[Freeipa-users] AD - Freeipa trust confusion

Jakub Hrozek jhrozek at redhat.com
Tue Jan 7 13:56:04 UTC 2014


On Tue, Jan 07, 2014 at 08:51:49AM -0500, Simo Sorce wrote:
> On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote:
> > On Fri, 03 Jan 2014, Simo Sorce wrote:
> > >On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> > >> On Thu, Jan 02, 2014 at 08:06:31PM +0000, Andrew Holway wrote:
> > >> > /var/log/sssd/*
> > >> > this is using bob at host (prattle.com is the windows domain)
> > >> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > >> >
> > >> > this is using bob at prattle.com@host (prattle.com is the windows domain)
> > >>
> > >> Thanks, these logs have somewhat more info than those in the other
> > >> thread.
> > >>
> > >> It seems that Winbind on the IPA server has trouble talking to the AD
> > >> server:
> > >>
> > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status]
> > >> (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]]
> > >> [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as
> > >> 'working'
> > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done]
> > >> (0x0040): s2n exop request failed.
> > >>
> > >> (The s2n exop does a special LDAP call to IPA which in turn calls
> > >> winbind on the server).
> > >>
> > >> To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> > >> debug 100', then request the trusted user. The winbind logs would be at
> > >> /var/log/samba/log.w*
> > >
> > >Don't use debug level 100, it will litter the tmp with packet dumps and
> > >possibly fill the disk.
> > >
> > >Log level 10 is the max that is ever useful.
> > No, you are not right.
> > 
> > It looks in this case that there are some unfinished async tasks
> > associated with the outgoing socket and they prevent cli_negprot from
> > starting. On debug level 100 we see content of the packets sent by
> > smbd/winbindd in the log itself which will help to identify what
> > happens. On debug level 10 we simply have two lines in succession
> > telling that winbindd attempted to start cli_negprot and then failed it.
> 
> Yes it is ok to ask for 100 in specific cases if you find out it is
> really needed, but shouldn't normally be advised, the starting point is
> level 10, imo.
> 
> Simo.

I agree that 10 is a better default value to advise. To be honest, I
didn't try the debug level before I advised it, I just copied what I had
in bash history on my IPA server. Sorry.
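Added example, not part of the thread: a small parser for the sssd back-end debug log format quoted above, with a triage step that pairs each failed s2n exop with the last server status sssd recorded, so it is clear whether the failure sits on the client (failover, reachability) or on the IPA server side (the extdom plugin calling winbind). The sample lines are constructed to match the quoted ones, and the `next_step` hints are this example's own reading of the thread.

```python
import re
from collections import namedtuple

# Constructed sample in the sssd back-end log format quoted in the thread
# (the mail client wrapped the originals; each entry is really one line).
SAMPLE_LOG = """\
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
"""

# (timestamp) [sssd[<process>]] [<function>] (<debug level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"Marking server '(?P<server>[^']+)' as '(?P<state>[^']+)'")

Entry = namedtuple("Entry", "ts proc func level msg")


def parse_sssd_log(text):
    """Parse lines in sssd's debug format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["proc"], m["func"],
                                 int(m["level"], 16), m["msg"]))
    return entries


def triage_s2n_failures(entries):
    """For each failed s2n exop, report the server sssd was using and the state
    it had last assigned to it. A server marked 'working' whose s2n call still
    fails points at the IPA server side (extdom plugin -> winbind), not at
    sssd's failover logic, which is the situation described in the thread."""
    last_server = None
    findings = []
    for e in entries:
        sm = SERVER_RE.search(e.msg)
        if sm:
            last_server = {"server": sm["server"], "state": sm["state"]}
        if e.func == "ipa_s2n_get_user_done" and "s2n exop request failed" in e.msg:
            server_ok = last_server is not None and last_server["state"] == "working"
            hint = ("check winbind on the IPA server" if server_ok
                    else "check reachability of the IPA server")
            findings.append({"ts": e.ts, "domain": e.proc,
                             "server": last_server, "next_step": hint})
    return findings
```

Run `triage_s2n_failures(parse_sssd_log(open("/var/log/sssd/sssd_<domain>.log").read()))` against a real domain log to get the same summary for each failure.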
