has value sudoCommand
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_host has value sudoHost
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_user has value sudoUser
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_option has value sudoOption
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasuser has value sudoRunAsUser
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_runasgroup has value sudoRunAsGroup
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notbefore has value sudoNotBefore
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_notafter has value sudoNotAfter
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_order has value sudoOrder
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_sudorule_entry_usn has no value
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_ip_addresses] (0x2000): Found IP address: 10.137.216.163 in network 10.137.216.160/28
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found fqdn: rhidmclient.nix.corpnonprd.xxxx.com
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_get_hostnames_send] (0x2000): Found hostname: rhidmclient
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): SUDO backend target successfully loaded from provider [ldap].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sssm_ipa_autofs_init] (0x2000): Initializing IPA autofs handler
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_autofs_init] (0x2000): Initializing autofs LDAP back end
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_autofs_options] (0x1000): Option ldap_autofs_search_base set to cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_object_class has value automountMap
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_map_name has value automountMapName
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_object_class has value automount
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_key has value automountKey
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_map] (0x0400): Option ldap_autofs_entry_value has value automountInformation
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_process_init] (0x2000): autofs backend target successfully loaded from provider [ipa].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x0200): no module name found in confdb, using [ipa].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [load_backend_module] (0x1000): Backend [ipa] already loaded.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [main] (0x0400): Backend provider (nix.corpnonprd.xxxx.com) started!
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1367024825
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name not resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying files
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in files
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'resolving name'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying files
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in files
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'didmsvrua01.nix.corpnonprd.xxxx.com' in DNS
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_timeout] (0x2000): 0x22fae20
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'name resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://didmsvrua01.nix.corpnonprd.xxxx.com'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://didmsvrua01.nix.corpnonprd.xxxx.com:389/??base] with fd [21].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultnamingcontext]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorName]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [dataversion]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [lastusn]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x231b9d0], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Got rootdse
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=nix,dc=corpnonprd,dc=xxxx,dc=com][SUBTREE][]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/rhidmclient.nix.corpnonprd.xxxx.com, NIX.CORPNONPRD.xxxx.COM, 86400)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 0 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'neutral'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'name resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 83
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [15273]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [15273]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[(nil)], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232a890.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232A890
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232ab50/0x2329930 (22), -/W (disabled)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232adc0]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232c1e0.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232C1E0
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232c4c0/0x2304f60 (23), -/W (disabled)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232c730]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232c730]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAC]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232dee0.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232DEE0
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232e540/0x232d8f0 (24), -/W (disabled)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232e7b0]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x232f540.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 232F540
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x232faf0/0x232e280 (25), -/W (disabled)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x232fd60]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232fd60]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SUDO]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Entering.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0x2331b60.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_init_connection] (0x0200): Adding connection 2331B60
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_add_watch] (0x2000): 0x23321c0/0x23314a0 (26), -/W (disabled)
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0x2332430]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232adc0]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [SSH]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x232e7b0]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [PAM]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Cancel DP ID timeout [0x2332430]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [client_registration] (0x0100): Added Frontend client [NSS]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_NIX.CORPNONPRD.xxxx.COM], expired on [1367111223]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1367025725
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/rhidmclient.nix.corpnonprd.xxxx.com
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x1000): Waiting for child [15273].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_sig_handler] (0x0100): child [15273] finished successfully.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_server_common_status] (0x0100): Marking server 'didmsvrua01.nix.corpnonprd.xxxx.com' as 'working'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=rhidmclient.nix.corpnonprd.xxxx.com)(sudoHost=rhidmclient)(sudoHost=10.137.216.163)(sudoHost=10.137.216.160/28)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x23293a0], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoCommand]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoHost]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoUser]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsUser]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sudoRunAsGroup]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[0x23293a0], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 1 rules
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule sudotest
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [1020]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1367046425
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1367025725
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x2318a00], connected[1], ops[(nil)], ldap[0x231b510]
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0400): SRV resolution of service 'IPA'. Will use DNS discovery domain 'nix.corpnonprd.xxxx.com'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.nix.corpnonprd.xxxx.com'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.nix.corpnonprd.xxxx.com'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_done] (0x0400): Inserted server 'didmsvrua01.nix.corpnonprd.xxxx.com:389' for service IPA
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://didmsvrua01.nix.corpnonprd.xxxx.com'
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap:// > didmsvrua01.nix.corpnonprd.xxxx.com:389/??base] with fd [27]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(objectclass=*)][]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [supportedLDAPVersion] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [supportedSASLMechanisms] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [domainControllerFunctionality] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [defaultNamingContext] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > 
[highestCommittedUSN] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x233a300], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x233a300], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [defaultnamingcontext] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [vendorName] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [vendorVersion] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [dataversion] > 
(Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [netscapemdsuffix] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [lastusn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x233a300], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_rootdse_done] (0x2000): Got rootdse > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_rootdse_done] (0x2000): Skipping auto-detection of match rule > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_kinit_send] (0x0400): Attempting kinit (default, host/ > rhidmclient.nix.corpnonprd.xxxx.com, NIX.CORPNONPRD.xxxx.COM, 86400) > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_server_status] (0x1000): Status of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 > seconds > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [resolve_srv_send] (0x0200): The status of SRV lookup is resolved > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_server_status] (0x1000): Status of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[be_resolve_server_process] (0x1000): Saving the first resolved server > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_resolve_server_process] (0x0200): Found address for server > didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT... > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [create_tgt_req_send_buffer] (0x1000): buffer size: 83 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [15275] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [15275] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [write_pipe_handler] (0x0400): All data has been sent! > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [delayed_online_authentication_callback] (0x0200): Backend is online, > starting delayed online authentication. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [read_pipe_handler] (0x0400): EOF received, client finished > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ > ccache_NIX.CORPNONPRD.xxxx.COM], expired on [1367111223] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_cli_auth_step] (0x0100): expire timeout is 900 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_cli_auth_step] (0x1000): the connection will expire at 1367025725 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ > rhidmclient.nix.corpnonprd.xxxx.com > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x1000): Waiting for child [15275]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x0100): child [15275] finished successfully. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_child_handler] (0x2000): waitpid failed [10]: No child processes > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_set_port_status] (0x0100): Marking port 389 of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [set_server_common_status] (0x0100): Marking server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x22fab90], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x22fab90], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_update_subdomains] (0x0400): Adding sub-domain [CorpNonPrd.xxxx.com > ]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaSecondaryBaseRID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 6 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23175b0], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23175b0], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23175b0], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23175b0], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_update_ranges] (0x0400): Adding range > [NIX.CORPNONPRD.xxxx.COM_id_range]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_update_ranges] (0x0400): Adding range [CORPNONPRD.xxxx.COM_id_range]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 7 > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2317710], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2317710], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2317710], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:05 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_subdomains] (0x0400): Got get subdomains [not forced][] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaSecondaryBaseRID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9 > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234eec0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: > [ipaNTSecurityIdentifier] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10 > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23284a0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23284a0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23284a0], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) > [Success] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [4099][1][name=nixadmin] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_initgr_next_base] (0x0400): Searching for users with base > [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(uid=nixadmin)(objectclass=posixAccount))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] > (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [shadowLastChange]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f570], ldap[0x2328500]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=nixadmin))
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=nixadmin]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=nixadmin)(objectclass=posixAccount))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2349d00], ldap[0x2328500]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=nixadmin))
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:12 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)(!(lastLogin=*))))
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)))
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367028435.309264
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)(!(lastLogin=*))))
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367024835)))
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:15 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367035635.332616
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=akhimji]
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2317710], ldap[0x2328500]
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null)
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_uid] (0x0400): No such entry
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:19 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f920], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f920], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 15
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234f230], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ba80], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [krb5_auth_send] (0x0100): No ccache file for user [akhimji at CorpNonPrd.xxxx.com] found.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_server_status] (0x1000): Status of server 'didmsvrua01.nix.corpnonprd.xxxx.com' is 'working'
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [15306]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [15306]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [write_pipe_handler] (0x0400): All data has been sent!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][CORPNONPRD]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=818800006]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=818800006)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23526a0], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [nsUniqueId]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23526a0], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_deref_step] (0x0400): Falling back to individual lookups
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_group_process_noderef] (0x2000): Looking up missing DN [cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_nested_get_user_send] (0x0080): Couldn't parse out user information based on DN (null), falling back to an LDAP lookup
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=posixAccount)][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2353820], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2353820], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*))][cn=ad_admins_external,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23539c0], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23539c0], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Processing group ad_admins
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x2000): This is a posix group
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] to attributes of [ad_admins].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130424190620Z] to attributes of [ad_admins].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_group] (0x0400): Storing info for group ad_admins
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x1000): Adding member users to group [ad_admins]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_grpmem] (0x0040): Failed to save user ad_admins
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_save_groups] (0x0040): Failed to store group 0 members.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 20 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2350db0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), > (null) > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_user_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_gid] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b500], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), > (null) > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_user_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_gid] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2351520], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), > (null) > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_user_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_group_by_gid] (0x0400): No such entry > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [read_pipe_handler] (0x0400): EOF received, client finished > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][3][44]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741822][30]. 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): TGT times are > [1367024840][1367024842][1367060840][1367111242]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][6][8]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_set_port_status] (0x0100): Marking port 389 of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [set_server_common_status] (0x0100): Marking server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [safe_remove_old_ccache_file] (0x0200): No old ccache, nothing to do > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com > ] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x1000): Waiting for child [15306]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x0100): child [15306] finished successfully. 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_child_handler] (0x2000): waitpid failed [10]: No child processes > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not > handled by the IPA provider but are resolved by the responder directly from > the cache. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler] (0x0100): Got request with the following data > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): service: su-l > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): tty: pts/1 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): ruser: nixadmin > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): rhost: > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): newauthtok type: 0 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] 
(0x0100): newauthtok size: 0 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): cli_pid: 15305 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_access_send] (0x0400): Performing access check for user [ > akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user > [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaHost)(fqdn=rhidmclient.nix.corpnonprd.xxxx.com > ))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 23 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2351b20], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2351b20], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= > rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] > using OpenLDAP deref > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no > 
filter][fqdn=rhidmclient.nix.corpnonprd.xxxx.com > ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 24 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2368630], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2368630], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > control parsed > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2368630], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_service_info_next] (0x0400): Sending request for next search > base: > [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACService)] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling 
ldap_search_ext with > [(objectClass=ipaHBACService)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 25 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No 
sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): 
Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search > base: > [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACServiceGroup)] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 26 > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [member] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [member] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234b7e0], ldap[0x2328500] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: > 
> [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn=rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 27
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234a870], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x1000): Total count [0]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x0020): [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a user or group. Skipping
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_users] (0x2000): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com))
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_host_attrs_to_rule] (0x1000): [fqdn=didmsvrua01.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does not map to either a host or hostgroup. Skipping
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): [1] groups for [akhimji@CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [akhimji@CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_SETCRED
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: su-l
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: pts/1
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: nixadmin
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15305
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Sending result [0][CorpNonPrd.xxxx.com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=akhimji]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401108]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59401108)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 28
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:22 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400512]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59400512)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x23528e0], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59400513]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59400513)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=59401113]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=59401113)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 31
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x2352150], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory)
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:24 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][corpnonprd.xxxx.com]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTTrustedDomain][cn=trusts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 32
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ab40], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ab40], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaIDRange][cn=ranges,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaBaseRID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSecondaryBaseRID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaIDRangeSize]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 33
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSecondaryBaseRID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaBaseRID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaIDRangeSize]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTTrustedDomainSID]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234b5e0], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=ipaNTDomainAttrs][cn=ad,cn=etc,dc=nix,dc=corpnonprd,dc=xxxx,dc=com].
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTFlatName]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 34
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTFlatName]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaNTSecurityIdentifier]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[0x234ad10], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [get_subdomains_callback] (0x0400): Backend returned: (0, 0, ) [Success]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:28 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not handled by the IPA provider but are resolved by the responder directly from the cache.
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler] (0x0100): Got request with the following data
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): user: akhimji@CorpNonPrd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): service: sudo
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): ruser: akhimji@corpnonprd.xxxx.com
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): rhost:
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok type: 1
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): authtok size: 11
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): newauthtok size: 0
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): priv: 0
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [pam_print_data] (0x0100): cli_pid: 15331
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [cc_residual_is_used] (0x1000): User [59401108] is still active, reusing ccache [/tmp/krb5cc_59401108_XYHO4h].
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_server_status] (0x1000): Status of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_port_status] (0x1000): Port status of port 389 for server ' > didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 > seconds > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [resolve_srv_send] (0x0200): The status of SRV lookup is resolved > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [get_server_status] (0x1000): Status of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' is 'working' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_resolve_server_process] (0x1000): Saving the first resolved server > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_resolve_server_process] (0x0200): Found address for server > didmsvrua01.nix.corpnonprd.xxxx.com: [10.137.216.162] TTL 1200 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_resolve_callback] (0x0400): Constructed uri 'ldap:// > didmsvrua01.nix.corpnonprd.xxxx.com' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [krb5_find_ccache_step] (0x0080): Saved ccache > FILE:/tmp/krb5cc_59401108_XYHO4h if of different type than ccache in > configuration file, reusing the old ccache > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_handler_setup] (0x2000): Setting up signal handler up for pid [15332] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_handler_setup] (0x2000): Signal handler set up for pid [15332] > (Fri Apr 26 21:07:32 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [write_pipe_handler] (0x0400): All data has been sent! > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [read_pipe_handler] (0x0400): EOF received, client finished > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][3][44]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741822][30]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): TGT times are > [1367024850][1367024852][1367060850][1367111252]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [parse_krb5_child_response] (0x1000): child response [0][6][8]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [fo_set_port_status] (0x0100): Marking port 389 of server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [set_server_common_status] (0x0100): Marking server ' > didmsvrua01.nix.corpnonprd.xxxx.com' as 'working' > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [safe_remove_old_ccache_file] (0x0400): New and old ccache file are the > same, no one will be deleted. 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com > ] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x1000): Waiting for child [15332]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [child_sig_handler] (0x0100): child [15332] finished successfully. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_child_handler] (0x2000): waitpid failed [10]: No child processes > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not > handled by the IPA provider but are resolved by the responder directly from > the cache. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. 
Returned 3,95,User lookup > failed > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler] (0x0100): Got request with the following data > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): command: PAM_ACCT_MGMT > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): domain: CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): user: akhimji at CorpNonPrd.xxxx.com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): service: sudo > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): tty: /dev/pts/1 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): ruser: akhimji at corpnonprd.xxxx.com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): rhost: > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok type: 0 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): authtok size: 0 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): newauthtok type: 0 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): newauthtok size: 0 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): priv: 0 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [pam_print_data] (0x0100): cli_pid: 15331 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_access_send] (0x0400): Performing access check for user [ > akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user > [akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 
21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectClass=ipaHost)(fqdn=rhidmclient.nix.corpnonprd.xxxx.com > ))][cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 35 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23672d0], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for 
[serverHostname] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x23672d0], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn= > rhidmclient.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] > using OpenLDAP deref > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no > filter][fqdn=rhidmclient.nix.corpnonprd.xxxx.com > ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 36 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2370520], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2370520], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_parse_entry] (0x0400): Got deref control > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_deref] (0x1000): Dereferenced DN: > ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_x_deref_parse_entry] (0x0400): All deref results from a single > control parsed > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2370520], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_service_info_next] (0x0400): Sending request for next search > base: > [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACService)] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling 
ldap_search_ext with > [(objectClass=ipaHBACService)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 37 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No 
sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): 
Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search > base: > [cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(objectClass=ipaHBACServiceGroup)] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 38 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [member] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [member] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x2366910], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: > 
[cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= > rhidmclient.nix.corpnonprd.xxxx.com > ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(|(hostCategory=all)(memberHost=fqdn= > rhidmclient.nix.corpnonprd.xxxx.com > ,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=ca686218-ac49-11e2-b2da-0050569a7aa2,cn=sudorules,cn=sudo,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=b4b8650c-ac4a-11e2-8386-0050569a7aa2,cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)(memberHost=ipauniqueid=1f8e4e36-ac51-11e2-90ff-0050569a7aa2,cn=ng,cn=alt,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)))][cn=hbac,dc=nix,dc=corpnonprd,dc=xxxx,dc=com]. 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > 
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 39 > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234a870], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234a870], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [cn] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberService] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [sourceHostCategory] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[0x234a870], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] 
(0x0400): Search result: Success(0), no errmsg > set > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_get_generic_ext_done] (0x1000): Total count [0] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_attrs_to_rule] (0x1000): Processing rule [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_users] (0x2000): Search users with filter: > (&(objectclass=user)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_users] (0x2000): No such entry > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_groups] (0x2000): Search groups with filter: > (&(objectclass=group)(originalDN=uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_groups] (0x2000): No such entry > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_user_attrs_to_rule] (0x0020): > [uid=atest,cn=users,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] does > not map to either a user or group. 
Skipping > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_users] (0x2000): Search users with filter: > (&(objectclass=user)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_users] (0x2000): No such entry > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_groups] (0x2000): Search groups with filter: > (&(objectclass=group)(originalDN=cn=ad_admins,cn=groups,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com)) > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [ad_admins] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [login] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x2000): Added service group [Sudo] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [su] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_service_attrs_to_rule] (0x2000): Added service [su-l] to rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_host_attrs_to_rule] (0x2000): Added host [ > rhidmclient.nix.corpnonprd.xxxx.com] to rule [test_HBAC] > (Fri Apr 26 21:07:32 2013) 
[sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_host_attrs_to_rule] (0x1000): [fqdn= > didmsvrua01.nix.corpnonprd.xxxx.com,cn=computers,cn=accounts,dc=nix,dc=corpnonprd,dc=xxxx,dc=com] > does not map to either a host or hostgroup. Skipping > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule > [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_eval_user_element] (0x1000): [1] groups for [ > akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [hbac_eval_user_element] (0x1000): Added group [ad_admins] for user [ > akhimji at CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [test_HBAC] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) > [Success] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: sh[0x233acc0], connected[1], > ops[(nil)], ldap[0x2328500] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sdap_process_result] (0x2000): Trace: ldap_result found nothing! > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sysdb_search_user_by_name] (0x0400): No such entry > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed. 
> (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_selinux_handler] (0x0040): Cannot create op context > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) > [Internal Error (System error)] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd.xxxx.com > ] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd.xxxx.com] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not > handled by the IPA provider but are resolved by the responder directly from > the cache. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji] > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [ipa_get_subdomain_account_info_send] (0x0400): Initgroups requests are not > handled by the IPA provider but are resolved by the responder directly from > the cache. > (Fri Apr 26 21:07:32 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup > failed > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232c4c0/0x230d8e0 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232c4c0/0x2304f60 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. 
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_client_destructor] (0x0020): Unknown client removed ... > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232faf0/0x232e2d0 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232faf0/0x232e280 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_client_destructor] (0x0400): Removed SUDO client > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232ab50/0x2325620 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232ab50/0x2329930 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_client_destructor] (0x0400): Removed SSH client > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232e540/0x232d940 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x232e540/0x232d8f0 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [be_client_destructor] (0x0400): Removed PAM client > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x23321c0/0x23314f0 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_remove_watch] (0x2000): 0x23321c0/0x23314a0 > (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] > [sbus_dispatch] (0x0080): Connection is not open for dispatching. 
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_client_destructor] (0x0400): Removed NSS client
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NIX.CORPNONPRD.xxxx.COM], [2][No such file or directory]
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x2318a00], connected[1], ops[(nil)], ldap[0x231b510], destructor_lock[0], release_memory[0]
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x233acc0], connected[1], ops[(nil)], ldap[0x2328500], destructor_lock[0], release_memory[0]
> (Fri Apr 26 21:07:38 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sbus_remove_watch] (0x2000): 0x22fa210/0x22fb860
>
> On Fri, Apr 26, 2013 at 7:50 AM, Pavel Březina wrote:
>
>> On 04/25/2013 04:16 PM, Aly Khimji wrote:
>>
>>> Hey guys,
>>>
>>> So selinux has been in permissive mode this whole time.
>>>
>>> As per your request, I first logged in with a local user (local to the system), and then attempted to su to the AD user, which worked. I then attempted to sudo -l, which failed. I have sanitized and provided logs below. Debugging is at 8, so hopefully it's ok and not too verbose.
>>>
>>> ldap, krb5, and sssd logs are the only logs with data in them.
>>>
>>> Thanks for your help guys,
>>>
>>> nixadmin is the local user
>>> akhimji is the AD trust user
>>
>> Hi,
>> the sssd_be log says that one sudo rule has been downloaded. Is that correct? Other things are unfortunately hidden in sssd_sudo.log, sssd_nss.log and sssd_pam.log.
>>
>> Can you put debug_level = 8 also in the [sudo], [nss] and [pam] sections of your sssd.conf and re-run the test, please? Hopefully, that will reveal more.
>>
>> What groups are the atest and btest users part of? How goes their membership hierarchy?
>> Can you send us the LDIF of ou=sudoers,dc=nix,dc=corpnonprd,dc=xxxx,dc=com?
>>
>> Thank you.
>>
>>> On Thu, Apr 25, 2013 at 6:38 AM, Pavel Březina wrote:
>>>
>>> On 04/24/2013 07:20 PM, Aly Khimji wrote:
>>>
>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [sss_selinux_extract_user] (0x0040): sysdb_search_user_by_name failed.
>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [ipa_selinux_handler] (0x0040): Cannot create op context
>>> (Wed Apr 24 13:07:35 2013) [sssd[be[nix.corpnonprd.xxxx.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, ) [Internal Error (System error)]
>>>
>>> Hi,
>>> this looks like a selinux problem to me. What happens when you set selinux to permissive?
>>>
>>> Also, does this problem occur only with sudo, or are other services affected too (id, authentication, ssh)?
>>>
>>> Can you please perform the following commands? It will remove the cache and logs, so do it in a safe non-production environment.
>>>
>>> As root:
>>> # service sssd stop
>>> # rm -f /var/lib/sss/db/* /var/lib/sss/mc/* /var/log/sssd/*
>>> # service sssd start
>>>
>>> As normal user:
>>> $ su ad-user at trusted-domain
>>> $ sudo -l
>>> $ exit
>>>
>>> And send us the sanitized logs (all of them).
>>>
>>> Thank you.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
From pbrezina at redhat.com Mon Apr 29 19:11:25 2013
From: pbrezina at redhat.com (Pavel Březina)
Date: Mon, 29 Apr 2013 21:11:25 +0200
Subject: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
In-Reply-To:
References: <51780FF5.4090301@redhat.com> <5179079A.9020904@redhat.com> <517A6A0E.3000801@redhat.com>
Message-ID: <517EC5DD.1000507@redhat.com>

On 04/29/2013 08:31 PM, Aly Khimji wrote:
> Hey Pavel/Guys,
>
> Do you see anything in the new logs that might help?
>
> I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly.
> However, it's reported as fixed but I am still having the same issue. I am building out a new test environment and I am also deploying a FC18 client which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.
>
> Currently installed on my client:
>
> libsss_sudo-1.9.2-82.7.el6_4.x86_64
> sssd-client-1.9.2-82.7.el6_4.x86_64
> libsss_idmap-1.9.2-82.7.el6_4.x86_64
> libsss_autofs-1.9.2-82.el6.x86_64
> sssd-1.9.2-82.7.el6_4.x86_64
>
> I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then sudo attempt.
>
> Thx
>
> Aly

Hi,
I'm sorry for such a late answer. The logs say that at the time of using sudo, the user akhimji is not present in the cache, which should not happen if you managed to log in. I will try to reproduce the issue first thing tomorrow and let you know.

From gmatz at collective.com Tue Apr 30 16:08:01 2013
From: gmatz at collective.com (Guy Matz)
Date: Tue, 30 Apr 2013 12:08:01 -0400
Subject: [Freeipa-users] Dynamic DNS
Message-ID: <517FEC61.7040407@collective.com>

hi! Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs!
I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:

grant host\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;
grant host\047ipadevmstr.collmedia.net at COLLMEDIA.NET wildcard * ANY;

I keep getting:

# nsupdate -g a_update
update failed: REFUSED
update failed: REFUSED
[root at ipadevmstr ~]# cat a_update
server ipadevmstr.collmedia.net
zone collmedia.net.
update add client.collmedia.net. 86400 IN A 192.168.8.120
send
update delete client.collmedia.net. IN A
send

tail /var/log/messages
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Any help would be GREATLY appreciated . . .

Thanks a lot,
Guy

From lroot at redhat.com Tue Apr 30 16:22:00 2013
From: lroot at redhat.com (Lynn Root)
Date: Tue, 30 Apr 2013 09:22:00 -0700
Subject: [Freeipa-users] Dynamic DNS
In-Reply-To: <517FEC61.7040407@collective.com>
References: <517FEC61.7040407@collective.com>
Message-ID: <4BB637BE-C112-43BE-A96A-46FC68F6CDDE@redhat.com>

Hi Guy!

I've been working with this recently - maybe I can help. Have you enrolled the ipadevmstr.collmedia.net as a service with `ipa service-add DNS/ipadevmstr.collmedia.net`?
On the client, can you `kinit -kt $dnskeytab -p DNS/ipadevmstr.collmedia.net` just fine? You'll have to kinit before you can do `nsupdate -g a_update`.

If all else fails, on the IPA Server, what does your kdc log say in /var/log/krb5kdc.log?

HTH,

Lynn Root
@roguelynn
Associate Software Engineer

On Apr 30, 2013, at 9:08 AM, Guy Matz wrote:

> hi! Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs! I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:
> grant host\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;
> grant host\047ipadevmstr.collmedia.net at COLLMEDIA.NET wildcard * ANY;
>
> I keep getting:
>
> # nsupdate -g a_update
> update failed: REFUSED
> update failed: REFUSED
> [root at ipadevmstr ~]# cat a_update
> server ipadevmstr.collmedia.net
> zone collmedia.net.
> update add client.collmedia.net. 86400 IN A 192.168.8.120
> send
> update delete client.collmedia.net. IN A
> send
>
> tail /var/log/messages
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
>
> Any help would be GREATLY appreciated . . .
>
> Thanks a lot,
> Guy

From john.moyer at digitalreasoning.com Tue Apr 30 16:30:12 2013
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 30 Apr 2013 12:30:12 -0400
Subject: [Freeipa-users] automember issues
Message-ID: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com>

Anyone have any suggestions on using the automember function in IPA? I've tried to set it up so that if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?

Thanks,
_____________________________________________________
John Moyer

From simon.williams at thehelpfulcat.com Tue Apr 30 16:47:57 2013
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Tue, 30 Apr 2013 17:47:57 +0100
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To:
References:
Message-ID:

Hi

I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!

I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the Windows machines. To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.
From abokovoy at redhat.com Tue Apr 30 17:01:13 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 30 Apr 2013 20:01:13 +0300
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To:
References:
Message-ID: <20130430170112.GL7607@redhat.com>

On Tue, 30 Apr 2013, Simon Williams wrote:
>Hi
>
>I don't know if anyone has tried what I want to do, I really just want to know if it's possible at the moment. A few pointers to any information would be helpful too!
Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC.

>I have an existing FreeIPA server running on a CentOS machine. It is used to authenticate all users on the network. This works very well, but setting up Windows workstations is a bit of a pain. I also want to provide some network storage for the Windows machines. To this end, I would like to set up a Samba 4 server as a slave to FreeIPA so that the Windows workstations could join an AD domain controlled by Samba 4, but actually authenticating against FreeIPA. I really want to keep FreeIPA in the driving seat, but would love to be able to make the Windows workstations behave as though they were on a domain.
So you describe above several disconnected cases:

1. Samba file server (smbd) authenticating against FreeIPA.
2. Samba AD DC controlling its own Active Directory-compatible deployment, trusting the FreeIPA deployment.

(1) is possible to implement with a few caveats, and some details are still rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so. For now, if there is a cross-realm trust with Active Directory, each IPA master which serves as a domain controller (after ipa-adtrust-install was run on it) could serve as a file server, but access control setup is a bit complex.

(2) is not possible right now due to the fact that Samba AD DC does not support cross-forest trusts right now.
There is a certain amount of work to be done to implement the needed logic in Samba.

-- 
/ Alexander Bokovoy

From JR.Aquino at citrix.com Tue Apr 30 17:21:22 2013
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 30 Apr 2013 17:21:22 +0000
Subject: [Freeipa-users] automember issues
In-Reply-To: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com>
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com>
Message-ID:

On Apr 30, 2013, at 9:30 AM, John Moyer wrote:

> Anyone have any suggestions on using the automember function in IPA? I've tried to set it up so that if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?

That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the attribute you are matching on is "enrolledby"?

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrix.com
http://www.citrixonline.com

> Thanks,
> _____________________________________________________
> John Moyer

From simo at redhat.com Tue Apr 30 17:25:44 2013
From: simo at redhat.com (Simo Sorce)
Date: Tue, 30 Apr 2013 13:25:44 -0400
Subject: [Freeipa-users] Dynamic DNS
In-Reply-To: <517FEC61.7040407@collective.com>
References: <517FEC61.7040407@collective.com>
Message-ID: <1367342744.10084.525.camel@willson.li.ssimo.org>

On Tue, 2013-04-30 at 12:08 -0400, Guy Matz wrote:
> hi! Anyone out there gotten Dynamic DNS working with a freeipa-managed DNS server? I've been trying for days following instructions from various freeipa and redhat docs! I've set up keytabs, set up /etc/rndc.key, set Dynamic update to True and put the following in my BIND update policy:
> grant host\047foreman.collmedia.net at COLLMEDIA.NET wildcard * ANY;
> grant host\047ipadevmstr.collmedia.net at COLLMEDIA.NET wildcard * ANY;

This looks good, you've put these in LDAP, right? Can you show the attributes as retrieved from an ldapsearch, just to check the formatting is correct?

> I keep getting:
>
> # nsupdate -g a_update
> update failed: REFUSED
> update failed: REFUSED
> [root at ipadevmstr ~]# cat a_update
> server ipadevmstr.collmedia.net
> zone collmedia.net.
> update add client.collmedia.net. 86400 IN A 192.168.8.120
> send
> update delete client.collmedia.net. IN A
> send

Shouldn't you delete first, add second?
> tail /var/log/messages
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37600: query: 692300375.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#52609: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#26141: query: collmedia.net IN SOA - (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#40423: query: 718499086.sig-ipadevmstr.collmedia.net ANY TKEY -T (192.168.8.111)
> Apr 30 11:52:32 ipadevmstr named[9349]: client 192.168.8.111#37000: updating zone 'collmedia.net/IN': update failed: rejected by secure update (REFUSED)

Something seems wrong with the Access Control policy ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

From john.moyer at digitalreasoning.com Tue Apr 30 17:41:19 2013
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 30 Apr 2013 13:41:19 -0400
Subject: [Freeipa-users] automember issues
In-Reply-To:
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com>
Message-ID:

Yep, enrolledby is what I'm using, but I have been adding them manually since it hasn't been working.

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino wrote:

> On Apr 30, 2013, at 9:30 AM, John Moyer wrote:
>
>> Anyone have any suggestions on using the automember function in IPA? I've tried to set it up so that if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?
>
> That -should- be enough to catch new hosts that are built by the 'build' user.
>
> Can you verify that the attribute you are matching on is "enrolledby"?

From deanhunter at comcast.net Tue Apr 30 15:57:52 2013
From: deanhunter at comcast.net (Dean Hunter)
Date: Tue, 30 Apr 2013 10:57:52 -0500
Subject: [Freeipa-users] Upgrade Test Case
Message-ID: <1367337472.1692.7.camel@developer.hunter.org>

I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild. I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case. Is an upgrade as trivial as pointing yum to a different set of repositories and updating?
From john.moyer at digitalreasoning.com Tue Apr 30 17:43:53 2013
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 30 Apr 2013 13:43:53 -0400
Subject: [Freeipa-users] automember issues
In-Reply-To:
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com>
Message-ID: <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com>

One thing to add is that this build user only has the following access:

Host Administrators
Host enrollment

Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group; it's the system technically doing it, so there shouldn't be a permissions issue.

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino wrote:

> On Apr 30, 2013, at 9:30 AM, John Moyer wrote:
>
>> Anyone have any suggestions on using the automember function in IPA? I've tried to set it up so that if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?
>
> That -should- be enough to catch new hosts that are built by the 'build' user.
>
> Can you verify that the attribute you are matching on is "enrolledby"?

From JR.Aquino at citrix.com Tue Apr 30 17:48:43 2013
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 30 Apr 2013 17:48:43 +0000
Subject: [Freeipa-users] automember issues
In-Reply-To: <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com>
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com>
Message-ID: <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com>

On Apr 30, 2013, at 10:43 AM, John Moyer wrote:

> One thing to add is that this build user only has the following access:
>
> Host Administrators
> Host enrollment
>
> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group; it's the system technically doing it, so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin should be catching the insertion of the new object, then matching the watched attribute, and executing the hostgroup assignment based upon the rights of the plugin rather than those of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
> Thanks, > _____________________________________________________ > John Moyer > On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: > >> >> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >> >> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >> >> >> That -should- be enough to catch new hosts that are built by the 'build' user. >> >> Can you verify that the Attribute you are matching on is: "enrolledby" ? >> >> >> "Keeping your head in the cloud" >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> Jr Aquino | Sr. Information Security Specialist >> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >> GCIH | GIAC Certified Incident Handler >> GWAPT | GIAC WebApp Penetration Tester >> >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >> T: +1 805.690.3478 >> C: +1 805.717.0365 >> jr.aquino at citrix.com >> http://www.citrixonline.com >> >> "Keeping your head in the cloud" >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> Jr Aquino | Sr. 
Information Security Specialist >> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >> GCIH | GIAC Certified Incident Handler >> GWAPT | GIAC WebApp Penetration Tester >> >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >> T: +1 805.690.3478 >> C: +1 805.717.0365 >> jr.aquino at citrix.com >> http://www.citrixonline.com >> >> >> >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > From john.moyer at digitalreasoning.com Tue Apr 30 17:52:45 2013 From: john.moyer at digitalreasoning.com (John Moyer) Date: Tue, 30 Apr 2013 13:52:45 -0400 Subject: [Freeipa-users] automember issues In-Reply-To: <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> Message-ID: <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> Not a problem, here is the output ipa automember-find --type=hostgroup --------------- 1 rules matched --------------- Automember Rule: test-group Inclusive Regex: enrolledby=build ---------------------------- Number of entries returned 1 ---------------------------- Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: > On Apr 30, 2013, at 10:43 AM, John Moyer > wrote: > >> One thing to add is that this build user only has the following access: >> >> Host Administrators >> Host enrollment >> >> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. 
>> > > The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. > > Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? > > If we are missing something or if we have any bugs in there, we need to get them identified and fixed. > > >> Thanks, >> _____________________________________________________ >> John Moyer >> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >> >>> >>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>> >>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>> >>> >>> That -should- be enough to catch new hosts that are built by the 'build' user. >>> >>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>> >>> >>> "Keeping your head in the cloud" >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Jr Aquino | Sr. Information Security Specialist >>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>> GCIH | GIAC Certified Incident Handler >>> GWAPT | GIAC WebApp Penetration Tester >>> >>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>> T: +1 805.690.3478 >>> C: +1 805.717.0365 >>> jr.aquino at citrix.com >>> http://www.citrixonline.com >>> >>> "Keeping your head in the cloud" >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Jr Aquino | Sr. 
Information Security Specialist >>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>> GCIH | GIAC Certified Incident Handler >>> GWAPT | GIAC WebApp Penetration Tester >>> >>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>> T: +1 805.690.3478 >>> C: +1 805.717.0365 >>> jr.aquino at citrix.com >>> http://www.citrixonline.com >>> >>> >>> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> > From rcritten at redhat.com Tue Apr 30 17:55:12 2013 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 30 Apr 2013 13:55:12 -0400 Subject: [Freeipa-users] Upgrade Test Case In-Reply-To: <1367337472.1692.7.camel@developer.hunter.org> References: <1367337472.1692.7.camel@developer.hunter.org> Message-ID: <51800580.6090602@redhat.com> Dean Hunter wrote: > I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might > be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I > tried to rebuild it from scratch, as I imagined larger installations > would not be able to rebuild. I thought the test cases for FreeIPA Test > Day might have instructions for the upgrade, but I did not find an > upgrade test case. > > Is an upgrade as trivial as pointing yum to a different set of > repositories and updating? It should work like previous Fedora updates. Just upgrade the distro in-place it should upgrade FreeIPA as well, to 3.2 beta1. 
https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#Fedora_18_-.3E_Fedora_19_.28pre_release_branched.29 rob From abokovoy at redhat.com Tue Apr 30 17:55:26 2013 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Apr 2013 20:55:26 +0300 Subject: [Freeipa-users] Upgrade Test Case In-Reply-To: <1367337472.1692.7.camel@developer.hunter.org> References: <1367337472.1692.7.camel@developer.hunter.org> Message-ID: <20130430175526.GM7607@redhat.com> On Tue, 30 Apr 2013, Dean Hunter wrote: >I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might >be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I >tried to rebuild it from scratch, as I imagined larger installations >would not be able to rebuild. I thought the test cases for FreeIPA Test >Day might have instructions for the upgrade, but I did not find an >upgrade test case. > >Is an upgrade as trivial as pointing yum to a different set of >repositories and updating? Apart from general F18->F19 upgrade issues (if any), there is Kerberos change from 1.10 to 1.11 which brings change in KDC driver ABI. As result, you will need to restart KDC after upgrade. -- / Alexander Bokovoy From nkinder at redhat.com Tue Apr 30 17:56:46 2013 From: nkinder at redhat.com (Nathan Kinder) Date: Tue, 30 Apr 2013 10:56:46 -0700 Subject: [Freeipa-users] automember issues In-Reply-To: <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> Message-ID: <518005DE.10500@redhat.com> On 04/30/2013 10:48 AM, JR Aquino wrote: > On Apr 30, 2013, at 10:43 AM, John Moyer > wrote: > >> One thing to add is that this build user only has the following access: >> >> Host Administrators >> Host enrollment >> >> Would he need more access to do the membership? 
My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >> > The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. This is correct. The user doesn't matter, as the operation that deals with the group membership is done internally by the AutoMember plug-in. > > Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? > > If we are missing something or if we have any bugs in there, we need to get them identified and fixed. > > >> Thanks, >> _____________________________________________________ >> John Moyer >> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >> >>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>> >>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>> >>> >>> That -should- be enough to catch new hosts that are built by the 'build' user. >>> >>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>> >>> >>> "Keeping your head in the cloud" >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Jr Aquino | Sr. 
Information Security Specialist >>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>> GCIH | GIAC Certified Incident Handler >>> GWAPT | GIAC WebApp Penetration Tester >>> >>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>> T: +1 805.690.3478 >>> C: +1 805.717.0365 >>> jr.aquino at citrix.com >>> http://www.citrixonline.com >>> >>> "Keeping your head in the cloud" >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Jr Aquino | Sr. Information Security Specialist >>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>> GCIH | GIAC Certified Incident Handler >>> GWAPT | GIAC WebApp Penetration Tester >>> >>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>> T: +1 805.690.3478 >>> C: +1 805.717.0365 >>> jr.aquino at citrix.com >>> http://www.citrixonline.com >>> >>> >>> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> From JR.Aquino at citrix.com Tue Apr 30 17:57:46 2013 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 30 Apr 2013 17:57:46 +0000 Subject: [Freeipa-users] automember issues In-Reply-To: <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> Message-ID: On Apr 30, 2013, at 10:52 AM, John Moyer wrote: > Not a problem, here is the output > > ipa automember-find --type=hostgroup > --------------- > 1 rules matched > --------------- > Automember Rule: test-group > Inclusive Regex: enrolledby=build > ---------------------------- > Number of entries returned 1 > ---------------------------- > interesting. 
When you do an: ipa host-show test-hostname.example.com --all --raw Does it clearly show that enrolledby=build? > > > Thanks, > _____________________________________________________ > John Moyer > > > On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: > >> On Apr 30, 2013, at 10:43 AM, John Moyer >> wrote: >> >>> One thing to add is that this build user only has the following access: >>> >>> Host Administrators >>> Host enrollment >>> >>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>> >> >> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >> >> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >> >> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >> >> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>> >>>> >>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>> >>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>> >>>> >>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>> >>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? 
>>>> >>>> >>>> "Keeping your head in the cloud" >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> Jr Aquino | Sr. Information Security Specialist >>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>> GCIH | GIAC Certified Incident Handler >>>> GWAPT | GIAC WebApp Penetration Tester >>>> >>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>> T: +1 805.690.3478 >>>> C: +1 805.717.0365 >>>> jr.aquino at citrix.com >>>> http://www.citrixonline.com >>>> >>>> "Keeping your head in the cloud" >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> Jr Aquino | Sr. Information Security Specialist >>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>> GCIH | GIAC Certified Incident Handler >>>> GWAPT | GIAC WebApp Penetration Tester >>>> >>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>> T: +1 805.690.3478 >>>> C: +1 805.717.0365 >>>> jr.aquino at citrix.com >>>> http://www.citrixonline.com >>>> >>>> >>>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> >> > From john.moyer at digitalreasoning.com Tue Apr 30 18:02:37 2013 From: john.moyer at digitalreasoning.com (John Moyer) Date: Tue, 30 Apr 2013 14:02:37 -0400 Subject: [Freeipa-users] automember issues In-Reply-To: References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> Message-ID: <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> It comes back with a ton of stuff the row you are probably interested in is this one: enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Thanks, _____________________________________________________ John 
Moyer On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: > On Apr 30, 2013, at 10:52 AM, John Moyer > wrote: > >> Not a problem, here is the output >> >> ipa automember-find --type=hostgroup >> --------------- >> 1 rules matched >> --------------- >> Automember Rule: test-group >> Inclusive Regex: enrolledby=build >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> > > interesting. > > When you do an: ipa host-show test-hostname.example.com --all --raw > > Does it clearly show that enrolledby=build? > >> >> >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >> >>> On Apr 30, 2013, at 10:43 AM, John Moyer >>> wrote: >>> >>>> One thing to add is that this build user only has the following access: >>>> >>>> Host Administrators >>>> Host enrollment >>>> >>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>> >>> >>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>> >>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>> >>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>> >>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>> >>>>> >>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>> >>>>> Anyone have any suggestions to using the auto member function in IPA? 
I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>> >>>>> >>>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>>> >>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>> >>>>> >>>>> "Keeping your head in the cloud" >>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>> Jr Aquino | Sr. Information Security Specialist >>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>> GCIH | GIAC Certified Incident Handler >>>>> GWAPT | GIAC WebApp Penetration Tester >>>>> >>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>> T: +1 805.690.3478 >>>>> C: +1 805.717.0365 >>>>> jr.aquino at citrix.com >>>>> http://www.citrixonline.com >>>>> >>>>> "Keeping your head in the cloud" >>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>> Jr Aquino | Sr. 
Information Security Specialist >>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>> GCIH | GIAC Certified Incident Handler >>>>> GWAPT | GIAC WebApp Penetration Tester >>>>> >>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>> T: +1 805.690.3478 >>>>> C: +1 805.717.0365 >>>>> jr.aquino at citrix.com >>>>> http://www.citrixonline.com >>>>> >>>>> >>>>> >>>>> Thanks, >>>>> _____________________________________________________ >>>>> John Moyer >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>> >>> >> > From JR.Aquino at citrix.com Tue Apr 30 18:07:00 2013 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 30 Apr 2013 18:07:00 +0000 Subject: [Freeipa-users] automember issues In-Reply-To: <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> Message-ID: <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> On Apr 30, 2013, at 11:02 AM, John Moyer wrote: > It comes back with a ton of stuff the row you are probably interested in is this one: > > enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com Bingo! Ok, try to adjust your automember rule. 
Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com See if that does the trick > Thanks, > _____________________________________________________ > John Moyer > > > On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: > >> On Apr 30, 2013, at 10:52 AM, John Moyer >> wrote: >> >>> Not a problem, here is the output >>> >>> ipa automember-find --type=hostgroup >>> --------------- >>> 1 rules matched >>> --------------- >>> Automember Rule: test-group >>> Inclusive Regex: enrolledby=build >>> ---------------------------- >>> Number of entries returned 1 >>> ---------------------------- >>> >> >> interesting. >> >> When you do an: ipa host-show test-hostname.example.com --all --raw >> >> Does it clearly show that enrolledby=build? >> >>> >>> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> >>> >>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>> >>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>> wrote: >>>> >>>>> One thing to add is that this build user only has the following access: >>>>> >>>>> Host Administrators >>>>> Host enrollment >>>>> >>>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>> >>>> >>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>> >>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>>> >>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. 
>>>> >>>> >>>>> Thanks, >>>>> _____________________________________________________ >>>>> John Moyer >>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>> >>>>>> >>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>> >>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>> >>>>>> >>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>>>> >>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>> >>>>>> >>>>>> "Keeping your head in the cloud" >>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>> GCIH | GIAC Certified Incident Handler >>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>> >>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>> T: +1 805.690.3478 >>>>>> C: +1 805.717.0365 >>>>>> jr.aquino at citrix.com >>>>>> http://www.citrixonline.com >>>>>> >>>>>> "Keeping your head in the cloud" >>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>> Jr Aquino | Sr. 
Information Security Specialist >>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>> GCIH | GIAC Certified Incident Handler >>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>> >>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>> T: +1 805.690.3478 >>>>>> C: +1 805.717.0365 >>>>>> jr.aquino at citrix.com >>>>>> http://www.citrixonline.com >>>>>> >>>>>> >>>>>> >>>>>> Thanks, >>>>>> _____________________________________________________ >>>>>> John Moyer >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>> >>>>> >>>> >>> >> > From john.moyer at digitalreasoning.com Tue Apr 30 18:12:12 2013 From: john.moyer at digitalreasoning.com (John Moyer) Date: Tue, 30 Apr 2013 14:12:12 -0400 Subject: [Freeipa-users] automember issues In-Reply-To: <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> Message-ID: I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. 
This is the new output of that command you had me run earlier: ipa automember-find --type=hostgroup --------------- 1 rules matched --------------- Automember Rule: test-group Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com ---------------------------- Number of entries returned 1 ---------------------------- Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 2:07 PM, JR Aquino wrote: > On Apr 30, 2013, at 11:02 AM, John Moyer > wrote: > >> It comes back with a ton of stuff the row you are probably interested in is this one: >> >> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com > > Bingo! > > Ok, try to adjust your automember rule. > > Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com > > See if that does the trick > >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: >> >>> On Apr 30, 2013, at 10:52 AM, John Moyer >>> wrote: >>> >>>> Not a problem, here is the output >>>> >>>> ipa automember-find --type=hostgroup >>>> --------------- >>>> 1 rules matched >>>> --------------- >>>> Automember Rule: test-group >>>> Inclusive Regex: enrolledby=build >>>> ---------------------------- >>>> Number of entries returned 1 >>>> ---------------------------- >>>> >>> >>> interesting. >>> >>> When you do an: ipa host-show test-hostname.example.com --all --raw >>> >>> Does it clearly show that enrolledby=build? >>> >>>> >>>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> >>>> >>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>>> >>>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>>> wrote: >>>>> >>>>>> One thing to add is that this build user only has the following access: >>>>>> >>>>>> Host Administrators >>>>>> Host enrollment >>>>>> >>>>>> Would he need more access to do the membership? 
My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>>> >>>>> >>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>>> >>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>>>> >>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>>>> >>>>> >>>>>> Thanks, >>>>>> _____________________________________________________ >>>>>> John Moyer >>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>>> >>>>>>> >>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>>> >>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>>> >>>>>>> >>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>>>>> >>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>> >>>>>>> >>>>>>> "Keeping your head in the cloud" >>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>> Jr Aquino | Sr. 
Information Security Specialist >>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>> >>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>> T: +1 805.690.3478 >>>>>>> C: +1 805.717.0365 >>>>>>> jr.aquino at citrix.com >>>>>>> http://www.citrixonline.com >>>>>>> >>>>>>> "Keeping your head in the cloud" >>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>> >>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>> T: +1 805.690.3478 >>>>>>> C: +1 805.717.0365 >>>>>>> jr.aquino at citrix.com >>>>>>> http://www.citrixonline.com >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> _____________________________________________________ >>>>>>> John Moyer >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Freeipa-users mailing list >>>>>>> Freeipa-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> >>>>>> >>>>> >>>> >>> >> > From JR.Aquino at citrix.com Tue Apr 30 18:17:36 2013 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 30 Apr 2013 18:17:36 +0000 Subject: [Freeipa-users] automember issues In-Reply-To: References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> Message-ID: On Apr 30, 2013, at 11:12 AM, John Moyer wrote: > I tried adding it in addition to the current rule and that didn't work. 
I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. > > This is the new output of that command you had me run earlier: > > ipa automember-find --type=hostgroup > --------------- > 1 rules matched > --------------- > Automember Rule: test-group > Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com > ---------------------------- > Number of entries returned 1 > ---------------------------- > Interesting. What about if you just do something silly like: ".*build.*" Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? > > > Thanks, > _____________________________________________________ > John Moyer > > > On Apr 30, 2013, at 2:07 PM, JR Aquino wrote: > >> On Apr 30, 2013, at 11:02 AM, John Moyer >> wrote: >> >>> It comes back with a ton of stuff the row you are probably interested in is this one: >>> >>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com >> >> Bingo! >> >> Ok, try to adjust your automember rule. >> >> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com >> >> See if that does the trick >> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> >>> >>> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: >>> >>>> On Apr 30, 2013, at 10:52 AM, John Moyer >>>> wrote: >>>> >>>>> Not a problem, here is the output >>>>> >>>>> ipa automember-find --type=hostgroup >>>>> --------------- >>>>> 1 rules matched >>>>> --------------- >>>>> Automember Rule: test-group >>>>> Inclusive Regex: enrolledby=build >>>>> ---------------------------- >>>>> Number of entries returned 1 >>>>> ---------------------------- >>>>> >>>> >>>> interesting. >>>> >>>> When you do an: ipa host-show test-hostname.example.com --all --raw >>>> >>>> Does it clearly show that enrolledby=build? 
>>>> >>>>> >>>>> >>>>> Thanks, >>>>> _____________________________________________________ >>>>> John Moyer >>>>> >>>>> >>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>>>> >>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>>>> wrote: >>>>>> >>>>>>> One thing to add is that this build user only has the following access: >>>>>>> >>>>>>> Host Administrators >>>>>>> Host enrollment >>>>>>> >>>>>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>>>> >>>>>> >>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>>>> >>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>>>>> >>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>>>>> >>>>>> >>>>>>> Thanks, >>>>>>> _____________________________________________________ >>>>>>> John Moyer >>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>>>> >>>>>>>> >>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>>>> >>>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>>>> >>>>>>>> >>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. 
>>>>>>>> >>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>>> >>>>>>>> >>>>>>>> "Keeping your head in the cloud" >>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>> >>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>> T: +1 805.690.3478 >>>>>>>> C: +1 805.717.0365 >>>>>>>> jr.aquino at citrix.com >>>>>>>> http://www.citrixonline.com >>>>>>>> >>>>>>>> "Keeping your head in the cloud" >>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>> >>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>> T: +1 805.690.3478 >>>>>>>> C: +1 805.717.0365 >>>>>>>> jr.aquino at citrix.com >>>>>>>> http://www.citrixonline.com >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thanks, >>>>>>>> _____________________________________________________ >>>>>>>> John Moyer >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Freeipa-users mailing list >>>>>>>> Freeipa-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From simon.williams at thehelpfulcat.com Tue Apr 30 18:03:22 2013 From: simon.williams at thehelpfulcat.com (simon.williams at thehelpfulcat.com) Date: Tue, 30 Apr 2013 18:03:22 +0000 Subject: [Freeipa-users] =?utf-8?q?Samba_4_with_IPA?= In-Reply-To: <20130430170112.GL7607@redhat.com> References: , <20130430170112.GL7607@redhat.com> Message-ID: <51800b2e.c624b40a.1f6a.16c6@mx.google.com> That is actually pretty good news. 
The real requirement is network storage for the Windows workstations secured by FreeIPA authentication. If I read what you?ve said correctly this is possible now. I can live with the magical incantations to enrol any new Windows machines for now. There are a few things that would work better if Windows thought it was logging on to a domain, but we have lived without those features for the last year. Once a Windows machine has been set up correctly, which can be a bit hit and miss, the authentication works flawlessly . It sounds as though I can set up the file server now and then extend it to do the AD DC bit when it is ready. I don?t suppose there is a Samba 4 + FreeIPA 3 file server HowTo anywhere is there? Sent from Windows Mail From: Alexander Bokovoy Sent: ?Tuesday?, ?30? ?April? ?2013 ?18?:?01 To: Simon Williams Cc: freeipa-users On Tue, 30 Apr 2013, Simon Williams wrote: >Hi > >I don't know if anyone has tried what I want to do, I really just want to >know if it's possible at the moment. A few pointers to any information >would be helpful too! Short answer: not possible right now if by 'Samba 4' you mean Samba AD DC. >I have an existing FreeIPA server running on a CentOS machine. It is used >to authenticate all users on the network. This works very well, but setting >up Windows workstations is a bit of a pain. I also want to provide some >network storage for the windows machines. To this end, I would like to set >up a Samba 4 server as a slave to FreeIPA so that the Windows workstations >could join an AD domain controlled by Samba 4, but actually authenticating >against FreeIPA. I really want to keep FreeIPA in the driving seat, but >would love to be able to make the Windows workstations behave as though >they were on a domain. So you describe above several disconnected cases: 1. Samba file server (smbd) authenticating against FreeIPA. 2. Samba AD DC controlling its own Active Directory-compatible deployment trusting FreeIPA deployment. 
(1) is possible to implement with few caveats and some details are still rough. We have plans on making the experience smoother for FreeIPA 3.3+ or so. For now, if there is cross-realm trust with Active Directory, each IPA master which serves as domain controller (after ipa-adtrust-install was run on it) could serve as file server but access control setup is a bit complex. (2) is not possible right now due to the fact that Samba AD DC does not support cross-forest trusts right now. There is certain amount of work to be done to implement needed logic in Samba. -- / Alexander Bokovoy -------------- next part -------------- An HTML attachment was scrubbed... URL: From john.moyer at digitalreasoning.com Tue Apr 30 18:23:02 2013 From: john.moyer at digitalreasoning.com (John Moyer) Date: Tue, 30 Apr 2013 14:23:02 -0400 Subject: [Freeipa-users] automember issues In-Reply-To: References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> Message-ID: <96F92939-A1C6-4DF3-B9D6-A102E7C006A4@digitalreasoning.com> Ha! I tried .*build and build.* before contacting you guys, I didn't try .*build.* That worked, it automatically added the machine to the group! Thanks!!!!! That will save me soooo much time! Thanks, _____________________________________________________ John Moyer On Apr 30, 2013, at 2:17 PM, JR Aquino wrote: > On Apr 30, 2013, at 11:12 AM, John Moyer > wrote: > >> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. 
>> >> This is the new output of that command you had me run earlier: >> >> ipa automember-find --type=hostgroup >> --------------- >> 1 rules matched >> --------------- >> Automember Rule: test-group >> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> > > Interesting. > > What about if you just do something silly like: ".*build.*" > > Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? > >> >> >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> On Apr 30, 2013, at 2:07 PM, JR Aquino wrote: >> >>> On Apr 30, 2013, at 11:02 AM, John Moyer >>> wrote: >>> >>>> It comes back with a ton of stuff the row you are probably interested in is this one: >>>> >>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com >>> >>> Bingo! >>> >>> Ok, try to adjust your automember rule. >>> >>> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com >>> >>> See if that does the trick >>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> >>>> >>>> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: >>>> >>>>> On Apr 30, 2013, at 10:52 AM, John Moyer >>>>> wrote: >>>>> >>>>>> Not a problem, here is the output >>>>>> >>>>>> ipa automember-find --type=hostgroup >>>>>> --------------- >>>>>> 1 rules matched >>>>>> --------------- >>>>>> Automember Rule: test-group >>>>>> Inclusive Regex: enrolledby=build >>>>>> ---------------------------- >>>>>> Number of entries returned 1 >>>>>> ---------------------------- >>>>>> >>>>> >>>>> interesting. >>>>> >>>>> When you do an: ipa host-show test-hostname.example.com --all --raw >>>>> >>>>> Does it clearly show that enrolledby=build? 
>>>>> >>>>>> >>>>>> >>>>>> Thanks, >>>>>> _____________________________________________________ >>>>>> John Moyer >>>>>> >>>>>> >>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>>>>> >>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>>>>> wrote: >>>>>>> >>>>>>>> One thing to add is that this build user only has the following access: >>>>>>>> >>>>>>>> Host Administrators >>>>>>>> Host enrollment >>>>>>>> >>>>>>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>>>>> >>>>>>> >>>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>>>>> >>>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>>>>>> >>>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>>>>>> >>>>>>> >>>>>>>> Thanks, >>>>>>>> _____________________________________________________ >>>>>>>> John Moyer >>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>>>>> >>>>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>>>>> >>>>>>>>> >>>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. 
>>>>>>>>> >>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>>>> >>>>>>>>> >>>>>>>>> "Keeping your head in the cloud" >>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>> >>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>> T: +1 805.690.3478 >>>>>>>>> C: +1 805.717.0365 >>>>>>>>> jr.aquino at citrix.com >>>>>>>>> http://www.citrixonline.com >>>>>>>>> >>>>>>>>> "Keeping your head in the cloud" >>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>> >>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>> T: +1 805.690.3478 >>>>>>>>> C: +1 805.717.0365 >>>>>>>>> jr.aquino at citrix.com >>>>>>>>> http://www.citrixonline.com >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> _____________________________________________________ >>>>>>>>> John Moyer >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Freeipa-users mailing list >>>>>>>>> Freeipa-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From JR.Aquino at citrix.com Tue Apr 30 18:24:53 2013 From: JR.Aquino at citrix.com (JR Aquino) Date: Tue, 30 Apr 2013 18:24:53 +0000 Subject: [Freeipa-users] automember issues In-Reply-To: <96F92939-A1C6-4DF3-B9D6-A102E7C006A4@digitalreasoning.com> References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> 
<940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> <96F92939-A1C6-4DF3-B9D6-A102E7C006A4@digitalreasoning.com> Message-ID: <59D028B8-52C9-4668-8B2A-DE3323E98D2E@citrixonline.com> On Apr 30, 2013, at 11:23 AM, John Moyer wrote: > Ha! I tried .*build and build.* before contacting you guys, I didn't try .*build.* > > That worked, it automatically added the machine to the group! > > Thanks!!!!! That will save me soooo much time! > Not a problem John, thanks for your patience! Glad to be of help! I'm very happy to see that some of the stuff that I use daily saves other folks time and headaches too! -JR > > Thanks, > _____________________________________________________ > John Moyer > > > On Apr 30, 2013, at 2:17 PM, JR Aquino wrote: > >> On Apr 30, 2013, at 11:12 AM, John Moyer >> wrote: >> >>> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. >>> >>> This is the new output of that command you had me run earlier: >>> >>> ipa automember-find --type=hostgroup >>> --------------- >>> 1 rules matched >>> --------------- >>> Automember Rule: test-group >>> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com >>> ---------------------------- >>> Number of entries returned 1 >>> ---------------------------- >>> >> >> Interesting. >> >> What about if you just do something silly like: ".*build.*" >> >> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? 
>> >>> >>> >>> Thanks, >>> _____________________________________________________ >>> John Moyer >>> >>> >>> On Apr 30, 2013, at 2:07 PM, JR Aquino wrote: >>> >>>> On Apr 30, 2013, at 11:02 AM, John Moyer >>>> wrote: >>>> >>>>> It comes back with a ton of stuff the row you are probably interested in is this one: >>>>> >>>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com >>>> >>>> Bingo! >>>> >>>> Ok, try to adjust your automember rule. >>>> >>>> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com >>>> >>>> See if that does the trick >>>> >>>>> Thanks, >>>>> _____________________________________________________ >>>>> John Moyer >>>>> >>>>> >>>>> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: >>>>> >>>>>> On Apr 30, 2013, at 10:52 AM, John Moyer >>>>>> wrote: >>>>>> >>>>>>> Not a problem, here is the output >>>>>>> >>>>>>> ipa automember-find --type=hostgroup >>>>>>> --------------- >>>>>>> 1 rules matched >>>>>>> --------------- >>>>>>> Automember Rule: test-group >>>>>>> Inclusive Regex: enrolledby=build >>>>>>> ---------------------------- >>>>>>> Number of entries returned 1 >>>>>>> ---------------------------- >>>>>>> >>>>>> >>>>>> interesting. >>>>>> >>>>>> When you do an: ipa host-show test-hostname.example.com --all --raw >>>>>> >>>>>> Does it clearly show that enrolledby=build? >>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> _____________________________________________________ >>>>>>> John Moyer >>>>>>> >>>>>>> >>>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>>>>>> >>>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>>>>>> wrote: >>>>>>>> >>>>>>>>> One thing to add is that this build user only has the following access: >>>>>>>>> >>>>>>>>> Host Administrators >>>>>>>>> Host enrollment >>>>>>>>> >>>>>>>>> Would he need more access to do the membership? 
My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>>>>>> >>>>>>>> >>>>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>>>>>> >>>>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? >>>>>>>> >>>>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>>>>>>> >>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> _____________________________________________________ >>>>>>>>> John Moyer >>>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>>>>>> >>>>>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>>>>>>>> >>>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> "Keeping your head in the cloud" >>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>>> Jr Aquino | Sr. 
Information Security Specialist >>>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>>> >>>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>>> T: +1 805.690.3478 >>>>>>>>>> C: +1 805.717.0365 >>>>>>>>>> jr.aquino at citrix.com >>>>>>>>>> http://www.citrixonline.com >>>>>>>>>> >>>>>>>>>> "Keeping your head in the cloud" >>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>>> >>>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>>> T: +1 805.690.3478 >>>>>>>>>> C: +1 805.717.0365 >>>>>>>>>> jr.aquino at citrix.com >>>>>>>>>> http://www.citrixonline.com >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thanks, >>>>>>>>>> _____________________________________________________ >>>>>>>>>> John Moyer >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Freeipa-users mailing list >>>>>>>>>> Freeipa-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From dpal at redhat.com Tue Apr 30 18:25:20 2013 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 30 Apr 2013 14:25:20 -0400 Subject: [Freeipa-users] automember issues In-Reply-To: References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> Message-ID: <51800C90.1020606@redhat.com> On 04/30/2013 
02:17 PM, JR Aquino wrote: > On Apr 30, 2013, at 11:12 AM, John Moyer > wrote: > >> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either. >> >> This is the new output of that command you had me run earlier: >> >> ipa automember-find --type=hostgroup >> --------------- >> 1 rules matched >> --------------- >> Automember Rule: test-group >> Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> > Interesting. > > What about if you just do something silly like: ".*build.*" > > Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above? Don't you need to specify target group? It might be that the filter is working but it is not placing it anywhere because nothing is specifying where to place it. > >> >> Thanks, >> _____________________________________________________ >> John Moyer >> >> >> On Apr 30, 2013, at 2:07 PM, JR Aquino wrote: >> >>> On Apr 30, 2013, at 11:02 AM, John Moyer >>> wrote: >>> >>>> It comes back with a ton of stuff the row you are probably interested in is this one: >>>> >>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com >>> Bingo! >>> >>> Ok, try to adjust your automember rule. 
>>> >>> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com >>> >>> See if that does the trick >>> >>>> Thanks, >>>> _____________________________________________________ >>>> John Moyer >>>> >>>> >>>> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote: >>>> >>>>> On Apr 30, 2013, at 10:52 AM, John Moyer >>>>> wrote: >>>>> >>>>>> Not a problem, here is the output >>>>>> >>>>>> ipa automember-find --type=hostgroup >>>>>> --------------- >>>>>> 1 rules matched >>>>>> --------------- >>>>>> Automember Rule: test-group >>>>>> Inclusive Regex: enrolledby=build >>>>>> ---------------------------- >>>>>> Number of entries returned 1 >>>>>> ---------------------------- >>>>>> >>>>> interesting. >>>>> >>>>> When you do an: ipa host-show test-hostname.example.com --all --raw >>>>> >>>>> Does it clearly show that enrolledby=build? >>>>> >>>>>> >>>>>> Thanks, >>>>>> _____________________________________________________ >>>>>> John Moyer >>>>>> >>>>>> >>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote: >>>>>> >>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer >>>>>>> wrote: >>>>>>> >>>>>>>> One thing to add is that this build user only has the following access: >>>>>>>> >>>>>>>> Host Administrators >>>>>>>> Host enrollment >>>>>>>> >>>>>>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue. >>>>>>>> >>>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user. >>>>>>> >>>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread? 
>>>>>>> >>>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed. >>>>>>> >>>>>>> >>>>>>>> Thanks, >>>>>>>> _____________________________________________________ >>>>>>>> John Moyer >>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote: >>>>>>>> >>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer > wrote: >>>>>>>>> >>>>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area? >>>>>>>>> >>>>>>>>> >>>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user. >>>>>>>>> >>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ? >>>>>>>>> >>>>>>>>> >>>>>>>>> "Keeping your head in the cloud" >>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>> Jr Aquino | Sr. Information Security Specialist >>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>> >>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>> T: +1 805.690.3478 >>>>>>>>> C: +1 805.717.0365 >>>>>>>>> jr.aquino at citrix.com >>>>>>>>> http://www.citrixonline.com >>>>>>>>> >>>>>>>>> "Keeping your head in the cloud" >>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>>>>>>> Jr Aquino | Sr. 
Information Security Specialist >>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester >>>>>>>>> GCIH | GIAC Certified Incident Handler >>>>>>>>> GWAPT | GIAC WebApp Penetration Tester >>>>>>>>> >>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117 >>>>>>>>> T: +1 805.690.3478 >>>>>>>>> C: +1 805.717.0365 >>>>>>>>> jr.aquino at citrix.com >>>>>>>>> http://www.citrixonline.com >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> _____________________________________________________ >>>>>>>>> John Moyer >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Freeipa-users mailing list >>>>>>>>> Freeipa-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From abokovoy at redhat.com Tue Apr 30 18:37:32 2013 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Apr 2013 21:37:32 +0300 Subject: [Freeipa-users] Samba 4 with IPA In-Reply-To: <51800b2e.c624b40a.1f6a.16c6@mx.google.com> References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> Message-ID: <20130430183731.GN7607@redhat.com> On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote: >That is actually pretty good news. The real requirement is network >storage for the Windows workstations secured by FreeIPA authentication. >If I read what you?ve said correctly this is possible now. I can live >with the magical incantations to enrol any new Windows machines for >now. There are a few things that would work better if Windows thought >it was logging on to a domain, but we have lived without those features >for the last year. 
Once a Windows machine has been set up correctly, >which can be a bit hit and miss, the authentication works flawlessly . To be clear, we have not tested this combination so you'll be in uncharted waters. Since TGT for these users would still be issued by FreeIPA KDC, it would include MS-PAC with SIDs of these users in FreeIPA domain -- once you have run ipa-adtrust-install, of course. Thus, smbd on IPA master would be able to recognize them as FreeIPA users regardless where they come from -- IPA or Windows machines, as long as Kerberos is in use. Any reports of how such setup would actually behave are welcomed. >It sounds as though I can set up the file server now and then extend it >to do the AD DC bit when it is ready. >I don?t suppose there is a Samba 4 + FreeIPA 3 file server HowTo >anywhere is there? The only requirements for simplistic setup is to: 1. run file server on IPA master (you can make a dedicated replica for that) 2. run ipa-adtrust-install on that master to setup Samba configuration and enable KDC + directory server to handle SIDs 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master uses registry backend to store smb.conf configuration. See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares for sample how to work with 'net conf setparm'. For 'valid users' I guess you can use simply user names since these would be our local ones. Again, this is completely untested right now. 
-- / Alexander Bokovoy From abokovoy at redhat.com Tue Apr 30 19:17:27 2013 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 30 Apr 2013 22:17:27 +0300 Subject: [Freeipa-users] Samba 4 with IPA In-Reply-To: <20130430183731.GN7607@redhat.com> References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> <20130430183731.GN7607@redhat.com> Message-ID: <20130430191727.GO7607@redhat.com> On Tue, 30 Apr 2013, Alexander Bokovoy wrote: >On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote: >>That is actually pretty good news. The real requirement is network >>storage for the Windows workstations secured by FreeIPA authentication. >>If I read what you?ve said correctly this is possible now. I can live >>with the magical incantations to enrol any new Windows machines for >>now. There are a few things that would work better if Windows thought >>it was logging on to a domain, but we have lived without those features >>for the last year. Once a Windows machine has been set up correctly, >>which can be a bit hit and miss, the authentication works flawlessly . >To be clear, we have not tested this combination so you'll be in uncharted >waters. > >Since TGT for these users would still be issued by FreeIPA KDC, it would >include MS-PAC with SIDs of these users in FreeIPA domain -- once you >have run ipa-adtrust-install, of course. Thus, smbd on IPA master would >be able to recognize them as FreeIPA users regardless where they come >from -- IPA or Windows machines, as long as Kerberos is in use. > >Any reports of how such setup would actually behave are welcomed. > >>It sounds as though I can set up the file server now and then extend it >>to do the AD DC bit when it is ready. > >>I don?t suppose there is a Samba 4 + FreeIPA 3 file server HowTo >>anywhere is there? >The only requirements for simplistic setup is to: >1. run file server on IPA master (you can make a dedicated replica for that) >2. 
run ipa-adtrust-install on that master to setup Samba configuration
>   and enable KDC + directory server to handle SIDs
>3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>   uses registry backend to store smb.conf configuration.
>
>See
>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
>for sample how to work with 'net conf setparm'.
>
>For 'valid users' I guess you can use simply user names since these
>would be our local ones.
>
>Again, this is completely untested right now.
So, I tried quick test for this, using admins group:

1. Setup shared space, apply SELinux context and modify ACLs:
[root@red samba-4.0.5]# mkdir /srv/testshare
[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
[root@red samba-4.0.5]# setfacl -m g:admins:rwx /srv/testshare
[root@red samba-4.0.5]# getfacl /srv/testshare
getfacl: Removing leading '/' from absolute path names
# file: srv/testshare
# owner: root
# group: root
user::rwx
group::r-x
group:admins:rwx
mask::rwx
other::r-x

2. Create actual Samba share:
[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N

3. Obtain TGT for Kerberos identity (admin, belongs to admins group):
[root@red samba-4.0.5]# kinit
Password for admin@BIRD.CLONE:
[root@red samba-4.0.5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIRD.CLONE

Valid starting       Expires              Service principal
30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE

Now try connecting to //red.bird.clone/testshare and use it (I've copied
few files in several sessions, showing last one):

[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
lp_load_ex: changing to config backend registry
Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
smb: \> dir
  .                                   D        0  Tue Apr 30 22:06:51 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144.
19277 blocks available
smb: \> put WHATSNEW.txt
putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
smb: \> dir
  .                                   D        0  Tue Apr 30 22:10:35 2013
  ..                                  D        0  Tue Apr 30 21:40:04 2013
  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
  README                              A     7998  Tue Apr 30 22:06:51 2013

                40918 blocks of size 262144. 19277 blocks available
smb: \>

Check status of the last copied file, notice permissions and SELinux
context:
[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
  File: ‘/srv/testshare/WHATSNEW.txt’
  Size: 47112       Blocks: 96         IO Block: 4096   regular file
Device: fc03h/64515d    Inode: 153050      Links: 1
Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  admins)
Context: system_u:object_r:samba_share_t:s0
Access: 2013-04-30 22:10:35.484270784 +0300
Modify: 2013-04-30 22:10:35.580239030 +0300
Change: 2013-04-30 22:10:35.579270116 +0300
 Birth: -

-- 
/ Alexander Bokovoy

From john.moyer at digitalreasoning.com Tue Apr 30 19:23:36 2013
From: john.moyer at digitalreasoning.com (John Moyer)
Date: Tue, 30 Apr 2013 15:23:36 -0400
Subject: [Freeipa-users] automember issues
In-Reply-To: <51800C90.1020606@redhat.com>
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> <51800C90.1020606@redhat.com>
Message-ID: <59273BDE-2902-4F5A-B1C3-97E106233126@digitalreasoning.com>

So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Any more ideas? The target is specified by the rule name: test-group is the target.
Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 2:25 PM, Dmitri Pal wrote:

> On 04/30/2013 02:17 PM, JR Aquino wrote:
>> On Apr 30, 2013, at 11:12 AM, John Moyer wrote:
>>
>>> I tried adding it in addition to the current rule and that didn't work. I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.
>>>
>>> This is the new output of that command you had me run earlier:
>>>
>>> ipa automember-find --type=hostgroup
>>> ---------------
>>> 1 rules matched
>>> ---------------
>>>   Automember Rule: test-group
>>>   Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
>>> ----------------------------
>>> Number of entries returned 1
>>> ----------------------------
>>>
>> Interesting.
>>
>> What about if you just do something silly like: ".*build.*"
>>
>> Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?
>
> Don't you need to specify target group?
> It might be that the filter is working but it is not placing it anywhere
> because nothing is specifying where to place it.
>
>>> Thanks,
>>> _____________________________________________________
>>> John Moyer
>>>
>>> On Apr 30, 2013, at 2:07 PM, JR Aquino wrote:
>>>
>>>> On Apr 30, 2013, at 11:02 AM, John Moyer wrote:
>>>>
>>>>> It comes back with a ton of stuff the row you are probably interested in is this one:
>>>>>
>>>>> enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>> Bingo!
>>>>
>>>> Ok, try to adjust your automember rule.
>>>>
>>>> Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com
>>>>
>>>> See if that does the trick
>>>>
>>>>> Thanks,
>>>>> _____________________________________________________
>>>>> John Moyer
>>>>>
>>>>> On Apr 30, 2013, at 1:57 PM, JR Aquino wrote:
>>>>>
>>>>>> On Apr 30, 2013, at 10:52 AM, John Moyer wrote:
>>>>>>
>>>>>>> Not a problem, here is the output
>>>>>>>
>>>>>>> ipa automember-find --type=hostgroup
>>>>>>> ---------------
>>>>>>> 1 rules matched
>>>>>>> ---------------
>>>>>>>   Automember Rule: test-group
>>>>>>>   Inclusive Regex: enrolledby=build
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>>
>>>>>> interesting.
>>>>>>
>>>>>> When you do an: ipa host-show test-hostname.example.com --all --raw
>>>>>>
>>>>>> Does it clearly show that enrolledby=build?
>>>>>>
>>>>>>> Thanks,
>>>>>>> _____________________________________________________
>>>>>>> John Moyer
>>>>>>>
>>>>>>> On Apr 30, 2013, at 1:48 PM, JR Aquino wrote:
>>>>>>>
>>>>>>>> On Apr 30, 2013, at 10:43 AM, John Moyer wrote:
>>>>>>>>
>>>>>>>>> One thing to add is that this build user only has the following access:
>>>>>>>>>
>>>>>>>>> Host Administrators
>>>>>>>>> Host enrollment
>>>>>>>>>
>>>>>>>>> Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue.
>>>>>>>>>
>>>>>>>> The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.
>>>>>>>>
>>>>>>>> Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread?
>>>>>>>>
>>>>>>>> If we are missing something or if we have any bugs in there, we need to get them identified and fixed.
>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> _____________________________________________________
>>>>>>>>> John Moyer
>>>>>>>>> On Apr 30, 2013, at 1:21 PM, JR Aquino wrote:
>>>>>>>>>
>>>>>>>>>> On Apr 30, 2013, at 9:30 AM, John Moyer wrote:
>>>>>>>>>>
>>>>>>>>>> Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?
>>>>>>>>>>
>>>>>>>>>> That -should- be enough to catch new hosts that are built by the 'build' user.
>>>>>>>>>>
>>>>>>>>>> Can you verify that the Attribute you are matching on is: "enrolledby" ?
>>>>>>>>>>
>>>>>>>>>> "Keeping your head in the cloud"
>>>>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>>>>>>> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
>>>>>>>>>> GCIH | GIAC Certified Incident Handler
>>>>>>>>>> GWAPT | GIAC WebApp Penetration Tester
>>>>>>>>>>
>>>>>>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>>>>>>> T: +1 805.690.3478
>>>>>>>>>> C: +1 805.717.0365
>>>>>>>>>> jr.aquino at citrix.com
>>>>>>>>>> http://www.citrixonline.com
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> _____________________________________________________
>>>>>>>>>> John Moyer
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-users mailing list
>>>>>>>>>> Freeipa-users at redhat.com
>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From JR.Aquino at citrix.com Tue Apr 30 19:27:33 2013
From: JR.Aquino at citrix.com (JR Aquino)
Date: Tue, 30 Apr 2013 19:27:33 +0000
Subject: [Freeipa-users] automember issues
In-Reply-To: <59273BDE-2902-4F5A-B1C3-97E106233126@digitalreasoning.com>
References: <347C62DA-69A7-4FA9-BA3C-A64632C0604D@digitalreasoning.com> <71F9C0BA-2662-4434-9A7A-321B356F47FC@digitalreasoning.com> <940AADC4-26FB-4358-B0DF-4004C48B3FF9@citrixonline.com> <014B8A2C-A1DA-4218-A912-ECBE32088519@digitalreasoning.com> <63AA87DF-43E6-4944-AE22-923B6B7A9079@digitalreasoning.com> <55DD7B8E-CC80-4AC0-9B01-00BCAC96DA2B@citrixonline.com> <51800C90.1020606@redhat.com> <59273BDE-2902-4F5A-B1C3-97E106233126@digitalreasoning.com>
Message-ID:

I've got about 30mins before I get into my next meeting. Are you able to hop into IRC in Freenode to work in realtime on #freeipa?

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrix.com
http://www.citrixonline.com

On Apr 30, 2013, at 12:23 PM, John Moyer wrote:

So I must have looked at the wrong server name, I just tried to add 4 more servers and none of them worked. Any more ideas? The target is specified by the rule name: test-group is the target.

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 2:25 PM, Dmitri Pal wrote:

On 04/30/2013 02:17 PM, JR Aquino wrote:
On Apr 30, 2013, at 11:12 AM, John Moyer wrote:

I tried adding it in addition to the current rule and that didn't work.
I then deleted the old rule to only leave the rule with the full name (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.

This is the new output of that command you had me run earlier:

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
----------------------------
Number of entries returned 1
----------------------------

Interesting.

What about if you just do something silly like: ".*build.*"

Nathan... I believe the plugin is set to expect string values... how does it handle a DN such as the enrolled by above?

Don't you need to specify target group?
It might be that the filter is working but it is not placing it anywhere
because nothing is specifying where to place it.

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 2:07 PM, JR Aquino wrote:

On Apr 30, 2013, at 11:02 AM, John Moyer wrote:

It comes back with a ton of stuff the row you are probably interested in is this one:

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Bingo!

Ok, try to adjust your automember rule.

Delete your previous inclusive regex, and replace it with uid=build,cn=users,cn=accounts,dc=example,dc=com

See if that does the trick

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 1:57 PM, JR Aquino wrote:

On Apr 30, 2013, at 10:52 AM, John Moyer wrote:

Not a problem, here is the output

ipa automember-find --type=hostgroup
---------------
1 rules matched
---------------
  Automember Rule: test-group
  Inclusive Regex: enrolledby=build
----------------------------
Number of entries returned 1
----------------------------

interesting.

When you do an: ipa host-show test-hostname.example.com --all --raw

Does it clearly show that enrolledby=build?
Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 1:48 PM, JR Aquino wrote:

On Apr 30, 2013, at 10:43 AM, John Moyer wrote:

One thing to add is that this build user only has the following access:

Host Administrators
Host enrollment

Would he need more access to do the membership? My original thought was that technically the user is not doing the addition to the group it's the system technically doing it so there shouldn't be a permissions issue.

The user's roles shouldn't really matter to the best of my knowledge (Nathan Kinder may need to refresh my memory), but the 389 plugin, should be catching the insertion of the new object, then match the watched-attribute, and execute the hostgroup assignment based upon the rights of the plugin rather than that of the user.

Would it be possible to ask you to do an automember-find --type=hostgroup on the CLI and send it back to the thread?

If we are missing something or if we have any bugs in there, we need to get them identified and fixed.

Thanks,
_____________________________________________________
John Moyer

On Apr 30, 2013, at 1:21 PM, JR Aquino wrote:

On Apr 30, 2013, at 9:30 AM, John Moyer wrote:

Anyone have any suggestions to using the auto member function in IPA? I've tried to set it up so if a server is enrolled by a user called "build" then it should add it to a specific server group. I put in an inclusive rule and the expression is just "build", but it doesn't work. Do I need to specify more than just build in the expression area?

That -should- be enough to catch new hosts that are built by the 'build' user.

Can you verify that the Attribute you are matching on is: "enrolledby" ?

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester

Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aquino at citrix.com
http://www.citrixonline.com

Thanks,
_____________________________________________________
John Moyer

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

From abokovoy at redhat.com Tue Apr 30 19:37:15 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 30 Apr 2013 22:37:15 +0300
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To: <20130430191727.GO7607@redhat.com>
References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> <20130430183731.GN7607@redhat.com> <20130430191727.GO7607@redhat.com>
Message-ID: <20130430193714.GP7607@redhat.com>

On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
>On Tue, 30 Apr 2013, Alexander Bokovoy wrote:
>>On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote:
>>>That is actually pretty good news. The real requirement is network
>>>storage for the Windows workstations secured by FreeIPA authentication.
>>>If I read what you've said correctly this is possible now. I can live
>>>with the magical incantations to enrol any new Windows machines for
>>>now. There are a few things that would work better if Windows thought
>>>it was logging on to a domain, but we have lived without those features
>>>for the last year. Once a Windows machine has been set up correctly,
>>>which can be a bit hit and miss, the authentication works flawlessly.
>>To be clear, we have not tested this combination so you'll be in uncharted
>>waters.
>>
>>Since TGT for these users would still be issued by FreeIPA KDC, it would
>>include MS-PAC with SIDs of these users in FreeIPA domain -- once you
>>have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
>>be able to recognize them as FreeIPA users regardless where they come
>>from -- IPA or Windows machines, as long as Kerberos is in use.
>>
>>Any reports of how such setup would actually behave are welcomed.
>>
>>>It sounds as though I can set up the file server now and then extend it
>>>to do the AD DC bit when it is ready.
>>
>>>I don't suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>>>anywhere is there?
>>The only requirements for simplistic setup is to:
>>1. run file server on IPA master (you can make a dedicated replica for that)
>>2. run ipa-adtrust-install on that master to setup Samba configuration
>>   and enable KDC + directory server to handle SIDs
>>3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>>   uses registry backend to store smb.conf configuration.
>>
>>See
>>http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
>>for sample how to work with 'net conf setparm'.
>>
>>For 'valid users' I guess you can use simply user names since these
>>would be our local ones.
>>
>>Again, this is completely untested right now.
>So, I tried quick test for this, using admins group:
>
>1. Setup shared space, apply SELinux context and modify ACLs:
>[root@red samba-4.0.5]# mkdir /srv/testshare
>[root@red samba-4.0.5]# chcon -t samba_share_t /srv/testshare
>[root@red samba-4.0.5]# setfacl -m g:admins:rwx /srv/testshare
>[root@red samba-4.0.5]# getfacl /srv/testshare
>getfacl: Removing leading '/' from absolute path names
># file: srv/testshare
># owner: root
># group: root
>user::rwx
>group::r-x
>group:admins:rwx
>mask::rwx
>other::r-x
>
>2. Create actual Samba share:
>[root@red samba-4.0.5]# net conf addshare testshare /srv/testshare writeable=y guest_ok=N
>
>3.
Obtain TGT for Kerberos identity (admin, belongs to admins group):
>[root@red samba-4.0.5]# kinit
>Password for admin@BIRD.CLONE:
>[root@red samba-4.0.5]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin@BIRD.CLONE
>
>Valid starting       Expires              Service principal
>30.04.2013 22:10:13  01.05.2013 22:10:11  krbtgt/BIRD.CLONE@BIRD.CLONE
>
>Now try connecting to //red.bird.clone/testshare and use it (I've copied
>few files in several sessions, showing last one):
>
>[root@red samba-4.0.5]# smbclient -k //red.bird.clone/testshare
>lp_load_ex: changing to config backend registry
>Domain=[BIRD] OS=[Unix] Server=[Samba 4.0.5]
>smb: \> dir
>  .                                   D        0  Tue Apr 30 22:06:51 2013
>  ..                                  D        0  Tue Apr 30 21:40:04 2013
>  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
>  README                              A     7998  Tue Apr 30 22:06:51 2013
>
>                40918 blocks of size 262144. 19277 blocks available
>smb: \> put WHATSNEW.txt
>putting file WHATSNEW.txt as \WHATSNEW.txt (182,6 kb/s) (average 182,6 kb/s)
>smb: \> dir
>  .                                   D        0  Tue Apr 30 22:10:35 2013
>  ..                                  D        0  Tue Apr 30 21:40:04 2013
>  WHATSNEW.txt                        A    47112  Tue Apr 30 22:10:35 2013
>  foobar.txt                          N        0  Tue Apr 30 21:51:54 2013
>  README                              A     7998  Tue Apr 30 22:06:51 2013
>
>                40918 blocks of size 262144. 19277 blocks available
>smb: \>
>
>Check status of the last copied file, notice permissions and SELinux
>context:
>[root@red samba-4.0.5]# stat /srv/testshare/WHATSNEW.txt
>  File: ‘/srv/testshare/WHATSNEW.txt’
>  Size: 47112       Blocks: 96         IO Block: 4096   regular file
>Device: fc03h/64515d    Inode: 153050      Links: 1
>Access: (0744/-rwxr--r--)  Uid: (1564400000/   admin)   Gid: (1564400000/  admins)
>Context: system_u:object_r:samba_share_t:s0
>Access: 2013-04-30 22:10:35.484270784 +0300
>Modify: 2013-04-30 22:10:35.580239030 +0300
>Change: 2013-04-30 22:10:35.579270116 +0300
> Birth: -
....
And for those who are too enjoyed -- this only works for FreeIPA own users.
AD users, coming through a trust, are not supported this way yet, only
through explicit 'valid users = USER-SID' right now. It is due to the fact
that smbd doesn't yet know how to convert back gid/uid of the AD user to a
SID since these users have automatically generated gid/uid which aren't
stored anywhere. We need to add some smart logic to ipasam module to
handle it.

[2013/04/30 22:20:03.878564,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (12):
    SID[  0]: S-1-5-21-3502988750-125904550-3683905862-500
    SID[  1]: S-1-5-21-3502988750-125904550-3683905862-513
    SID[  2]: S-1-5-21-3502988750-125904550-3683905862-520
    SID[  3]: S-1-5-21-3502988750-125904550-3683905862-512
    SID[  4]: S-1-5-21-3502988750-125904550-3683905862-519
    SID[  5]: S-1-5-21-3502988750-125904550-3683905862-518
    SID[  6]: S-1-18-1
    SID[  7]: S-1-5-21-1492269836-2180264219-1113070302-1004
    SID[  8]: S-1-1-0
    SID[  9]: S-1-5-2
    SID[ 10]: S-1-5-11
    SID[ 11]: S-1-22-1-1442800500
   Privileges (0x               0):
   Rights (0x               0):
[2013/04/30 22:20:03.879021,  5] ../source3/auth/token_util.c:528(debug_unix_user_token)
  UNIX token of user 1442800500
  Primary group is 1442800500 and contains 0 supplementary groups
[2013/04/30 22:20:03.879198,  5] ../source3/smbd/uid.c:373(change_to_user_internal)
  Impersonated user: uid=(1442800500,1442800500), gid=(0,1442800500)

and then

[2013/04/30 22:20:03.951270,  5] ../source3/passdb/lookup_sid.c:1212(gid_to_sid)
  gid_to_sid: winbind failed to find a sid for gid 1564400004
...
[2013/04/30 22:20:03.951488,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=bird,dc=clone], filter => [(&(gidNumber=1564400004)(objectClass=ipaNTGroupAttrs))], scope => [2]
[2013/04/30 22:20:03.952132,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (1442800500, 1442800500) - sec_ctx_stack_ndx = 0
[2013/04/30 22:20:03.952214,  3] ../source3/smbd/open.c:791(open_file)
  Error opening file README.downgrade (NT_STATUS_ACCESS_DENIED) (local_flags=578) (flags=578)

I.e. attempt to write file while being a process under uid 1442800500 and
gid 1442800500 fails. This is uid of Administrator@AD.LAN, AD user, and
gid of his/her primary group, which are automatically generated based on
its SID.

[root@red samba-4.0.5]# id Administrator@ad.lan
uid=1442800500(administrator@ad.lan) gid=1442800500(administrator@ad.lan) groups=1442800500(administrator@ad.lan),1442800519(enterprise admins@ad.lan),1442800512(domain admins@ad.lan),1564400004(ad_members)

-- 
/ Alexander Bokovoy

From simo at redhat.com Tue Apr 30 19:46:06 2013
From: simo at redhat.com (Simo Sorce)
Date: Tue, 30 Apr 2013 15:46:06 -0400
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To: <20130430193714.GP7607@redhat.com>
References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> <20130430183731.GN7607@redhat.com> <20130430191727.GO7607@redhat.com> <20130430193714.GP7607@redhat.com>
Message-ID: <1367351166.10084.526.camel@willson.li.ssimo.org>

On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
>
> We need to add some smart logic to ipasam module to handle it.
>
The logic for trusted users needs to go into winbindd or sssd, ipasam is
only about our own domain.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

From simon.williams at thehelpfulcat.com Tue Apr 30 19:54:31 2013
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Tue, 30 Apr 2013 20:54:31 +0100
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To: <20130430183731.GN7607@redhat.com>
References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> <20130430183731.GN7607@redhat.com>
Message-ID:

Thanks for all your help. I'll give it a go and see how far I get.

On 30 Apr 2013 19:37, "Alexander Bokovoy" wrote:

> On Tue, 30 Apr 2013, simon.williams at thehelpfulcat.com wrote:
>
>> That is actually pretty good news. The real requirement is network
>> storage for the Windows workstations secured by FreeIPA authentication.
>> If I read what you've said correctly this is possible now. I can live
>> with the magical incantations to enrol any new Windows machines for
>> now. There are a few things that would work better if Windows thought
>> it was logging on to a domain, but we have lived without those features
>> for the last year. Once a Windows machine has been set up correctly,
>> which can be a bit hit and miss, the authentication works flawlessly.
>>
> To be clear, we have not tested this combination so you'll be in uncharted
> waters.
>
> Since TGT for these users would still be issued by FreeIPA KDC, it would
> include MS-PAC with SIDs of these users in FreeIPA domain -- once you
> have run ipa-adtrust-install, of course. Thus, smbd on IPA master would
> be able to recognize them as FreeIPA users regardless where they come
> from -- IPA or Windows machines, as long as Kerberos is in use.
>
> Any reports of how such setup would actually behave are welcomed.
>
>> It sounds as though I can set up the file server now and then extend it
>> to do the AD DC bit when it is ready.
>>
>> I don't suppose there is a Samba 4 + FreeIPA 3 file server HowTo
>> anywhere is there?
>>
> The only requirements for simplistic setup is to:
> 1.
run file server on IPA master (you can make a dedicated replica for
> that)
> 2. run ipa-adtrust-install on that master to setup Samba configuration
>    and enable KDC + directory server to handle SIDs
> 3. use 'net conf setparm ...' to setup shares, since Samba on IPA master
>    uses registry backend to store smb.conf configuration.
>
> See
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Using_Samba_shares
> for sample how to work with 'net conf setparm'.
>
> For 'valid users' I guess you can use simply user names since these
> would be our local ones.
>
> Again, this is completely untested right now.
>
> -- 
> / Alexander Bokovoy
>

From abokovoy at redhat.com Tue Apr 30 19:54:50 2013
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 30 Apr 2013 22:54:50 +0300
Subject: [Freeipa-users] Samba 4 with IPA
In-Reply-To: <1367351166.10084.526.camel@willson.li.ssimo.org>
References: <20130430170112.GL7607@redhat.com> <51800b2e.c624b40a.1f6a.16c6@mx.google.com> <20130430183731.GN7607@redhat.com> <20130430191727.GO7607@redhat.com> <20130430193714.GP7607@redhat.com> <1367351166.10084.526.camel@willson.li.ssimo.org>
Message-ID: <20130430195450.GQ7607@redhat.com>

On Tue, 30 Apr 2013, Simo Sorce wrote:
>On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
>>
>> We need to add some smart logic to ipasam module to handle it.
>>
>The logic for trusted users needs to go into winbindd or sssd, ipasam is
>only about our own domain.
In SSSD 1.10 there is new SID translation interface in libsss_nss_idmap
that we can use to build such logic. I only pointed to ipasam because
this is a place where we know everything about all IPA trusts and
idranges and which gets contacted if winbindd is unable to resolve
uid/gid to SID. A fallback case.
For SSSD-based solution we would need to differentiate between it being
installed on IPA master with ipa-adtrust-install configuration and other
machines to avoid loops as SSSD on IPA master asks winbindd currently for
SID translation and other SSSDs ask IPA's extdom plugin on Directory
server side.

-- 
/ Alexander Bokovoy
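The gid_to_sid failure in the smbd log earlier in this thread, and the SID translation logic discussed in the last two messages, both come down to one question: can a POSIX ID be mapped back to a SID purely from a trusted domain's ID range? The Python below is an added worked example written for this page; it is not FreeIPA, SSSD, Samba or ipasam code. The domain SID is the one whose well-known RIDs (500, 512, 513, 518, 519, 520) appear in the token dump above and is assumed to be AD.LAN's; the range name, range base (1442800000, chosen so that RID 500 lands on uid 1442800500 as in the `id Administrator@ad.lan` output), range size (200000) and base RID (0) are constructed assumptions, not values read from a real idrange. It shows the algorithmic mapping in both directions and why gid 1564400004 (the IPA-local ad_members group) cannot be resolved that way: it lies outside every trusted range, so a resolver has to fall back to the directory, which is the smbldap_search_ext query on gidNumber visible in the log.

```python
"""Algorithmic SID <-> POSIX ID mapping for a trusted-domain ID range.

Added example. The AD.LAN domain SID below is taken from the smbd token
dump on this page; the range name, base, size and base RID are constructed
assumptions rather than values from a real FreeIPA idrange.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WINDOWS_DOMAIN_PREFIX = "S-1-5-21-"   # NT authority, domain sub-authority
UNIX_USERS_PREFIX = "S-1-22-1-"       # Samba's fallback SID for a bare uid
UNIX_GROUPS_PREFIX = "S-1-22-2-"      # Samba's fallback SID for a bare gid


@dataclass(frozen=True)
class IdRange:
    """One trusted-domain ID range (modelled on an ipa-ad-trust idrange)."""
    name: str
    domain_sid: str    # domain part only, no trailing RID
    base_id: int       # first POSIX ID covered by the range
    size: int          # number of IDs in the range
    base_rid: int = 0  # RID that maps onto base_id

    def holds_id(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def holds_rid(self, rid: int) -> bool:
        return self.base_rid <= rid < self.base_rid + self.size


# Constructed range for AD.LAN: base chosen so RID 500 -> uid 1442800500.
TRUSTED_RANGES: List[IdRange] = [
    IdRange(name="AD.LAN_id_range",
            domain_sid="S-1-5-21-3502988750-125904550-3683905862",
            base_id=1442800000, size=200000),
]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain, sep, rid = sid.rpartition("-")
    if not sep or not domain.startswith(WINDOWS_DOMAIN_PREFIX) or not rid.isdigit():
        raise ValueError(f"not a Windows domain SID: {sid!r}")
    return domain, int(rid)


def sid_to_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Forward mapping done at logon time: SID -> POSIX ID, or None."""
    domain, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain and r.holds_rid(rid):
            return r.base_id + (rid - r.base_rid)
    return None  # SID belongs to no known trusted range


def id_to_sid(posix_id: int, ranges: List[IdRange]) -> Optional[str]:
    """Reverse mapping smbd needs for access checks: POSIX ID -> SID.

    Returns None when the ID is outside every trusted range. That is the
    case behind 'winbind failed to find a sid for gid 1564400004' in the
    log: the ID is IPA-local, so only a directory lookup can resolve it.
    """
    for r in ranges:
        if r.holds_id(posix_id):
            return f"{r.domain_sid}-{r.base_rid + (posix_id - r.base_id)}"
    return None


def unix_fallback_sid(posix_id: int, is_group: bool) -> str:
    """Samba's last-resort SID for an unmappable ID (S-1-22-1-uid, S-1-22-2-gid)."""
    prefix = UNIX_GROUPS_PREFIX if is_group else UNIX_USERS_PREFIX
    return f"{prefix}{posix_id}"


def explain_lookup(posix_id: int, ranges: List[IdRange], is_group: bool = False) -> str:
    """One-line verdict per ID, handy when reading a debug-level smbd log."""
    sid = id_to_sid(posix_id, ranges)
    if sid is not None:
        return f"{posix_id} -> {sid} (algorithmic, trusted range)"
    return (f"{posix_id} -> no trusted range; needs a directory lookup, "
            f"Samba fallback would be {unix_fallback_sid(posix_id, is_group)}")


if __name__ == "__main__":
    # IDs from the page: AD Administrator, Domain Admins, Enterprise Admins,
    # and the IPA-local ad_members group that winbind could not map.
    for posix_id, grp in [(1442800500, False), (1442800512, True),
                          (1442800519, True), (1564400004, True)]:
        print(explain_lookup(posix_id, TRUSTED_RANGES, grp))
```

Run as a script it prints one verdict per ID; the last one is the ad_members case, where the only correct answer is "go to the directory", which is exactly the fallback the thread is debating (winbindd, SSSD's libsss_nss_idmap, or ipasam).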