From Steven.Jones at vuw.ac.nz Thu May 1 00:02:13 2014
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 1 May 2014 00:02:13 +0000
Subject: [Freeipa-users] RHEL7 IPA servers
In-Reply-To: <53617D09.6020201@sri.com>
References: <53617D09.6020201@sri.com>
Message-ID: <1398902532240.49149@vuw.ac.nz>

Hi,

Any thoughts / issues on upgrading RHEL6.5 IPA servers to RHEL7 when it comes out?

ie from the process of doing it, mixing issues ie 1 RHEL7 master with 2 x 6.5 masters? new capabilities making it a must have? that won't be on 6.5?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272

From rcritten at redhat.com Thu May 1 14:44:27 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 May 2014 10:44:27 -0400
Subject: [Freeipa-users] Biasing which master clients talk to first
In-Reply-To: <1398891611066.44084@vuw.ac.nz>
References: <535E8DB0.4050302@damascusgrp.com> <535E8EF0.9040606@damascusgrp.com> <1398706356.10424.64.camel@willson.li.ssimo.org> <535E932D.40703@damascusgrp.com> <1398707597.10424.68.camel@willson.li.ssimo.org> , <535E9863.7070509@damascusgrp.com> <1398738881766.69636@vuw.ac.nz>, <1398776164.10424.77.camel@willson.li.ssimo.org> <1398891611066.44084@vuw.ac.nz>
Message-ID: <53625DCB.30908@redhat.com>

Steven Jones wrote:
> Hi,
>
> We have a master at our DR site which is "further away" than our 2 local masters, is there a way (in DNS say) that we could "encourage" clients to use the closer IPA masters?
>
> eg
>
> host -t SRV _ldap._tcp.ods.vuw.ac.nz
> _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3
> _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa2
> _ldap._tcp.ods.vuw.ac.nz has SRV record 1 100 389 serveripa1
>
> ?
>
> or what would be the best way?

You're looking for DNS site support. IPA doesn't currently support this.
For details see ticket https://fedorahosted.org/freeipa/ticket/2008

rob

From cbulist at gmail.com Thu May 1 15:54:56 2014
From: cbulist at gmail.com (cbulist at gmail.com)
Date: Thu, 01 May 2014 10:54:56 -0500
Subject: [Freeipa-users] migrating from OpenLDAP to freeIPA
Message-ID: <53626E50.7030501@gmail.com>

Hi,

I am trying to migrate my database from OpenLDAP to freeIPA (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts to import the group (all the users were imported without problem).
This is the command that I am using for import:

ipa migrate-ds --with-compat --user-container="ou=People,dc=sample,dc=com" --group-container="ou=Group,dc=sample,dc=com" --bind-dn="cn=Manager,dc=sample,dc=com" ldap://openldap.sample.com

ipa: ERROR: group LDAP search did not return any result (search base: ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)

This is how a group looks in the openldap database:

dn: cn=ftp,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword: {crypt}x
gidNumber: 50

I tried migrating it without compat support and I got the same error.
Any clue about this problem? Thanks in advance!...

From JR.Aquino at citrix.com Thu May 1 16:30:44 2014
From: JR.Aquino at citrix.com (JR Aquino)
Date: Thu, 1 May 2014 16:30:44 +0000
Subject: [Freeipa-users] Automembership not working
In-Reply-To:
References:
Message-ID: <15A666FD-0E8E-4599-AD4A-3D12A933558D@citrix.com>

I don't believe that the attribute is an OU.
try performing a:

ipa group-show engineering --all --raw

I believe that your automember rule wants to be cn=^Engineering

"You cannot hope to secure that which you do not first understand"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino
Manager Operation Services, Infrastructure and Application Security
GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
GCIH | GIAC Certified Incident Handler
GWAPT | GIAC WebApp Penetration Tester
Citrix Systems, Inc | 7408 Hollister Avenue | Goleta, CA 93117
SaaS Division
T: +1 805.690.3478
jr.aquino at citrix.com
http://www.citrix.com

On Apr 30, 2014, at 2:10 PM, Dimitar Georgievski wrote:

> Hi,
>
> I am trying to create rules to place users in given user groups based on the value of their ou (Organization Unit) field in their profiles. For some reason it is not working, and I am trying to understand why.
>
> The rule is very simple and looks like this
> ipa automember-find engineering
> Grouping Type: group
> ---------------
> 1 rules matched
> ---------------
> Description: Add automatically Engineering users to engineering User Group
> Automember Rule: engineering
> Inclusive Regex: ou=^Engineering
>
> With this rule in place I would expect all the new users with ou=Engineering to be automatically placed in the engineering user group.
>
> I am using FreeIPA v3.0.0 on CentOS 6.5
>
> Thanks
>
> Dimitar
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From rcritten at redhat.com Thu May 1 16:58:59 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 01 May 2014 12:58:59 -0400
Subject: [Freeipa-users] migrating from OpenLDAP to freeIPA
In-Reply-To: <53626E50.7030501@gmail.com>
References: <53626E50.7030501@gmail.com>
Message-ID: <53627D53.2020500@redhat.com>

cbulist at gmail.com wrote:
> Hi,
>
> I am trying to migrate my database from OpenLDAP to freeIPA
> (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts
> to import the group (all the users were imported without problem).
> This is the command that I am using for import:
>
> ipa migrate-ds --with-compat --user-container="ou=People,dc=sample,dc=com" --group-container="ou=Group,dc=sample,dc=com" --bind-dn="cn=Manager,dc=sample,dc=com" ldap://openldap.sample.com
>
> ipa: ERROR: group LDAP search did not return any result (search base:
> ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)
>
> This is how a group looks in the openldap database:
>
> dn: cn=ftp,ou=Group,dc=sample,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: ftp
> userPassword: {crypt}x
> gidNumber: 50
>
> I tried migrating it without compat support and I got the same error.
> Any clue about this problem? Thanks in advance!...

We look for RFC2307(bis) groups with an objectclass of either groupOfUniqueNames or groupOfNames. How does your group have any members without one of these?
You should be able to pull these in with --groupobjectclass=posixgroup

rob

From deanhunter at comcast.net Thu May 1 20:07:20 2014
From: deanhunter at comcast.net (Dean Hunter)
Date: Thu, 01 May 2014 15:07:20 -0500
Subject: [Freeipa-users] sudo and NIS domain name
Message-ID: <1398974840.3113.5.camel@host.hunter.org>

I just noticed that I had been incorrectly setting the NIS domain name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be successfully retrieving and using sudo rules from FreeIPA. Is sudo still using NIS-style netgroups? Is there still a requirement to set the NIS domain name?

From dpal at redhat.com Thu May 1 20:27:15 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2014 16:27:15 -0400
Subject: [Freeipa-users] About OTP
In-Reply-To: <1398902332588.65864@vuw.ac.nz>
References: <53617D09.6020201@sri.com> <1398902332588.65864@vuw.ac.nz>
Message-ID: <5362AE23.3020209@redhat.com>

On 04/30/2014 07:58 PM, Steven Jones wrote:
> Hi,
>
> We want to use 2FA tokens and can't because of a Kerberos issue. I assume if this hasn't been upgraded yet that you can't get the passthrough?

What is the issue you are facing?
For OTP to work you need latest Kerberos. It is not RHEL yet. RHEL7 will have the OTP foundation but we do not plan to support it until later. You can play with latest bits in Fedora - they are pretty stable though there are some known issues being worked on.
And please do not reuse the existing threads.

> I'll be interested to know if that is now not the case or at least an idea when it will be GA.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From dpal at redhat.com Thu May 1 20:28:39 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2014 16:28:39 -0400
Subject: [Freeipa-users] RHEL7 IPA servers
In-Reply-To: <1398902532240.49149@vuw.ac.nz>
References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>
Message-ID: <5362AE77.5040902@redhat.com>

On 04/30/2014 08:02 PM, Steven Jones wrote:
> Hi,
>
> Any thoughts / issues on upgrading RHEL6.5 IPA servers to RHEL7 when it comes out?
>
> ie from the process of doing it, mixing issues ie 1 RHEL7 master with 2 x 6.5 masters? new capabilities making it a must have? that won't be on 6.5?

There is a migration procedure. Over a reasonably short period of time days/weeks you start introducing RHEL7 replicas and removing 6.5 ones. It will be documented.

>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
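On the SRV records Steven posted in the "Biasing which master clients talk to first" thread above: the records already carry the information needed to prefer the local masters, because RFC 2782 says a client tries every record of the lowest priority value before it touches a higher one, and uses weight only to spread load among records of equal priority. The following is an added example, not code from FreeIPA, SSSD or anyone on this list, that models that selection over a record list constructed from the `host -t SRV _ldap._tcp.ods.vuw.ac.nz` output in the thread; the "unreachable" set is a stand-in for servers the client failed to connect to.

```python
# RFC 2782 SRV selection, as a model of how an IPA client chooses an LDAP
# server. Added example; not code from the FreeIPA or SSSD projects. The
# record list is constructed from the `host -t SRV` output in the thread.
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed from the SRV output in the thread: two priority-0 masters,
# one priority-1 (DR) master, all with equal weight.
RECORDS = [
    SRV(0, 100, 389, "serveripa3"),
    SRV(0, 100, 389, "serveripa2"),
    SRV(1, 100, 389, "serveripa1"),
]


def order_srv(records, rng=random):
    """Targets in the order an RFC 2782 client tries them.

    All records of the lowest priority value come first; within one
    priority level the order is a weighted random draw, so with equal
    weights serveripa2 and serveripa3 swap places from run to run while
    serveripa1 is always last."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        level = [r for r in records if r.priority == prio]
        while level:
            total = sum(r.weight for r in level)
            pick = rng.randint(0, total)      # 0..total inclusive
            running = 0
            for r in level:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    level.remove(r)
                    break
    return [r.target for r in ordered]


def choose_server(records, unreachable, rng=random):
    """First target in RFC 2782 order that is not in `unreachable`.

    `unreachable` stands in for servers the client failed to connect to;
    None is returned only when every target is down."""
    for target in order_srv(records, rng):
        if target not in unreachable:
            return target
    return None


if __name__ == "__main__":
    print("all up          ->", choose_server(RECORDS, set()))
    print("serveripa3 down ->", choose_server(RECORDS, {"serveripa3"}))
    print("both local down ->", choose_server(RECORDS, {"serveripa2", "serveripa3"}))
```

With these records, a client that follows RFC 2782 only ever reaches serveripa1 when both priority-0 masters are unreachable. What the records cannot express is a different preference per client (a client at the DR site should prefer serveripa1), and that is the case that needs site support; before filing a bug, check which resolver the client actually uses, since SSSD does its own SRV lookup and ordering while a plain `ldapsearch` does not consult SRV at all.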
From dpal at redhat.com Thu May 1 20:30:51 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2014 16:30:51 -0400
Subject: [Freeipa-users] Integrating with Smart Cards
In-Reply-To: <53617D09.6020201@sri.com>
References: <53617D09.6020201@sri.com>
Message-ID: <5362AEFB.1010909@redhat.com>

On 04/30/2014 06:45 PM, Leigh Moulder wrote:
> Hi all,
> I'm very new to FreeIPA, so I hope this isn't answered in
> documentation somewhere already.
>
> I'm working to get my infrastructure DIACAP approved, and part of this
> process includes unique user accounts with smart card integration. I
> was hoping that since FreeIPA utilizes Dogtag, I'd be able to use it
> for essentially everything, from LDAP, to certificate store, to smart
> card management. Unfortunately, the only references I was able to
> find were a handful of emails from a few years ago.
>
> I was wondering what the status of smart card integration was, and if
> it was completed yet. If so, where can I find the documentation to
> configure it. And if it's not currently in the works, does anyone
> know a viable solution. I'm currently running everything on RHEL 6.5,
> but would really rather stay away from their directory and certificate
> servers. Right now, I can't justify the price they're quoting me.

The short answer is: we do not have it yet, we want to build it but other things have been taking precedence so far.

Are you willing to put a skin into the game and do some development? We can help you and guide you with what actually can be done short term and long term.

>
> Thanks in Advance,
> Leigh
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From dpal at redhat.com Thu May 1 20:32:52 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 01 May 2014 16:32:52 -0400
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <1398974840.3113.5.camel@host.hunter.org>
References: <1398974840.3113.5.camel@host.hunter.org>
Message-ID: <5362AF74.8050300@redhat.com>

On 05/01/2014 04:07 PM, Dean Hunter wrote:
> I just noticed that I had been incorrectly setting the NIS domain name
> since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to be
> successfully retrieving and using sudo rules from FreeIPA. Is sudo
> still using NIS-style netgroups? Is there still a requirement to set
> the NIS domain name?

I think NIS domain is needed for netgroups. If you are not using netgroups in the sudo rules but just user groups you should be fine.
Is this the case with you?
If not please provide the logs and config.

>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From cbulist at gmail.com Thu May 1 20:34:37 2014
From: cbulist at gmail.com (cbulist at gmail.com)
Date: Thu, 01 May 2014 15:34:37 -0500
Subject: [Freeipa-users] migrating from OpenLDAP to freeIPA
In-Reply-To: <53627D53.2020500@redhat.com>
References: <53626E50.7030501@gmail.com> <53627D53.2020500@redhat.com>
Message-ID: <5362AFDD.4090804@gmail.com>

Hi Rob,

Thanks so much for your help! Our openLDAP uses the memberuid attribute because we migrated the original database from a NIS server. Your tip worked great.
Just let me correct a typo error: --group-objectclass="posixgroup"

Thanks again,
cbu

On 05/01/2014 11:58 AM, Rob Crittenden wrote:
> cbulist at gmail.com wrote:
>> Hi,
>>
>> I am trying to migrate my database from OpenLDAP to freeIPA
>> (ipa-server-3.0.0-37.el6.x86_64) but I get an error when freeIPA starts
>> to import the group (all the users were imported without problem).
>> This is the command that I am using for import:
>>
>> ipa migrate-ds --with-compat --user-container="ou=People,dc=sample,dc=com" --group-container="ou=Group,dc=sample,dc=com" --bind-dn="cn=Manager,dc=sample,dc=com" ldap://openldap.sample.com
>>
>> ipa: ERROR: group LDAP search did not return any result (search base:
>> ou=Group,dc=sample,dc=com, objectclass: groupofuniquenames, groupofnames)
>>
>> This is how a group looks in the openldap database:
>>
>> dn: cn=ftp,ou=Group,dc=sample,dc=com
>> objectClass: posixGroup
>> objectClass: top
>> cn: ftp
>> userPassword: {crypt}x
>> gidNumber: 50
>>
>> I tried migrating it without compat support and I got the same error.
>> Any clue about this problem? Thanks in advance!...
> We look for RFC2307(bis) groups with an objectclass of either
> groupOfUniqueNames or groupOfNames. How does your group have any members
> without one of these?
>
> You should be able to pull these in with --groupobjectclass=posixgroup
>
> rob

From deanhunter at comcast.net Thu May 1 20:53:04 2014
From: deanhunter at comcast.net (Dean Hunter)
Date: Thu, 01 May 2014 15:53:04 -0500
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <5362AF74.8050300@redhat.com>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com>
Message-ID: <1398977584.3113.15.camel@host.hunter.org>

On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>
> >
> > I just noticed that I had been incorrectly setting the NIS domain
> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> > be successfully retrieving and using sudo rules from FreeIPA. Is
> > sudo still using NIS-style netgroups? Is there still a requirement
> > to set the NIS domain name?
>
>
> I think NIS domain is needed for netgroups. If you are not using
> netgroups in the sudo rules but just user groups you should be fine.
> Is this the case with you?
> If not please provide the logs and config.
>

I am not aware of using netgroups, either the IPA object or any other kind. I just remember that when I was first configuring sudo to retrieve rules from IPA it would not work until I set nisdomainname in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the manual:

    Even though sudo uses NIS-style netgroups, it is not necessary to have a NIS server installed. Netgroups require that a NIS domain be named in their configuration, so sudo requires that a NIS domain be named for netgroups. However, that NIS domain does not actually need to exist.

With Fedora 20 I can no longer find the emulation of rc.local that existed in Fedora 19. I did find fedora-domainname.service and started and enabled it but neglected to configure /etc/sysconfig/network. Yet IPA sudo rules appear to work.
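Back on the "migrating from OpenLDAP to freeIPA" thread: the error cbu hit is the group search coming back empty, because `ipa migrate-ds` only looks for entries carrying one of the object classes named by `--group-objectclass` (the defaults are `groupofuniquenames` and `groupofnames`, as the error message itself lists). The following added example, not code from FreeIPA's migration plugin, models that search over a constructed LDIF dump of the OpenLDAP group container; only the `cn=ftp` entry is taken from the thread, the other two entries are made up, and the one-level search scope is an assumption. It also shows the quieter failure mode: a container that mixes `posixGroup` and `groupOfNames` entries produces no error with the defaults, the POSIX groups are simply skipped.

```python
# Model of the group search behind `ipa migrate-ds`, as an added example
# (not FreeIPA's migration plugin). migrate-ds searches the container from
# --group-container for entries whose objectClass is one of the values of
# --group-objectclass; defaults are groupofuniquenames and groupofnames.
# Assumption: the search covers one level below the container. The LDIF
# below is constructed; only the cn=ftp entry is from the thread.
import re

LDIF = """\
dn: cn=ftp,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: ftp
userPassword: {crypt}x
gidNumber: 50

dn: cn=devs,ou=Group,dc=sample,dc=com
objectClass: posixGroup
objectClass: top
cn: devs
gidNumber: 1001
memberUid: alice
memberUid: bob

dn: cn=admins,ou=Group,dc=sample,dc=com
objectClass: groupOfNames
objectClass: top
cn: admins
member: uid=alice,ou=People,dc=sample,dc=com
"""

DEFAULT_GROUP_OBJECTCLASSES = ("groupofuniquenames", "groupofnames")


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries and attribute
    names are lower-cased, since LDAP matches them case-insensitively.
    Base64 (::) values and folded lines do not occur in this dump."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def search_groups(entries, container, objectclasses):
    """DNs of entries one level under `container` that carry at least one
    of `objectclasses` (compared case-insensitively, like LDAP does)."""
    wanted = {oc.lower() for oc in objectclasses}
    one_level = re.compile(r"^[^,]+," + re.escape(container) + r"$", re.IGNORECASE)
    return [
        e["dn"][0]
        for e in entries
        if one_level.match(e["dn"][0])
        and {oc.lower() for oc in e.get("objectclass", [])} & wanted
    ]


def migrate_groups(ldif_text, container, objectclasses=DEFAULT_GROUP_OBJECTCLASSES):
    """Return the group DNs that would be imported, or raise the same
    condition migrate-ds reports when the search finds nothing."""
    found = search_groups(parse_ldif(ldif_text), container, objectclasses)
    if not found:
        raise LookupError(
            "group LDAP search did not return any result (search base: %s, "
            "objectclass: %s)" % (container, ", ".join(objectclasses)))
    return found
```

Before a real migration, run the same search against the source directory with `ldapsearch -b ou=Group,dc=sample,dc=com '(objectClass=posixGroup)' dn` and compare the count with what `ipa group-find` reports afterwards; a count mismatch with no error is the case the defaults silently produce on a mixed container.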
From pspacek at redhat.com Fri May 2 06:57:28 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 02 May 2014 08:57:28 +0200
Subject: [Freeipa-users] Biasing which master clients talk to first
In-Reply-To: <53625DCB.30908@redhat.com>
References: <535E8DB0.4050302@damascusgrp.com> <535E8EF0.9040606@damascusgrp.com> <1398706356.10424.64.camel@willson.li.ssimo.org> <535E932D.40703@damascusgrp.com> <1398707597.10424.68.camel@willson.li.ssimo.org> , <535E9863.7070509@damascusgrp.com> <1398738881766.69636@vuw.ac.nz>, <1398776164.10424.77.camel@willson.li.ssimo.org> <1398891611066.44084@vuw.ac.nz> <53625DCB.30908@redhat.com>
Message-ID: <536341D8.4090604@redhat.com>

On 1.5.2014 16:44, Rob Crittenden wrote:
> Steven Jones wrote:
>> Hi,
>>
>> We have a master at our DR site which is "further away" than our 2 local
>> masters, is there a way (in DNS say) that we could "encourage" clients to
>> use the closer IPA masters?
>>
>> eg
>>
>> host -t SRV _ldap._tcp.ods.vuw.ac.nz
>> _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa3
>> _ldap._tcp.ods.vuw.ac.nz has SRV record 0 100 389 serveripa2
>> _ldap._tcp.ods.vuw.ac.nz has SRV record 1 100 389 serveripa1
>>
>> ?
>>
>> or what would be the best way?
>
> You're looking for DNS site support. IPA doesn't currently support this. For
> details see ticket https://fedorahosted.org/freeipa/ticket/2008

This is not entirely correct.

Sites support is necessary if you want to use different priorities for different clients. Is it your case, Steven?

SRV records shown above should route all requests *from all clients* to (serveripa3 or serveripa2). Serveripa1 should be used only as fallback if neither serveripa3 nor serveripa2 is available.

It is a bug (not related to sites support at all) if this doesn't work.

Steven, please tell us what is your use case.

BTW how did you test it? Did you use SSSD / the "ipa" command / something else?
--
Petr^2 Spacek

From leigh.moulder at sri.com Fri May 2 14:37:41 2014
From: leigh.moulder at sri.com (Leigh Moulder)
Date: Fri, 2 May 2014 07:37:41 -0700
Subject: [Freeipa-users] Integrating with Smart Cards
In-Reply-To: <5362AEFB.1010909@redhat.com>
References: <53617D09.6020201@sri.com> <5362AEFB.1010909@redhat.com>
Message-ID: <5363ADB5.4040305@sri.com>

Hi Dmitri,

Thanks for the response. As frustrating as it is, I think my management team is looking for an out-of-the box solution right now. But I'll take a look at your contributors page and download the source and see if I can convince them that this would be a good route.

Leigh

On 5/1/2014 1:30 PM, Dmitri Pal wrote:
> On 04/30/2014 06:45 PM, Leigh Moulder wrote:
>> Hi all,
>> I'm very new to FreeIPA, so I hope this isn't answered in
>> documentation somewhere already.
>>
>> I'm working to get my infrastructure DIACAP approved, and part of
>> this process includes unique user accounts with smart card
>> integration. I was hoping that since FreeIPA utilizes Dogtag, I'd be
>> able to use it for essentially everything, from LDAP, to certificate
>> store, to smart card management. Unfortunately, the only references
>> I was able to find were a handful of emails from a few years ago.
>>
>> I was wondering what the status of smart card integration was, and if
>> it was completed yet. If so, where can I find the documentation to
>> configure it. And if it's not currently in the works, does anyone
>> know a viable solution. I'm currently running everything on RHEL
>> 6.5, but would really rather stay away from their directory and
>> certificate servers. Right now, I can't justify the price they're
>> quoting me.
>
> The short answer is: we do not have it yet, we want to build it but
> other things have been taking precedence so far.
>
> Are you willing to put a skin into the game and do some development?
> We can help you and guide you with what actually can be done short
> term and long term.
>
>
>> Thanks in Advance,
>> Leigh
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From deanhunter at comcast.net Fri May 2 15:03:05 2014
From: deanhunter at comcast.net (Dean Hunter)
Date: Fri, 02 May 2014 10:03:05 -0500
Subject: [Freeipa-users] Failed to start Directory Service
Message-ID: <1399042985.4780.9.camel@host.hunter.org>

[root@ipa ~]# systemctl status ipa.service
ipa.service - Identity, Policy, Audit
   Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled)
   Active: failed (Result: exit-code) since Fri 2014-05-02 09:18:13 CDT; 31min ago
  Process: 2468 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
 Main PID: 2468 (code=exited, status=1/FAILURE)
   CGroup: /system.slice/ipa.service

May 02 09:18:13 ipa.hunter.org ipactl[2468]: Failed to start Directory Service:
May 02 09:18:13 ipa.hunter.org ipactl[2468]: Starting Directory Service
May 02 09:18:13 ipa.hunter.org systemd[1]: ipa.service: main process exited,...E
May 02 09:18:13 ipa.hunter.org systemd[1]: Failed to start Identity, Policy,....
May 02 09:18:13 ipa.hunter.org systemd[1]: Unit ipa.service entered failed s....
Hint: Some lines were ellipsized, use -l to show in full.
[root@ipa ~]# tail /var/log/dirsrv/slapd-HUNTER-ORG/errors
[02/May/2014:08:36:49 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[02/May/2014:08:42:57 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 starting up
[02/May/2014:08:42:57 -0500] - WARNING: changelog: entry cache size 2097152B is less than db size 2236416B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/May/2014:08:42:57 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[02/May/2014:09:01:36 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 starting up
[02/May/2014:09:01:36 -0500] - WARNING: changelog: entry cache size 2097152B is less than db size 2236416B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/May/2014:09:01:36 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[02/May/2014:09:13:12 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 starting up
[02/May/2014:09:13:13 -0500] - WARNING: changelog: entry cache size 2097152B is less than db size 2236416B; We recommend to increase the entry cache size nsslapd-cachememsize.
[02/May/2014:09:13:13 -0500] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[root@ipa ~]#

I have a small test database populated with less than 50 ipa commands for all users, hosts, etc. Is there any way to recover from this or would it be simpler to rebuild?
From lslebodn at redhat.com Sat May 3 10:36:26 2014
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 3 May 2014 12:36:26 +0200
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <1398977584.3113.15.camel@host.hunter.org>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org>
Message-ID: <20140503103625.GA21000@mail.corp.redhat.com>

On (01/05/14 15:53), Dean Hunter wrote:
>On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>>
>> >
>> > I just noticed that I had been incorrectly setting the NIS domain
>> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> > be successfully retrieving and using sudo rules from FreeIPA. Is
>> > sudo still using NIS-style netgroups? Is there still a requirement
>> > to set the NIS domain name?
>>
>>
>> I think NIS domain is needed for netgroups. If you are not using
>> netgroups in the sudo rules but just user groups you should be fine.
>> Is this the case with you?
>> If not please provide the logs and config.
>>
>
>I am not aware of using netgroups, either the IPA object or any other
>kind. I just remember that when I was first configuring sudo to
>retrieve rules from IPA it would not work until I set nisdomainname
>in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
>manual:
>
>
>        Even though sudo uses NIS-style netgroups, it is not necessary
>        to have a NIS server installed. Netgroups require that a NIS
>        domain be named in their configuration, so sudo requires that a
>        NIS domain be named for netgroups. However, that NIS domain does
>        not actually need to exist.
>
>
>With Fedora 20 I can no longer find the emulation of rc.local that
>existed in Fedora 19. I did find fedora-domainname.service and started
>and enabled it but neglected to configure /etc/sysconfig/network. Yet
>IPA sudo rules appear to work.
>
Hope it helps you
http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html

LS

From deanhunter at comcast.net Sat May 3 15:39:17 2014
From: deanhunter at comcast.net (Dean Hunter)
Date: Sat, 03 May 2014 10:39:17 -0500
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <20140503103625.GA21000@mail.corp.redhat.com>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com>
Message-ID: <1399131557.4170.12.camel@host.hunter.org>

On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> On (01/05/14 15:53), Dean Hunter wrote:
> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >>
> >> >
> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
> >> > sudo still using NIS-style netgroups? Is there still a requirement
> >> > to set the NIS domain name?
> >>
> >>
> >> I think NIS domain is needed for netgroups. If you are not using
> >> netgroups in the sudo rules but just user groups you should be fine.
> >> Is this the case with you?
> >> If not please provide the logs and config.
> >>
> >
> >I am not aware of using netgroups, either the IPA object or any other
> >kind. I just remember that when I was first configuring sudo to
> >retrieve rules from IPA it would not work until I set nisdomainname
> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
> >manual:
> >
> >
> >        Even though sudo uses NIS-style netgroups, it is not necessary
> >        to have a NIS server installed. Netgroups require that a NIS
> >        domain be named in their configuration, so sudo requires that a
> >        NIS domain be named for netgroups. However, that NIS domain does
> >        not actually need to exist.
> >
> >
> >With Fedora 20 I can no longer find the emulation of rc.local that
> >existed in Fedora 19. I did find fedora-domainname.service and started
> >and enabled it but neglected to configure /etc/sysconfig/network. Yet
> >IPA sudo rules appear to work.
> >
> Hope it helps you
> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>
> LS

Thank you. Now that you point it out, I remember that this thread is where I first learned about fedora-domainname.service. I see:

    You would also need to set NIS domain name, otherwise SUDO will not correctly recognize SUDO rules targeted on host groups, instead of hosts:

which explains when sudo would need the NIS domain name. Since my sudo rules address user groups I guess there is no requirement for NIS domain name since they are working just fine:

    ipa sudorule-add desktop-admins --desc "Desktop Administrators"
    ipa sudorule-mod desktop-admins --cmdcat all
    ipa sudorule-add-host desktop-admins --hostgroups desktops
    ipa sudorule-add-option desktop-admins --sudooption "! authenticate"
    ipa sudorule-add-runasuser desktop-admins --users root
    ipa sudorule-add-runasgroup desktop-admins --groups root
    ipa sudorule-add-user desktop-admins --groups desktop-admins

    ipa sudorule-add server-admins --desc "Server Administrators"
    ipa sudorule-mod server-admins --cmdcat all
    ipa sudorule-add-host server-admins --hostgroups servers
    ipa sudorule-add-option server-admins --sudooption "! authenticate"
    ipa sudorule-add-runasuser server-admins --users root
    ipa sudorule-add-runasgroup server-admins --groups root
    ipa sudorule-add-user server-admins --groups server-admins

However, I was really asking whether there had been a change in sssd/sudo behavior as it was my recollection that my sudo rules did not work at all in early IPA 3.n releases unless the NIS domain name was configured.
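Both of Dean's rules are scoped with `--hostgroups`, and that is where the NIS domain name comes in: IPA's compat tree publishes each host group as a netgroup, the sudoers LDAP schema carries a host group in `sudoHost` as `+<netgroup>`, and sudo resolves such an entry with an innetgr()-style match of the local host name against the netgroup triples, passing along whatever getdomainname() reports. On Linux an unset NIS domain is reported as the literal string `(none)`, so a sudo that forwards that value verbatim compares `(none)` with the domain field of every triple and matches nothing. The following is an added example, not code from sudo, glibc or FreeIPA, that models this over constructed triples for the `desktops` and `servers` host groups; the triple shape `(host.fqdn,-,nisdomain)`, the NIS domain `hunter.org` and the two sudo behaviours (strict pass-through versus treating `(none)` as "no domain") are assumptions of the model.

```python
# Why a sudo rule that targets an IPA host group depends on the client's
# NIS domain name. Added example; not code from sudo, glibc or FreeIPA.
# Assumptions: the compat tree exposes each host group as a netgroup with
# triples of the form (host.fqdn,-,nisdomain); the NIS domain is hunter.org;
# sudo checks "+netgroup" entries in sudoHost with an innetgr()-style match
# of (host, no user, getdomainname()). On Linux an unset NIS domain is
# reported as the literal string "(none)".

# Constructed compat-tree netgroups for the two host groups in the rules.
NETGROUPS = {
    "desktops": [("desk1.hunter.org", "-", "hunter.org"),
                 ("desk2.hunter.org", "-", "hunter.org")],
    "servers":  [("ipa.hunter.org", "-", "hunter.org")],
}

# Constructed sudoers-LDAP view of the two rules: a host group shows up in
# sudoHost as "+<netgroup>", a user group in sudoUser as "%<group>".
SUDO_RULES = {
    "desktop-admins": {"sudoHost": ["+desktops"], "sudoUser": ["%desktop-admins"]},
    "server-admins":  {"sudoHost": ["+servers"],  "sudoUser": ["%server-admins"]},
}


def innetgr(triples, host, user, domain):
    """Netgroup triple match in the glibc style: a triple field matches
    when it is empty (wildcard), when the caller passed None for that
    side (field not checked), or when the strings are equal; host and
    domain compare case-insensitively. sudo passes user=None for host
    checks, so the "-" user field is never consulted here."""
    def ok(want, have, fold):
        if want == "" or have is None:
            return True
        return want.lower() == have.lower() if fold else want == have
    return any(ok(h, host, True) and ok(u, user, False) and ok(d, domain, True)
               for h, u, d in triples)


def sudo_domain(kernel_domainname, lenient):
    """The domain value sudo hands to innetgr(). Strict: getdomainname()
    is forwarded verbatim, "(none)" included. Lenient: "" and "(none)"
    are treated as 'no domain' and become None (field not checked)."""
    if lenient and kernel_domainname in ("", "(none)"):
        return None
    return kernel_domainname


def rule_matches_host(rule, netgroups, host, kernel_domainname, lenient=False):
    """Does the sudoHost part of `rule` cover this client?"""
    domain = sudo_domain(kernel_domainname, lenient)
    for entry in rule["sudoHost"]:
        if entry == "ALL" or entry.lower() == host.lower():
            return True
        if entry.startswith("+") and innetgr(
                netgroups.get(entry[1:], []), host, None, domain):
            return True
    return False


def rules_for_host(rules, netgroups, host, kernel_domainname, lenient=False):
    """Sorted names of the rules whose host part applies to `host`."""
    return sorted(name for name, rule in rules.items()
                  if rule_matches_host(rule, netgroups, host, kernel_domainname, lenient))
```

Which of the two behaviours a given sudo build has depends on its version, so the safe check on a client is empirical: note what `domainname` prints, run `sudo -l` as a member of the user group, set the domain with `domainname hunter.org` (or via fedora-domainname.service), and run `sudo -l` again. A rule that appears only after the second step is one whose host part is a host group rather than a host name.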
From lslebodn at redhat.com Sat May 3 20:50:58 2014
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Sat, 3 May 2014 22:50:58 +0200
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <1399131557.4170.12.camel@host.hunter.org>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org>
Message-ID: <20140503205057.GA3378@mail.corp.redhat.com>

On (03/05/14 10:39), Dean Hunter wrote:
>On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>
>> On (01/05/14 15:53), Dean Hunter wrote:
>> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >>
>> >> >
>> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
>> >> > sudo still using NIS-style netgroups? Is there still a requirement
>> >> > to set the NIS domain name?
>> >>
>> >>
>> >> I think NIS domain is needed for netgroups. If you are not using
>> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> Is this the case with you?
>> >> If not please provide the logs and config.
>> >>
>> >
>> >I am not aware of using netgroups, either the IPA object or any other
>> >kind. I just remember that when I was first configuring sudo to
>> >retrieve rules from IPA it would not work until I set nisdomainname
>> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the
>> >manual:
>> >
>> >
>> >        Even though sudo uses NIS-style netgroups, it is not necessary
>> >        to have a NIS server installed. Netgroups require that a NIS
>> >        domain be named in their configuration, so sudo requires that a
>> >        NIS domain be named for netgroups. However, that NIS domain does
>> >        not actually need to exist.
>> >
>> >
>> >With Fedora 20 I can no longer find the emulation of rc.local that
>> >existed in Fedora 19. I did find fedora-domainname.service and started
>> >and enabled it but neglected to configure /etc/sysconfig/network. Yet
>> >IPA sudo rules appear to work.
>> >
>> Hope it helps you
>> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html
>>
>> LS
>
>
>Thank you. Now that you point it out, I remember that this thread is
>where I first learned about fedora-domainname.service. I see:
>
>        You would also need to set NIS domain name, otherwise SUDO will
>        not correctly recognize SUDO rules targeted on host groups,
                                                      ^^^^^^^^^^^^^^
This is the important part

>        instead of hosts:
>
>which explains when sudo would need the NIS domain name. Since my sudo
>rules address user groups I guess there is no requirement for NIS domain
>name since they are working just fine:
Your sudo rules use host groups.

>
>        ipa sudorule-add desktop-admins --desc "Desktop
>        Administrators"
>        ipa sudorule-mod desktop-admins --cmdcat all
>        ipa sudorule-add-host desktop-admins --hostgroups desktops
>        ipa sudorule-add-option desktop-admins --sudooption "!
>        authenticate"
>        ipa sudorule-add-runasuser desktop-admins --users root
>        ipa sudorule-add-runasgroup desktop-admins --groups root
>        ipa sudorule-add-user desktop-admins --groups
>        desktop-admins
>
>        ipa sudorule-add server-admins --desc "Server
>        Administrators"
>        ipa sudorule-mod server-admins --cmdcat all
>        ipa sudorule-add-host server-admins --hostgroups servers
hostgroups are the reason why you need to configure NIS domain name.
hostgroups are also available as netgroups in compat tree and sudo reads information from netgroups.

>        ipa sudorule-add-option server-admins --sudooption "!
> authenticate" > ipa sudorule-add-runasuser server-admins --users root > ipa sudorule-add-runasgroup server-admins --groups root > ipa sudorule-add-user server-admins --groups > server-admins > >However, I was really asking whether there had been a change in >sssd/sudo behavior as it was my recollection that my sudo rules did not >work at all in early IPA 3.n releases unless the NIS domain name was >configured. > LS From deanhunter at comcast.net Sun May 4 15:02:40 2014 From: deanhunter at comcast.net (Dean Hunter) Date: Sun, 04 May 2014 10:02:40 -0500 Subject: [Freeipa-users] sudo and NIS domain name In-Reply-To: <20140503205057.GA3378@mail.corp.redhat.com> References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> Message-ID: <1399215760.2613.7.camel@host.hunter.org> On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote: > On (03/05/14 10:39), Dean Hunter wrote: > >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: > > > >> On (01/05/14 15:53), Dean Hunter wrote: > >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: > >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote: > >> >> > >> >> > > >> >> > I just noticed that I had been incorrectly setting the NIS domain > >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to > >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is > >> >> > sudo still using NIS-style netgroups? Is there still a requirement > >> >> > to set the NIS domain name? > >> >> > >> >> > >> >> I think NIS domain is needed for netgroups. If you are not using > >> >> netgroups in the sudo rules but just user groups you should be fine. > >> >> Is this the case with you? > >> >> If not please provide the logs and config. 
> >> >> > >> > > >> >I am not aware of using netgroups, either the IPA object or any other > >> >kind. I just remember that when I was first configuring sudo to > >> >retrieve rules from IPA it would not work until I set nisdomainname > >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the > >> >manual: > >> > > >> > > >> > Even though sudo uses NIS-style netgroups, it is not necessary > >> > to have a NIS server installed. Netgroups require that a NIS > >> > domain be named in their configuration, so sudo requires that a > >> > NIS domain be named for netgroups. However, that NIS domain does > >> > not actually need to exist. > >> > > >> > > >> >With Fedora 20 I can no longer find the emulation of rc.local that > >> >existed in Fedora 19. I did find fedora-domainname.service and started > >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet > >> >IPA sudo rules appear to work. > >> > > >> Hope It helps you > >> http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html > >> > >> LS > > > > > >Thank you. Now that you point it out, I remember that this thread is > >where I first learned about fedora-domainname.service. I see: > > > > You would also need to set NIS domain name, otherwise SUDO will > > not correctly recognize SUDO rules targeted on host groups, > ^^^^^^^^^^^^^^ > This is important part > > instead of hosts: > > > >which explains when sudo would need the NIS domain name. Since my sudo > >rules address user groups I guess there is no requirement for NIS domain > >name since they are working just fine: > Your sudo rules use host groups. > > > > > ipa sudorule-add desktop-admins --desc "Desktop > > Administrators" > > ipa sudorule-mod desktop-admins --cmdcat all > > ipa sudorule-add-host desktop-admins --hostgroups desktops > > ipa sudorule-add-option desktop-admins --sudooption "! 
> > authenticate" > > ipa sudorule-add-runasuser desktop-admins --users root > > ipa sudorule-add-runasgroup desktop-admins --groups root > > ipa sudorule-add-user desktop-admins --groups > > desktop-admins > > > > ipa sudorule-add server-admins --desc "Server > > Administrators" > > ipa sudorule-mod server-admins --cmdcat all > > ipa sudorule-add-host server-admins --hostgroups servers > hostgroups are reason why you need to configure NIS domain name. > hostgroups are also available as netgroups in compat tree and sudo reads > information from netgroups. > > > ipa sudorule-add-option server-admins --sudooption "! > > authenticate" > > ipa sudorule-add-runasuser server-admins --users root > > ipa sudorule-add-runasgroup server-admins --groups root > > ipa sudorule-add-user server-admins --groups > > server-admins > > > >However, I was really asking whether there had been a change in > >sssd/sudo behavior as it was my recollection that my sudo rules did not > >work at all in early IPA 3.n releases unless the NIS domain name was > >configured. > > > > LS I hear you and that is what I expected. However, the actual behavior seems to have changed with 3.3.4 and now 3.3.5. [dean at desktop ~]$ domainname --nis domainname: Local domain name not set [dean at desktop ~]$ sudo -l Matching Defaults entries for dean on desktop: requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User dean may run the following commands on desktop: (root : root) NOPASSWD: ALL [dean at desktop ~]$ I think this is a good thing. I would just like to confirm that this is the new expected behavior and that I have not done something wrong. 
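An added illustration (not part of this thread, and not code from IPA, sudo or SSSD): a small Python model of what a sudo host entry such as +servers has to satisfy once IPA publishes a hostgroup as a NIS-style netgroup, and where the NIS domain name enters the comparison. The netgroup data (hostgroup "servers", a nested netgroup "dmz", the host names and the domain example.com) is constructed for the example; the user field of the host triples is "-" as in IPA host netgroups. Matching follows glibc's innetgr() rule: an empty field in a triple, or a query argument of None (NULL), is a wildcard, otherwise the strings must be equal, host names case-insensitively. Which value a given sudo or SSSD release passes for the domain when the NIS domain name is unset is not modelled; the None case only shows glibc's own behaviour.

```python
import re

# Constructed sample of what an IPA hostgroup looks like once the compat
# plugin exposes it as a netgroup: nisNetgroupTriple values of the form
# (host,user,domain) plus memberNisNetgroup for nesting. Not real data.
SAMPLE_NETGROUPS = {
    "servers": {
        "nisNetgroupTriple": ["(web1.example.com,-,example.com)",
                              "(db1.example.com,-,example.com)"],
        "memberNisNetgroup": ["dmz"],
    },
    "dmz": {
        "nisNetgroupTriple": ["(bastion.example.com,-,example.com)"],
        "memberNisNetgroup": ["servers"],   # deliberate cycle, to exercise the guard
    },
    "anyhost": {
        "nisNetgroupTriple": ["(,-,)"],     # empty host and domain fields are wildcards
        "memberNisNetgroup": [],
    },
}

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")


def parse_triple(value):
    """'(host,user,domain)' -> (host, user, domain); an empty field becomes None.
    The literal '-' is kept: it matches no real host or user name."""
    m = TRIPLE_RE.match(value.strip())
    if m is None:
        raise ValueError("not a netgroup triple: %r" % value)
    return tuple(f.strip() or None for f in m.groups())


def _field_matches(entry_field, query, fold_case=False):
    # glibc innetgr(): empty triple field or NULL query argument is a wildcard
    if entry_field is None or query is None:
        return True
    if fold_case:
        return entry_field.lower() == query.lower()
    return entry_field == query


def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """True if (host,user,domain) is in netgroup `name`, following nested
    netgroups and guarding against membership cycles."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in netgroups:
        return False
    _seen.add(name)
    entry = netgroups[name]
    for raw in entry.get("nisNetgroupTriple", ()):
        h, u, d = parse_triple(raw)
        if (_field_matches(h, host, fold_case=True)
                and _field_matches(u, user)
                and _field_matches(d, domain)):
            return True
    return any(innetgr(netgroups, child, host, user, domain, _seen)
               for child in entry.get("memberNisNetgroup", ()))


def sudo_host_matches(netgroups, sudo_host, local_host, nis_domain):
    """Evaluate one sudoHost value: 'ALL' matches everything, '+name' is a
    netgroup queried as innetgr(name, host, NULL, nis_domain), anything else
    is a plain host name."""
    if sudo_host == "ALL":
        return True
    if sudo_host.startswith("+"):
        return innetgr(netgroups, sudo_host[1:], host=local_host,
                       user=None, domain=nis_domain)
    return sudo_host.lower() == local_host.lower()


if __name__ == "__main__":
    for host, dom in [("web1.example.com", "example.com"),
                      ("web1.example.com", "wrong.example"),
                      ("bastion.example.com", "example.com"),
                      ("web1.example.com", None)]:
        print("%-22s nisdomain=%-14s +servers -> %s"
              % (host, dom, sudo_host_matches(SAMPLE_NETGROUPS, "+servers", host, dom)))
```

The second case is the one the thread is about: the triples carry the IPA domain in their domain field, so a host that is in the hostgroup still fails to match when the client's NIS domain name is set to something else. Setting it to the IPA domain makes the comparison succeed whatever the caller does with an unset value.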
From Steven.Jones at vuw.ac.nz Sun May 4 21:01:11 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Sun, 4 May 2014 21:01:11 +0000 Subject: [Freeipa-users] winsync failure In-Reply-To: <5362AE77.5040902@redhat.com> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>,<5362AE77.5040902@redhat.com> Message-ID: <1399237270628.79@vuw.ac.nz>

====== [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-1 Total update aborted LDAP error: Can't contact LDAP server] Failed to start replication ======

Any ideas why, please? It looked like it transferred about 1900 odd records then bombed out.

regards Steven Jones Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012 0064 4 463 6272

From yamakasi.014 at gmail.com Sun May 4 21:22:54 2014 From: yamakasi.014 at gmail.com (Matt .) Date: Sun, 4 May 2014 23:22:54 +0200 Subject: [Freeipa-users] Dovecot/Postfix Auth, howto not working ? Message-ID:

Hi Guys, I'm trying to auth Dovecot against FreeIPA using this tut: http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On (and also Postfix using this: https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ (as it should be working with dovecot at the end I believe). I'm having some issues here and get the following errors no matter what I do:

May 4 23:13:18 mail-01 dovecot: auth: Fatal: No passdbs specified in configuration file.
LOGIN mechanism needs one May 4 23:13:18 mail-01 postfix/smtpd[2949]: error: open database /etc/aliases.db: No such file or directory May 4 23:13:18 mail-01 postfix/smtpd[2949]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled May 4 23:13:18 mail-01 dovecot: master: Error: service(auth): command startup failed, throttling May 4 23:13:18 mail-01 postfix/smtpd[2949]: connect from unknown[xxx.xxx.xxx.xxx] May 4 23:13:28 mail-01 dovecot: imap-login: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx May 4 23:13:28 mail-01 postfix/smtpd[2949]: fatal: no SASL authentication mechanisms May 4 23:13:29 mail-01 postfix/master[1627]: warning: process /usr/lib/postfix/smtpd pid 2949 exit status 1 May 4 23:13:29 mail-01 postfix/master[1627]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling May 4 23:14:18 mail-01 dovecot: auth: Fatal: No passdbs specified in configuration file. LOGIN mechanism needs one May 4 23:14:18 mail-01 dovecot: master: Error: service(auth): command startup failed, throttling May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection rate 1/60s for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18 May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection count 1 for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18 May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max cache size 1 at May 4 23:13:18 Outside the issue that it cannot find the aliasses db, I'm kinda stuck here... the tut should be working "out of the box", but I have the feeling I'm missing something here. I hope someone can help me out! Thanks! Matt -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rcritten at redhat.com Mon May 5 13:57:54 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2014 09:57:54 -0400 Subject: [Freeipa-users] winsync failure In-Reply-To: <1399237270628.79@vuw.ac.nz> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>, <5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz> Message-ID: <536798E2.9090506@redhat.com> Steven Jones wrote: > ====== > [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server] > Failed to start replication > ====== > > Any ideas why please? it looked like it transferred about 1900 odd records then bombed out. It sort of sounds like the AD server went away, but check the 389-ds access and error logs for any more information. rob From rcritten at redhat.com Mon May 5 14:02:45 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2014 10:02:45 -0400 Subject: [Freeipa-users] sudo and NIS domain name In-Reply-To: <1399215760.2613.7.camel@host.hunter.org> References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> <1399215760.2613.7.camel@host.hunter.org> Message-ID: <53679A05.5050602@redhat.com> Dean Hunter wrote: > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote: >> On (03/05/14 10:39), Dean Hunter wrote: >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: >> > >> >> On (01/05/14 15:53), Dean Hunter wrote: >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote: >> >> >> >> >> >> > >> >> >> > I just noticed that I had been incorrectly setting the NIS domain >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. 
Is >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement >> >> >> > to set the NIS domain name? >> >> >> >> >> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using >> >> >> netgroups in the sudo rules but just user groups you should be fine. >> >> >> Is this the case with you? >> >> >> If not please provide the logs and config. >> >> >> >> >> > >> >> >I am not aware of using netgroups, either the IPA object or any other >> >> >kind. I just remember that when I was first configuring sudo to >> >> >retrieve rules from IPA it would not work until I set nisdomainname >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the >> >> >manual: >> >> > >> >> > >> >> > Even though sudo uses NIS-style netgroups, it is not necessary >> >> > to have a NIS server installed. Netgroups require that a NIS >> >> > domain be named in their configuration, so sudo requires that a >> >> > NIS domain be named for netgroups. However, that NIS domain does >> >> > not actually need to exist. >> >> > >> >> > >> >> >With Fedora 20 I can no longer find the emulation of rc.local that >> >> >existed in Fedora 19. I did find fedora-domainname.service and started >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet >> >> >IPA sudo rules appear to work. >> >> > >> >> Hope It helps you >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html >> >> >> >> LS >> > >> > >> >Thank you. Now that you point it out, I remember that this thread is >> >where I first learned about fedora-domainname.service. I see: >> > >> > You would also need to set NIS domain name, otherwise SUDO will >> > not correctly recognize SUDO rules targeted on host groups, >> ^^^^^^^^^^^^^^ >> This is important part >> > instead of hosts: >> > >> >which explains when sudo would need the NIS domain name. 
Since my sudo >> >rules address user groups I guess there is no requirement for NIS domain >> >name since they are working just fine: >> Your sudo rules use host groups. >> >> > >> > ipa sudorule-add desktop-admins --desc "Desktop >> > Administrators" >> > ipa sudorule-mod desktop-admins --cmdcat all >> > ipa sudorule-add-host desktop-admins --hostgroups desktops >> > ipa sudorule-add-option desktop-admins --sudooption "! >> > authenticate" >> > ipa sudorule-add-runasuser desktop-admins --users root >> > ipa sudorule-add-runasgroup desktop-admins --groups root >> > ipa sudorule-add-user desktop-admins --groups >> > desktop-admins >> > >> > ipa sudorule-add server-admins --desc "Server >> > Administrators" >> > ipa sudorule-mod server-admins --cmdcat all >> > ipa sudorule-add-host server-admins --hostgroups servers >> hostgroups are reason why you need to configure NIS domain name. >> hostgroups are also available as netgroups in compat tree and sudo reads >> information from netgroups. >> >> > ipa sudorule-add-option server-admins --sudooption "! >> > authenticate" >> > ipa sudorule-add-runasuser server-admins --users root >> > ipa sudorule-add-runasgroup server-admins --groups root >> > ipa sudorule-add-user server-admins --groups >> > server-admins >> > >> >However, I was really asking whether there had been a change in >> >sssd/sudo behavior as it was my recollection that my sudo rules did not >> >work at all in early IPA 3.n releases unless the NIS domain name was >> >configured. >> > >> >> LS > > I hear you and that is what I expected. However, the actual behavior > seems to have changed with 3.3.4 and now 3.3.5. 
> > [dean at desktop ~]$ domainname --nis > domainname: Local domain name not set > > [dean at desktop ~]$ sudo -l > Matching Defaults entries for dean on desktop: > requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME > HISTSIZE INPUTRC > KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG > LC_ADDRESS > LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT > LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER > LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS > _XKB_CHARSET > XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin > > User dean may run the following commands on desktop: > (root : root) NOPASSWD: ALL > > [dean at desktop ~]$ > > I think this is a good thing. I would just like to confirm that this is > the new expected behavior and that I have not done something wrong. We'd need to see your sudo rules to know for sure. I don't think anything changed in the IPA code to change this behavior, but we herd a lot of cats so something in another package may be different. 
rob From rcritten at redhat.com Mon May 5 14:51:18 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 05 May 2014 10:51:18 -0400 Subject: [Freeipa-users] Failed to start Directory Service In-Reply-To: <1399042985.4780.9.camel@host.hunter.org> References: <1399042985.4780.9.camel@host.hunter.org> Message-ID: <5367A566.8060006@redhat.com> Dean Hunter wrote: > [root at ipa ~]# systemctl status ipa.service > ipa.service - Identity, Policy, Audit > Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled) > Active: failed (Result: exit-code) since Fri 2014-05-02 09:18:13 > CDT; 31min ago > Process: 2468 ExecStart=/usr/sbin/ipactl start (code=exited, > status=1/FAILURE) > Main PID: 2468 (code=exited, status=1/FAILURE) > CGroup: /system.slice/ipa.service > > May 02 09:18:13 ipa.hunter.org ipactl[2468]: Failed to start Directory > Service: > May 02 09:18:13 ipa.hunter.org ipactl[2468]: Starting Directory Service > May 02 09:18:13 ipa.hunter.org systemd[1]: ipa.service: main process > exited,...E > May 02 09:18:13 ipa.hunter.org systemd[1]: Failed to start Identity, > Policy,.... > May 02 09:18:13 ipa.hunter.org systemd[1]: Unit ipa.service entered > failed s.... > Hint: Some lines were ellipsized, use -l to show in full. > [root at ipa ~]# tail /var/log/dirsrv/slapd-HUNTER-ORG/errors > [02/May/2014:08:36:49 -0500] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [02/May/2014:08:42:57 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 > starting up > [02/May/2014:08:42:57 -0500] - WARNING: changelog: entry cache size > 2097152B is less than db size 2236416B; We recommend to increase the > entry cache size nsslapd-cachememsize. > [02/May/2014:08:42:57 -0500] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. 
> [02/May/2014:09:01:36 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 > starting up > [02/May/2014:09:01:36 -0500] - WARNING: changelog: entry cache size > 2097152B is less than db size 2236416B; We recommend to increase the > entry cache size nsslapd-cachememsize. > [02/May/2014:09:01:36 -0500] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [02/May/2014:09:13:12 -0500] - 389-Directory/1.3.2.13 B2014.073.1715 > starting up > [02/May/2014:09:13:13 -0500] - WARNING: changelog: entry cache size > 2097152B is less than db size 2236416B; We recommend to increase the > entry cache size nsslapd-cachememsize. > [02/May/2014:09:13:13 -0500] - Detected Disorderly Shutdown last time > Directory Server was running, recovering database. > [root at ipa ~]# > > I have a small test database populated with less than 50 ipa commands > for all users, hosts, etc. Is there any way to recover from this or > would it be simpler to rebuild? It looks to me that 389-ds is crashing. It may be possible to recover, I'd start with http://directory.fedoraproject.org/wiki/FAQ#Debugging_Crashes Let's see if we can get a core and a stack trace to see what's going on. rob From Steven.Jones at vuw.ac.nz Mon May 5 21:02:57 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 5 May 2014 21:02:57 +0000 Subject: [Freeipa-users] winsync failure In-Reply-To: <536798E2.9090506@redhat.com> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>,<5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz>,<536798E2.9090506@redhat.com> Message-ID: <1399323776936.71397@vuw.ac.nz> Hi, Thanks that confirms my thought as well. In a cloned test environment the sync took 25mins, in 2 hours I got 2000 out of 8000 records, so something was very slow. So the only change/variable is the network. 
regards Steven Jones Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012 0064 4 463 6272 ________________________________________ From: Rob Crittenden Sent: Tuesday, 6 May 2014 1:57 a.m. To: Steven Jones; freeipa-users at redhat.com Subject: Re: [Freeipa-users] winsync failure Steven Jones wrote: > ====== > [vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-1 Total update abortedLDAP error: Can't contact LDAP server] > Failed to start replication > ====== > > Any ideas why please? it looked like it transferred about 1900 odd records then bombed out. It sort of sounds like the AD server went away, but check the 389-ds access and error logs for any more information. rob From dpal at redhat.com Mon May 5 22:20:02 2014 From: dpal at redhat.com (Dmitri Pal) Date: Mon, 05 May 2014 18:20:02 -0400 Subject: [Freeipa-users] Dovecot/Postfix Auth, howto not working ? In-Reply-To: References: Message-ID: <53680E92.60600@redhat.com> On 05/04/2014 05:22 PM, Matt . wrote: > Hi Guys, > > I'm trying to auth Dovecot agains FreeIPA using this tut: > > http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On > > (and also Postfix using this: > https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ > (as it should be working with dovecot at the end I believe) > > I'm having some issues here and get the following errors no matter > what I do: > > May 4 23:13:18 mail-01 dovecot: auth: Fatal: No passdbs specified in > configuration file. 
LOGIN mechanism needs one > May 4 23:13:18 mail-01 postfix/smtpd[2949]: error: open database > /etc/aliases.db: No such file or directory > May 4 23:13:18 mail-01 postfix/smtpd[2949]: warning: dict_nis_init: > NIS domain name not set - NIS lookups disabled > May 4 23:13:18 mail-01 dovecot: master: Error: service(auth): command > startup failed, throttling > May 4 23:13:18 mail-01 postfix/smtpd[2949]: connect from > unknown[xxx.xxx.xxx.xxx] > May 4 23:13:28 mail-01 dovecot: imap-login: Disconnected (no auth > attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx > May 4 23:13:28 mail-01 postfix/smtpd[2949]: fatal: no SASL > authentication mechanisms > May 4 23:13:29 mail-01 postfix/master[1627]: warning: process > /usr/lib/postfix/smtpd pid 2949 exit status 1 > May 4 23:13:29 mail-01 postfix/master[1627]: warning: > /usr/lib/postfix/smtpd: bad command startup -- throttling > May 4 23:14:18 mail-01 dovecot: auth: Fatal: No passdbs specified in > configuration file. LOGIN mechanism needs one > May 4 23:14:18 mail-01 dovecot: master: Error: service(auth): command > startup failed, throttling > May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max > connection rate 1/60s for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18 > May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max > connection count 1 for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18 > May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max cache > size 1 at May 4 23:13:18 > > Outside the issue that it cannot find the aliasses db, I'm kinda stuck > here... the tut should be working "out of the box", but I have the > feeling I'm missing something here. > > I hope someone can help me out! > > Thanks! > > Matt > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users I am not a specialist but it seems that no authentication methods are configured. See the SASL line. 
Can it be that the authentication mechanism is configured as SASL instead of GSSAPI? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Steven.Jones at vuw.ac.nz Mon May 5 23:21:59 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Mon, 5 May 2014 23:21:59 +0000 Subject: [Freeipa-users] IPA compatibility to win2k12r2 In-Reply-To: <1399323776936.71397@vuw.ac.nz> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>,<5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz>, <536798E2.9090506@redhat.com>, <1399323776936.71397@vuw.ac.nz> Message-ID: <1399332118741.19539@vuw.ac.nz> Hi, We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2? Anything to watch out for? regards Steven From rcritten at redhat.com Tue May 6 12:23:39 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 06 May 2014 08:23:39 -0400 Subject: [Freeipa-users] IPA compatibility to win2k12r2 In-Reply-To: <1399332118741.19539@vuw.ac.nz> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>, <5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz>, <536798E2.9090506@redhat.com>, <1399323776936.71397@vuw.ac.nz> <1399332118741.19539@vuw.ac.nz> Message-ID: <5368D44B.3010003@redhat.com> Steven Jones wrote: > Hi, > > We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2? > > Anything to watch out for? Do you mean with winsync, trusts, or both? 
rob

From tmaugh at boingo.com Tue May 6 20:45:03 2014 From: tmaugh at boingo.com (Todd Maugh) Date: Tue, 6 May 2014 20:45:03 +0000 Subject: [Freeipa-users] SSSD Cacheing issues Message-ID:

Hello Guys, I'm having a problem with one of my clients. It seems the sssd cache keeps having a problem and is blocking users from authenticating. I am able to solve it by stopping sssd, clearing out the cache in /var/lib/sss/db with a rm -rf * and then restarting sssd. I'm not sure what logs to look at; I checked out /var/log/sssd and they are all 0 file size and gave me nothing to look at. Has anyone seen this before? Does anyone have any clues on troubleshooting? Thanks -Todd Maugh Tmaugh at boingo.com

From Steven.Jones at vuw.ac.nz Tue May 6 23:19:40 2014 From: Steven.Jones at vuw.ac.nz (Steven Jones) Date: Tue, 6 May 2014 23:19:40 +0000 Subject: [Freeipa-users] IPA compatibility to win2k12r2 In-Reply-To: <5368D44B.3010003@redhat.com> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>,<5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz>, <536798E2.9090506@redhat.com>, <1399323776936.71397@vuw.ac.nz> <1399332118741.19539@vuw.ac.nz>,<5368D44B.3010003@redhat.com> Message-ID: <1399418380331.30337@vuw.ac.nz>

Hi, Both, but especially the former. RHEL6.5 documentation seems to only talk about win2k8. regards Steven Jones Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012 0064 4 463 6272

________________________________________ From: Rob Crittenden Sent: Wednesday, 7 May 2014 12:23 a.m. To: Steven Jones; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA compatibility to win2k12r2 Steven Jones wrote: > Hi, > > We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2? > > Anything to watch out for? Do you mean with winsync, trusts, or both?
rob From Johan.Petersson at sscspace.com Wed May 7 05:27:32 2014 From: Johan.Petersson at sscspace.com (Johan Petersson) Date: Wed, 7 May 2014 05:27:32 +0000 Subject: [Freeipa-users] IPA compatibility to win2k12r2 In-Reply-To: <1399418380331.30337@vuw.ac.nz> References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz>,<5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz>, <536798E2.9090506@redhat.com>, <1399323776936.71397@vuw.ac.nz> <1399332118741.19539@vuw.ac.nz>, <5368D44B.3010003@redhat.com>, <1399418380331.30337@vuw.ac.nz> Message-ID: <558C15177F5E714F83334217C9A197DF016C523C4F@SSC-MBX2.ssc.internal> Hi, I have a working sync configuration between Windows 2012 Server and IPA on RHEL 6.5 and have not seen any problems at all. Sync works great and Windows 2012 works perfect together with Samba for file sharing as well. My suggestion is to set up a test environment that are as close as possible to the one you will upgrade and confirm it works for all your special needs before upgrading. Regards, Johan ________________________________________ From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz] Sent: Wednesday, May 07, 2014 01:19 To: Rob Crittenden; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA compatibility to win2k12r2 Hi, Both, but especially the former. RHEL6.5 documentation seems to only talk about win2k8. regards Steven Jones Technical Specialist - Linux RHCE Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012 0064 4 463 6272 ________________________________________ From: Rob Crittenden Sent: Wednesday, 7 May 2014 12:23 a.m. To: Steven Jones; freeipa-users at redhat.com Subject: Re: [Freeipa-users] IPA compatibility to win2k12r2 Steven Jones wrote: > Hi, > > We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2? > > Anything to watch out for? Do you mean with winsync, trusts, or both? 
rob

This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection.

From lslebodn at redhat.com Wed May 7 06:34:17 2014 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 7 May 2014 08:34:17 +0200 Subject: [Freeipa-users] SSSD Cacheing issues In-Reply-To: References: Message-ID: <20140507063416.GA13226@mail.corp.redhat.com>

On (06/05/14 20:45), Todd Maugh wrote: >Hello Guys, > > I'm having a problem with one of my clients, it seems the sssd cache keeps having a problem and is blocking users from authenticating, I am able to solve it by stopping sssd clearing out the cache in /var/lib/sss/db with a rm -rf * and then restarting the sssd.

Which version of sssd?

> >I'm not sure what logs to look at I checked out /var/log/sssd and they are all 0 file size and gave me nothing to look at. >

Debugging is turned off by default in sssd. To enable debugging, you should add "debug_level = 7" into the appropriate section. In this case, I would say pam and domain. There is also the possibility to enable debugging on the fly with the command line utility sss_debuglevel. sss_debuglevel is part of the package sssd-tools, which isn't installed by default with sssd:

sh# sss_debuglevel 7

>Has anyone seen this before, does anyone have any clues on troubleshooting.

It is hard to say where the problem can be. We will need to see log files. LS

From szymon.jazy at gmail.com Wed May 7 08:31:12 2014 From: szymon.jazy at gmail.com (Szymon Jazy) Date: Wed, 7 May 2014 10:31:12 +0200 Subject: [Freeipa-users] sudorules - allow all and exclude some Message-ID:

Hello, Is there a proper way in sudo rules to allow any command and exclude only some groups?
Something like: %test_group ALL= (ALL) ALL, !SU, !SHELLS If I try to do this (gui/cli) I get an error: ipa: ERROR: commands cannot be added when command category='all' Non proper way (bug ?) is to first add deny groups and after that add allow all :) It should be fixed in this, but it seems to still work (freeipa-server-3.3.4-3) https://fedorahosted.org/freeipa/ticket/1440 Thanks Szymon -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed May 7 09:17:54 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 7 May 2014 11:17:54 +0200 Subject: [Freeipa-users] sudorules - allow all and exclude some In-Reply-To: References: Message-ID: <20140507091754.GE5744@hendrix.brq.redhat.com> On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote: > Hello, > Is there a proper way in sudo rules to allow any command and exclude only > some groups? > Something like: > %test_group ALL= (ALL) ALL, !SU, !SHELLS > If I try to do this (gui/cli) I get an error: > ipa: ERROR: commands cannot be added when command category='all' > > Non proper way (bug ?) is to first add deny groups and after that add allow > all :) > It should be fixed in this, but it seems to still work > (freeipa-server-3.3.4-3) > https://fedorahosted.org/freeipa/ticket/1440 > > Thanks > Szymon Hi Szymon, freeipa-users might be a good place to ask this question. As you noticed, plain sudo does support this functionality, but I'm not completely sure about IPA's UI. The IPA developers would know, I'm sure. 
From jhrozek at redhat.com Wed May 7 09:24:25 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 7 May 2014 11:24:25 +0200 Subject: [Freeipa-users] sudorules - allow all and exclude some In-Reply-To: <20140507091754.GE5744@hendrix.brq.redhat.com> References: <20140507091754.GE5744@hendrix.brq.redhat.com> Message-ID: <20140507092425.GG5744@hendrix.brq.redhat.com> On Wed, May 07, 2014 at 11:17:54AM +0200, Jakub Hrozek wrote: > On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote: > > Hello, > > Is there a proper way in sudo rules to allow any command and exclude only > > some groups? > > Something like: > > %test_group ALL= (ALL) ALL, !SU, !SHELLS > > If I try to do this (gui/cli) I get an error: > > ipa: ERROR: commands cannot be added when command category='all' > > > > Non proper way (bug ?) is to first add deny groups and after that add allow > > all :) > > It should be fixed in this, but it seems to still work > > (freeipa-server-3.3.4-3) > > https://fedorahosted.org/freeipa/ticket/1440 > > > > Thanks > > Szymon > > Hi Szymon, > > freeipa-users might be a good place to ask this question. As you > noticed, plain sudo does support this functionality, but I'm not > completely sure about IPA's UI. The IPA developers would know, I'm sure. Obviously, I was going to respond to Szymon's same question on sssd-users and missed that he forwarded the question to freeipa-users as well. Sorry for the noise.. From rcritten at redhat.com Wed May 7 13:15:24 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 07 May 2014 09:15:24 -0400 Subject: [Freeipa-users] sudorules - allow all and exclude some In-Reply-To: References: Message-ID: <536A31EC.1010100@redhat.com> Szymon Jazy wrote: > Hello, > Is there a proper way in sudo rules to allow any command and exclude > only some groups? 
> Something like:
> %test_group ALL= (ALL) ALL, !SU, !SHELLS
> If I try to do this (gui/cli) I get an error:
> ipa: ERROR: commands cannot be added when command category='all'

Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340

> Non-proper way (bug?) is to first add deny groups and after that add
> allow all :)
> It should be fixed in this, but it seems to still work
> (freeipa-server-3.3.4-3)
> https://fedorahosted.org/freeipa/ticket/1440

Right, it was an incomplete fix. I opened https://fedorahosted.org/freeipa/ticket/4341 to address that, though to be coordinated with 4340 so we don't remove your workaround first.

rob

From szymon.jazy at gmail.com Wed May 7 13:17:41 2014
From: szymon.jazy at gmail.com (Szymon Jazy)
Date: Wed, 7 May 2014 15:17:41 +0200
Subject: [Freeipa-users] sudorules - allow all and exclude some
In-Reply-To: <536A31EC.1010100@redhat.com>
References: <536A31EC.1010100@redhat.com>

Ok, thanks.

2014-05-07 15:15 GMT+02:00 Rob Crittenden :
> Szymon Jazy wrote:
>
>> Hello,
>> Is there a proper way in sudo rules to allow any command and exclude
>> only some groups?
>> Something like:
>> %test_group ALL= (ALL) ALL, !SU, !SHELLS
>> If I try to do this (gui/cli) I get an error:
>> ipa: ERROR: commands cannot be added when command category='all'
>>
>
> Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340
>
>
>> Non-proper way (bug?) is to first add deny groups and after that add
>> allow all :)
>> It should be fixed in this, but it seems to still work
>> (freeipa-server-3.3.4-3)
>> https://fedorahosted.org/freeipa/ticket/1440
>>
>
> Right, it was an incomplete fix. I opened https://fedorahosted.org/freeipa/ticket/4341
> to address that, though to be coordinated with 4340
> so we don't remove your workaround first.
>
> rob
>
From dpal at redhat.com Wed May 7 13:45:39 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 07 May 2014 09:45:39 -0400
Subject: [Freeipa-users] SSSD Cacheing issues
In-Reply-To: <20140507063416.GA13226@mail.corp.redhat.com>
References: <20140507063416.GA13226@mail.corp.redhat.com>
Message-ID: <536A3903.7090402@redhat.com>

On 05/07/2014 02:34 AM, Lukas Slebodnik wrote:
> On (06/05/14 20:45), Todd Maugh wrote:
>> Hello Guys,
>>
>> I'm having a problem with one of my clients, it seems the sssd cache keeps having a problem and is blocking users from authenticating. I am able to solve it by stopping sssd, clearing out the cache in /var/lib/sss/db with a rm -rf * and then restarting the sssd.
> Which version of sssd?
>
>> I'm not sure what logs to look at. I checked out /var/log/sssd and they are all 0 file size and gave me nothing to look at.
>>
> debugging is turned off by default in sssd.
> To enable debugging, you should add "debug_level = 7" into appropriate section.
> In this case, I would say pam and domain.
>
> There is also possibility to enable debugging on the fly with command line
> utility sss_debuglevel. sss_debuglevel is part of package sssd-tools, which
> isn't installed by default with sssd
>
> sh# sss_debuglevel 7
>
>> Has anyone seen this before, does anyone have any clues on troubleshooting.
> It is hard to say where problem can be. We will need to see log files.

One of the possible reasons for this can be for example the situation when you create/remove/create same (test) user(s) on the server with different UIDs. These users would have trouble getting in without cleaning the cache.

>
> LS
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
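Lukas's advice above (debug_level = 7 in the pam and domain sections of sssd.conf) done programmatically, as an added example that is not code from the thread or from the SSSD project. The sssd.conf content is constructed and the domain name example.com is assumed; on a client the file is /etc/sssd/sssd.conf and must stay root-owned with mode 0600, otherwise SSSD refuses to start.

```python
"""Turn on SSSD debug logging in the [pam] and [domain/...] sections of sssd.conf.

Added example for the thread above; it is not code from the thread or from the
SSSD project. It works on a constructed sssd.conf held in memory.
"""
import configparser
from io import StringIO

# Constructed sample sssd.conf (domain name example.com is an assumption).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = example.com

[nss]

[pam]

[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa1.example.com
cache_credentials = True
"""


def load_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def set_debug_level(cp, level=7, sections=("pam",), all_domains=True):
    """Set debug_level in the named sections and in every [domain/...] section.

    Missing sections are created. Returns the names of the sections that changed."""
    targets = list(sections)
    if all_domains:
        targets += [s for s in cp.sections() if s.startswith("domain/")]
    changed = []
    for section in targets:
        if not cp.has_section(section):
            cp.add_section(section)
        if cp.get(section, "debug_level", fallback=None) != str(level):
            cp.set(section, "debug_level", str(level))
            changed.append(section)
    return changed


def debug_levels(cp):
    """Report which sections carry a debug_level and with what value."""
    return {s: cp.get(s, "debug_level") for s in cp.sections()
            if cp.has_option(s, "debug_level")}


def dump_conf(cp):
    """Serialise back to sssd.conf syntax (write it with mode 0600, then restart sssd)."""
    buf = StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    conf = load_conf(SAMPLE_SSSD_CONF)
    print("changed sections:", set_debug_level(conf))
    print(dump_conf(conf))
```

After writing the result back, restart sssd (systemctl restart sssd) and look in /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_example.com.log; sss_debuglevel from sssd-tools changes the same setting on the running daemon without a restart. If the cache itself has to be reset, sss_cache -E invalidates every cached entry and is gentler than removing the files under /var/lib/sss/db.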
From dbmacartney at gmail.com Thu May 8 20:36:35 2014
From: dbmacartney at gmail.com (Dale Macartney)
Date: Thu, 08 May 2014 21:36:35 +0100
Subject: [Freeipa-users] Dovecot/Postfix Auth, howto not working ?
Message-ID: <536BEAD3.40204@gmail.com>

On 05/04/2014 10:22 PM, Matt . wrote:
> Hi Guys,
>
> I'm trying to auth Dovecot against FreeIPA using this tut:
>
> http://www.freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On
>
> (and also Postfix using this: https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/ (as it should be working with dovecot at the end I believe)
>
> I'm having some issues here and get the following errors no matter what I do:

Hi Matt

Apologies for the delayed response.

>> May 4 23:13:28 mail-01 dovecot: imap-login: Disconnected (no auth attempts): rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx

This particular log output is consistent with a failed login attempt when using SSL, however the Dovecot howto will set up StartTLS and not SSL.

Could you please confirm how you are testing this setup? OS version of both IPA server and mail server, OS version and also mail client of the workstation.

I'm setting up a new demo lab with these howtos at present to verify the steps on RHEL 6.5 to ensure there are no changes required.

Dale

> May 4 23:13:28 mail-01 postfix/smtpd[2949]: fatal: no SASL authentication mechanisms
> May 4 23:13:29 mail-01 postfix/master[1627]: warning: process /usr/lib/postfix/smtpd pid 2949 exit status 1
> May 4 23:13:29 mail-01 postfix/master[1627]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
> May 4 23:14:18 mail-01 dovecot: auth: Fatal: No passdbs specified in configuration file.
> LOGIN mechanism needs one
> May 4 23:14:18 mail-01 dovecot: master: Error: service(auth): command startup failed, throttling
> May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection rate 1/60s for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18
> May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max connection count 1 for (smtp:xxx.xxx.xxx.xxx) at May 4 23:13:18
> May 4 23:15:09 mail-01 postfix/anvil[2952]: statistics: max cache size 1 at May 4 23:13:18
>
> Outside the issue that it cannot find the aliases db, I'm kinda stuck here... the tut should be working "out of the box", but I have the feeling I'm missing something here.
>
> I hope someone can help me out!
>
> Thanks!
>
> Matt
From Steven.Jones at vuw.ac.nz Thu May 8 21:14:00 2014
From: Steven.Jones at vuw.ac.nz (Steven Jones)
Date: Thu, 8 May 2014 21:14:00 +0000
Subject: [Freeipa-users] IPA compatibility to win2k12r2
In-Reply-To: <558C15177F5E714F83334217C9A197DF016C523C4F@SSC-MBX2.ssc.internal>
References: <53617D09.6020201@sri.com> <1398902532240.49149@vuw.ac.nz> <5362AE77.5040902@redhat.com> <1399237270628.79@vuw.ac.nz> <536798E2.9090506@redhat.com> <1399323776936.71397@vuw.ac.nz> <1399332118741.19539@vuw.ac.nz> <5368D44B.3010003@redhat.com> <1399418380331.30337@vuw.ac.nz> <558C15177F5E714F83334217C9A197DF016C523C4F@SSC-MBX2.ssc.internal>
Message-ID: <1399583637700.10482@vuw.ac.nz>

Hi

While I'm sure it works, bitter experience has taught me that I am not going to deploy anything in Production that doesn't have full vendor support, especially IPA. So until win2k12r2 is supported, I won't touch it.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

________________________________________
From: Johan Petersson
Sent: Wednesday, 7 May 2014 5:27 p.m.
To: Steven Jones; Rob Crittenden; freeipa-users at redhat.com
Subject: RE: [Freeipa-users] IPA compatibility to win2k12r2

Hi,

I have a working sync configuration between Windows 2012 Server and IPA on RHEL 6.5 and have not seen any problems at all. Sync works great and Windows 2012 works perfectly together with Samba for file sharing as well.

My suggestion is to set up a test environment that is as close as possible to the one you will upgrade and confirm it works for all your special needs before upgrading.
Regards,
Johan

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
Sent: Wednesday, May 07, 2014 01:19
To: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA compatibility to win2k12r2

Hi,

Both, but especially the former. RHEL6.5 documentation seems to only talk about win2k8.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

________________________________________
From: Rob Crittenden
Sent: Wednesday, 7 May 2014 12:23 a.m.
To: Steven Jones; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA compatibility to win2k12r2

Steven Jones wrote:
> Hi,
>
> We are currently on win2k3r2 and are upgrading to win2k12R2, is IPA compatible with win2k12r2?
>
> Anything to watch out for?

Do you mean with winsync, trusts, or both?

rob
From deanhunter at comcast.net Fri May 9 00:46:05 2014 From: deanhunter at comcast.net (Dean Hunter) Date: Thu, 08 May 2014 19:46:05 -0500 Subject: [Freeipa-users] sudo and NIS domain name In-Reply-To: <53679A05.5050602@redhat.com> References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> <1399215760.2613.7.camel@host.hunter.org> <53679A05.5050602@redhat.com> Message-ID: <1399596365.2579.3.camel@host.hunter.org> On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote: > Dean Hunter wrote: > > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote: > >> On (03/05/14 10:39), Dean Hunter wrote: > >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote: > >> > > >> >> On (01/05/14 15:53), Dean Hunter wrote: > >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote: > >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote: > >> >> >> > >> >> >> > > >> >> >> > I just noticed that I had been incorrectly setting the NIS domain > >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to > >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is > >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement > >> >> >> > to set the NIS domain name? > >> >> >> > >> >> >> > >> >> >> I think NIS domain is needed for netgroups. If you are not using > >> >> >> netgroups in the sudo rules but just user groups you should be fine. > >> >> >> Is this the case with you? > >> >> >> If not please provide the logs and config. > >> >> >> > >> >> > > >> >> >I am not aware of using netgroups, either the IPA object or any other > >> >> >kind. I just remember that when I was first configuring sudo to > >> >> >retrieve rules from IPA it would not work until I set nisdomainname > >> >> >in /etc/rc.d/rc.local. 
Here is the quote from section 14.4 of the > >> >> >manual: > >> >> > > >> >> > > >> >> > Even though sudo uses NIS-style netgroups, it is not necessary > >> >> > to have a NIS server installed. Netgroups require that a NIS > >> >> > domain be named in their configuration, so sudo requires that a > >> >> > NIS domain be named for netgroups. However, that NIS domain does > >> >> > not actually need to exist. > >> >> > > >> >> > > >> >> >With Fedora 20 I can no longer find the emulation of rc.local that > >> >> >existed in Fedora 19. I did find fedora-domainname.service and started > >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet > >> >> >IPA sudo rules appear to work. > >> >> > > >> >> Hope It helps you > >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html > >> >> > >> >> LS > >> > > >> > > >> >Thank you. Now that you point it out, I remember that this thread is > >> >where I first learned about fedora-domainname.service. I see: > >> > > >> > You would also need to set NIS domain name, otherwise SUDO will > >> > not correctly recognize SUDO rules targeted on host groups, > >> ^^^^^^^^^^^^^^ > >> This is important part > >> > instead of hosts: > >> > > >> >which explains when sudo would need the NIS domain name. Since my sudo > >> >rules address user groups I guess there is no requirement for NIS domain > >> >name since they are working just fine: > >> Your sudo rules use host groups. > >> > >> > > >> > ipa sudorule-add desktop-admins --desc "Desktop > >> > Administrators" > >> > ipa sudorule-mod desktop-admins --cmdcat all > >> > ipa sudorule-add-host desktop-admins --hostgroups desktops > >> > ipa sudorule-add-option desktop-admins --sudooption "! 
> >> > authenticate" > >> > ipa sudorule-add-runasuser desktop-admins --users root > >> > ipa sudorule-add-runasgroup desktop-admins --groups root > >> > ipa sudorule-add-user desktop-admins --groups > >> > desktop-admins > >> > > >> > ipa sudorule-add server-admins --desc "Server > >> > Administrators" > >> > ipa sudorule-mod server-admins --cmdcat all > >> > ipa sudorule-add-host server-admins --hostgroups servers > >> hostgroups are reason why you need to configure NIS domain name. > >> hostgroups are also available as netgroups in compat tree and sudo reads > >> information from netgroups. > >> > >> > ipa sudorule-add-option server-admins --sudooption "! > >> > authenticate" > >> > ipa sudorule-add-runasuser server-admins --users root > >> > ipa sudorule-add-runasgroup server-admins --groups root > >> > ipa sudorule-add-user server-admins --groups > >> > server-admins > >> > > >> >However, I was really asking whether there had been a change in > >> >sssd/sudo behavior as it was my recollection that my sudo rules did not > >> >work at all in early IPA 3.n releases unless the NIS domain name was > >> >configured. > >> > > >> > >> LS > > > > I hear you and that is what I expected. However, the actual behavior > > seems to have changed with 3.3.4 and now 3.3.5. 
> >
> > [dean at desktop ~]$ domainname --nis
> > domainname: Local domain name not set
> >
> > [dean at desktop ~]$ sudo -l
> > Matching Defaults entries for dean on desktop:
> >     requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
> >     HISTSIZE INPUTRC
> >     KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
> >     LC_ADDRESS
> >     LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
> >     LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> >     LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
> >     _XKB_CHARSET
> >     XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >
> > User dean may run the following commands on desktop:
> >     (root : root) NOPASSWD: ALL
> >
> > [dean at desktop ~]$
> >
> > I think this is a good thing. I would just like to confirm that this is
> > the new expected behavior and that I have not done something wrong.
>
> We'd need to see your sudo rules to know for sure.
>
> I don't think anything changed in the IPA code to change this behavior,
> but we herd a lot of cats so something in another package may be different.
>
> rob

The sudo rules are listed above.
From rcritten at redhat.com Fri May 9 02:22:16 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 08 May 2014 22:22:16 -0400
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <1399596365.2579.3.camel@host.hunter.org>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> <1399215760.2613.7.camel@host.hunter.org> <53679A05.5050602@redhat.com> <1399596365.2579.3.camel@host.hunter.org>
Message-ID: <536C3BD8.509@redhat.com>

Dean Hunter wrote:
> On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
>> Dean Hunter wrote:
>> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
>> >> On (03/05/14 10:39), Dean Hunter wrote:
>> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>> >> >
>> >> >> On (01/05/14 15:53), Dean Hunter wrote:
>> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> >> >>
>> >> >> >> >
>> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
>> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
>> >> >> >> > to set the NIS domain name?
>> >> >> >>
>> >> >> >>
>> >> >> >> I think NIS domain is needed for netgroups. If you are not using
>> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> >> >> Is this the case with you?
>> >> >> >> If not please provide the logs and config.
>> >> >> >>
>> >> >> >
>> >> >> >I am not aware of using netgroups, either the IPA object or any other
>> >> >> >kind.
I just remember that when I was first configuring sudo to >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname >> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the >> >> >> >manual: >> >> >> > >> >> >> > >> >> >> > Even though sudo uses NIS-style netgroups, it is not necessary >> >> >> > to have a NIS server installed. Netgroups require that a NIS >> >> >> > domain be named in their configuration, so sudo requires that a >> >> >> > NIS domain be named for netgroups. However, that NIS domain does >> >> >> > not actually need to exist. >> >> >> > >> >> >> > >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that >> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet >> >> >> >IPA sudo rules appear to work. >> >> >> > >> >> >> Hope It helps you >> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html >> >> >> >> >> >> LS >> >> > >> >> > >> >> >Thank you. Now that you point it out, I remember that this thread is >> >> >where I first learned about fedora-domainname.service. I see: >> >> > >> >> > You would also need to set NIS domain name, otherwise SUDO will >> >> > not correctly recognize SUDO rules targeted on host groups, >> >> ^^^^^^^^^^^^^^ >> >> This is important part >> >> > instead of hosts: >> >> > >> >> >which explains when sudo would need the NIS domain name. Since my sudo >> >> >rules address user groups I guess there is no requirement for NIS domain >> >> >name since they are working just fine: >> >> Your sudo rules use host groups. >> >> >> >> > >> >> > ipa sudorule-add desktop-admins --desc "Desktop >> >> > Administrators" >> >> > ipa sudorule-mod desktop-admins --cmdcat all >> >> > ipa sudorule-add-host desktop-admins --hostgroups desktops >> >> > ipa sudorule-add-option desktop-admins --sudooption "! 
>> >> > authenticate" >> >> > ipa sudorule-add-runasuser desktop-admins --users root >> >> > ipa sudorule-add-runasgroup desktop-admins --groups root >> >> > ipa sudorule-add-user desktop-admins --groups >> >> > desktop-admins >> >> > >> >> > ipa sudorule-add server-admins --desc "Server >> >> > Administrators" >> >> > ipa sudorule-mod server-admins --cmdcat all >> >> > ipa sudorule-add-host server-admins --hostgroups servers >> >> hostgroups are reason why you need to configure NIS domain name. >> >> hostgroups are also available as netgroups in compat tree and sudo reads >> >> information from netgroups. >> >> >> >> > ipa sudorule-add-option server-admins --sudooption "! >> >> > authenticate" >> >> > ipa sudorule-add-runasuser server-admins --users root >> >> > ipa sudorule-add-runasgroup server-admins --groups root >> >> > ipa sudorule-add-user server-admins --groups >> >> > server-admins >> >> > >> >> >However, I was really asking whether there had been a change in >> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not >> >> >work at all in early IPA 3.n releases unless the NIS domain name was >> >> >configured. >> >> > >> >> >> >> LS >> > >> > I hear you and that is what I expected. However, the actual behavior >> > seems to have changed with 3.3.4 and now 3.3.5. 
>> > >> > [dean at desktop ~]$ domainname --nis >> > domainname: Local domain name not set >> > >> > [dean at desktop ~]$ sudo -l >> > Matching Defaults entries for dean on desktop: >> > requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME >> > HISTSIZE INPUTRC >> > KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG >> > LC_ADDRESS >> > LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT >> > LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER >> > LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS >> > _XKB_CHARSET >> > XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin >> > >> > User dean may run the following commands on desktop: >> > (root : root) NOPASSWD: ALL >> > >> > [dean at desktop ~]$ >> > >> > I think this is a good thing. I would just like to confirm that this is >> > the new expected behavior and that I have not done something wrong. >> >> We'd need to see your sudo rules to know for sure. >> >> I don't think anything changed in the IPA code to change this behavior, >> but we herd a lot of cats so something in another package may be different. >> >> rob > > The sudo rules are listed above. > It is incomplete at best. There is no user dean mentioned in those rules, where does that come from? Some group membership I can only assume. Does getent netgroup servers or desktops actually return a valid tuple? 
rob

From lslebodn at redhat.com Fri May 9 08:28:19 2014
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 9 May 2014 10:28:19 +0200
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <1399596365.2579.3.camel@host.hunter.org>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> <1399215760.2613.7.camel@host.hunter.org> <53679A05.5050602@redhat.com> <1399596365.2579.3.camel@host.hunter.org>
Message-ID: <20140509082818.GC3065@mail.corp.redhat.com>

On (08/05/14 19:46), Dean Hunter wrote:
>On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
>
>> Dean Hunter wrote:
>> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
>> >> On (03/05/14 10:39), Dean Hunter wrote:
>> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
>> >> >
>> >> >> On (01/05/14 15:53), Dean Hunter wrote:
>> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
>> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
>> >> >> >>
>> >> >> >> >
>> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
>> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
>> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
>> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
>> >> >> >> > to set the NIS domain name?
>> >> >> >>
>> >> >> >>
>> >> >> >> I think NIS domain is needed for netgroups. If you are not using
>> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
>> >> >> >> Is this the case with you?
>> >> >> >> If not please provide the logs and config.
>> >> >> >>
>> >> >> >
>> >> >> >I am not aware of using netgroups, either the IPA object or any other
>> >> >> >kind.
I just remember that when I was first configuring sudo to >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname >> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the >> >> >> >manual: >> >> >> > >> >> >> > >> >> >> > Even though sudo uses NIS-style netgroups, it is not necessary >> >> >> > to have a NIS server installed. Netgroups require that a NIS >> >> >> > domain be named in their configuration, so sudo requires that a >> >> >> > NIS domain be named for netgroups. However, that NIS domain does >> >> >> > not actually need to exist. >> >> >> > >> >> >> > >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that >> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet >> >> >> >IPA sudo rules appear to work. >> >> >> > >> >> >> Hope It helps you >> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html >> >> >> >> >> >> LS >> >> > >> >> > >> >> >Thank you. Now that you point it out, I remember that this thread is >> >> >where I first learned about fedora-domainname.service. I see: >> >> > >> >> > You would also need to set NIS domain name, otherwise SUDO will >> >> > not correctly recognize SUDO rules targeted on host groups, >> >> ^^^^^^^^^^^^^^ >> >> This is important part >> >> > instead of hosts: >> >> > >> >> >which explains when sudo would need the NIS domain name. Since my sudo >> >> >rules address user groups I guess there is no requirement for NIS domain >> >> >name since they are working just fine: >> >> Your sudo rules use host groups. >> >> >> >> > >> >> > ipa sudorule-add desktop-admins --desc "Desktop >> >> > Administrators" >> >> > ipa sudorule-mod desktop-admins --cmdcat all >> >> > ipa sudorule-add-host desktop-admins --hostgroups desktops >> >> > ipa sudorule-add-option desktop-admins --sudooption "! 
>> >> > authenticate" >> >> > ipa sudorule-add-runasuser desktop-admins --users root >> >> > ipa sudorule-add-runasgroup desktop-admins --groups root >> >> > ipa sudorule-add-user desktop-admins --groups >> >> > desktop-admins >> >> > >> >> > ipa sudorule-add server-admins --desc "Server >> >> > Administrators" >> >> > ipa sudorule-mod server-admins --cmdcat all >> >> > ipa sudorule-add-host server-admins --hostgroups servers >> >> hostgroups are reason why you need to configure NIS domain name. >> >> hostgroups are also available as netgroups in compat tree and sudo reads >> >> information from netgroups. >> >> >> >> > ipa sudorule-add-option server-admins --sudooption "! >> >> > authenticate" >> >> > ipa sudorule-add-runasuser server-admins --users root >> >> > ipa sudorule-add-runasgroup server-admins --groups root >> >> > ipa sudorule-add-user server-admins --groups >> >> > server-admins >> >> > >> >> >However, I was really asking whether there had been a change in >> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not >> >> >work at all in early IPA 3.n releases unless the NIS domain name was >> >> >configured. >> >> > >> >> >> >> LS >> > >> > I hear you and that is what I expected. However, the actual behavior >> > seems to have changed with 3.3.4 and now 3.3.5. 
>> >
>> > [dean at desktop ~]$ domainname --nis
>> > domainname: Local domain name not set
>> >
>> > [dean at desktop ~]$ sudo -l
>> > Matching Defaults entries for dean on desktop:
>> >     requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME
>> >     HISTSIZE INPUTRC
>> >     KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
>> >     LC_ADDRESS
>> >     LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
>> >     LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
>> >     LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
>> >     _XKB_CHARSET
>> >     XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>> >
>> > User dean may run the following commands on desktop:
>> >     (root : root) NOPASSWD: ALL
>> >
>> > [dean at desktop ~]$
>> >
>> > I think this is a good thing. I would just like to confirm that this is
>> > the new expected behavior and that I have not done something wrong.
>>
>> We'd need to see your sudo rules to know for sure.
>>
>> I don't think anything changed in the IPA code to change this behavior,
>> but we herd a lot of cats so something in another package may be different.
>>
>> rob
>
>
>The sudo rules are listed above.
>

FYI

[root ~]# ipa sudorule-add-host --help
Usage: ipa [global-options] sudorule-add-host SUDORULE-NAME [options]

Add hosts and hostgroups affected by Sudo Rule.
Options:
  -h, --help            show this help message and exit
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
//will work without nisdomainname configured
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --hosts=STR           hosts to add          //will work without nisdomainname configured
  --hostgroups=STR      host groups to add    //will *NOT* work without nisdomainname configured

LS

From richard at fohnet.co.uk Fri May 9 14:50:52 2014
From: richard at fohnet.co.uk (Richard Clark)
Date: Fri, 9 May 2014 15:50:52 +0100
Subject: [Freeipa-users] Hardening freeipa on the internet
In-Reply-To: <535A18A3.1060202@redhat.com>
References: <535A18A3.1060202@redhat.com>
Message-ID: <20140509145052.GA23742@fohnet.co.uk>

On Fri, Apr 25, 2014 at 10:11:15AM +0200, Martin Kosek wrote:
>
> Does anybody know about other precautions that should be made besides standard
> hardening (SELinux, firewall, log audits)?
>

I've been running IPA on AWS for a while, replicating within regions as well as inter-region and also a regular datacentre. Not using IPA DNS services, but instead using Route53 (managed by puppet). All in all have been pretty impressed with the stability of it.

As well as disabling anonymous binds, you should also disallow plain-text connections. This is done in /etc/dirsrv/slapd-PROD-TELNIC-NET/dse.ldif

Find nsslapd-minssf, and change this from '0' to '56'

With this enabled, all clients will need to communicate via STARTTLS or LDAPS.

The only caveat to this is in 3.0, this affects only the regular slapd instance, and not the CA slapd which replicates over plain-text only. This is apparently fixed in 3.2.

Cheers,

--
Richard Clark
richard at fohnet.co.uk
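Rob's diagnostic question in this thread (does `getent netgroup servers` or `desktops` actually return a valid tuple?) and Lukas's explanation that host groups reach sudo as netgroups from the compat tree, where the client's NIS domain name takes part in the match, as an added example that is not code from the thread or from FreeIPA, SSSD or sudo. The getent output, the host names and the NIS domain example.com are constructed; the matching rule is modelled on glibc's innetgr(), where an empty or '-' field on either side is a wildcard and otherwise the host and domain fields must compare equal. sudo passes the client's NIS domain into that comparison, so a domain set to the wrong value is as bad as a host that is not listed.

```python
"""Diagnose whether an IPA host group can be matched as a netgroup on this client.

Added example; it is not code from the thread or from FreeIPA, SSSD or sudo.
Sample output below is constructed. The matching rule follows glibc innetgr():
an empty or '-' field on either side is a wildcard, otherwise the host and
domain fields must compare equal (case-insensitively).
"""
import re
import socket
import subprocess

# Constructed `getent netgroup servers` output as the IPA compat tree serves a
# host group (host group "servers" and NIS domain "example.com" are assumed names).
SAMPLE_GETENT = ("servers (server1.example.com,-,example.com) "
                 "(server2.example.com,-,example.com)")

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(line):
    """Return (name, [(host, user, domain), ...]); empty or '-' fields become None."""
    name, _, rest = line.strip().partition(" ")
    triples = []
    for fields in TRIPLE_RE.findall(rest):
        triples.append(tuple(None if f.strip() in ("", "-") else f.strip() for f in fields))
    return name, triples


def nis_domain_from_output(text):
    """Map `domainname --nis` output to a domain string, or None when no domain is set.

    Linux prints "(none)" for an unset domain; the build in this thread printed
    "domainname: Local domain name not set" instead."""
    text = text.strip()
    if text in ("", "(none)") or text.startswith("domainname:"):
        return None
    return text


def host_in_netgroup(triples, fqdn, nis_domain):
    """innetgr()-style host match: host and domain fields are wildcards when unset."""
    for host, _user, domain in triples:
        if host is not None and host.lower() != fqdn.lower():
            continue
        if domain is not None and nis_domain is not None and domain.lower() != nis_domain.lower():
            continue
        return True
    return False


def diagnose(getent_line, fqdn, domainname_output):
    """Return (ok, explanation) for one netgroup as seen from the client fqdn."""
    name, triples = parse_netgroup(getent_line)
    nis_domain = nis_domain_from_output(domainname_output)
    if not triples:
        return False, f"{name}: no triples returned; check 'netgroup: sss' in nsswitch.conf and the compat tree"
    if host_in_netgroup(triples, fqdn, nis_domain):
        return True, f"{name}: {fqdn} matches (client NIS domain: {nis_domain or 'unset'})"
    if not any(h is None or h.lower() == fqdn.lower() for h, _, _ in triples):
        return False, f"{name}: {fqdn} is not a member"
    domains = sorted({d for _, _, d in triples if d})
    return False, (f"{name}: host is listed but client NIS domain {nis_domain!r} "
                   f"does not match triple domain(s) {domains}; set the NIS domain name to match")


def check_live(netgroups, fqdn=None):
    """Run the diagnosis against the real getent/domainname on this host (not used by tests)."""
    fqdn = fqdn or socket.getfqdn()
    dn = subprocess.run(["domainname", "--nis"], capture_output=True, text=True)
    dn_output = dn.stdout if dn.returncode == 0 else dn.stderr
    results = []
    for ng in netgroups:
        ge = subprocess.run(["getent", "netgroup", ng], capture_output=True, text=True)
        results.append(diagnose(ge.stdout if ge.stdout.strip() else ng, fqdn, dn_output))
    return results


if __name__ == "__main__":
    for ok, message in check_live(["servers", "desktops"]):
        print("OK  " if ok else "FAIL", message)
```

Run it on the client whose host-group rule is not applying, next to `sudo -l` as Dean did above; a triple whose domain field differs from what `domainname --nis` reports is the case Lukas's `--hostgroups` annotation is about. Whether a given sudo build treats "(none)" as unset or passes it through to the comparison is worth confirming against that build, since the literal string would never equal a real domain.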
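An audit of the two 389-ds settings Richard's message deals with (nsslapd-minssf and anonymous binds), as an added example that is not code from the thread or from 389-ds/FreeIPA. The dse.ldif fragment is constructed, the instance name is a placeholder, and the third attribute it checks, nsslapd-require-secure-binds, is an assumption about what a practitioner would audit alongside, not something the thread mentions. Richard edits dse.ldif directly, which 389-ds reads only at startup; the same change applied to the live cn=config with ldapmodify as Directory Manager takes effect immediately and is written back to dse.ldif by the server, so the example also produces that LDIF.

```python
"""Audit a 389-ds dse.ldif for cleartext and anonymous LDAP access.

Added example; it is not code from the thread or from 389-ds/FreeIPA. It checks
nsslapd-minssf (the setting Richard describes), nsslapd-allow-anonymous-access
and nsslapd-require-secure-binds on a constructed fragment of cn=config.
"""
import base64

# Constructed fragment of /etc/dirsrv/slapd-<INSTANCE>/dse.ldif showing weak defaults.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapd-dir
cn: config
nsslapd-port: 389
nsslapd-secureport: 636
nsslapd-security: on
nsslapd-minssf: 0
nsslapd-allow-anonymous-access: on
nsslapd-require-secure-binds: off

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSL3: off
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr_lowercase: [values]}}.

    Handles folded continuation lines (leading space), comments and base64 ('::')
    values, which is enough for dse.ldif."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = {}, None, None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def audit_ldap_exposure(text, min_ssf=56):
    """Return findings for cn=config; an empty list means the checked settings are hardened."""
    cfg = parse_ldif(text).get("cn=config", {})
    findings = []
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])  # 389-ds default 0: cleartext sessions allowed
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf is {ssf}; raise it to {min_ssf} or more so clients "
                        "must use STARTTLS or LDAPS (cleartext sessions have SSF 0)")
    anon = cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    if anon == "on":
        findings.append("nsslapd-allow-anonymous-access is on; set off (or rootdse) to stop anonymous binds")
    secure_binds = cfg.get("nsslapd-require-secure-binds", ["off"])[0].lower()
    if secure_binds != "on":
        findings.append("nsslapd-require-secure-binds is off; simple binds may send passwords in cleartext")
    return findings


def hardening_ldif(min_ssf=56, anonymous="off"):
    """LDIF for ldapmodify against the running server; cn=config changes persist to dse.ldif."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        f"replace: nsslapd-minssf\nnsslapd-minssf: {min_ssf}\n-\n"
        f"replace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: {anonymous}\n-\n"
        "replace: nsslapd-require-secure-binds\nnsslapd-require-secure-binds: on\n"
    )


if __name__ == "__main__":
    for finding in audit_ldap_exposure(SAMPLE_DSE_LDIF):
        print("FINDING:", finding)
    print(hardening_ldif())
```

The value 56 is a low bar that any TLS cipher suite clears while cleartext sessions (SSF 0) are refused for everything except negotiating STARTTLS. Apply the generated LDIF over ldaps:// so the Directory Manager bind itself is not sent in the clear, and re-run the audit on each replica; as Richard notes, in 3.0 the CA's own slapd instance is a separate configuration.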
From deanhunter at comcast.net Fri May 9 21:55:51 2014
From: deanhunter at comcast.net (Dean Hunter)
Date: Fri, 09 May 2014 16:55:51 -0500
Subject: [Freeipa-users] sudo and NIS domain name
In-Reply-To: <20140509082818.GC3065@mail.corp.redhat.com>
References: <1398974840.3113.5.camel@host.hunter.org> <5362AF74.8050300@redhat.com> <1398977584.3113.15.camel@host.hunter.org> <20140503103625.GA21000@mail.corp.redhat.com> <1399131557.4170.12.camel@host.hunter.org> <20140503205057.GA3378@mail.corp.redhat.com> <1399215760.2613.7.camel@host.hunter.org> <53679A05.5050602@redhat.com> <1399596365.2579.3.camel@host.hunter.org> <20140509082818.GC3065@mail.corp.redhat.com>
Message-ID: <1399672551.2588.13.camel@host.hunter.org>

On Fri, 2014-05-09 at 10:28 +0200, Lukas Slebodnik wrote:
> On (08/05/14 19:46), Dean Hunter wrote:
> >On Mon, 2014-05-05 at 10:02 -0400, Rob Crittenden wrote:
> >
> >> Dean Hunter wrote:
> >> > On Sat, 2014-05-03 at 22:50 +0200, Lukas Slebodnik wrote:
> >> >> On (03/05/14 10:39), Dean Hunter wrote:
> >> >> >On Sat, 2014-05-03 at 12:36 +0200, Lukas Slebodnik wrote:
> >> >> >
> >> >> >> On (01/05/14 15:53), Dean Hunter wrote:
> >> >> >> >On Thu, 2014-05-01 at 16:32 -0400, Dmitri Pal wrote:
> >> >> >> >> On 05/01/2014 04:07 PM, Dean Hunter wrote:
> >> >> >> >>
> >> >> >> >> >
> >> >> >> >> > I just noticed that I had been incorrectly setting the NIS domain
> >> >> >> >> > name since upgrading to Fedora 20 and FreeIPA 3.3.4, yet I appear to
> >> >> >> >> > be successfully retrieving and using sudo rules from FreeIPA. Is
> >> >> >> >> > sudo still using NIS-style netgroups? Is there still a requirement
> >> >> >> >> > to set the NIS domain name?
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> I think NIS domain is needed for netgroups. If you are not using
> >> >> >> >> netgroups in the sudo rules but just user groups you should be fine.
> >> >> >> >> Is this the case with you? > >> >> >> >> If not please provide the logs and config. > >> >> >> >> > >> >> >> > > >> >> >> >I am not aware of using netgroups, either the IPA object or any other > >> >> >> >kind. I just remember that when I was first configuring sudo to > >> >> >> >retrieve rules from IPA it would not work until I set nisdomainname > >> >> >> >in /etc/rc.d/rc.local. Here is the quote from section 14.4 of the > >> >> >> >manual: > >> >> >> > > >> >> >> > > >> >> >> > Even though sudo uses NIS-style netgroups, it is not necessary > >> >> >> > to have a NIS server installed. Netgroups require that a NIS > >> >> >> > domain be named in their configuration, so sudo requires that a > >> >> >> > NIS domain be named for netgroups. However, that NIS domain does > >> >> >> > not actually need to exist. > >> >> >> > > >> >> >> > > >> >> >> >With Fedora 20 I can no longer find the emulation of rc.local that > >> >> >> >existed in Fedora 19. I did find fedora-domainname.service and started > >> >> >> >and enabled it but neglected to configure /etc/sysconfig/network. Yet > >> >> >> >IPA sudo rules appear to work. > >> >> >> > > >> >> >> Hope It helps you > >> >> >>http://www.redhat.com/archives/freeipa-users/2014-April/msg00248.html > >> >> >> > >> >> >> LS > >> >> > > >> >> > > >> >> >Thank you. Now that you point it out, I remember that this thread is > >> >> >where I first learned about fedora-domainname.service. I see: > >> >> > > >> >> > You would also need to set NIS domain name, otherwise SUDO will > >> >> > not correctly recognize SUDO rules targeted on host groups, > >> >> ^^^^^^^^^^^^^^ > >> >> This is important part > >> >> > instead of hosts: > >> >> > > >> >> >which explains when sudo would need the NIS domain name. Since my sudo > >> >> >rules address user groups I guess there is no requirement for NIS domain > >> >> >name since they are working just fine: > >> >> Your sudo rules use host groups. 
> >> >> > >> >> > > >> >> > ipa sudorule-add desktop-admins --desc "Desktop > >> >> > Administrators" > >> >> > ipa sudorule-mod desktop-admins --cmdcat all > >> >> > ipa sudorule-add-host desktop-admins --hostgroups desktops > >> >> > ipa sudorule-add-option desktop-admins --sudooption "! > >> >> > authenticate" > >> >> > ipa sudorule-add-runasuser desktop-admins --users root > >> >> > ipa sudorule-add-runasgroup desktop-admins --groups root > >> >> > ipa sudorule-add-user desktop-admins --groups > >> >> > desktop-admins > >> >> > > >> >> > ipa sudorule-add server-admins --desc "Server > >> >> > Administrators" > >> >> > ipa sudorule-mod server-admins --cmdcat all > >> >> > ipa sudorule-add-host server-admins --hostgroups servers > >> >> hostgroups are reason why you need to configure NIS domain name. > >> >> hostgroups are also available as netgroups in compat tree and sudo reads > >> >> information from netgroups. > >> >> > >> >> > ipa sudorule-add-option server-admins --sudooption "! > >> >> > authenticate" > >> >> > ipa sudorule-add-runasuser server-admins --users root > >> >> > ipa sudorule-add-runasgroup server-admins --groups root > >> >> > ipa sudorule-add-user server-admins --groups > >> >> > server-admins > >> >> > > >> >> >However, I was really asking whether there had been a change in > >> >> >sssd/sudo behavior as it was my recollection that my sudo rules did not > >> >> >work at all in early IPA 3.n releases unless the NIS domain name was > >> >> >configured. > >> >> > > >> >> > >> >> LS > >> > > >> > I hear you and that is what I expected. However, the actual behavior > >> > seems to have changed with 3.3.4 and now 3.3.5. 
> >> > > >> > [dean at desktop ~]$ domainname --nis > >> > domainname: Local domain name not set > >> > > >> > [dean at desktop ~]$ sudo -l > >> > Matching Defaults entries for dean on desktop: > >> > requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME > >> > HISTSIZE INPUTRC > >> > KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG > >> > LC_ADDRESS > >> > LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT > >> > LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER > >> > LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS > >> > _XKB_CHARSET > >> > XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin > >> > > >> > User dean may run the following commands on desktop: > >> > (root : root) NOPASSWD: ALL > >> > > >> > [dean at desktop ~]$ > >> > > >> > I think this is a good thing. I would just like to confirm that this is > >> > the new expected behavior and that I have not done something wrong. > >> > >> We'd need to see your sudo rules to know for sure. > >> > >> I don't think anything changed in the IPA code to change this behavior, > >> but we herd a lot of cats so something in another package may be different. > >> > >> rob > > > > > >The sudo rules are listed above. > > > FYI > [root ~]# ipa sudorule-add-host --help > Usage: ipa [global-options] sudorule-add-host SUDORULE-NAME [options] > > Add hosts and hostgroups affected by Sudo Rule. > Options: > -h, --help show this help message and exit > --all Retrieve and print all attributes from the server. Affects > command output. > //will work without nisdomainname configured > > --raw Print entries as stored on the server. Only affects output > format. > --hosts=STR hosts to add > //will work without nisdomainname configured > > --hostgroups=STR host groups to add > //will *NOT* work without nisdomainname configured > > LS Lukas and Rob, I thank you for your responses. I believe I understand what you are trying to say. 
As near as I understand it, I AM using host groups in my sudo rules. I do NOT have an NIS domain name configured. Yet, the rules are working.

ipa group-add desktop-admins --desc "Desktop Administrators"
ipa group-add server-admins --desc "Server Administrators"
ipa group-add-member desktop-admins --users dean
ipa group-add-member server-admins --users dean

ipa hostgroup-add desktops --desc Desktops
ipa hostgroup-add servers --desc Servers
ipa hostgroup-add-member desktops --hosts desktop.hunter.org
ipa hostgroup-add-member desktops --hosts test.hunter.org
ipa hostgroup-add-member servers --hosts host.hunter.org
ipa hostgroup-add-member servers --hosts ipa.hunter.org
ipa hostgroup-add-member servers --hosts lamp.hunter.org

ipa sudorule-add desktop-admins --desc "Desktop Administrators"
ipa sudorule-mod desktop-admins --cmdcat all
ipa sudorule-add-host desktop-admins --hostgroups desktops
ipa sudorule-add-option desktop-admins --sudooption "! authenticate"
ipa sudorule-add-runasuser desktop-admins --users root
ipa sudorule-add-runasgroup desktop-admins --groups root
ipa sudorule-add-user desktop-admins --groups desktop-admins

ipa sudorule-add server-admins --desc "Server Administrators"
ipa sudorule-mod server-admins --cmdcat all
ipa sudorule-add-host server-admins --hostgroups servers
ipa sudorule-add-option server-admins --sudooption "! authenticate"
ipa sudorule-add-runasuser server-admins --users root
ipa sudorule-add-runasgroup server-admins --groups root
ipa sudorule-add-user server-admins --groups server-admins

[dean at host ~]$ domainname --nis
domainname: Local domain name not set

[dean at host ~]$ sudo -l
Matching Defaults entries for dean on host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User dean may run the following commands on host:
    (root : root) NOPASSWD: ALL

[dean at host ~]$

From harvero at gmail.com Mon May 12 14:11:45 2014
From: harvero at gmail.com (Bob)
Date: Mon, 12 May 2014 10:11:45 -0400
Subject: [Freeipa-users] DNS SOA Records
Message-ID:

We use nsupdate to move the location of some of our services around. For instance there might be two servers that exchange roles, like serv.east.abc.com and serv.west.abc.com, and we will have a service name like wiki.abc.com. The owner of the application has been given an nsupdate key that allows them to update and delete on wiki.abc.com and have that record contain an "A" record for one or the other of the two servers.

I am very concerned that there might come a time when the SOA primary master server for this dynamic domain might be down when the application owner needs to do their nsupdate.

One observation that we see is that Windows AD and DNS make every AD DNS server an SOA for any domain that it serves, so that any dynamic DNS update can be serviced by any Domain Controller and that update is replicated with LDAP to the other DCs.
It was our hope that we could use IPA for our DNS servers for this dynamic domain: that we would have multiple forward statements from our main DNS servers to the IPA DNS servers and that any IPA server would be the SOA. This way the nsupdate would be processed by any available IPA server in the event that one or more of these IPA DNS servers were down or unreachable.

Is there a way to make each IPA system a SOA for the same domain and still have the DNS records replicate between them?

thanks,

Bob Harvey

From cwhittl at gmail.com Mon May 12 14:31:28 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Mon, 12 May 2014 09:31:28 -0500
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
Message-ID: <41b36be1161f07141be0e75e06e7a1@ip-10-0-3-240>

An HTML attachment was scrubbed...

From rcritten at redhat.com Mon May 12 15:36:10 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 12 May 2014 11:36:10 -0400
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
In-Reply-To: <41b36be1161f07141be0e75e06e7a1@ip-10-0-3-240>
References: <41b36be1161f07141be0e75e06e7a1@ip-10-0-3-240>
Message-ID: <5370EA6A.7030409@redhat.com>

Chris Whittle wrote:
> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled. If
> Disabled then I will show them the login screen, log them out or
> something else.. What I need is how to check to see if they are enabled
> or not through bash... Anyone done something similar?

It depends on the tools you have. Probably the most common tool would be ldapsearch. It also depends on your configuration. I'm not very familiar with configuring macos, so here is my best shot.

Assuming you have a host keytab, you can do something like:

$ kinit host/fqdn.example.com -kt /etc/krb5.keytab
$ ldapsearch -LLL -Y GSSAPI -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com nsaccountlock

If the value of nsaccountlock is TRUE then the account is disabled. Note that this is an operational attribute so you need to request it specifically. The possible values are:

- nothing, the attribute hasn't been set yet
- FALSE, the user is enabled
- TRUE, the user is disabled

You can replace -Y GSSAPI with -x to do an anonymous search.

rob

From mrorourke at earthlink.net Mon May 12 21:31:48 2014
From: mrorourke at earthlink.net (Michael ORourke)
Date: Mon, 12 May 2014 17:31:48 -0400 (GMT-04:00)
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
Message-ID: <8640985.1399930309440.JavaMail.root@elwamui-lapwing.atl.sa.earthlink.net>

An HTML attachment was scrubbed...

From cwhittl at gmail.com Tue May 13 12:52:08 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Tue, 13 May 2014 07:52:08 -0500
Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
In-Reply-To: <8640985.1399930309440.JavaMail.root@elwamui-lapwing.atl.sa.earthlink.net>
References: <8640985.1399930309440.JavaMail.root@elwamui-lapwing.atl.sa.earthlink.net>
Message-ID:

Thanks everyone... Between what you guys said and some research I ended up doing this
http://serverfault.com/questions/594443/how-can-i-force-a-mac-mobile-account-user-to-be-logged-out-or-locked-out-when-th/594773#594773

On Mon, May 12, 2014 at 4:31 PM, Michael ORourke wrote:
> I wrote a script to query IPA for accounts with passwords that are about
> to expire (so I can nag them with an email to reset their password), and I
> also added logic in my script to ignore accounts that are disabled. So I
> needed a way to query my IPA server for this info. I came up with 2
> solutions for checking if the account is disabled.
> 1. Do an LDAP query on the user and check for an attribute called
> "nsAccountLock". If it is TRUE, then the account is disabled. If it is
> FALSE or not defined, then the account is enabled.
> 2. On a box with the IPA CLI tools installed, run the following command,
> "ipa user-status username". However, if you have several replicated IPA
> servers, you will see the status of the account on each IPA server along
> with the account status.
>
> I hope this helps.
>
> -Mike
>
> -----Original Message-----
> From: Chris Whittle
> Sent: May 12, 2014 10:31 AM
> To: freeipa-users
> Subject: [Freeipa-users] Bash script to see if user is enabled or disabled?
>
> I am working on my mac setups and am wanting to ping the server every so
> often and check to see if their user is enabled or disabled. If Disabled
> then I will show them the login screen, log them out or something else..
> What I need is how to check to see if they are enabled or not through
> bash... Anyone done something similar?
>

From harvero at gmail.com Tue May 13 13:59:31 2014
From: harvero at gmail.com (Bob)
Date: Tue, 13 May 2014 09:59:31 -0400
Subject: [Freeipa-users] DNS SOA Records
In-Reply-To:
References:
Message-ID:

Is there any way to do an nsupdate of DNS records in an IPA server using a TSIG key without having a kerberos ticket?

We were going to swap out bind in favor of IPA, but we need to be able to do nsupdates.

On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> We use nsupdate to move the location of some of our services around.
> For instance there might be two servers that exchange roles, like
> serv.east.abc.com and serv.west.abc.com and we will have a service name
> like wiki.abc.com. The owner of the application has been given an
> nsupdate key that allows them to update and delete on the wiki.abc.com and
> have that record contain an "A" record for one or the other of
> the two servers.
> > I am very concerned that there might come a time when the SOA primary > master server for this dynamic domain might be down when the application > owner needs to do their nsupdate. > > One observation that we see is that Window AD and DNS make every AD DNS > server an SOA for any domain that it servers. That any dynamic DNS update > can be serviced by any Domain controller and that this update is replicated > with LDAP to the other DCs. > > It was our hope that we could use IPA for our DNS servers for this dynamic > domain. That we would have multiple forward statements from our main DNS > servers to the IPA DNS servers and that any IPA server would be the SOA. > This way the nsupdate would be processed by any available IPA server in the > event that one or more of these IPA DNS servers would be down or > unreachable. > > Is there a way to make each IPA system a SOA for the same domain and still > have the DNS records replicate between them? > > thanks, > > Bob Harvey > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Tue May 13 14:04:43 2014 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 13 May 2014 10:04:43 -0400 Subject: [Freeipa-users] DNS SOA Records In-Reply-To: References: Message-ID: <5372267B.7060603@redhat.com> On 05/13/2014 09:59 AM, Bob wrote: > Is there anyway to do a nsupdate of a DNS records in a IPA server > using a TSIG key without having a kerberos ticket? > > We were going to swap out bind in favor of IPA, but we need to be able > to nsupdates. > If you are using IPA you can give you clients keytabs. It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll your clients using ipa-client-install. If you have other operating systems some exploration would be required but it should be doable too. > > On Mon, May 12, 2014 at 10:11 AM, Bob > wrote: > > We use nsupdate to to move the location of some of our services > around. 
For instance there might be two servers that exchange > roles, like serv.east.abc.com and > serv.west.abc.com and we will have a > service name like wiki.abc.com . The owner of > the application has been given an nsupdate key that allows them to > update and delete on the the wiki.abc.com > and have that records contain either an "A" record for one or the > other of the two servers. > > I am very concerned that there might come a time when the SOA > primary master server for this dynamic domain might be down when > the application owner needs to do their nsupdate. > > One observation that we see is that Window AD and DNS make every > AD DNS server an SOA for any domain that it servers. That any > dynamic DNS update can be serviced by any Domain controller and > that this update is replicated with LDAP to the other DCs. > > It was our hope that we could use IPA for our DNS servers for this > dynamic domain. That we would have multiple forward statements > from our main DNS servers to the IPA DNS servers and that any IPA > server would be the SOA. This way the nsupdate would be processed > by any available IPA server in the event that one or more of these > IPA DNS servers would be down or unreachable. > > Is there a way to make each IPA system a SOA for the same domain > and still have the DNS records replicate between them? > > thanks, > > Bob Harvey > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
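Returning to the enabled/disabled check in the "Bash script to see if user is enabled or disabled?" thread above: the decision Rob Crittenden and Michael ORourke describe is a three-way one (attribute absent, FALSE, TRUE), and a script has to read it out of ldapsearch's LDIF output. The following is an added example, not code from the thread or from FreeIPA. It parses LDIF as ldapsearch -LLL prints it, coping with attribute names in either case (nsAccountLock in Michael's note, nsaccountlock in Rob's), base64 values ("::") and folded continuation lines, and maps each returned entry to a state. The LDIF and the user names in it are constructed.

```python
"""Turn `ldapsearch -LLL ... nsaccountlock` output into enabled/disabled (added example)."""
import base64

# Constructed: what a search over cn=users requesting only nsaccountlock
# could return for five accounts, deliberately varied in form.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
nsAccountLock: TRUE

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
nsaccountlock: FALSE

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
nsaccountlock:: VFJVRQ==

dn: uid=erin,cn=users,cn=accounts,dc=example,dc=com
nsaccountlock: TR
 UE
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry in the output.

    'attr:: value' carries base64; comment and 'version:' lines are skipped.
    """
    entries, dn, attrs = {}, None, {}
    for line in _unfold(text) + [""]:
        if line == "":                        # a blank line terminates an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def is_disabled(attrs):
    """Rob's rule: TRUE means disabled; FALSE or no attribute means enabled."""
    return any(v.strip().upper() == "TRUE" for v in attrs.get("nsaccountlock", []))


def account_states(ldif_text):
    """Map each returned DN to 'disabled' or 'enabled'."""
    return {dn: ("disabled" if is_disabled(a) else "enabled")
            for dn, a in parse_ldif(ldif_text).items()}


def state_for(ldif_text, dn):
    """State of one DN, or 'unknown' when the search returned no such entry.

    A script that logs users out on 'disabled' must not read an empty
    result as 'enabled': no entry means the user does not exist, the bind
    could not read it, or the server was unreachable.
    """
    for entry_dn, attrs in parse_ldif(ldif_text).items():
        if entry_dn.lower() == dn.lower():
            return "disabled" if is_disabled(attrs) else "enabled"
    return "unknown"
```

The absent-attribute case deserves one caveat when the search runs anonymously (Rob's -x variant): an attribute the bind identity is not permitted to read is also simply absent from the result, so "absent means enabled" is only trustworthy for an identity, such as the host principal Rob authenticates as, that is allowed to read nsaccountlock.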
URL: From harvero at gmail.com Tue May 13 14:57:21 2014 From: harvero at gmail.com (Bob) Date: Tue, 13 May 2014 10:57:21 -0400 Subject: [Freeipa-users] DNS SOA Records In-Reply-To: <5372267B.7060603@redhat.com> References: <5372267B.7060603@redhat.com> Message-ID: I have many dozens of TSIG keys declared in our current bind. There are hundreds of records that have been granted to those keys. All of this predates me and I do not know who has these keys. The scope of trying to work with the owners of these keys to convert their processes to to use kerberos would be a large effort. It was my hope to use IPA / IDM to provide multi master DNS, with each server being a SOA. But this becomes a lot less desirable as a solution if I have to track down our key holders. On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote: > On 05/13/2014 09:59 AM, Bob wrote: > > Is there anyway to do a nsupdate of a DNS records in a IPA server using > a TSIG key without having a kerberos ticket? > > We were going to swap out bind in favor of IPA, but we need to be able to > nsupdates. > > > If you are using IPA you can give you clients keytabs. > It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll > your clients using ipa-client-install. > If you have other operating systems some exploration would be required but > it should be doable too. > > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote: > >> We use nsupdate to to move the location of some of our services >> around. For instance there might be two servers that exchange roles, like >> serv.east.abc.com and serv.west.abc.com and we will have a service name >> like wiki.abc.com. The owner of the application has been given an >> nsupdate key that allows them to update and delete on the the >> wiki.abc.com and have that records contain either an "A" record for one >> or the other of the two servers. 
>> >> I am very concerned that there might come a time when the SOA primary >> master server for this dynamic domain might be down when the application >> owner needs to do their nsupdate. >> >> One observation that we see is that Window AD and DNS make every AD DNS >> server an SOA for any domain that it servers. That any dynamic DNS update >> can be serviced by any Domain controller and that this update is replicated >> with LDAP to the other DCs. >> >> It was our hope that we could use IPA for our DNS servers for this >> dynamic domain. That we would have multiple forward statements from our >> main DNS servers to the IPA DNS servers and that any IPA server would be >> the SOA. This way the nsupdate would be processed by any available IPA >> server in the event that one or more of these IPA DNS servers would be down >> or unreachable. >> >> Is there a way to make each IPA system a SOA for the same domain and >> still have the DNS records replicate between them? >> >> thanks, >> >> Bob Harvey >> > > > > _______________________________________________ > Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From loris at lgs.com.ve Tue May 13 17:38:45 2014 From: loris at lgs.com.ve (Loris Santamaria) Date: Tue, 13 May 2014 13:08:45 -0430 Subject: [Freeipa-users] DNS SOA Records In-Reply-To: References: <5372267B.7060603@redhat.com> Message-ID: <1400002725.2973.15.camel@toron.pzo.lgs.com.ve> El mar, 13-05-2014 a las 10:57 -0400, Bob escribi?: > I have many dozens of TSIG keys declared in our current bind. There > are hundreds of records that have been granted to those keys. 
> All of this predates me and I do not know who has these keys. The scope of
> trying to work with the owners of these keys to convert their
> processes to use kerberos would be a large effort. It was my hope
> to use IPA / IDM to provide multi master DNS, with each server being a
> SOA. But this becomes a lot less desirable as a solution if I have to
> track down our key holders.

You can keep using your TSIG keys with IPA if that is what you're looking for. Just declare your TSIG keys in your IPA dns "update-policy" just as you would do with plain bind:

ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"

Also in IPA every DNS server presents a different SOA, each with the name of the server being queried, so it can be used as a true multimaster DNS solution.

Hope this helps

> On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> On 05/13/2014 09:59 AM, Bob wrote:
> > Is there any way to do an nsupdate of DNS records in an IPA
> > server using a TSIG key without having a kerberos ticket?
> >
> > We were going to swap out bind in favor of IPA, but we need
> > to be able to do nsupdates.
>
> If you are using IPA you can give your clients keytabs.
> It is all automatic with RHEL, Fedora, Centos for the last 5
> years. Enroll your clients using ipa-client-install.
> If you have other operating systems some exploration would be
> required but it should be doable too.
>
> > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> > We use nsupdate to move the location of some of
> > our services around. For instance there might be two
> > servers that exchange roles, like serv.east.abc.com
> > and serv.west.abc.com and we will have a service
> > name like wiki.abc.com. The owner of the application
> > has been given an nsupdate key that allows them to
> > update and delete on the wiki.abc.com and have
> > that record contain an "A" record for one or
> > the other of the two servers.
> > > > > > I am very concerned that there might come a time > > when the SOA primary master server for this dynamic > > domain might be down when the application owner > > needs to do their nsupdate. > > > > > > One observation that we see is that Window AD and > > DNS make every AD DNS server an SOA for any domain > > that it servers. That any dynamic DNS update can be > > serviced by any Domain controller and that this > > update is replicated with LDAP to the other DCs. > > > > > > It was our hope that we could use IPA for our DNS > > servers for this dynamic domain. That we would have > > multiple forward statements from our main DNS > > servers to the IPA DNS servers and that any IPA > > server would be the SOA. This way the nsupdate would > > be processed by any available IPA server in the > > event that one or more of these IPA DNS servers > > would be down or unreachable. > > > > > > Is there a way to make each IPA system a SOA for the > > same domain and still have the DNS records replicate > > between them? > > > > > > thanks, > > > > > > Bob Harvey > > > > > > > > > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve Links Global Services, C.A. 
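The update-policy grant syntax in Loris Santamaria's reply above ("grant key1. subdomain a.example.com.; grant key2. name b.example.com.;") is BIND's, and its evaluation order matters when many keys are granted on one zone, as in Bob's situation. The following is an added example, not code from the thread, FreeIPA or BIND: it parses a policy string of that shape and models BIND's first-match evaluation for the two rule types the thread uses (name: exact match; subdomain: the target and everything below it), with an optional list of record types, so an administrator can check which key may change which name before handing a key out. The key names, zone names and policy below are constructed for the example.

```python
"""Evaluate a BIND-style update-policy as passed to `ipa dnszone-mod --update-policy` (added example)."""


def _norm(name):
    """Lower-case a DNS name and drop its trailing dot: 'Key1.' and 'key1' match."""
    return name.strip().lower().rstrip(".")


def parse_update_policy(policy):
    """Parse 'grant key1. subdomain a.example.com. A TXT; deny ...' into rules.

    Each rule is a dict with action, identity (the TSIG key name), ruletype,
    target and types (a set; empty means any record type). Rule types other
    than name/subdomain raise ValueError rather than being treated as a grant.
    """
    rules = []
    for stmt in policy.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if len(tokens) < 4 or tokens[0] not in ("grant", "deny"):
            raise ValueError("malformed rule: %r" % stmt.strip())
        action, identity, ruletype, target = tokens[:4]
        if ruletype not in ("name", "subdomain"):
            raise ValueError("unsupported ruletype %r in %r" % (ruletype, stmt.strip()))
        rules.append({
            "action": action,
            "identity": _norm(identity),
            "ruletype": ruletype,
            "target": _norm(target),
            "types": {t.upper() for t in tokens[4:]},
        })
    return rules


def _name_matches(rule, name):
    """'name' is an exact match; 'subdomain' is the target or anything below it."""
    name = _norm(name)
    if rule["ruletype"] == "name":
        return name == rule["target"]
    return name == rule["target"] or name.endswith("." + rule["target"])


def update_allowed(policy, key, name, rtype):
    """True if TSIG key `key` may update records of type `rtype` at `name`.

    Rules are tried in order; the first one whose identity, target and
    (if listed) record type all match decides, grant or deny. With no
    matching rule the update is refused.
    """
    for rule in parse_update_policy(policy):
        if rule["identity"] != _norm(key):
            continue
        if not _name_matches(rule, name):
            continue
        if rule["types"] and rtype.upper() not in rule["types"]:
            continue
        return rule["action"] == "grant"
    return False


def keys_with_access(policy, name, rtype):
    """All key names the policy lets update `rtype` at `name`: the audit view."""
    keys = {r["identity"] for r in parse_update_policy(policy)}
    return sorted(k for k in keys if update_allowed(policy, k, name, rtype))


# Constructed policy in the shape of Loris Santamaria's example, extended
# with a type restriction and a deny rule so that rule order can be observed.
SAMPLE_POLICY = (
    "grant key1. subdomain a.example.com.; "
    "grant key2. name b.example.com. A AAAA; "
    "deny key3. subdomain example.com.; "
    "grant key3. name wiki.example.com.;"
)
```

Two things the model makes visible: the later grant for key3 never fires because the deny above it already matches wiki.example.com, and a name rule does not cover names below its target. The grant also only authorizes a key that named already knows from a key statement in its configuration; it does not define the key. That is why the BADKEY the thread goes on to report is a different layer: BADKEY is the TSIG error for a key the server does not recognize by name and algorithm, and named raises it before any update-policy rule is consulted, so no grant can clear it.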
http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

From harvero at gmail.com Tue May 13 18:04:27 2014
From: harvero at gmail.com (Bob)
Date: Tue, 13 May 2014 14:04:27 -0400
Subject: [Freeipa-users] DNS SOA Records
In-Reply-To: <1400002725.2973.15.camel@toron.pzo.lgs.com.ve>
References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve>
Message-ID:

I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.

But my nsupdate results in this in the daemon log:

May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table

It almost works.

On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > I have many dozens of TSIG keys declared in our current bind. There
> > are hundreds of records that have been granted to those keys. All of
> > this predates me and I do not know who has these keys. The scope of
> > trying to work with the owners of these keys to convert their
> > processes to use kerberos would be a large effort. It was my hope
> > to use IPA / IDM to provide multi master DNS, with each server being a
> > SOA.
But this becomes a lot less desirable as a solution if I have to > > track down our key holders. > > You can keep using your TSIG keys with IPA if that is what you're > looking for. Just declare your TSIG keys in your IPA dns "update-policy" > just as you would do with plain bind: > > ipa dnszone-mod example.com --update-policy="grant key1. subdomain > a.example.com.; grant key2. name b.example.com.;" > > Also in IPA every DNS presents a different SOA, each with the name of > the server being queried, so it can be used as a true multimaster DNS > solution. > > Hope this helps > > > > > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote: > > On 05/13/2014 09:59 AM, Bob wrote: > > > > > Is there anyway to do a nsupdate of a DNS records in a IPA > > > server using a TSIG key without having a kerberos ticket? > > > > > > > > > We were going to swap out bind in favor of IPA, but we need > > > to be able to nsupdates. > > > > > > > > > > > > > > > If you are using IPA you can give you clients keytabs. > > It is all automatic with RHEL, Fedora, Centos for last 5 > > years. Enroll your clients using ipa-client-install. > > If you have other operating systems some exploration would be > > required but it should be doable too. > > > > > > > > On Mon, May 12, 2014 at 10:11 AM, Bob > > > wrote: > > > We use nsupdate to to move the location of some of > > > our services around. For instance there might be two > > > servers that exchange roles, like serv.east.abc.com > > > and serv.west.abc.com and we will have a service > > > name like wiki.abc.com. The owner of the application > > > has been given an nsupdate key that allows them to > > > update and delete on the the wiki.abc.com and have > > > that records contain either an "A" record for one or > > > the other of the two servers. 
> > > > > > > > > I am very concerned that there might come a time > > > when the SOA primary master server for this dynamic > > > domain might be down when the application owner > > > needs to do their nsupdate. > > > > > > > > > One observation that we see is that Window AD and > > > DNS make every AD DNS server an SOA for any domain > > > that it servers. That any dynamic DNS update can be > > > serviced by any Domain controller and that this > > > update is replicated with LDAP to the other DCs. > > > > > > > > > It was our hope that we could use IPA for our DNS > > > servers for this dynamic domain. That we would have > > > multiple forward statements from our main DNS > > > servers to the IPA DNS servers and that any IPA > > > server would be the SOA. This way the nsupdate would > > > be processed by any available IPA server in the > > > event that one or more of these IPA DNS servers > > > would be down or unreachable. > > > > > > > > > Is there a way to make each IPA system a SOA for the > > > same domain and still have the DNS records replicate > > > between them? > > > > > > > > > thanks, > > > > > > > > > Bob Harvey > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > Freeipa-users mailing list > > > Freeipa-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- > Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve > Links Global Services, C.A. 
http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
>

From harvero at gmail.com Tue May 13 18:12:03 2014
From: harvero at gmail.com (Bob)
Date: Tue, 13 May 2014 14:12:03 -0400
Subject: [Freeipa-users] DNS SOA Records
In-Reply-To:
References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve>
Message-ID:

I ran

ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"

I then execute the nsupdate:

[root at nj51rhidms16v ~]# ./bobtest.sh
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

[root at nj51rhidms16v ~]# cat ./bobtest.sh
#!/bin/ksh
#
keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

[root at nj51rhidms16v log]# tail daemon
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table

On Tue, May 13, 2014 at 2:04 PM, Bob wrote:

> I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
>
> But my nsupdate results in this in the daemon log:
>
> May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
>
> It almost works.
>
> On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
>
>> On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
>> > I have many dozens of TSIG keys declared in our current bind. There
>> > are hundreds of records that have been granted to those keys. All of
>> > this predates me and I do not know who has these keys. The scope of
>> > trying to work with the owners of these keys to convert their
>> > processes to use kerberos would be a large effort. It was my hope
>> > to use IPA / IDM to provide multi master DNS, with each server being a
>> > SOA.
>> > But this becomes a lot less desirable as a solution if I have to
>> > track down our key holders.
>>
>> You can keep using your TSIG keys with IPA if that is what you're
>> looking for. Just declare your TSIG keys in your IPA dns "update-policy"
>> just as you would do with plain bind:
>>
>> ipa dnszone-mod example.com --update-policy="grant key1. subdomain
>> a.example.com.; grant key2. name b.example.com.;"
>>
>> Also in IPA every DNS presents a different SOA, each with the name of
>> the server being queried, so it can be used as a true multimaster DNS
>> solution.
>>
>> Hope this helps
>>
>> > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
>> > On 05/13/2014 09:59 AM, Bob wrote:
>> >
>> > > Is there any way to do an nsupdate of a DNS record in an IPA
>> > > server using a TSIG key without having a kerberos ticket?
>> > >
>> > > We were going to swap out bind in favor of IPA, but we need
>> > > to be able to do nsupdates.
>> >
>> > If you are using IPA you can give your clients keytabs.
>> > It is all automatic with RHEL, Fedora, Centos for the last 5
>> > years. Enroll your clients using ipa-client-install.
>> > If you have other operating systems some exploration would be
>> > required but it should be doable too.
>> >
>> > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
>> > > We use nsupdate to move the location of some of
>> > > our services around. For instance there might be two
>> > > servers that exchange roles, like serv.east.abc.com
>> > > and serv.west.abc.com and we will have a service
>> > > name like wiki.abc.com. The owner of the application
>> > > has been given an nsupdate key that allows them to
>> > > update and delete on the wiki.abc.com and have
>> > > that record contain either an "A" record for one or
>> > > the other of the two servers.
>> > >
>> > > I am very concerned that there might come a time
>> > > when the SOA primary master server for this dynamic
>> > > domain might be down when the application owner
>> > > needs to do their nsupdate.
>> > >
>> > > One observation that we see is that Windows AD and
>> > > DNS make every AD DNS server an SOA for any domain
>> > > that it serves. That any dynamic DNS update can be
>> > > serviced by any Domain controller and that this
>> > > update is replicated with LDAP to the other DCs.
>> > >
>> > > It was our hope that we could use IPA for our DNS
>> > > servers for this dynamic domain. That we would have
>> > > multiple forward statements from our main DNS
>> > > servers to the IPA DNS servers and that any IPA
>> > > server would be the SOA. This way the nsupdate would
>> > > be processed by any available IPA server in the
>> > > event that one or more of these IPA DNS servers
>> > > would be down or unreachable.
>> > >
>> > > Is there a way to make each IPA system a SOA for the
>> > > same domain and still have the DNS records replicate
>> > > between them?
>> > >
>> > > thanks,
>> > >
>> > > Bob Harvey
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IdM portfolio
>> > Red Hat, Inc.
>>
>> --
>> Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
>> Links Global Services, C.A.
>> http://www.lgs.com.ve
>> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
>> ------------------------------------------------------------
>> "If I'd asked my customers what they wanted, they'd have said
>> a faster horse" - Henry Ford

From jasondbecker at gmail.com Tue May 13 19:17:29 2014
From: jasondbecker at gmail.com (Jason Becker)
Date: Tue, 13 May 2014 13:17:29 -0600
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
Message-ID:

I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).

Where do I change the verbosity of access logging?

This doc:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html

discusses turning on global debugging but doesn't help me. The same doc links to:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html

which tells me that I need to change the nsslapd-accesslog-level but the link on that page is a 404.

So what do I need to do to change the level? I would assume that setting the level to 4 would be indicated if 256 is too verbose but can someone please confirm?

I tried looking in the Configuration tab of the admin GUI but I get thrown:

IPA Error 4204

limits exceeded for this query

Not sure what's going on there, might be symptomatic of the high load the server is under due to iowait perhaps...

Thanks!

From rmeggins at redhat.com Tue May 13 19:28:06 2014
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 13 May 2014 15:28:06 -0400 (EDT)
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To:
References:
Message-ID: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com>

----- Original Message -----
> I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
>
> Where do I change the verbosity of access logging?

Why do you need to change the verbosity of access logging? Do you mean error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting

> This doc:
>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
>
> discusses turning on global debugging but doesn't help me. The same doc links
> to:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
>
> which tells me that I need to change the nsslapd-accesslog-level but the link
> on that page is a 404.
>
> So what do I need to do to change the level? I would assume that setting the
> level to 4 would be indicated if 256 is too verbose but can someone please
> confirm?
>
> I tried looking in the Configuration tab of the admin GUI but I get thrown:
>
> IPA Error 4204
>
> limits exceeded for this query
>
> Not sure what's going on there, might be symptomatic of the high load the
> server is under due to iowait perhaps...
>
> Thanks!

From dpal at redhat.com Tue May 13 19:32:24 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 13 May 2014 15:32:24 -0400
Subject: [Freeipa-users] DNS SOA Records
In-Reply-To:
References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve>
Message-ID: <53727348.9010803@redhat.com>

On 05/13/2014 02:12 PM, Bob wrote:
> I ran
>
> ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name test.vh1.vzwnet.com.;"
>
> I then execute the nsupdate:
>
> [root at nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
>
> [root at nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile
>
> [root at nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table
>

Several things:

The sssd failures indicate that you might have installed and configured SSSD via ipa-client and then wiped out the keytab, probably to emulate nsupdate without a keytab. I am not sure it is relevant but I suggest that you try nsupdate from an unenrolled machine. If the machine is enrolled the nsupdate would work anyway, so you need to deal with the situation when you are running nsupdate from a machine that does not have ipa-client configured, so trying on a clean system would be better.

Can you validate that the key is actually correct on both sides?

> On Tue, May 13, 2014 at 2:04 PM, Bob wrote:
>
> > I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
> >
> > But my nsupdate results in this in the daemon log:
> >
> > May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> > May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> > May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> > May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
> >
> > It almost works.
> >
> > On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
> >
> > > On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > > > I have many dozens of TSIG keys declared in our current bind. There
> > > > are hundreds of records that have been granted to those keys. All of
> > > > this predates me and I do not know who has these keys. The scope of
> > > > trying to work with the owners of these keys to convert their
> > > > processes to use kerberos would be a large effort. It was my hope
> > > > to use IPA / IDM to provide multi master DNS, with each server being a
> > > > SOA. But this becomes a lot less desirable as a solution if I have to
> > > > track down our key holders.
> > >
> > > You can keep using your TSIG keys with IPA if that is what you're
> > > looking for. Just declare your TSIG keys in your IPA dns "update-policy"
> > > just as you would do with plain bind:
> > >
> > > ipa dnszone-mod example.com --update-policy="grant key1. subdomain
> > > a.example.com.; grant key2. name b.example.com.;"
> > >
> > > Also in IPA every DNS presents a different SOA, each with the name of
> > > the server being queried, so it can be used as a true multimaster DNS
> > > solution.
> > >
> > > Hope this helps
> > >
> > > > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> > > > On 05/13/2014 09:59 AM, Bob wrote:
> > > >
> > > > > Is there any way to do an nsupdate of a DNS record in an IPA
> > > > > server using a TSIG key without having a kerberos ticket?
> > > > >
> > > > > We were going to swap out bind in favor of IPA, but we need
> > > > > to be able to do nsupdates.
> > > >
> > > > If you are using IPA you can give your clients keytabs.
> > > > It is all automatic with RHEL, Fedora, Centos for the last 5
> > > > years. Enroll your clients using ipa-client-install.
> > > > If you have other operating systems some exploration would be
> > > > required but it should be doable too.
> > > > >
> > > > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> > > > > We use nsupdate to move the location of some of
> > > > > our services around. For instance there might be two
> > > > > servers that exchange roles, like serv.east.abc.com
> > > > > and serv.west.abc.com and we will have a service
> > > > > name like wiki.abc.com. The owner of the application
> > > > > has been given an nsupdate key that allows them to
> > > > > update and delete on the wiki.abc.com and have
> > > > > that record contain either an "A" record for one or
> > > > > the other of the two servers.
> > > > >
> > > > > I am very concerned that there might come a time
> > > > > when the SOA primary master server for this dynamic
> > > > > domain might be down when the application owner
> > > > > needs to do their nsupdate.
> > > > >
> > > > > One observation that we see is that Windows AD and
> > > > > DNS make every AD DNS server an SOA for any domain
> > > > > that it serves. That any dynamic DNS update can be
> > > > > serviced by any Domain controller and that this
> > > > > update is replicated with LDAP to the other DCs.
> > > > >
> > > > > It was our hope that we could use IPA for our DNS
> > > > > servers for this dynamic domain. That we would have
> > > > > multiple forward statements from our main DNS
> > > > > servers to the IPA DNS servers and that any IPA
> > > > > server would be the SOA. This way the nsupdate would
> > > > > be processed by any available IPA server in the
> > > > > event that one or more of these IPA DNS servers
> > > > > would be down or unreachable.
> > > > >
> > > > > Is there a way to make each IPA system a SOA for the
> > > > > same domain and still have the DNS records replicate
> > > > > between them?
> > > > >
> > > > > thanks,
> > > > >
> > > > > Bob Harvey
> > > >
> > > > --
> > > > Thank you,
> > > > Dmitri Pal
> > > >
> > > > Sr. Engineering Manager IdM portfolio
> > > > Red Hat, Inc.
> > >
> > > --
> > > Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
> > > Links Global Services, C.A. http://www.lgs.com.ve
> > > Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
> > > ------------------------------------------------------------
> > > "If I'd asked my customers what they wanted, they'd have said
> > > a faster horse" - Henry Ford

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From rcritten at redhat.com Tue May 13 19:36:36 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 13 May 2014 15:36:36 -0400
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To:
References:
Message-ID: <53727444.8060200@redhat.com>

Jason Becker wrote:
> I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
>
> Where do I change the verbosity of access logging?
>
> This doc:
>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
>
> discusses turning on global debugging but doesn't help me. The same doc
> links to:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
>
> which tells me that I need to change the nsslapd-accesslog-level but the
> link on that page is a 404.
>
> So what do I need to do to change the level? I would assume that setting
> the level to 4 would be indicated if 256 is too verbose but can someone
> please confirm?

256 is the default. I found this documented in a slightly older release at https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.0/html/Configuration_and_Command_Reference/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-cnconfig-nsslapd_accesslog_level

> I tried looking in the Configuration tab of the admin GUI but I get thrown:
>
> IPA Error 4204
>
> limits exceeded for this query
>
> Not sure what's going on there, might be symptomatic of the high load
> the server is under due to iowait perhaps...

Yes. And I guess ironically you can configure the timeout but without being able to display the page this can be hard using our tools, which enforce that timeout.

This data lives at cn=ipaConfig,cn=etc,dc=example,dc=com. You can use ldapmodify to change this if the IPA tools keep timing out while trying.

rob

From jasondbecker at gmail.com Tue May 13 19:57:59 2014
From: jasondbecker at gmail.com (Jason Becker)
Date: Tue, 13 May 2014 13:57:59 -0600
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com>
References: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com>
Message-ID:

On Tue, May 13, 2014 at 1:28 PM, Richard Megginson wrote:

> ----- Original Message -----
> > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
> >
> > Where do I change the verbosity of access logging?
>
> Why do you need to change the verbosity of access logging? Do you mean
> error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting

I do mean access logging. I want to change it because it's too verbose :-) . It's causing high load / iowait on the server.

Based on the link you sent if I crafted an ldif like:

dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 4

that would presumably get me what I want.

Does it require a dirsrv restart?

Please advise.

Thanks!

> > This doc:
> >
> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
> >
> > discusses turning on global debugging but doesn't help me. The same doc links
> > to:
> >
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
> >
> > which tells me that I need to change the nsslapd-accesslog-level but the link
> > on that page is a 404.
> >
> > So what do I need to do to change the level? I would assume that setting the
> > level to 4 would be indicated if 256 is too verbose but can someone please
> > confirm?
> >
> > I tried looking in the Configuration tab of the admin GUI but I get thrown:
> >
> > IPA Error 4204
> >
> > limits exceeded for this query
> >
> > Not sure what's going on there, might be symptomatic of the high load the
> > server is under due to iowait perhaps...
> >
> > Thanks!

From rmeggins at redhat.com Tue May 13 20:26:44 2014
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 13 May 2014 16:26:44 -0400 (EDT)
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To:
References: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com>
Message-ID: <528533413.4836258.1400012804378.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On Tue, May 13, 2014 at 1:28 PM, Richard Megginson wrote:
>
> > ----- Original Message -----
> > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
> > >
> > > Where do I change the verbosity of access logging?
> >
> > Why do you need to change the verbosity of access logging? Do you mean
> > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting
>
> I do mean access logging. I want to change it because it's too verbose :-)
> . It's causing high load / iowait on the server.

There isn't a way to change the access log level to make it less verbose. You can turn it off completely:

nsslapd-accesslog-enabled: off

Note that the access log is buffered, specifically to reduce the I/O load. If that buffered load is _still_ too high, then you might want to investigate replacing the access log file with a named pipe, then writing a small bit of python code to filter out only the events you are interested in. See https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html

> Based on the link you sent if I crafted an ldif like:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-accesslog-level
> nsslapd-accesslog-level: 4
>
> that would presumably get me what I want.

I don't think so.
The error log levels are completely different than the access log levels, in that there are no access log levels.

> Does it require a dirsrv restart?

No, but . . .

> Please advise.
>
> Thanks!
>
> > > This doc:
> > >
> > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
> > >
> > > discusses turning on global debugging but doesn't help me. The same doc links
> > > to:
> > >
> > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
> > >
> > > which tells me that I need to change the nsslapd-accesslog-level but the link
> > > on that page is a 404.
> > >
> > > So what do I need to do to change the level? I would assume that setting the
> > > level to 4 would be indicated if 256 is too verbose but can someone please
> > > confirm?
> > >
> > > I tried looking in the Configuration tab of the admin GUI but I get thrown:
> > >
> > > IPA Error 4204
> > >
> > > limits exceeded for this query
> > >
> > > Not sure what's going on there, might be symptomatic of the high load the
> > > server is under due to iowait perhaps...
> > >
> > > Thanks!

From jasondbecker at gmail.com Tue May 13 21:27:19 2014
From: jasondbecker at gmail.com (Jason Becker)
Date: Tue, 13 May 2014 15:27:19 -0600
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To: <528533413.4836258.1400012804378.JavaMail.zimbra@redhat.com>
References: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com> <528533413.4836258.1400012804378.JavaMail.zimbra@redhat.com>
Message-ID:

On Tue, May 13, 2014 at 2:26 PM, Richard Megginson wrote:

> ----- Original Message -----
> > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson wrote:
> >
> > > ----- Original Message -----
> > > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
> > > >
> > > > Where do I change the verbosity of access logging?
> > >
> > > Why do you need to change the verbosity of access logging? Do you mean
> > > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting
> >
> > I do mean access logging. I want to change it because it's too verbose :-)
> > . It's causing high load / iowait on the server.
>
> There isn't a way to change the access log level to make it less verbose.
> You can turn it off completely nsslapd-accesslog-enabled: off

Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: 4" is just as verbose as "nsslapd-accesslog-level: 256"? Or that there is literally no way to change the level despite the fact that there are levels?

Cheers

> Note that the access log is buffered, specifically to reduce the I/O load.
> If that buffered load is _still_ too high, then you might want to
> investigate replacing the access log file with a named pipe, then writing a
> small bit of python code to filter out only the events you are interested
> in. See
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html
>
> > Based on the link you sent if I crafted an ldif like:
> >
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-accesslog-level
> > nsslapd-accesslog-level: 4
> >
> > that would presumably get me what I want.
>
> I don't think so.
> The error log levels are completely different than the
> access log levels, in that there are no access log levels.
>
> > Does it require a dirsrv restart?
>
> No, but . . .
>
> > Please advise.
> >
> > Thanks!
> >
> > > > This doc:
> > > >
> > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
> > > >
> > > > discusses turning on global debugging but doesn't help me. The same doc
> > > > links to:
> > > >
> > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
> > > >
> > > > which tells me that I need to change the nsslapd-accesslog-level but the
> > > > link on that page is a 404.
> > > >
> > > > So what do I need to do to change the level? I would assume that setting
> > > > the level to 4 would be indicated if 256 is too verbose but can someone
> > > > please confirm?
> > > >
> > > > I tried looking in the Configuration tab of the admin GUI but I get thrown:
> > > >
> > > > IPA Error 4204
> > > >
> > > > limits exceeded for this query
> > > >
> > > > Not sure what's going on there, might be symptomatic of the high load the
> > > > server is under due to iowait perhaps...
> > > >
> > > > Thanks!

From rmeggins at redhat.com Tue May 13 21:35:35 2014
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 13 May 2014 17:35:35 -0400 (EDT)
Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level?
In-Reply-To:
References: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com> <528533413.4836258.1400012804378.JavaMail.zimbra@redhat.com>
Message-ID: <1485846436.4865416.1400016935119.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On Tue, May 13, 2014 at 2:26 PM, Richard Megginson wrote:
>
> > ----- Original Message -----
> > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson wrote:
> > >
> > > > ----- Original Message -----
> > > > > I am using FreeIPA 3.0.0 on RHEL 6 (ipa-server-3.0.0-37.el6.x86_64).
> > > > >
> > > > > Where do I change the verbosity of access logging?
> > > >
> > > > Why do you need to change the verbosity of access logging? Do you mean
> > > > error logging? If so, see http://port389.org/wiki/FAQ#Troubleshooting
> > >
> > > I do mean access logging. I want to change it because it's too verbose
> > > :-) . It's causing high load / iowait on the server.
> >
> > There isn't a way to change the access log level to make it less verbose.
> > You can turn it off completely nsslapd-accesslog-enabled: off
>
> Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: 4"
> is just as verbose as "nsslapd-accesslog-level: 256"?

Yes.

> Or that there is
> literally no way to change the level despite the fact that there are levels?

Yes, you can change the level. You can make it much more verbose than it is already. I don't think this is what you want.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level

So you could, for example, change the level to 4, and log internal operations.

1) That may be much more verbose than the default of 256
2) That may not be particularly useful to you.
If the purpose of changing the access logging level is to reduce the I/O, then no, there is no level which will reduce the verbosity but still give you some sort of useful data in the access log.

If you want to reduce the verbosity, but still have some sort of useful information, then you'll have to use the named pipe log script to filter out only those events which are useful to you.

> Cheers
>
> > Note that the access log is buffered, specifically to reduce the I/O load.
> > If that buffered load is _still_ too high, then you might want to
> > investigate replacing the access log file with a named pipe, then writing a
> > small bit of python code to filter out only the events you are interested
> > in. See
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html
> >
> > > Based on the link you sent if I crafted an ldif like:
> > >
> > > dn: cn=config
> > > changetype: modify
> > > replace: nsslapd-accesslog-level
> > > nsslapd-accesslog-level: 4
> > >
> > > that would presumably get me what I want.
> >
> > I don't think so. The error log levels are completely different than the
> > access log levels, in that there are no access log levels.
> >
> > > Does it require a dirsrv restart?
> >
> > No, but . . .
> >
> > > Please advise.
> > >
> > > Thanks!
> > >
> > > > > This doc:
> > > > >
> > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html
> > > > >
> > > > > discusses turning on global debugging but doesn't help me. The same doc
> > > > > links to:
> > > > >
> > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html
> > > > >
> > > > > which tells me that I need to change the nsslapd-accesslog-level but the
> > > > > link on that page is a 404.
> > > > > > > > > > So what do I need to do to change the level? I would assume that > > setting > > > > the > > > > > level to 4 would be indicated if 256 is too verbose but can someone > > > > please > > > > > confirm? > > > > > > > > > > I tried looking in the Configuration tab of the admin GUI but I get > > > > thrown: > > > > > > > > > > IPA Error 4204 > > > > > > > > > > limits exceeded for this query > > > > > > > > > > Not sure what's going on there, might be symptomatic of the high > > load the > > > > > server is under due to iowait perhaps... > > > > > > > > > > Thanks! > > > > > > > > > > _______________________________________________ > > > > > Freeipa-users mailing list > > > > > Freeipa-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > From jasondbecker at gmail.com Tue May 13 21:41:38 2014 From: jasondbecker at gmail.com (Jason Becker) Date: Tue, 13 May 2014 15:41:38 -0600 Subject: [Freeipa-users] Where do I change the nsslapd-accesslog-level? In-Reply-To: <1485846436.4865416.1400016935119.JavaMail.zimbra@redhat.com> References: <808581761.4817116.1400009286379.JavaMail.zimbra@redhat.com> <528533413.4836258.1400012804378.JavaMail.zimbra@redhat.com> <1485846436.4865416.1400016935119.JavaMail.zimbra@redhat.com> Message-ID: On Tue, May 13, 2014 at 3:35 PM, Richard Megginson wrote: > > > ----- Original Message ----- > > On Tue, May 13, 2014 at 2:26 PM, Richard Megginson > > wrote: > > > > > ----- Original Message ----- > > > > On Tue, May 13, 2014 at 1:28 PM, Richard Megginson > > > > wrote: > > > > > > > > > ----- Original Message ----- > > > > > > I am using FreeIPA 3.0.0 on RHEL 6 > (ipa-server-3.0.0-37.el6.x86_64). > > > > > > > > > > > > Where do I change the verbosity of access logging? > > > > > > > > > > > > > > > Why do you need to change the verbosity of access logging? Do you > mean > > > > > error logging? 
If so, see > http://port389.org/wiki/FAQ#Troubleshooting > > > > > > > > > > > > > I do mean access logging. I want to change it because it's too > verbose > > > :-) > > > > . It's causing high load / iowait on the server. > > > > > > There isn't a way to change the access log level to make it less > verbose. > > > You can turn it off completely nsslapd-accesslog-enabled: off > > > > > > > Sorry, you've confused me. Are you saying that "nsslapd-accesslog-level: > 4" > > is just as verbose as "nsslapd-accesslog-level: 256"? > > Yes. > > > Or that there is > > literally no way to change the level despite the fact that there are > levels? > > Yes, you can change the level. You can make it much more verbose than it > is already. I don't think this is what you want. > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_level > > So you could, for example, change the level to 4, and log internal > operations. 1) That may be much more verbose than the default of 256 2) > That may not be particularly useful to you. > > If the purpose of changing the access logging level is to reduce the I/O, > then no, there is no level which will reduce the verbosity but still give > you some sort of useful data in the access log. > > If you want to reduce the verbosity, but still have some sort of useful > information, then you'll have to use the named pipe log script to filter > out only those events which are useful to you. > Thanks for the clarification. I was working on the assumption that indeed "nsslapd-accesslog-level: 4" would be less verbose but still provide some sort of useful data in the access log. Cheers > > > > > Cheers > > > > > > > > > Note that the access log is buffered, specifically to reduce the I/O > load. 
> > > If that buffered load is _still_ too high, then you might want to > > > investigate replacing the access log file with a named pipe, then > writing a > > > small bit of python code to filter out only the events you are > interested > > > in. See > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-named-pipe.html > > > > > > > > > > > Based on the link you sent if I crafted an ldif like: > > > > > > > > dn: cn=config > > > > changetype: modify > > > > replace: nsslapd-accesslog-level > > > > nsslapd-accesslog-level: 4 > > > > > > > > that would presumably get me what I want. > > > > > > I don't think so. The error log levels are completely different than > the > > > access log levels, in that there are no access log levels. > > > > > > > > > > > Does it require a dirsrv restart? > > > > > > No, but . . . > > > > > > > > > > > Please advise. > > > > > > > > Thanks! > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This doc: > > > > > > > > > > > > > > > > > > > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/server-config.html > > > > > > > > > > > > discusses turning on global debugging but doesn't help me. The > same > > > doc > > > > > links > > > > > > to: > > > > > > > > > > > > > > > > > > > > > https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Configuration_and_Command-Line_Tool_Reference/logs-reference.html > > > > > > > > > > > > which tells me that I need to change the nsslapd-accesslog-level > but > > > the > > > > > link > > > > > > on that page is a 404. > > > > > > > > > > > > So what do I need to do to change the level? I would assume that > > > setting > > > > > the > > > > > > level to 4 would be indicated if 256 is too verbose but can > someone > > > > > please > > > > > > confirm? 
> > > > > > > > > > > > I tried looking in the Configuration tab of the admin GUI but I > get > > > > > thrown: > > > > > > > > > > > > IPA Error 4204 > > > > > > > > > > > > limits exceeded for this query > > > > > > > > > > > > Not sure what's going on there, might be symptomatic of the high > > > load the > > > > > > server is under due to iowait perhaps... > > > > > > > > > > > > Thanks! > > > > > > > > > > > > _______________________________________________ > > > > > > Freeipa-users mailing list > > > > > > Freeipa-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Wed May 14 08:57:04 2014 From: pspacek at redhat.com (Petr Spacek) Date: Wed, 14 May 2014 10:57:04 +0200 Subject: [Freeipa-users] DNS SOA Records In-Reply-To: <53727348.9010803@redhat.com> References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve> <53727348.9010803@redhat.com> Message-ID: <53732FE0.60605@redhat.com> On 13.5.2014 21:32, Dmitri Pal wrote: > On 05/13/2014 02:12 PM, Bob wrote: >> I ran >> >> ipa dnszone-mod vh1.vzwnet.com >> --update-policy="grant bob-key name test.vh1.vzwnet.com.;" >> >> I then execute the nsupdate: >> >> [root at nj51rhidms16v ~]# ./bobtest.sh >> ; TSIG error with server: tsig indicates error >> update failed: NOTAUTH(BADKEY) >> >> >> [root at nj51rhidms16v ~]# cat ./bobtest.sh >> #!/bin/ksh >> # >> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww== >> print "update add test.vh1.vzwnet.com 90 CNAME >> txslxngda5.nss.vzwnet.com \n"|nsupdate -y >> $keyfile >> >> [root at nj51rhidms16v log]# tail daemon >> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing >> keytab file [default]: Principal >> [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM >> ] was not found. >> Unable to create GSSAPI-encrypted LDAP connection. 
>> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to >> key table >> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check >> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check >> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing >> keytab file [default]: Principal >> [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM >> ] was not found. >> Unable to create GSSAPI-encrypted LDAP connection. >> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to >> key table >> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check >> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: All errors above are irrelevant to nsupdate. It points to an problem with SSSD configuration but this should not affect nsupdate with TSIG at all. >> request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY) >> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing My best guess is that you have modified update-policy to reference key "bob-key" but the key is not defined in named.conf. Unfortunately, IPA doesn't support TSIG keys in LDAP. You have to define all keys on all servers in named.conf manually: Add something like: key "bob-key" { algorithm hmac-md5; secret ""; }; and restart named. Then it should work. If you want to see support for TSIG keys in LDAP then please open a FreeIPA ticket: https://fedorahosted.org/freeipa/newticket To speed things up, please describe your use case (in detail) and propose user interface. Also, please note that hmac-md5 is not "the most secure algorithm in the world". GSS-TSIG should be more secure. I would recommend you to gradually migrate from TSIG to GSS-TSIG. Have a nice day! -- Petr^2 Spacek From zhu_junca at yahoo.ca Wed May 14 22:12:24 2014 From: zhu_junca at yahoo.ca (Carl E. 
Ma) Date: Wed, 14 May 2014 18:12:24 -0400 Subject: [Freeipa-users] weird behavior on centos 6 In-Reply-To: <53550FD1.2090203@redhat.com> References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> Message-ID: <5373EA48.6060006@yahoo.ca> Hello, Recently I realized our centos 6 freeipa clients hangs randomly. With some research, the issue is related to autofs bug, which was mentioned year ago - Automount fails for IPA user when kerberos ticket is expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980). This ticket was closed with comment - "closed defect: invalid". My workaround is extending ticket_lifetime to 24h and renew_lifetime to 365d. I wonder whether there is better solution or some insights of this bug. Thanks, carl > From dpal at redhat.com Wed May 14 22:12:48 2014 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 May 2014 18:12:48 -0400 Subject: [Freeipa-users] External collaboration edits In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> References: <82E7C9A01FD0764CACDD35D10F5DFB6E6B00D0@001FSN2MPN1-044.001f.mgd2.msft.net> Message-ID: <5373EA60.5010207@redhat.com> On 04/19/2014 07:46 PM, Nordgren, Bryce L -FS wrote: > > I've run out of time for today, but the external collaboration pages > are slowly evolving. > > http://www.freeipa.org/page/External_Users_in_IPA > > Dimitri observed that my RFE page was too long. I observe it also has > too much stuff unrelated to the actual meat of the RFE. So I factored > out most of the Kerberos stuff into a different page. I also tried to > focus the RFE to just creating entries in LDAP for external users so > they can: a] participate in POSIX groups; and b] have locally-defined > POSIX attributes. > > http://www.freeipa.org/page/Collaboration_with_Kerberos > > This is where all the Kerberos stuff went. I also added in "Option A" > from Petr's email. 
Option B will come along later, when I pick this up > again. Mechanism three has more to do with Ipsilon than IPA, and basic > functions required of the Ipsilon gateway server are articulated there > (regardless of the particular authentication method.) > > Send comments to the list. I really appreciate Option A! Send more > stuff I didn't think of. > Hello, I finally read the pages, sorry for the delay. great writeup! Here are some comments. 1) You are right that we need to have a record in IPA to be able to have a DN and take over some of the posix attributes. We already have this use case and this is a high priority. We call it views: https://fedorahosted.org/freeipa/ticket/3979 Once this is implemented we will have mechanism to have a local entry without credential for the external user. 2) The second issue is provisioning as automatic as possible. And this is where there will be some issues. If we want to leverage Kerberos trusts then two things should happen: a) the trust should first be established b) the home realm should be accessible for the KDC in the collaboration domain. This rises practical operational questions about what is the home domain. If the home domain is another collaboration domain then user is natively have been created in that domain and has his credential in that domain. Hm but that violates the idea that the collaboration domains have external "auto-provisioned users". If the home domain is the internal domain than most likely the cross forest trust can't be established because admin of the internal domain would not want to expose his domain to somebody's external domain on the internet. So IMO the kerberos based auto-provisioning falls apart. However if we use a gateway that would allow a person to self register and use technologies similar to OpenID then we would be able to create his own account. The gateway would check that the user is from some trusted source that is configured for that domain. 
We would have to figure that part out. But IMO this component is external to IPA. It is a similar gateway to Ipsilon. I suspect that as we move forward Ipsilon will transform from an IdP server to being a collection of "gateway services". One would be able to deploy IdP instances, Kerberos -> cert service, account registration service etc. This would rely on some of the functionality in IPA but can evolve independently. IMO if we go this path and you are interested in contributing to this effort we can start prototyping such service. We can start simple: create a service that allows one to authenticate using google or facebook and once user authenticated against one of them call an ipa user-add against IPA. That would be a good first step towards what you want to accomplish. Then it can be enhanced to redirect to an external IdP (Ipsilon). Then the setup will be:
* User connects to the self registration portal.
* Portal redirects him to the IdP that is configured for the portal
* IdP performs an authentication against user home domain and creates assertion
* Assertion is presented to the registration portal
* The portal gets user info from the assertion and adds a user
It also seems that OpenID connect might be quite relevant here. So exploring how it can be used in conjunction with registration portal would be another path. 3) The problem of the credential yet stays open. If the user can be created in different ways it might not be quite easy for the user to know or remember that he must use his kerberos/Google/facebook or other credential with a specific domain. Maybe we should consider creating a full user also with a password or OTP token to access the collaboration domain. Then user would always know that he needs to use his token. I wonder if actually just OTP would be a good option in this case. It can be provisioned to the freeOTP app at the moment of the user registration. Bottom line: let us do practical steps in the right direction. 
The whole project seems to have too many weak points to try to solve it as a single use case. I would rather focus on building technologies that would gradually make life of collaboration domains easier and get there over time. Thanks Dmitri > Bryce > > > > > > This electronic message contains information generated by the USDA > solely for the intended recipients. Any unauthorized interception of > this message or the use or disclosure of the information it contains > may violate the law and subject the violator to civil or criminal > penalties. If you believe you have received this message in error, > please notify the sender and delete the email immediately. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Wed May 14 22:25:03 2014 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 14 May 2014 18:25:03 -0400 Subject: [Freeipa-users] weird behavior on centos 6 In-Reply-To: <5373EA48.6060006@yahoo.ca> References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> <5373EA48.6060006@yahoo.ca> Message-ID: <5373ED3F.5010606@redhat.com> On 05/14/2014 06:12 PM, Carl E. Ma wrote: > Hello, > > Recently I realized our centos 6 freeipa clients hangs randomly. With > some research, the issue is related to autofs bug, which was mentioned > year ago - Automount fails for IPA user when kerberos ticket is > expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980). > This ticket was closed with comment - "closed defect: invalid". > > My workaround is extending ticket_lifetime to 24h and renew_lifetime > to 365d. I wonder whether there is better solution or some insights of > this bug. 
> > Thanks, > > carl >> > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users Read about GSS proxy. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From supratiksekhar at gmail.com Thu May 15 07:21:13 2014 From: supratiksekhar at gmail.com (Supratik Goswami) Date: Thu, 15 May 2014 12:51:13 +0530 Subject: [Freeipa-users] AD trust showing offline after reboot Message-ID: Hi I followed the instructions mentioned in http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD trust with IPA server. I successfully established the trust and also able to list all AD users but after I rebooted the system "wbinfo --onlie-status" returns offline for AD domain and "wbinfo -u" also not returning anything. Is there anything I need to change to make it work across reboots? -- Warm Regards Supratik -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Thu May 15 07:36:54 2014 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 15 May 2014 09:36:54 +0200 Subject: [Freeipa-users] weird behavior on centos 6 In-Reply-To: <5373ED3F.5010606@redhat.com> References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> <5373EA48.6060006@yahoo.ca> <5373ED3F.5010606@redhat.com> Message-ID: <53746E96.4040508@redhat.com> On 15.5.2014 00:25, Dmitri Pal wrote: > On 05/14/2014 06:12 PM, Carl E. Ma wrote: >> Hello, >> >> Recently I realized our centos 6 freeipa clients hangs randomly. With some >> research, the issue is related to autofs bug, which was mentioned year ago - >> Automount fails for IPA user when kerberos ticket is expired, ssh hangs >> (https://fedorahosted.org/freeipa/ticket/2980). This ticket was closed with >> comment - "closed defect: invalid". 
>> >> My workaround is extending ticket_lifetime to 24h and renew_lifetime to >> 365d. I wonder whether there is better solution or some insights of this bug. >> >> Thanks, >> >> carl > > Read about GSS proxy. Presentation & video is linked from project home page: https://fedorahosted.org/gss-proxy/ -- Petr^2 Spacek From jhrozek at redhat.com Thu May 15 07:40:07 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 15 May 2014 09:40:07 +0200 Subject: [Freeipa-users] DNS SOA Records In-Reply-To: <53732FE0.60605@redhat.com> References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve> <53727348.9010803@redhat.com> <53732FE0.60605@redhat.com> Message-ID: <20140515074007.GA29987@hendrix.redhat.com> On Wed, May 14, 2014 at 10:57:04AM +0200, Petr Spacek wrote: > On 13.5.2014 21:32, Dmitri Pal wrote: > >On 05/13/2014 02:12 PM, Bob wrote: > >>I ran > >> > >>ipa dnszone-mod vh1.vzwnet.com > >>--update-policy="grant bob-key name test.vh1.vzwnet.com.;" > >> > >>I then execute the nsupdate: > >> > >>[root at nj51rhidms16v ~]# ./bobtest.sh > >>; TSIG error with server: tsig indicates error > >>update failed: NOTAUTH(BADKEY) > >> > >> > >>[root at nj51rhidms16v ~]# cat ./bobtest.sh > >>#!/bin/ksh > >># > >>keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww== > >>print "update add test.vh1.vzwnet.com 90 CNAME > >>txslxngda5.nss.vzwnet.com \n"|nsupdate -y > >>$keyfile > >> > >>[root at nj51rhidms16v log]# tail daemon > >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error processing > >>keytab file [default]: Principal > >>[host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM > >>] was not found. > >>Unable to create GSSAPI-encrypted LDAP connection. 
> >>May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to > >>key table > >>May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check > >>May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check > >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing > >>keytab file [default]: Principal > >>[host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM > >>] was not found. > >>Unable to create GSSAPI-encrypted LDAP connection. > >>May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to > >>key table > >>May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check > >>May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: > All errors above are irrelevant to nsupdate. It points to an problem > with SSSD configuration but this should not affect nsupdate with > TSIG at all. Hi, sorry to come late to the thread, I'm catching up on freeipa-users. I agree with Petr that this is a generic failure related to a wrong keytab. Does "klist -k" list the keys you would expect to have in the keytab? Does "kinit -k" allow you to kinit using the keytab? I would expect one or both of them to fail, in which case you should either re-enroll the client or just fetch a new keytab using ipa-getkeytab. From jhrozek at redhat.com Thu May 15 07:44:40 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 15 May 2014 09:44:40 +0200 Subject: [Freeipa-users] AD trust showing offline after reboot In-Reply-To: References: Message-ID: <20140515074440.GB29987@hendrix.redhat.com> On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote: > Hi > > I followed the instructions mentioned in > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD > trust with IPA server. 
> > I successfully established the trust and also able to list all AD users but > after I > rebooted the system "wbinfo --onlie-status" returns offline for AD domain > and > "wbinfo -u" also not returning anything. > > Is there anything I need to change to make it work across reboots? Did IPA start at all according to the ipactl status? Are you able to to see native IPA users with "ipa user-show" ? What is the IPA version you are using? From supratiksekhar at gmail.com Thu May 15 09:10:57 2014 From: supratiksekhar at gmail.com (Supratik Goswami) Date: Thu, 15 May 2014 14:40:57 +0530 Subject: [Freeipa-users] AD trust showing offline after reboot In-Reply-To: References: <20140515074440.GB29987@hendrix.redhat.com> Message-ID: Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the below error. [root at master packages]# wbinfo -n 'AD\Domain Admins' failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name AD\Domain Admins On Thu, May 15, 2014 at 1:28 PM, Supratik Goswami wrote: > "ipactls status" shows all in running state. > > [root at master packages]# ipactl status > Directory Service: RUNNING > KDC Service: RUNNING > KPASSWD Service: RUNNING > DNS Service: RUNNING > MEMCACHE Service: RUNNING > HTTP Service: RUNNING > CA Service: RUNNING > ADTRUST Service: RUNNING > EXTID Service: RUNNING > > "ipa user-show" also shows the user > > [root at master packages]# ipa user-show > User login: admin > User login: admin > Last name: Administrator > Home directory: /home/admin > Login shell: /bin/bash > UID: 602600000 > GID: 602600000 > Account disabled: False > Password: True > Member of groups: admins, trust admins > Kerberos keys available: True > > I am using IPA version 3.0.0. 
> > > > > On Thu, May 15, 2014 at 1:14 PM, Jakub Hrozek wrote: > >> On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote: >> > Hi >> > >> > I followed the instructions mentioned in >> > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD >> > trust with IPA server. >> > >> > I successfully established the trust and also able to list all AD users >> but >> > after I >> > rebooted the system "wbinfo --onlie-status" returns offline for AD >> domain >> > and >> > "wbinfo -u" also not returning anything. >> > >> > Is there anything I need to change to make it work across reboots? >> >> Did IPA start at all according to the ipactl status? Are you able to to >> see native IPA users with "ipa user-show" ? >> >> What is the IPA version you are using? >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > > > > -- > Warm Regards > > Supratik > -- Warm Regards Supratik -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Thu May 15 13:46:28 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 15 May 2014 09:46:28 -0400 Subject: [Freeipa-users] weird behavior on centos 6 In-Reply-To: <5373ED3F.5010606@redhat.com> References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> <5373EA48.6060006@yahoo.ca> <5373ED3F.5010606@redhat.com> Message-ID: <5374C534.2050005@redhat.com> Dmitri Pal wrote: > On 05/14/2014 06:12 PM, Carl E. Ma wrote: >> Hello, >> >> Recently I realized our centos 6 freeipa clients hangs randomly. With >> some research, the issue is related to autofs bug, which was mentioned >> year ago - Automount fails for IPA user when kerberos ticket is >> expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980). 
>> This ticket was closed with comment - "closed defect: invalid". >> >> My workaround is extending ticket_lifetime to 24h and renew_lifetime >> to 365d. I wonder whether there is better solution or some insights of >> this bug. >> >> Thanks, >> >> carl > > Read about GSS proxy. > I don't believe gss-proxy is available for RHEL-6 and backporting is unlikely. The ticket is closed but the associated BZ is still open, https://bugzilla.redhat.com/show_bug.cgi?id=846109 and has some debugging tips and other recommendations. rob From jhrozek at redhat.com Thu May 15 14:33:35 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 15 May 2014 16:33:35 +0200 Subject: [Freeipa-users] AD trust showing offline after reboot In-Reply-To: References: <20140515074440.GB29987@hendrix.redhat.com> Message-ID: <20140515143335.GE29987@hendrix.redhat.com> On Thu, May 15, 2014 at 02:40:57PM +0530, Supratik Goswami wrote: > Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the > below error. > > [root at master packages]# wbinfo -n 'AD\Domain Admins' > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > Could not lookup name AD\Domain Admins Does ipa trust-find and trust-show still show the trust relationship? The next step I'd try is getting some more debug information from winbind. Set: "smbcontrol winbindd debug 10" Then check out the samba logs at /var/log/samba/* From trevor.t.kates at dom.com Thu May 15 14:51:44 2014 From: trevor.t.kates at dom.com (Trevor T Kates (Services - 6)) Date: Thu, 15 May 2014 14:51:44 +0000 Subject: [Freeipa-users] ldapwhoami Error: Unsupported Extended Operation Message-ID: Hello, all: I'm using IPA 3.0.0-26 on CentOS 6.4: ipa-server-3.0.0-26.el6_4.4.x86_64 ipa-client-3.0.0-26.el6_4.4.x86_64 ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 kernel: 2.6.32-358.18.1.el6.x86_64 My current setup has four masters replicating to each other and I seem to have run into a problem with ldapwhoami on my clients. 
$ ldapwhoami SASL/GSSAPI authentication started SASL username: testuser at EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. ldap_parse_result: Protocol error (2) additional info: unsupported extended operation Result: Protocol error (2) Additional info: unsupported extended operation The slapd log on one of my masters shows: [15/May/2014:10:22:01 -0400] conn=35293 fd=95 slot=95 connection from 10.203.1.121 to 10.203.1.221 [15/May/2014:10:22:01 -0400] conn=35293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI [15/May/2014:10:22:01 -0400] conn=35293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [15/May/2014:10:22:01 -0400] conn=35293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI [15/May/2014:10:22:01 -0400] conn=35293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress [15/May/2014:10:22:01 -0400] conn=35293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [15/May/2014:10:22:01 -0400] conn=35293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testuser,cn=users,cn=accounts,dc=example,dc=com" [15/May/2014:10:22:01 -0400] conn=35293 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.3" [15/May/2014:10:22:01 -0400] conn=35293 op=3 RESULT err=2 tag=120 nentries=0 etime=0 [15/May/2014:10:22:01 -0400] conn=35293 op=4 UNBIND [15/May/2014:10:22:01 -0400] conn=35293 op=4 fd=95 closed - U1 This is a partial debug from the ldapwhoami command: ldap_read: want=36, got=36 0000: 01 02 04 00 04 1e 75 6e 73 75 70 70 6f 72 74 65 ......unsupporte 0010: 64 20 65 78 74 65 6e 64 65 64 20 6f 70 65 72 61 d extended opera 0020: 74 69 6f 6e tion ber_get_next: tag 0x30 len 42 contents: ber_dump: buf=0x834e888 ptr=0x834e888 end=0x834e8b2 len=42 0000: 02 01 04 78 25 0a 01 02 04 00 04 1e 75 6e 73 75 ...x%.......unsu 0010: 70 70 6f 72 74 65 64 20 65 78 74 65 6e 64 65 64 pported extended 0020: 20 6f 70 65 72 61 74 69 6f 6e operation read1msg: ld 0x83410e0 msgid 4 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x834e888 ptr=0x834e88b 
end=0x834e8b2 len=39 0000: 78 25 0a 01 02 04 00 04 1e 75 6e 73 75 70 70 6f x%.......unsuppo 0010: 72 74 65 64 20 65 78 74 65 6e 64 65 64 20 6f 70 rted extended op 0020: 65 72 61 74 69 6f 6e eration read1msg: ld 0x83410e0 0 new referrals read1msg: mark request completed, ld 0x83410e0 msgid 4 request done: ld 0x83410e0 msgid 4 res_errno: 2, res_error: , res_matched: <> ldap_free_request (origid 4, msgid 4) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x834e888 ptr=0x834e88b end=0x834e8b2 len=39 0000: 78 25 0a 01 02 04 00 04 1e 75 6e 73 75 70 70 6f x%.......unsuppo 0010: 72 74 65 64 20 65 78 74 65 6e 64 65 64 20 6f 70 rted extended op 0020: 65 72 61 74 69 6f 6e eration ber_scanf fmt (}) ber: ber_dump: buf=0x834e888 ptr=0x834e8b2 end=0x834e8b2 len=0 ldap_err2string ldap_parse_result: Protocol error (2) additional info: unsupported extended operation ldap_err2string Result: Protocol error (2) Additional info: unsupported extended operation Any help you can offer to guide me in fixing this problem would be appreciated. Thank you for your time! Trevor T. Kates CONFIDENTIALITY NOTICE: This electronic message contains information which may be legally confidential and or privileged and does not in any case represent a firm ENERGY COMMODITY bid or offer relating thereto which binds the sender without an additional express written confirmation to that effect. The information is intended solely for the individual or entity named above and access by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. 
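Added example for this digest, not code from the list, from 389-ds or from FreeIPA: a small Python filter over 389-ds access-log lines that joins each request with its RESULT line and keeps only failed operations and extended operations. It uses the slapd access-log excerpt from the ldapwhoami report above as its embedded sample input (the rejected extended operation is OID 1.3.6.1.4.1.4203.1.11.3, the RFC 4532 "Who am I?" operation), and it is also the kind of named-pipe filter Richard Megginson describes earlier in this digest for the case where no less verbose access-log level exists. The OID and result-code tables, the filter policy (ignore success and saslBindInProgress) and all function names are this example's own choices.

```python
"""Filter a 389-ds / Red Hat Directory Server access log down to the
operations an administrator actually wants to see.

Added example for this thread; not code from the list, from 389-ds or from
FreeIPA.  The sample lines below are the access-log excerpt posted above;
the OID and result-code tables and the filter policy are this example's own
choices.
"""
import re
from collections import namedtuple

# Extended-operation OIDs named here (RFC 4532 "Who am I?" is the one 389-ds
# on RHEL 6 answered with err=2 in the thread).  Unknown OIDs are shown raw.
EXTOP_NAMES = {
    "1.3.6.1.4.1.4203.1.11.3": "whoami (RFC 4532)",
    "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "password modify (RFC 3062)",
}

# LDAP resultCode values that occur in the sample; others print as numbers.
RESULT_NAMES = {0: "success", 2: "protocolError", 14: "saslBindInProgress"}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$"
)
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)")
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)")
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[0-9.]+)"')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')

Event = namedtuple("Event", "conn op kind detail err peer")

# Access-log excerpt from the ldapwhoami report above (verbatim sample input).
SAMPLE_LOG = """\
[15/May/2014:10:22:01 -0400] conn=35293 fd=95 slot=95 connection from 10.203.1.121 to 10.203.1.221
[15/May/2014:10:22:01 -0400] conn=35293 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/May/2014:10:22:01 -0400] conn=35293 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[15/May/2014:10:22:01 -0400] conn=35293 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/May/2014:10:22:01 -0400] conn=35293 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[15/May/2014:10:22:01 -0400] conn=35293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/May/2014:10:22:01 -0400] conn=35293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
[15/May/2014:10:22:01 -0400] conn=35293 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.3"
[15/May/2014:10:22:01 -0400] conn=35293 op=3 RESULT err=2 tag=120 nentries=0 etime=0
[15/May/2014:10:22:01 -0400] conn=35293 op=4 UNBIND
[15/May/2014:10:22:01 -0400] conn=35293 op=4 fd=95 closed - U1
"""


def parse_access_log(lines):
    """Yield one Event per completed operation.

    389-ds writes the request (BIND, SRCH, EXT, ...) and its RESULT as
    separate lines, so they are joined here on the (conn, op) pair.
    """
    pending = {}   # (conn, op) -> (kind, detail) until the RESULT arrives
    peers = {}     # conn -> "client->server" taken from the connection line
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        cm = CONN_RE.match(rest)
        if cm:
            peers[conn] = f"{cm.group('src')}->{cm.group('dst')}"
            continue
        if rest.startswith("fd=") and " closed" in rest:
            # connection torn down: forget anything still unanswered on it
            pending = {k: v for k, v in pending.items() if k[0] != conn}
            peers.pop(conn, None)
            continue
        rm = RESULT_RE.match(rest)
        if rm:
            kind, detail = pending.pop((conn, op), ("?", ""))
            yield Event(conn, int(op) if op is not None else -1, kind, detail,
                        int(rm.group("err")), peers.get(conn, "?"))
            continue
        em = EXT_RE.match(rest)
        if em:
            oid = em.group("oid")
            pending[(conn, op)] = ("EXT", EXTOP_NAMES.get(oid, oid))
            continue
        bm = BIND_RE.match(rest)
        if bm:
            pending[(conn, op)] = ("BIND", bm.group("method"))
            continue
        words = rest.split()
        if words:
            # any other request (SRCH, MOD, UNBIND, ...): keep its keyword only
            pending[(conn, op)] = (words[0], "")


def interesting(events, ignore=(0, 14)):
    """Filter policy: keep failed operations (ignoring the saslBindInProgress
    steps that are normal for a multi-round GSSAPI bind) and every extended
    operation, successful or not."""
    return [e for e in events if e.kind == "EXT" or e.err not in ignore]


def describe(e):
    """One human-readable line per flagged event."""
    name = RESULT_NAMES.get(e.err, str(e.err))
    return (f"conn={e.conn} op={e.op} {e.kind} {e.detail}".rstrip()
            + f" -> err={e.err} ({name}) peer={e.peer}")


def report(lines):
    """Run the parser and the filter over any iterable of access-log lines."""
    return [describe(e) for e in interesting(parse_access_log(lines))]


if __name__ == "__main__":
    # A file object opened on the named pipe works in place of SAMPLE_LOG
    # and gives the same filtered stream continuously.
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

On the sample input the three GSSAPI bind rounds are dropped (two saslBindInProgress steps and one success) and the single flagged line is the whoami extended operation with err=2, which is exactly the server-side view of the "unsupported extended operation" that ldapwhoami printed. When reading from the pipe set up as in the Red Hat named-pipe documentation linked earlier in the digest, `report()` can be fed the open pipe instead of the embedded sample, or the same policy can be dropped into the 389-ds `ds-logpipe.py` script as a plugin; that script is the project's own tool, not part of this example.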
From rcritten at redhat.com  Thu May 15 16:02:03 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 15 May 2014 12:02:03 -0400
Subject: [Freeipa-users] ldapwhoami Error: Unsupported Extended Operation
In-Reply-To: 
References: 
Message-ID: <5374E4FB.60100@redhat.com>

Trevor T Kates (Services - 6) wrote:
> Hello, all:
>
> I'm using IPA 3.0.0-26 on CentOS 6.4:
>
> ipa-server-3.0.0-26.el6_4.4.x86_64
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>
> kernel: 2.6.32-358.18.1.el6.x86_64
>
> My current setup has four masters replicating to each other and I seem to have run into a problem with ldapwhoami on my clients.
>
>
> $ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: testuser@EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> ldap_parse_result: Protocol error (2)
>         additional info: unsupported extended operation
> Result: Protocol error (2)
> Additional info: unsupported extended operation
>
>
> Any help you can offer to guide me in fixing this problem would be appreciated. Thank you for your time!

The operation is not available in the version of 389-ds in RHEL 6.x. It was added in the 1.3.2 release in https://fedorahosted.org/389/ticket/123

rob

From trevor.t.kates at dom.com  Thu May 15 16:22:38 2014
From: trevor.t.kates at dom.com (Trevor T Kates (Services - 6))
Date: Thu, 15 May 2014 16:22:38 +0000
Subject: [Freeipa-users] ldapwhoami Error: Unsupported Extended Operation
In-Reply-To: <5374E4FB.60100@redhat.com>
References: <5374E4FB.60100@redhat.com>
Message-ID: 

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, May 15, 2014 12:02 PM
> To: Trevor T Kates (Services - 6); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] ldapwhoami Error: Unsupported Extended
> Operation
>
> Trevor T Kates (Services - 6) wrote:
> > Hello, all:
> >
> > I'm using IPA 3.0.0-26 on CentOS 6.4:
> >
> > ipa-server-3.0.0-26.el6_4.4.x86_64
> > ipa-client-3.0.0-26.el6_4.4.x86_64
> > ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> >
> > kernel: 2.6.32-358.18.1.el6.x86_64
> >
> > My current setup has four masters replicating to each other and I seem to
> have run into a problem with ldapwhoami on my clients.
> >
> >
> > $ ldapwhoami
> > SASL/GSSAPI authentication started
> > SASL username: testuser@EXAMPLE.COM
> > SASL SSF: 56
> > SASL data security layer installed.
> > ldap_parse_result: Protocol error (2)
> >         additional info: unsupported extended operation
> > Result: Protocol error (2)
> > Additional info: unsupported extended operation
> >
> >
> > Any help you can offer to guide me in fixing this problem would be
> appreciated. Thank you for your time!
>
> The operation is not available in the version of 389-ds in RHEL 6.x. It
> was added in the 1.3.2 release in https://fedorahosted.org/389/ticket/123

Ah, thanks! I won't worry about it then. I thought I had broken something with the directory.

> rob

Trevor T. Kates

From supratiksekhar at gmail.com  Thu May 15 18:27:46 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Thu, 15 May 2014 23:57:46 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To: <20140515143335.GE29987@hendrix.redhat.com>
References: <20140515074440.GB29987@hendrix.redhat.com>
	<20140515143335.GE29987@hendrix.redhat.com>
Message-ID: 

>
> Does ipa trust-find and trust-show still show the trust relationship?
>

Yes, it is listing the AD domain.
After setting the debug level to 10 I got the below message after running the command "wbinfo -n 'AD\Domain Admins' "

==> /var/log/samba/log.winbindd <==
[2014/05/15 18:23:42.437167,  6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:827(new_connection)
  accepted socket 20
[2014/05/15 18:23:42.437556, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INTERFACE_VERSION
[2014/05/15 18:23:42.437667,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:393(winbindd_interface_version)
  [ 2591]: request interface version
[2014/05/15 18:23:42.437816, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INTERFACE_VERSION]: delivered response to client
[2014/05/15 18:23:42.438223, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2014/05/15 18:23:42.438352,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:426(winbindd_priv_pipe_dir)
  [ 2591]: request location of privileged pipe
[2014/05/15 18:23:42.438486, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2014/05/15 18:23:42.438954,  6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:827(new_connection)
  accepted socket 22
[2014/05/15 18:23:42.439261,  6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:875(winbind_client_request_read)
  closing socket 20, client exited
[2014/05/15 18:23:42.439576, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INTERFACE_VERSION
[2014/05/15 18:23:42.439912,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:393(winbindd_interface_version)
  [ 2591]: request interface version
[2014/05/15 18:23:42.440177, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INTERFACE_VERSION]: delivered response to client
[2014/05/15 18:23:42.500902, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn INFO
[2014/05/15 18:23:42.501152,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:381(winbindd_info)
  [ 2591]: request misc info
[2014/05/15 18:23:42.501397, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:INFO]: delivered response to client
[2014/05/15 18:23:42.501707, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn NETBIOS_NAME
[2014/05/15 18:23:42.502077,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:414(winbindd_netbios_name)
  [ 2591]: request netbios name
[2014/05/15 18:23:42.502323, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:NETBIOS_NAME]: delivered response to client
[2014/05/15 18:23:42.502619, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn DOMAIN_NAME
[2014/05/15 18:23:42.502990,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:403(winbindd_domain_name)
  [ 2591]: request domain name
[2014/05/15 18:23:42.503243, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:DOMAIN_NAME]: delivered response to client
[2014/05/15 18:23:42.503545, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:677(process_request)
  process_request: request fn DOMAIN_INFO
[2014/05/15 18:23:42.503884,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:235(winbindd_domain_info)
  [ 2591]: domain_info [IPA]
[2014/05/15 18:23:42.504237, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:DOMAIN_INFO]: delivered response to client
[2014/05/15 18:23:42.504515, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:650(process_request)
  process_request: Handling async request 2591:LOOKUPNAME
[2014/05/15 18:23:42.504741,  3, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
  lookupname AD\Domain Admins
[2014/05/15 18:23:42.505128,  1, pid=1570, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
      in: struct wbint_LookupName
          domain : *
              domain : 'AD'
          name : *
              name : 'DOMAIN ADMINS'
          flags : 0x00000000 (0)
[2014/05/15 18:23:42.506145,  1, pid=1570, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
      out: struct wbint_LookupName
          type : *
              type : SID_NAME_USE_NONE (0)
          sid : *
              sid : S-0-0
          result : NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/05/15 18:23:42.507132,  5, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_lookupname.c:104(winbindd_lookupname_recv)
  Could not convert sid S-0-0: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/05/15 18:23:42.507365, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:712(wb_request_done)
  wb_request_done[2591:LOOKUPNAME]: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
[2014/05/15 18:23:42.508971, 10, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:773(winbind_client_response_written)
  winbind_client_response_written[2591:LOOKUPNAME]: delivered response to client
[2014/05/15 18:23:42.509242,  6, pid=1570, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:875(winbind_client_request_read)

On Thu, May 15, 2014 at 8:03 PM, Jakub Hrozek wrote:

> On Thu, May 15, 2014 at 02:40:57PM +0530, Supratik Goswami wrote:
> > Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the
> > below error.
> >
> > [root@master packages]# wbinfo -n 'AD\Domain Admins'
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name AD\Domain Admins
>
> Does ipa trust-find and trust-show still show the trust relationship?
>
> The next step I'd try is getting some more debug information from
> winbind. Set:
> "smbcontrol winbindd debug 10"
>
> Then check out the samba logs at /var/log/samba/*
>

--
Warm Regards
Supratik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From sbose at redhat.com  Fri May 16 08:48:09 2014
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 16 May 2014 10:48:09 +0200
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To: 
References: <20140515074440.GB29987@hendrix.redhat.com>
	<20140515143335.GE29987@hendrix.redhat.com>
Message-ID: <20140516084809.GC4640@localhost.localdomain>

On Thu, May 15, 2014 at 11:57:46PM +0530, Supratik Goswami wrote:
> >
> > Does ipa trust-find and trust-show still show the trust relationship?
> >
> Yes, it is listing the AD domain.
>
> After setting the debug level to 10 I got the below message after running
> the command "wbinfo -n 'AD\Domain Admins' "
>

The log.wb-DOMAIN is needed here to identify why winbindd is not able to reach the DC. Have you checked if DNS is still working and can resolve SRV records for the AD domain, e.g.

    dig SRV _ldap._tcp.AD.DNS.DOMAIN

should return IP addresses for your DCs.

bye,
Sumit

From supratiksekhar at gmail.com  Fri May 16 10:59:33 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Fri, 16 May 2014 16:29:33 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To: <20140516084809.GC4640@localhost.localdomain>
References: <20140515074440.GB29987@hendrix.redhat.com>
	<20140515143335.GE29987@hendrix.redhat.com>
	<20140516084809.GC4640@localhost.localdomain>
Message-ID: 

Yes DNS is working fine and is able to return the IP address of the AD server.

[root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.ad.idm.example.com.	IN	SRV

;; ANSWER SECTION:
_ldap._tcp.ad.idm.example.com. 600 IN	SRV	0 100 389 master.ad.idm.example.com.

;; ADDITIONAL SECTION:
master.ad.idm.example.com. 3600	IN	A	10.255.0.4

;; Query time: 1 msec
;; SERVER: 10.255.0.4#53(10.255.0.4)
;; WHEN: Fri May 16 10:46:23 2014
;; MSG SIZE  rcvd: 106

In my case AD is the netbios name of the AD domain. Please find the log message from the file log.wb-AD.
[2014/05/16 10:50:37.542420,  5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/debug.c:331(debug_dump_status)
  INFO: Current debug levels:
    all: 10
    tdb: 10
    printdrivers: 10
    lanman: 10
    smb: 10
    rpc_parse: 10
    rpc_srv: 10
    rpc_cli: 10
    passdb: 10
    sam: 10
    auth: 10
    winbind: 10
    vfs: 10
    idmap: 10
    quota: 10
    acls: 10
    locking: 10
    msdfs: 10
    dmapi: 10
    registry: 10
[2014/05/16 10:50:37.543303, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:306(get_timed_events_timeout)
  timed_events_timeout: 4/879652
[2014/05/16 10:50:37.543423, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:306(get_timed_events_timeout)
  timed_events_timeout: 4/879521
[2014/05/16 10:50:42.428450, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "check_domain_online_handler" 0x1753150
[2014/05/16 10:50:42.428642, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:299(check_domain_online_handler)
  check_domain_online_handler: called for domain AD (online = False)
[2014/05/16 10:50:42.430896,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register)
  Registering messaging pointer for type 1030 - private_data=(nil)
[2014/05/16 10:50:42.431077,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:308(messaging_register)
  Overriding messaging pointer for type 1030 - private_data=(nil)
[2014/05/16 10:50:42.431167,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:293(messaging_register)
  Registering messaging pointer for type 1031 - private_data=(nil)
[2014/05/16 10:50:42.431253,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:308(messaging_register)
  Overriding messaging pointer for type 1031 - private_data=(nil)
[2014/05/16 10:50:43.442198, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:75(messaging_tdb_signal_handler)
  messaging_tdb_signal_handler: sig[10] count[1] msgs[1]
[2014/05/16 10:50:43.442306, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:496(message_dispatch)
  message_dispatch: received_messages = 1
[2014/05/16 10:50:43.442460, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:242(messaging_tdb_fetch)
  messaging_tdb_fetch:
[2014/05/16 10:50:43.442575,  1, pid=3305, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug)
  result: struct messaging_array
      num_messages : 0x00000001 (1)
      messages: ARRAY(1)
          messages: struct messaging_rec
              msg_version : 0x00000002 (2)
              msg_type : MSG_WINBIND_TRY_TO_GO_ONLINE (1030)
              dest: struct server_id
                  pid : 0x0000000000000ce9 (3305)
                  task_id : 0x00000000 (0)
                  vnn : 0xffffffff (4294967295)
                  unique_id : 0x0000000000000000 (0)
              src: struct server_id
                  pid : 0x0000000000000f4a (3914)
                  task_id : 0x00000000 (0)
                  vnn : 0xffffffff (4294967295)
                  unique_id : 0x0000000000000000 (0)
              buf : DATA_BLOB length=3
  [0000] 41 44 00   AD.
[2014/05/16 10:50:43.443463,  5, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:155(msg_try_to_go_online)
  msg_try_to_go_online: received for domain AD.
[2014/05/16 10:50:43.443556,  3, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1730(connection_ok)
  connection_ok: Connection to  for domain AD is not connected
[2014/05/16 10:50:43.443692,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:208(saf_fetch)
  saf_fetch: failed to find server for "AD" domain
[2014/05/16 10:50:43.443792, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1560(cm_open_connection)
  cm_open_connection: dcname is '' for domain AD
[2014/05/16 10:50:43.443912,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3289(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name AD (sitename NULL)
[2014/05/16 10:50:43.444041,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:208(saf_fetch)
  saf_fetch: failed to find server for "AD" domain
[2014/05/16 10:50:43.444136,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2014/05/16 10:50:43.444224, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2598(internal_resolve_name)
  internal_resolve_name: looking up AD#1c (sitename (null))
[2014/05/16 10:50:43.444332,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:160(namecache_fetch)
  no entry for AD#1C found.
[2014/05/16 10:50:43.444426,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2266(resolve_lmhosts)
  resolve_lmhosts: Attempting lmhosts lookup for name AD<0x1c>
[2014/05/16 10:50:43.444525,  3, pid=3305, effective(0, 0), real(0, 0)] ../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name AD<0x1c>
[2014/05/16 10:50:43.444653,  4, pid=3305, effective(0, 0), real(0, 0)] ../libcli/nbt/lmhosts.c:111(getlmhostsent)
  getlmhostsent: lmhost entry: 127.0.0.1 localhost
[2014/05/16 10:50:43.444854,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2068(resolve_wins_send)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2014/05/16 10:50:43.444959,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2315(resolve_hosts)
  resolve_hosts: not appropriate for name type <0x1c>
[2014/05/16 10:50:43.445052,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1806(name_resolve_bcast_send)
  name_resolve_bcast: Attempting broadcast lookup for name AD<0x1c>
[2014/05/16 10:50:43.445243, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
  bind succeeded on port 0
[2014/05/16 10:50:43.445352,  5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 1
    SO_BROADCAST = 1
    Could not test socket option TCP_NODELAY.
    Could not test socket option TCP_KEEPCNT.
    Could not test socket option TCP_KEEPIDLE.
    Could not test socket option TCP_KEEPINTVL.
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 1
    SO_SNDBUF = 124928
    SO_RCVBUF = 124928
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    Could not test socket option TCP_QUICKACK.
    Could not test socket option TCP_DEFER_ACCEPT.
[2014/05/16 10:50:43.447711, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
  async_connect failed: No such file or directory
[2014/05/16 10:50:43.448042, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
  nmbd not around
[2014/05/16 10:50:43.448178, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x17515b0
[2014/05/16 10:50:43.448403, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
  bind succeeded on port 0
[2014/05/16 10:50:43.448513,  5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 1
    SO_BROADCAST = 1
    Could not test socket option TCP_NODELAY.
    Could not test socket option TCP_KEEPCNT.
    Could not test socket option TCP_KEEPIDLE.
    Could not test socket option TCP_KEEPINTVL.
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 1
    SO_SNDBUF = 124928
    SO_RCVBUF = 124928
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    Could not test socket option TCP_QUICKACK.
    Could not test socket option TCP_DEFER_ACCEPT.
[2014/05/16 10:50:43.449329, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
  async_connect failed: No such file or directory
[2014/05/16 10:50:43.449442, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
  nmbd not around
[2014/05/16 10:50:44.449727, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750c10
[2014/05/16 10:50:44.449994, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1753b90
[2014/05/16 10:50:44.450115,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3123(get_dc_list)
  Adding 0 DC's from auto lookup
[2014/05/16 10:50:44.450208,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3134(get_dc_list)
  get_dc_list: no servers found
[2014/05/16 10:50:44.450294,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3289(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name ad.idm.example.com (sitename NULL)
[2014/05/16 10:50:44.450435,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:208(saf_fetch)
  saf_fetch: failed to find server for "ad.idm.example.com" domain
[2014/05/16 10:50:44.450531,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2014/05/16 10:50:44.450620, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2598(internal_resolve_name)
  internal_resolve_name: looking up ad.idm.example.com#1c (sitename (null))
[2014/05/16 10:50:44.450733,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name ad.idm.example.com#1C found.
[2014/05/16 10:50:44.450946, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1110(remove_duplicate_addrs2)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2014/05/16 10:50:44.451046,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3123(get_dc_list)
  Adding 1 DC's from auto lookup
[2014/05/16 10:50:44.451155,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result 0 for domain ad.idm.example.com server 10.255.0.4
[2014/05/16 10:50:44.451254, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1110(remove_duplicate_addrs2)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2014/05/16 10:50:44.451342,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3239(get_dc_list)
  get_dc_list: returning 1 ip addresses in an ordered list
[2014/05/16 10:50:44.451427,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3240(get_dc_list)
  get_dc_list: 10.255.0.4:389
[2014/05/16 10:50:44.451530,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result 0 for domain AD server 10.255.0.4
[2014/05/16 10:50:44.451669,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
  Connecting to 10.255.0.4 at port 445
[2014/05/16 10:50:44.452793,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
  No nmbd found
[2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:916(name_status_find)
  name_status_find: looking up AD#1c at 10.255.0.4
[2014/05/16 10:50:44.453044,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:299(namecache_status_fetch)
  namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
[2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
  bind succeeded on port 0
[2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
  async_connect failed: No such file or directory
[2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
  nmbd not around
[2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750470
[2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1750590
[2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
  name_status_find: name not found
[2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
  Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014 (60 seconds ahead)
[2014/05/16 10:50:54.455739,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
  add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
[2014/05/16 10:50:54.455853, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
  Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
[2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
  Deleting cache entry (key = SAF/DOMAIN/AD)
[2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
  Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com,10.255.0.4 and timeout = Fri May 16 10:51:54 2014 (60 seconds ahead)
[2014/05/16 10:50:54.456236,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
  add_failed_connection_entry: added domain ad.idm.example.com (10.255.0.4) to failed conn cache
[2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
  Deleting cache entry (key = SAFJOIN/DOMAIN/AD.IDM.WEBYOG.COM)
[2014/05/16 10:50:54.456433, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
  Deleting cache entry (key = SAF/DOMAIN/AD.IDM.WEBYOG.COM)
[2014/05/16 10:50:54.456601,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3289(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name AD (sitename NULL)
[2014/05/16 10:50:54.456761,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:208(saf_fetch)
  saf_fetch: failed to find server for "AD" domain
[2014/05/16 10:50:54.456876,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2014/05/16 10:50:54.456966, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2598(internal_resolve_name)
  internal_resolve_name: looking up AD#1c (sitename (null))
[2014/05/16 10:50:54.457072,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:160(namecache_fetch)
  no entry for AD#1C found.
[2014/05/16 10:50:54.457240,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2266(resolve_lmhosts)
  resolve_lmhosts: Attempting lmhosts lookup for name AD<0x1c>
[2014/05/16 10:50:54.457332,  3, pid=3305, effective(0, 0), real(0, 0)] ../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name AD<0x1c>
[2014/05/16 10:50:54.457446,  4, pid=3305, effective(0, 0), real(0, 0)] ../libcli/nbt/lmhosts.c:111(getlmhostsent)
  getlmhostsent: lmhost entry: 127.0.0.1 localhost
[2014/05/16 10:50:54.457644,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2068(resolve_wins_send)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2014/05/16 10:50:54.457745,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2315(resolve_hosts)
  resolve_hosts: not appropriate for name type <0x1c>
[2014/05/16 10:50:54.457854,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1806(name_resolve_bcast_send)
  name_resolve_bcast: Attempting broadcast lookup for name AD<0x1c>
[2014/05/16 10:50:54.458057, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
  bind succeeded on port 0
[2014/05/16 10:50:54.458163,  5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 1
    SO_BROADCAST = 1
    Could not test socket option TCP_NODELAY.
    Could not test socket option TCP_KEEPCNT.
    Could not test socket option TCP_KEEPIDLE.
    Could not test socket option TCP_KEEPINTVL.
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 1
    SO_SNDBUF = 124928
    SO_RCVBUF = 124928
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    Could not test socket option TCP_QUICKACK.
    Could not test socket option TCP_DEFER_ACCEPT.
[2014/05/16 10:50:54.458970, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
  async_connect failed: No such file or directory
[2014/05/16 10:50:54.459086, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
  nmbd not around
[2014/05/16 10:50:54.459182, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1752640
[2014/05/16 10:50:54.459354, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
  bind succeeded on port 0
[2014/05/16 10:50:54.459458,  5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/util_net.c:848(print_socket_options)
  Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 1
    SO_BROADCAST = 1
    Could not test socket option TCP_NODELAY.
    Could not test socket option TCP_KEEPCNT.
    Could not test socket option TCP_KEEPIDLE.
    Could not test socket option TCP_KEEPINTVL.
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 1
    SO_SNDBUF = 124928
    SO_RCVBUF = 124928
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    Could not test socket option TCP_QUICKACK.
    Could not test socket option TCP_DEFER_ACCEPT.
[2014/05/16 10:50:54.460242, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
  async_connect failed: No such file or directory
[2014/05/16 10:50:54.460363, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
  nmbd not around
[2014/05/16 10:50:55.460608, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x174f480
[2014/05/16 10:50:55.460853, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
  Running timed event "tevent_req_timedout" 0x1753c10
[2014/05/16 10:50:55.460977,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3123(get_dc_list)
  Adding 0 DC's from auto lookup
[2014/05/16 10:50:55.461070,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3134(get_dc_list)
  get_dc_list: no servers found
[2014/05/16 10:50:55.461157,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3289(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name ad.idm.example.com (sitename NULL)
[2014/05/16 10:50:55.461297,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:208(saf_fetch)
  saf_fetch: failed to find server for "ad.idm.example.com" domain
[2014/05/16 10:50:55.461391,  3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2014/05/16 10:50:55.461480, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:2598(internal_resolve_name)
  internal_resolve_name: looking up ad.idm.example.com#1c (sitename (null))
[2014/05/16 10:50:55.461593,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name ad.idm.example.com#1C found.
[2014/05/16 10:50:55.461788, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1110(remove_duplicate_addrs2)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2014/05/16 10:50:55.461904,  8, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3123(get_dc_list)
  Adding 1 DC's from auto lookup
[2014/05/16 10:50:55.462020,  9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:150(check_negative_conn_cache)
  check_negative_conn_cache returning result -1073741823 for domain ad.idm.example.com server 10.255.0.4
[2014/05/16 10:50:55.462115,  5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3175(get_dc_list)
  get_dc_list: negative entry 10.255.0.4 removed from DC list
[2014/05/16 10:50:55.462200, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:1110(remove_duplicate_addrs2)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2014/05/16 10:50:55.462284,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3239(get_dc_list)
  get_dc_list: returning 0 ip addresses in an ordered list
[2014/05/16 10:50:55.462367,  4, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3240(get_dc_list)
  get_dc_list:
[2014/05/16 10:50:55.462457, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:3456(set_global_winbindd_state_offline)
  set_global_winbindd_state_offline: offline requested.
[2014/05/16 10:50:55.462551, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:3467(set_global_winbindd_state_offline)
  set_global_winbindd_state_offline: rejecting.
[2014/05/16 10:50:55.462634, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:351(set_domain_offline) set_domain_offline: called for domain AD [2014/05/16 10:50:55.462724, 10, pid=3305, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:395(set_domain_offline) set_domain_offline: added event handler for domain AD [2014/05/16 10:50:55.462817, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:75(messaging_tdb_signal_handler) messaging_tdb_signal_handler: sig[10] count[2] msgs[1] [2014/05/16 10:50:55.462923, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:496(message_dispatch) message_dispatch: received_messages = 1 [2014/05/16 10:50:55.463051, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/messages_local.c:242(messaging_tdb_fetch) messaging_tdb_fetch: [2014/05/16 10:50:55.463140, 1, pid=3305, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:245(ndr_print_debug) result: struct messaging_array num_messages : 0x00000002 (2) messages: ARRAY(2) messages: struct messaging_rec msg_version : 0x00000002 (2) msg_type : MSG_DEBUG (1) dest: struct server_id pid : 0x0000000000000ce9 (3305) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0x0000000000000000 (0) src: struct server_id pid : 0x0000000000000c85 (3205) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0x0000000000000000 (0) buf : DATA_BLOB length=3 [0000] 31 31 00 11. messages: struct messaging_rec msg_version : 0x00000002 (2) msg_type : MSG_DEBUG (1) dest: struct server_id pid : 0x0000000000000ce9 (3305) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0x0000000000000000 (0) src: struct server_id pid : 0x0000000000000c85 (3205) task_id : 0x00000000 (0) vnn : 0xffffffff (4294967295) unique_id : 0x0000000000000000 (0) buf : DATA_BLOB length=2 [0000] 31 00 1. 
[2014/05/16 10:50:55.464485, 3, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/debug_s3.c:72(debug_message)
  INFO: Remote set of debug to `11' (pid 3305 from pid 3205)
[2014/05/16 10:50:55.464605, 5, pid=3305, effective(0, 0), real(0, 0)] ../lib/util/debug.c:331(debug_dump_status)

On Fri, May 16, 2014 at 2:18 PM, Sumit Bose wrote:

> On Thu, May 15, 2014 at 11:57:46PM +0530, Supratik Goswami wrote:
> > > Does ipa trust-find and trust-show still show the trust relationship?
> >
> > Yes, it is listing the AD domain.
> >
> > After setting the debug level to 10 I got the below message after running
> > the command "wbinfo -n 'AD\Domain Admins' "
>
> The log.wb-DOMAIN is needed here to identify why winbindd is not able to
> reach the DC.
>
> Have you checked if DNS is still working and can resolve SRV records for
> the AD domain, e.g.
>
> dig SRV _ldap._tcp.AD.DNS.DOMAIN
>
> should return IP addresses for your DCs.
>
> bye,
> Sumit
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Warm Regards
Supratik

From sbose at redhat.com  Fri May 16 13:44:08 2014
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 16 May 2014 15:44:08 +0200
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To:
References: <20140515074440.GB29987@hendrix.redhat.com> <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain>
Message-ID: <20140516134408.GF4640@localhost.localdomain>

On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
> Yes DNS is working fine and is able to return the IP address of the AD
> server.
>
> [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.ad.idm.example.com. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
>
> ;; ADDITIONAL SECTION:
> master.ad.idm.example.com. 3600 IN A 10.255.0.4
>
> ;; Query time: 1 msec
> ;; SERVER: 10.255.0.4#53(10.255.0.4)
> ;; WHEN: Fri May 16 10:46:23 2014
> ;; MSG SIZE rcvd: 106
>
> In my case AD is the netbios name of the AD domain. Please find the log
> message from the file log.wb-AD.
>
> ...
> [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
> [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/util_sock.c:585(open_socket_out_send)
> Connecting to 10.255.0.4 at port 445
> [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
> No nmbd found
> [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/namequery.c:916(name_status_find)
> name_status_find: looking up AD#1c at 10.255.0.4
> [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/namecache.c:299(namecache_status_fetch)
> namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
> [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/util_sock.c:499(open_socket_in)
> bind succeeded on port 0
> [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
> async_connect failed: No such file or directory
> [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
> nmbd not around
> [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750470
> [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/lib/events.c:216(run_events_poll)
> Running timed event "tevent_req_timedout" 0x1750590
> [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/namequery.c:962(name_status_find)
> name_status_find: name not found
> [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0),
> class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
> Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout =
> Fri May 16 10:51:54 2014
> (60 seconds ahead)
> [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
> add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn
> cache
> class=tdb] ../source3/lib/gencache.c:246(gencache_del)
> Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
> [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0),
> class=tdb] ../source3/lib/gencache.c:246(gencache_del)
> Deleting cache entry (key = SAF/DOMAIN/AD)
> [2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0),
> class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
> Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com,10.255.0.4
> and timeout = Fri May 16 10:51:54 2014
> (60 seconds ahead)
> [2014/05/16 10:50:54.456236, 9, pid=3305, effective(0, 0), real(0, 0)]
> ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
> add_failed_connection_entry: added domain ad.idm.example.com (10.255.0.4)
> to failed conn cache
> [2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0),
> class=tdb] ../source3/lib/gencache.c:246(gencache_del)

looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
there a firewall which might drop the packets?
bye,
Sumit

From supratiksekhar at gmail.com  Fri May 16 13:56:39 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Fri, 16 May 2014 19:26:39 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To: <20140516134408.GF4640@localhost.localdomain>
References: <20140515074440.GB29987@hendrix.redhat.com> <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain>
Message-ID:

The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.
I disabled the firewall but still the problem is there :-(

On Fri, May 16, 2014 at 7:14 PM, Sumit Bose wrote:
> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
> > Yes DNS is working fine and is able to return the IP address of the AD
> > server.
> >
> > [...]
>
> looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
> there a firewall which might drop the packets?
>
> bye,
> Sumit

--
Warm Regards
Supratik

From cwhittl at gmail.com  Sat May 17 02:08:41 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Fri, 16 May 2014 21:08:41 -0500
Subject: [Freeipa-users] Theming FreeIPA
Message-ID:

Is there a doc anywhere?

From cwhittl at gmail.com  Sat May 17 02:22:36 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Fri, 16 May 2014 21:22:36 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
Message-ID:

I have an existing key and crt that has been successfully installed on other
subdomain servers... Where is the best place to start?
From cto at sshchicago.org  Sat May 17 14:27:24 2014
From: cto at sshchicago.org (Christopher Swingler)
Date: Sat, 17 May 2014 09:27:24 -0500
Subject: [Freeipa-users] Theming FreeIPA
In-Reply-To:
References:
Message-ID: <7F54E015-01CE-433B-BA23-03D54DB4EF57@sshchicago.org>

Short and to the point, but I have the same question. :)

On May 16, 2014, at 9:08 PM, Chris Whittle wrote:
> Is there a doc anywhere?

From cwhittl at gmail.com  Sat May 17 18:26:44 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Sat, 17 May 2014 13:26:44 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
Message-ID:

Let me be more specific... I just want to use my wildcard SSL for the UI so
that it doesn't give an error when you access it. Anyone done this before?

From simo at redhat.com  Sun May 18 16:31:43 2014
From: simo at redhat.com (Simo Sorce)
Date: Sun, 18 May 2014 12:31:43 -0400
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To:
References:
Message-ID: <1400430703.3833.0.camel@willson.li.ssimo.org>

On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:
> Let me be more specific... I just want to use my wildcard SSL for the UI so
> that it doesn't give an error when you access it. Anyone done this before?

I think this has been posted on the list already, however all you need
to do is to replace the apache certs, they are in a nss database located
in /etc/httpd/alias, you can use certutil to deal with the database.

HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York

From cwhittl at gmail.com  Mon May 19 01:31:38 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Sun, 18 May 2014 20:31:38 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To: <1400430703.3833.0.camel@willson.li.ssimo.org>
References: <1400430703.3833.0.camel@willson.li.ssimo.org>
Message-ID:

Thanks Simo, I'm finding a lot of posts on certs but none that really
tell me what I need to do...
Any more help would be extremely appreciated.

On Sun, May 18, 2014 at 11:31 AM, Simo Sorce wrote:
> On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:
> > Let me be more specific... I just want to use my wildcard SSL for the UI so
> > that it doesn't give an error when you access it. Anyone done this before?
>
> I think this has been posted on the list already, however all you need
> to do is to replace the apache certs, they are in a nss database located
> in /etc/httpd/alias, you can use certutil to deal with the database.
>
> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From cwhittl at gmail.com  Mon May 19 01:40:51 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Sun, 18 May 2014 20:40:51 -0500
Subject: [Freeipa-users] Free IPA and Google Apps
In-Reply-To: <1398435500.2628.489.camel@willson.li.ssimo.org>
References: <535A16C1.6050808@redhat.com> <1398429565.2628.469.camel@willson.li.ssimo.org> <535A6342.8070306@redhat.com> <1398433896.2628.486.camel@willson.li.ssimo.org> <535A6A83.2000306@redhat.com> <1398435500.2628.489.camel@willson.li.ssimo.org>
Message-ID:

Anything new on ipsilon?
On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce wrote:
> On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote:
> > On 04/25/2014 09:51 AM, Simo Sorce wrote:
> > > On Fri, 2014-04-25 at 09:29 -0400, Dmitri Pal wrote:
> > >> On 04/25/2014 08:39 AM, Simo Sorce wrote:
> > >>> On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:
> > >>>> Thanks Martin, I found a few notes on FreeIPA and GADS but most were people
> > >>>> saying not to do it on principle but nothing saying if it's possible or not.
> > >>>>
> > >>>> I like the SAML option, including the mysterious ipsilon (Is there anything
> > >>>> more than the git repo yet?), but wonder how much control it has.
> > >>> At the moment no control at all.
> > >>>
> > >>>> Does it just allow them to SSO using their LDAP credentials?
> > >>> Yes.
> > >>>
> > >>>> If I disable a user in LDAP does it only recognize that during login
> > >>>> or is it smart enough to kill their Google Apps sessions and make them
> > >>>> login again?
> > >>> At the moment no, in future, perhaps we can develop a plugin that will
> > >>> call a SSO logout to the remote applications the user logged into, but
> > >>> this will require the server to be more stateful. This feature is not
> > >>> available in the current code.
> > >>>
> > >>> Simo.
> > >>
> > >> Simo, how much Ipsilon is ready for a POC like this?
> > >> I understand it is probably somewhere between alpha and beta quality but
> > >> it might be a good exercise to try to set it up for a real use case.
> > >> What do you think?
> > > It can be tried, but I need to write some documentation on how to set it
> > > up first :-)
> > >
> > > Simo.
> > >
> > Hint-hint, nudge-nudge :-)
>
> I know, I know.
> I got done with lasso and mod_auth_mellon patches, now I can go back to
> Ipsilon.
>
> If Jan gives me the go, I will cut a first release and start writing
> instructions, file for Fedora packages and all that
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

From cwhittl at gmail.com  Mon May 19 01:58:09 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Sun, 18 May 2014 20:58:09 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To:
References: <1400430703.3833.0.camel@willson.li.ssimo.org>
Message-ID:

Actually is this it?
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

On Sun, May 18, 2014 at 8:31 PM, Chris Whittle wrote:
> Thanks Simo, I'm finding a lot of posts on certs but none that really
> tell me what I need to do...
> Any more help would be extremely appreciated.
>
> On Sun, May 18, 2014 at 11:31 AM, Simo Sorce wrote:
>> On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:
>> > Let me be more specific... I just want to use my wildcard SSL for the
>> > UI so that it doesn't give an error when you access it. Anyone done this before?
>>
>> I think this has been posted on the list already, however all you need
>> to do is to replace the apache certs, they are in a nss database located
>> in /etc/httpd/alias, you can use certutil to deal with the database.
>>
>> HTH,
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

From mkosek at redhat.com  Mon May 19 07:01:18 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 19 May 2014 09:01:18 +0200
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To:
References:
Message-ID: <5379AC3E.8040309@redhat.com>

On 05/17/2014 04:22 AM, Chris Whittle wrote:
> I have an existing key and crt that has been successfully installed on other
> subdomain servers... Where is the best place to start?

To start what? :-) Without knowing what you want to achieve, I would like to
point you to our training presentation describing different FreeIPA Certificate
infrastructure integration procedures:

http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf

I would like to especially point you to the CA-less integration type.

HTH,
Martin

From mkosek at redhat.com  Mon May 19 07:05:56 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 19 May 2014 09:05:56 +0200
Subject: [Freeipa-users] Theming FreeIPA
In-Reply-To: <7F54E015-01CE-433B-BA23-03D54DB4EF57@sshchicago.org>
References: <7F54E015-01CE-433B-BA23-03D54DB4EF57@sshchicago.org>
Message-ID: <5379AD54.4000900@redhat.com>

On 05/17/2014 04:27 PM, Christopher Swingler wrote:
> Short and to the point, but I have the same question. :)
>
> On May 16, 2014, at 9:08 PM, Chris Whittle wrote:
>
>> Is there a doc anywhere?

CC-ing Petr Vobornik to help with that.

You can already achieve some theming with overriding the CSS + utilizing Web UI
plugins we already have in FreeIPA Web UI. Note that Web UI in FreeIPA 4.0 will
change extensively as it migrated to the Patternfly project, I wonder if there
are more theming options then.

Martin

From cwhittl at gmail.com  Mon May 19 10:43:55 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Mon, 19 May 2014 05:43:55 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To: <5379AC3E.8040309@redhat.com>
References: <5379AC3E.8040309@redhat.com>
Message-ID:

All I am trying to fix right now is that when the user comes to the web UI
they have a valid cert.
On May 19, 2014 2:01 AM, "Martin Kosek" wrote:
> On 05/17/2014 04:22 AM, Chris Whittle wrote:
> > I have an existing key and crt that has been successfully installed on other
> > subdomain servers... Where is the best place to start?
>
> To start what? :-) Without knowing what you want to achieve, I would like to
> point you to our training presentation describing different FreeIPA Certificate
> infrastructure integration procedures:
>
> http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf
>
> I would like to especially point you to the CA-less integration type.
>
> HTH,
> Martin

From bret.wortman at damascusgrp.com  Mon May 19 10:51:05 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Mon, 19 May 2014 06:51:05 -0400
Subject: [Freeipa-users] IPA down hard. Kerberos?
Message-ID: <5379E219.6060407@damascusgrp.com>

Happy Monday to me -- I came in this morning to find all 3 of my IPA
replicas are down. When I tried to start one of them, I got this:

[root@ipa1 ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and 'journalctl -xn' for details.
Failed to start krb5kdc Service
Shutting down
Aborting ipactl
[root@ipa1 ~]# systemctl status krb5kdc.service
krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
   Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 EDT; 51s ago
  Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control process exited, code=exited status=1
May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC.
May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered failed state.
May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC.
[root@ipa1 ~]# journalctl -xn
-- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 06:47:03 EDT. --
May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: 2.fedora.pool.ntp.org
May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root from 192.168.2.13 port 42299 ssh2
May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root.
-- Subject: Unit session-5.scope has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-5.scope has begun starting up.
May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of user root.
-- Subject: A new session 5 has been created for user root
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID 5 has been created for the user root.
--
-- The leading process of the session is 1855.
May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root.
-- Subject: Unit session-5.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-5.scope has finished starting up.
--
-- The start-up result is done.
May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server WEDGEOFLI-ME..
-- Subject: Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down.
May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server.
-- Subject: Unit dirsrv.target has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv.target has begun shutting down.
May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory Server.
-- Subject: Unit dirsrv.target has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit dirsrv.target has finished shutting down.
[root@ipa1 ~]#

Any thoughts on where to look next? There's nothing at all logged in /var/log/krb5kdc.log when I try to start it up, and there are so many pieces to this that I'm not sure where to focus my efforts.

Thanks!

--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
From supratiksekhar at gmail.com Mon May 19 10:59:24 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Mon, 19 May 2014 16:29:24 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To:
References: <20140515074440.GB29987@hendrix.redhat.com> <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain>
Message-ID:

Hi

Let me start from the beginning once again. Let me explain to you what steps I followed during the setup.

I am setting up the environment in Amazon AWS, both Windows AD server and Linux IPA configured in EC2. For configuring Windows 2008 I selected Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release Media (ami-8997afe0).

I followed the steps from http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the domain names similar to those in the example.

IPA server hostname: ipaserver
IPA domain: ipadomain.example.com
IPA NetBIOS: IPADOMAIN

AD DC hostname: adserver
AD domain: addomain.example.com
AD NetBIOS: ADDOMAIN

1. Updated the system and installed the packages.

# yum update -y
# yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap

List of important packages installed during the update are as follows.
bind x86_64 32:9.8.2-0.23.rc1.el6_5.1
bind-dyndb-ldap x86_64 2.3-5.el6

ipa-server x86_64 3.0.0-37.el6
ipa-server-trust-ad x86_64 3.0.0-37.el6
ipa-admintools x86_64 3.0.0-37.el6
ipa-client x86_64 3.0.0-37.el6
ipa-pki-ca-theme noarch 9.0.3-7.el6
ipa-pki-common-theme noarch 9.0.3-7.el6
ipa-python x86_64 3.0.0-37.el6
ipa-server-selinux x86_64 3.0.0-37.el6

samba4-client x86_64 4.0.0-61.el6_5.rc4
samba4-winbind x86_64 4.0.0-61.el6_5.rc4
samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4
samba4 x86_64 4.0.0-61.el6_5.rc4
samba4-common x86_64 4.0.0-61.el6_5.rc4
samba4-libs x86_64 4.0.0-61.el6_5.rc4
samba4-python x86_64 4.0.0-61.el6_5.rc4

389-ds-base x86_64 1.2.11.15-32.el6_5
389-ds-base-libs x86_64 1.2.11.15-32.el6_5

certmonger x86_64 0.61-3.el6

krb5-server x86_64 1.10.3-15.el6_5.1
krb5-workstation x86_64 1.10.3-15.el6_5.1

sssd x86_64 1.9.2-129.el6_5.4
sssd-client x86_64 1.9.2-129.el6_5.4

2. System details

[root@ipaserver ~]# hostname
ipaserver.ipadomain.example.com
[root@ipaserver ~]# cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m

[root@ipaserver ~]# uname -a
Linux ipaserver.ipadomain.example.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@ipaserver ~]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.21.0.121 ipaserver.ipadomain.example.com ipaserver

3. Install IPA server

[root@ipaserver ~]# ipa-server-install --domain=ipadomain.example.com --realm=IPADOMAIN.EXAMPLE.COM --setup-dns --no-forwarders

The IPA Master Server will be configured with:
Hostname: ipaserver.ipadomain.example.com
IP address: 10.21.0.121
Domain name: ipadomain.example.com
Realm name: IPADOMAIN.EXAMPLE.COM

BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 0.21.10.in-addr.arpa.
...
...

The install was successful, with no errors during the installation.

4. Login as admin and verify IPA users are available to the system service

[root@ipaserver ~]# kinit admin
Password for admin@IPADOMAIN.EXAMPLE.COM:
[root@ipaserver ~]# id admin
uid=189600000(admin) gid=189600000(admins) groups=189600000(admins)
[root@ipaserver ~]# getent passwd admin
admin:*:189600000:189600000:Administrator:/home/admin:/bin/bash

5. Configure IPA server for cross-realm trust.

[root@ipaserver ~]# ipa-adtrust-install --netbios-name=IPADOMAIN

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server
...
...
All completed successfully.

6. I disabled the firewalls, also during the boot up.

[root@ipaserver ~]# chkconfig --list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

7. DNS configuration

On Windows:

C:\Windows\system32>dnscmd 127.0.0.1 /ZoneAdd ipadomain.example.com /Forwarder 10.21.0.121
DNS Server 127.0.0.1 created zone ipadomain.example.com:
Command completed successfully.

On Linux:

[root@ipaserver ~]# ipa dnszone-add addomain.example.com --name-server=adserver.addomain.example.com --admin-email='hostmaster@addomain.example.com' --force --forwarder=10.21.0.231 --forward-policy=only --ip-address=10.21.0.231
  Zone name: addomain.example.com
  Authoritative nameserver: adserver.addomain.example.com
  Administrator e-mail address: hostmaster.addomain.example.com.
  SOA serial: 1400486308
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPADOMAIN.EXAMPLE.COM krb5-self * A; grant IPADOMAIN.EXAMPLE.COM krb5-self * AAAA; grant IPADOMAIN.EXAMPLE.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 10.21.0.231
  Forward policy: only

Verify DNS configuration:

In Windows AD:-

C:\Windows\system32>nslookup
Default Server: localhost
Address: 127.0.0.1

> set type=SRV
> _ldap._tcp.addomain.example.com
Server: localhost
Address: 127.0.0.1

_ldap._tcp.addomain.example.com SRV service location:
  priority = 0
  weight = 100
  port = 389
  svr hostname = adserver.addomain.example.com
adserver.addomain.example.com internet address = 10.21.0.231
> _ldap._tcp.ipadomain.example.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
_ldap._tcp.ipadomain.example.com SRV service location:
  priority = 0
  weight = 100
  port = 389
  svr hostname = ipaserver.ipadomain.example.com
ipaserver.ipadomain.example.com internet address = 10.21.0.121
> quit

In Linux IPA:-

[root@ipaserver ~]# dig SRV _ldap._tcp.addomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.addomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.addomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.addomain.example.com. 588 IN SRV 0 100 389 adserver.addomain.example.com.

;; ADDITIONAL SECTION:
adserver.addomain.example.com. 3588 IN A 10.21.0.231

;; Query time: 0 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:20 2014
;; MSG SIZE rcvd: 114

[root@ipaserver ~]# dig SRV _ldap._tcp.ipadomain.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ipadomain.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.ipadomain.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.ipadomain.example.com. 86400 IN SRV 0 100 389 ipaserver.ipadomain.example.com.

;; AUTHORITY SECTION:
ipadomain.example.com. 86400 IN NS ipaserver.ipadomain.example.com.

;; ADDITIONAL SECTION:
ipaserver.ipadomain.example.com. 1200 IN A 10.21.0.121

;; Query time: 1 msec
;; SERVER: 10.21.0.121#53(10.21.0.121)
;; WHEN: Mon May 19 08:02:44 2014
;; MSG SIZE rcvd: 131

8. Add trust with AD domain

[root@ipaserver ~]# ipa trust-add --type=ad addomain.example.com --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------------------
Added Active Directory trust for realm "addomain.example.com"
-------------------------------------------------------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

9. Updated Kerberos configuration.
[root@ipaserver ~]# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPADOMAIN.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 IPADOMAIN.EXAMPLE.COM = {
  kdc = ipaserver.ipadomain.example.com:88
  master_kdc = ipaserver.ipadomain.example.com:88
  admin_server = ipaserver.ipadomain.example.com:749
  default_domain = ipadomain.example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  auth_to_local = RULE:[1:$1@$0](^.*@ADDOMAIN.EXAMPLE.COM$)s/@ADDOMAIN.EXAMPLE.COM/@addomain.example.com/
  auth_to_local = DEFAULT
 }

[domain_realm]
 .ipadomain.example.com = IPADOMAIN.EXAMPLE.COM
 ipadomain.example.com = IPADOMAIN.EXAMPLE.COM

[dbmodules]
 IPADOMAIN.EXAMPLE.COM = {
  db_library = ipadb.so
 }

10. Allow AD users to access resources in IPA domain

[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins external map' ad_admins_external --external
--------------------------------
Added group "ad_admins_external"
--------------------------------
  Group name: ad_admins_external
  Description: addomain.example.com admins external map
[root@ipaserver ~]# ipa group-add --desc='addomain.example.com admins' ad_admins
-----------------------
Added group "ad_admins"
-----------------------
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004
[root@ipaserver ~]# ipa group-add-member ad_admins_external --external 'ADDOMAIN\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: addomain.example.com admins external map
  External member: S-1-5-21-2212595442-2951398754-4232868618-512
-------------------------
Number of members added 1
-------------------------
[root@ipaserver ~]# ipa group-add-member ad_admins --groups ad_admins_external
  Group name: ad_admins
  Description: addomain.example.com admins
  GID: 189600004
  Member groups: ad_admins_external
-------------------------
Number of members added 1
-------------------------

11. Verifying trust

[root@ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root@ipaserver ~]# wbinfo -u
[root@ipaserver ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@ipaserver ~]# ipa trust-show
Realm name: ADDOMAIN.EXAMPLE.COM
  Realm name: addomain.example.com
  Domain NetBIOS name: ADDOMAIN
  Domain Security Identifier: S-1-5-21-2212595442-2951398754-4232868618
  Trust direction: Two-way trust
  Trust type: Active Directory domain

Please note the error message while verifying trust. I am stuck completely and do not have any clue as to why the setup is not working as expected.

Any help in fixing this problem would be appreciated.

On Fri, May 16, 2014 at 7:26 PM, Supratik Goswami wrote:
> The IP 10.255.0.4 belongs to the Windows 2008 R2 system running AD DC.
> I disabled the firewall but still the problem is there :-(
>
>
> On Fri, May 16, 2014 at 7:14 PM, Sumit Bose wrote:
>
>> On Fri, May 16, 2014 at 04:29:33PM +0530, Supratik Goswami wrote:
>> > Yes DNS is working fine and is able to return the IP address of the AD
>> > server.
>> >
>> > [root@master samba]# dig SRV _ldap._tcp.ad.idm.example.com
>> >
>> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.ad.idm.example.com
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29147
>> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> >
>> > ;; QUESTION SECTION:
>> > ;_ldap._tcp.ad.idm.example.com. IN SRV
>> >
>> > ;; ANSWER SECTION:
>> > _ldap._tcp.ad.idm.example.com. 600 IN SRV 0 100 389 master.ad.idm.example.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > master.ad.idm.example.com. 3600 IN A 10.255.0.4
>> >
>> > ;; Query time: 1 msec
>> > ;; SERVER: 10.255.0.4#53(10.255.0.4)
>> > ;; WHEN: Fri May 16 10:46:23 2014
>> > ;; MSG SIZE rcvd: 106
>> >
>> >
>> > In my case AD is the netbios name of the AD domain. Please find the log
>> > message from the file log.wb-AD.
>> >
>>
>> ...
>>
>> > [2014/05/16 10:50:37.542420, 5, pid=3305, effective(0, 0), real(0, 0)]
>> > [2014/05/16 10:50:44.451669, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>> >   Connecting to 10.255.0.4 at port 445
>> > [2014/05/16 10:50:44.452793, 3, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/clidgram.c:333(nbt_getdc_send)
>> >   No nmbd found
>> > [2014/05/16 10:50:44.452930, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:916(name_status_find)
>> >   name_status_find: looking up AD#1c at 10.255.0.4
>> > [2014/05/16 10:50:44.453044, 5, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namecache.c:299(namecache_status_fetch)
>> >   namecache_status_fetch: no entry for NBT/AD#1C.20.10.255.0.4 found.
>> > [2014/05/16 10:50:44.453279, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:499(open_socket_in)
>> >   bind succeeded on port 0
>> > [2014/05/16 10:50:44.453449, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/unexpected.c:546(nb_packet_reader_connected)
>> >   async_connect failed: No such file or directory
>> > [2014/05/16 10:50:44.453564, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:600(nb_trans_got_reader)
>> >   nmbd not around
>> > [2014/05/16 10:50:45.454766, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:46.456103, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:47.457451, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:48.458773, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:49.460093, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:50.461420, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:51.462723, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:52.464265, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:53.465546, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750470
>> > [2014/05/16 10:50:54.455168, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/lib/events.c:216(run_events_poll)
>> >   Running timed event "tevent_req_timedout" 0x1750590
>> > [2014/05/16 10:50:54.455385, 10, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:962(name_status_find)
>> >   name_status_find: name not found
>> > [2014/05/16 10:50:54.455497, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/AD,10.255.0.4 and timeout = Fri May 16 10:51:54 2014
>> >   (60 seconds ahead)
>> > [2014/05/16 10:50:54.455739, 9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain AD (10.255.0.4) to failed conn cache
>>
>> > class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAFJOIN/DOMAIN/AD)
>> > [2014/05/16 10:50:54.455967, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>> >   Deleting cache entry (key = SAF/DOMAIN/AD)
>> > [2014/05/16 10:50:54.456078, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:179(gencache_set_data_blob)
>> >   Adding cache entry with key = NEG_CONN_CACHE/ad.idm.example.com,10.255.0.4 and timeout = Fri May 16 10:51:54 2014
>> >   (60 seconds ahead)
>> > [2014/05/16 10:50:54.456236, 9, pid=3305, effective(0, 0), real(0, 0)] ../source3/libsmb/conncache.c:189(add_failed_connection_entry)
>> >   add_failed_connection_entry: added domain ad.idm.example.com(10.255.0.4) to failed conn cache
>> > [2014/05/16 10:50:54.456330, 10, pid=3305, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:246(gencache_del)
>>
>> looks like the connection to 10.255.0.4 timed out after 10 seconds. Is
>> there a firewall which might drop the packets?
>>
>> bye,
>> Sumit
>>
>
>
>
> --
> Warm Regards
>
> Supratik
>

--
Warm Regards

Supratik

From sbose at redhat.com Mon May 19 11:15:29 2014
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 19 May 2014 13:15:29 +0200
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To:
References: <20140515074440.GB29987@hendrix.redhat.com> <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain>
Message-ID: <20140519111529.GP4640@localhost.localdomain>

On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
> Hi
>
> Let me start from the beginning once again. Let me explain you what steps I
> followed during the setup.
>
> I am setting up the environment in Amazon AWS, both Windows AD server and
> Linux IPA configured in EC2.
> For configuring Windows 2008 I selected
> Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
> and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release
> Media (ami-8997afe0).
>
> I followed the steps from
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the
> domain names
> similar as in the example.
>
> IPA server hostname: ipaserver
> IPA domain: ipadomain.example.com
> IPA NetBIOS: IPADOMAIN
>
> AD DC hostname: adserver
> AD domain: addomain.example.com
> AD NetBIOS: ADDOMAIN
>
>
> 1. Updated the system and install the packages.
>
> # yum update -y
> # yum install -y "*ipa-server" "*ipa-server-trust-ad"
> samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>
> List of important packages installed during the update are as follows.
>
> bind x86_64 32:9.8.2-0.23.rc1.el6_5.1
> bind-dyndb-ldap x86_64 2.3-5.el6
>
> ipa-server x86_64 3.0.0-37.el6
> ipa-server-trust-ad x86_64 3.0.0-37.el6
> ipa-admintools x86_64 3.0.0-37.el6
> ipa-client x86_64 3.0.0-37.el6
> ipa-pki-ca-theme noarch 9.0.3-7.el6
> ipa-pki-common-theme noarch 9.0.3-7.el6
> ipa-python x86_64 3.0.0-37.el6
> ipa-server-selinux x86_64 3.0.0-37.el6
>
> samba4-client x86_64 4.0.0-61.el6_5.rc4
> samba4-winbind x86_64 4.0.0-61.el6_5.rc4
> samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4
> samba4 x86_64 4.0.0-61.el6_5.rc4
> samba4-common x86_64 4.0.0-61.el6_5.rc4
> samba4-libs x86_64 4.0.0-61.el6_5.rc4
> samba4-python x86_64 4.0.0-61.el6_5.rc4

ah, sorry, I think this might be a known issue, but I got on a wrong track because I thought it was working initially and only failed after reboot. Please try to set "client min protocol" and "client max protocol" in the samba configuration:

net conf setparm global "client min protocol" smb2_02
net conf setparm global "client max protocol" smb2_02

restart winbind and try again.

HTH

bye,
Sumit

>
> 389-ds-base x86_64 1.2.11.15-32.el6_5
> 389-ds-base-libs x86_64 1.2.11.15-32.el6_5
>
> certmonger x86_64 0.61-3.el6
>
> krb5-server x86_64 1.10.3-15.el6_5.1
> krb5-workstation x86_64 1.10.3-15.el6_5.1
>
> sssd x86_64 1.9.2-129.el6_5.4
> sssd-client x86_64 1.9.2-129.el6_5.4
>
>

From bret.wortman at damascusgrp.com Mon May 19 11:19:10 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Mon, 19 May 2014 07:19:10 -0400
Subject: [Freeipa-users] IPA down hard. Kerberos?
In-Reply-To: <5379E219.6060407@damascusgrp.com>
References: <5379E219.6060407@damascusgrp.com>
Message-ID: <5379E8AE.8010307@damascusgrp.com>

For completeness:

[root@ipa1 ~]# rpm -qa | grep ipa
libipa_hbac-python-1.11.5.1-1.fc20.x86_64
python-iniparse-0.4-9.fc20.noarch
libipa_hbac-1.11.5.1-1.fc20.x86_64
freeipa-python-3.3.5-1.fc20.x86_64
freeipa-admintools-3.3.5-1.fc20.x86_64
freeipa-server-3.3.5-1.fc20.x86_64
sssd-ipa-1.11.5.1-1.fc20.x86_64
freeipa-client-3.3.5-1.fc20.x86_64
[root@ipa1 ~]# rpm -qa | grep krb
krb5-libs-1.11.5-5.fc20.x86_64
pam_krb5-2.4.8-1.fc20.x86_64
sssd-krb5-1.11.5.1-1.fc20.x86_64
krb5-pkinit-1.11.5-5.fc20.x86_64
krb5-workstation-1.11.5-5.fc20.x86_64
python-krbV-1.0.90-7.fc20.x86_64
krb5-server-1.11.5-5.fc20.x86_64
sssd-krb5-common-1.11.5.1-1.fc20.x86_64
[root@ipa1 ~]# rpm -qa | grep 389
389-ds-base-libs-1.3.2.16-1.fc20.x86_64
389-ds-base-1.3.2.16-1.fc20.x86_64
[root@ipa1 ~]#

On 05/19/2014 06:51 AM, Bret Wortman wrote:
> Happy Monday to me -- I came in this morning to find all 3 of my IPA
> replicas are down. When I tried to start one of them, I got this:
>
> [root@ipa1 ~]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding
> Starting Directory Service
> Starting krb5kdc Service
> Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service'
> and 'journalctl -xn' for details.
> Failed to start krb5kdc Service
> Shutting down
> Aborting ipactl
> [root@ipa1 ~]# systemctl status krb5kdc.service
> krb5kdc.service - Kerberos 5 KDC
>    Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled)
>    Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 EDT; 51s ago
>   Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)
>
> May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control process exited, code=exited status=1
> May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC.
> May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered failed state.
> May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC.
> [root@ipa1 ~]# journalctl -xn
> -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 06:47:03 EDT. --
> May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: 2.fedora.pool.ntp.org
> May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1
> May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root from 192.168.2.13 port 42299 ssh2
> May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root.
> -- Subject: Unit session-5.scope has begun with start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit session-5.scope has begun starting up.
> May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of user root.
> -- Subject: A new session 5 has been created for user root
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
> --
> -- A new session with the ID 5 has been created for the user root.
> --
> -- The leading process of the session is 1855.
> May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root.
> -- Subject: Unit session-5.scope has finished start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit session-5.scope has finished starting up.
> --
> -- The start-up result is done.
> May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): session opened for user root by (uid=0)
> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server WEDGEOFLI-ME..
> -- Subject: Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit dirsrv@WEDGEOFLI-ME.service has finished shutting down.
> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server.
> -- Subject: Unit dirsrv.target has begun shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit dirsrv.target has begun shutting down.
> May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory Server.
> -- Subject: Unit dirsrv.target has finished shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit dirsrv.target has finished shutting down.
> [root@ipa1 ~]#
>
> Any thoughts on where to look next? There's nothing at all logged in
> /var/log/krb5kdc.log when I try to start it up, and there are so many
> pieces to this that I'm not sure where to focus my efforts.
>
> Thanks!
>
>
> --
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
From pvoborni at redhat.com Mon May 19 11:30:51 2014
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 19 May 2014 13:30:51 +0200
Subject: [Freeipa-users] Theming FreeIPA
In-Reply-To: <5379AD54.4000900@redhat.com>
References: <7F54E015-01CE-433B-BA23-03D54DB4EF57@sshchicago.org> <5379AD54.4000900@redhat.com>
Message-ID: <5379EB6B.6080700@redhat.com>

On 19.5.2014 09:05, Martin Kosek wrote:
> On 05/17/2014 04:27 PM, Christopher Swingler wrote:
>> Short and to the point, but I have the same question. :)
>>
>>
>> On May 16, 2014, at 9:08 PM, Chris Whittle wrote:
>>
>>> Is there a doc anywhere?
>
> CC-ing Petr Vobornik to help with that. You can already achieve some theming
> with overriding the CSS + utilizing Web UI plugins we already have in FreeIPA
> Web UI. Note that Web UI in FreeIPA 4.0 will change extensively as it
> migrated to Patternfly project, I wonder if there are more theming options then.
>
> Martin
>

FreeIPA doesn't have official theming support. But, as Martin mentioned, you can do some theming.

Up to version 3.2 the only option was to change CSS files and images in /usr/share/ipa/ui. Obviously this method is not ideal since it won't survive an rpm update.

Since version 3.2 it's possible to create a UI plugin [1] which would load additional CSS with override rules. This method is suitable only for minor theming - it's not very comfortable to create override rules for half of the application.

PatternFly [2] will be used in FreeIPA 4.1; an example of the current development version: [3]. PatternFly is based on Bootstrap 3, which is probably the most used frontend framework -> people are familiar with Bootstrap theming.

To speed up (start) development of proper theming support I suggest you create a new [RFE] ticket [4].

It would also help us to know what parts of the application you want to theme, i.e., just logos and background?
[1] http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
[2] https://www.patternfly.org/
[3] http://pvoborni.fedorapeople.org/ui/
[4] https://fedorahosted.org/freeipa/newticket
--
Petr Vobornik

From cwhittl at gmail.com Mon May 19 11:35:01 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Mon, 19 May 2014 06:35:01 -0500
Subject: [Freeipa-users] Theming FreeIPA
In-Reply-To: <5379EB6B.6080700@redhat.com>
References: <7F54E015-01CE-433B-BA23-03D54DB4EF57@sshchicago.org> <5379AD54.4000900@redhat.com> <5379EB6B.6080700@redhat.com>
Message-ID:

I'm mostly interested in making it responsive, and logos, colors and such. So it sounds like I'll be covered in 4.

On May 19, 2014 6:30 AM, "Petr Vobornik" wrote:
> On 19.5.2014 09:05, Martin Kosek wrote:
>
>> On 05/17/2014 04:27 PM, Christopher Swingler wrote:
>>
>>> Short and to the point, but I have the same question. :)
>>>
>>>
>>> On May 16, 2014, at 9:08 PM, Chris Whittle wrote:
>>>
>>>> Is there a doc anywhere?
>>>
>>
>> CC-ing Petr Vobornik to help with that. You can already achieve some
>> theming
>> with overriding the CSS + utilizing Web UI plugins we already have in
>> FreeIPA
>> Web UI. Note that Web UI in FreeIPA 4.0 will change extensively as it
>> migrated to Patternfly project, I wonder if there are more theming
>> options then.
>>
>> Martin
>>
>>
> FreeIPA doesn't have an official theming support. But, as Martin
> mentioned, you can do some theming.
>
> Up to version 3.2 the only option was to change css files and images in
> /usr/share/ipa/ui Obviously this method is not ideal since it won't survive
> rpm update.
>
> Since version 3.2 it's possible to create a UI plugin [1] which would load
> additional css with override rules. This method is suitable only for minor
> theming - it's not very comfortable to create override rules for half of
> the application.
>
> PatternFly [2] will be used in FreeIPA 4.1, example of current development
> version: [3].
> PatternFly is based on Bootstrap 3 which is probably the most
> used frontend framework -> people are familiar with Bootstrap theming.
>
> To speed up(start) development of proper theming support I suggest you
> create a new [RFE] ticket [4].
>
> It would also help us to know what parts of the application you want to
> theme, i.e., just logos and background?
>
> [1] http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
> [2] https://www.patternfly.org/
> [3] http://pvoborni.fedorapeople.org/ui/
> [4] https://fedorahosted.org/freeipa/newticket
> --
> Petr Vobornik
>

From supratiksekhar at gmail.com Mon May 19 12:10:49 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Mon, 19 May 2014 17:40:49 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To: <20140519111529.GP4640@localhost.localdomain>
References: <20140515074440.GB29987@hendrix.redhat.com> <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain>
Message-ID:

Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself.

Still failing after running the commands.

[root at ipaserver ~]# net conf setparm global "client min protocol" smb2_02
[root at ipaserver ~]# net conf setparm global "client max protocol" smb2_02
[root at ipaserver ~]# service winbind restart
Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]
[root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADDOMAIN\Domain Admins
[root at ipaserver ~]# wbinfo -u
[root at ipaserver ~]#

The issue is reproducible every time if anyone follows the steps as I have done.
On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote: > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: > > Hi > > > > Let me start from the beginning once again. Let me explain you what > steps I > > followed during the setup. > > > > I am setting up the environment in Amazon AWS, both Windows AD server and > > Linux IPA configured in EC2. > > For configuring Windows 2008 I selected > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release > > Media (ami-8997afe0). > > > > I followed the steps from > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the > > domain names > > similar as in the example. > > > > IPA server hostname: ipaserver > > IPA domain: ipadomain.example.com > > IPA NetBIOS: IPADOMAIN > > > > AD DC hostname: adserver > > AD domain: addomain.example.com > > AD NetBIOS: ADDOMAIN > > > > > > 1. Updated the system and install the packages. > > > > # yum update -y > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" > > samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap > > > > List of important packages installed during the update are as follows. 
> > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1 > > bind-dyndb-ldap x86_64 2.3-5.el6 > > > > ipa-server x86_64 3.0.0-37.el6 > > ipa-server-trust-ad x86_64 3.0.0-37.el6 > > ipa-admintools x86_64 3.0.0-37.el6 > > ipa-client x86_64 3.0.0-37.el6 > > ipa-pki-ca-theme noarch 9.0.3-7.el6 > > ipa-pki-common-theme noarch 9.0.3-7.el6 > > ipa-python x86_64 3.0.0-37.el6 > > ipa-server-selinux x86_64 3.0.0-37.el6 > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4 > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4 > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4 > > samba4 x86_64 4.0.0-61.el6_5.rc4 > > samba4-common x86_64 4.0.0-61.el6_5.rc4 > > samba4-libs x86_64 4.0.0-61.el6_5.rc4 > > samba4-python x86_64 4.0.0-61.el6_5.rc4 > > ah, sorry, I this might be a known issue, but I got on a wrong track > because I thought it was working initially and only failed after reboot. > > Please try to set "client min protocol" and "client max protocol" in the > samba configuration: > > net conf setparm global "client min protocol" smb2_02 > net conf setparm global "client max protocol" smb2_02 > > restart winbind and try again. > > HTH > > bye, > Sumit > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5 > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5 > > > > certmonger x86_64 0.61-3.el6 > > > > krb5-server x86_64 1.10.3-15.el6_5.1 > > krb5-workstation x86_64 1.10.3-15.el6_5.1 > > > > sssd x86_64 1.9.2-129.el6_5.4 > > sssd-client x86_64 1.9.2-129.el6_5.4 > > > > > > > -- Warm Regards Supratik -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Mon May 19 12:15:28 2014 From: simo at redhat.com (Simo Sorce) Date: Mon, 19 May 2014 08:15:28 -0400 Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement? In-Reply-To: References: <1400430703.3833.0.camel@willson.li.ssimo.org> Message-ID: <1400501728.3833.5.camel@willson.li.ssimo.org> On Sun, 2014-05-18 at 20:58 -0500, Chris Whittle wrote: > Actually is this it? 
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP I think so, yeah. Simo. > On Sun, May 18, 2014 at 8:31 PM, Chris Whittle wrote: > > > Thanks Simo, I'm finding a lot of posts on certs but none that really > > tells me what I need to do... > > Any more help would be extremely appreciated. > > > > > > On Sun, May 18, 2014 at 11:31 AM, Simo Sorce wrote: > > > >> On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote: > >> > Let me be more specific... I just want to use my wildcard ssl for the > >> UI so > >> > that it doesn't give an error we you access it, anyone done this before? > >> > >> I think this has been posted on the list already, however all you need > >> to do is to replace the apache certs, they are in a nss database located > >> in /etc/httpd/alias, you can use certutil to deal with the database. > >> > >> HTH, > >> Simo. > >> > >> -- > >> Simo Sorce * Red Hat, Inc * New York > >> > >> > > -- Simo Sorce * Red Hat, Inc * New York From simo at redhat.com Mon May 19 12:16:14 2014 From: simo at redhat.com (Simo Sorce) Date: Mon, 19 May 2014 08:16:14 -0400 Subject: [Freeipa-users] Free IPA and Google Apps In-Reply-To: References: <535A16C1.6050808@redhat.com> <1398429565.2628.469.camel@willson.li.ssimo.org> <535A6342.8070306@redhat.com> <1398433896.2628.486.camel@willson.li.ssimo.org> <535A6A83.2000306@redhat.com> <1398435500.2628.489.camel@willson.li.ssimo.org> Message-ID: <1400501774.3833.6.camel@willson.li.ssimo.org> On Sun, 2014-05-18 at 20:40 -0500, Chris Whittle wrote: > Anything new on ipsilon? I released 0.2.3: https://fedorahosted.org/ipsilon/ It is still a bit rough on the edges, but can be used. Simo. 
> On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce wrote: > > > On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote: > > > On 04/25/2014 09:51 AM, Simo Sorce wrote: > > > > On Fri, 2014-04-25 at 09:29 -0400, Dmitri Pal wrote: > > > >> On 04/25/2014 08:39 AM, Simo Sorce wrote: > > > >>> On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote: > > > >>>> Thanks Martin, I found a few notes on FreeIPA and GADS but most > > were people > > > >>>> saying not to do it on principal but nothing saying if it's > > possible or not. > > > >>>> > > > >>>> I like the SAML option, including the mysterious ipsilon (Is there > > anything > > > >>>> more than the git repo yet?), but wonder how much control it has. > > > >>> At the moment no control at all. > > > >>> > > > >>>> Does it just allow them to SSO using their LDAP credentials? > > > >>> Yes. > > > >>> > > > >>>> If I disable a user in LDAP does it only recognize that only during > > login > > > >>>> or is it smart enough to kill their Google Apps sessions and make > > them > > > >>>> login again? > > > >>> At the moment no, in future, perhaps we can develop a plugin that > > will > > > >>> call a SSO logout to the remote applications the user logged into, > > but > > > >>> this will require the server to be more stateful. This feature is not > > > >>> available in the current code. > > > >>> > > > >>> Simo. > > > >>> > > > >>> > > > >>> _______________________________________________ > > > >>> Freeipa-users mailing list > > > >>> Freeipa-users at redhat.com > > > >>> https://www.redhat.com/mailman/listinfo/freeipa-users > > > >> > > > >> Simo, how much Ipsilon is ready for a POC like this? > > > >> I understand it is probably somewhere between alpha and beta quality > > but > > > >> it might be a good exercise to try to set it up for a real use case. > > > >> What do you think? > > > > It can be tried, but I need to write some documentation on how to set > > it > > > > up first :-) > > > > > > > > Simo. 
> > > > > > > Hint-hint, nudge-nudge :-) > > > > I know, I know. > > I got done with lasso and mod_auth_mellon patches, now I can go back to > > Ipsilon. > > > > If Jan gives me the go, I will cut a first release and start writing > > instruction, file for Fedora packages and all that > > > > Simo. > > > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users at redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Simo Sorce * Red Hat, Inc * New York From bret.wortman at damascusgrp.com Mon May 19 12:52:08 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Mon, 19 May 2014 08:52:08 -0400 Subject: [Freeipa-users] IPA down hard. Kerberos? In-Reply-To: <5379E219.6060407@damascusgrp.com> References: <5379E219.6060407@damascusgrp.com> Message-ID: <5379FE78.7080303@damascusgrp.com> Okay, it looks like our /etc/krb5.conf file got overwritten by an overeager Puppet module that shouldn't have affected an IPA server but did. Can someone provide some guidance as to what this file is supposed to look like on an IPA server named "ipa1.foo.net" since ours is obviously completely wrong and I don't have an unadulterated server to look at for comparison? Thanks. Bret On 05/19/2014 06:51 AM, Bret Wortman wrote: > Happy Monday to me -- I came in this morning to find all 3 of my IPA > replicas are down. When I tried to start one of them, I got this: > > [root at ipa1 ~]# ipactl start > Existing service file detected! > Assuming stale, cleaning and proceeding > Starting Directory Service > Starting krb5kdc Service > Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' > and 'journalctl -xn' for details. 
> Failed to start krb5kdc Service > Shutting down > Aborting ipactl > [root at ipa1 ~]# systemctl status krb5kdc.service > krb5kdc.service - Kerberos 5 KDC > Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled) > Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 > EDT; 51s ago > Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid > $KRB5KDC_ARGS (code=exited, status=1/FAILURE) > > May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control > process exited, code=exited status=1 > May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC. > May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered > failed state. > May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC. > [root at ipa1 ~]# journalctl -xn > -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 > 06:47:03 EDT. -- > May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: > 2.fedora.pool.ntp.org > May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand > /usr/bin/sss_ssh_authorizedkeys returned status 1 > May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root > from 192.168.2.13 port 42299 ssh2 > May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root. > -- Subject: Unit session-5.scope has begun with start-up > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit session-5.scope has begun starting up. > May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of > user root. > -- Subject: A new session 5 has been created for user root > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- Documentation: > http://www.freedesktop.org/wiki/Software/systemd/multiseat > -- > -- A new session with the ID 5 has been created for the user root. > -- > -- The leading process of the session is 1855. 
> May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root. > -- Subject: Unit session-5.scope has finished start-up > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit session-5.scope has finished starting up. > -- > -- The start-up result is done. > May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): > session opened for user root by (uid=0) > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server > WEDGEOFLI-ME.. > -- Subject: Unit dirsrv at WEDGEOFLI-ME.service has finished shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv at WEDGEOFLI-ME.service has finished shutting down. > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server. > -- Subject: Unit dirsrv.target has begun shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv.target has begun shutting down. > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory > Server. > -- Subject: Unit dirsrv.target has finished shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv.target has finished shutting down. > [root at ipa1 ~]# > > Any thoughts on where to look next? There's nothing at all logged in > /var/log/krb5kdc.log when I try to start it up, and there are so many > pieces to this that I'm not sure where to focus my efforts. > > Thanks! > > > -- > *Bret Wortman* > > http://damascusgrp.com/ > http://about.me/wortmanbret > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... 
From szymon.jazy at gmail.com Mon May 19 12:58:52 2014
From: szymon.jazy at gmail.com (Szymon Jazy)
Date: Mon, 19 May 2014 14:58:52 +0200
Subject: [Freeipa-users] IPA down hard. Kerberos?
In-Reply-To: <5379FE78.7080303@damascusgrp.com>
References: <5379E219.6060407@damascusgrp.com> <5379FE78.7080303@damascusgrp.com>
Message-ID:

sth like:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN = {
  kdc = ipa1.foo.net:88
  master_kdc = ipa1.foo.net:88
  admin_server = ipa1.foo.net:749
  default_domain = domain
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .domain = DOMAIN
 domain = DOMAIN

[dbmodules]
 DOMAIN = {
  db_library = ipadb.so
 }

Szymon

2014-05-19 14:52 GMT+02:00 Bret Wortman :
> Okay, it looks like our /etc/krb5.conf file got overwritten by an
> overeager Puppet module that shouldn't have affected an IPA server but did.
>
> Can someone provide some guidance as to what this file is supposed to look
> like on an IPA server named "ipa1.foo.net" since ours is obviously
> completely wrong and I don't have an unadulterated server to look at for
> comparison? Thanks.
>
> Bret
>
> On 05/19/2014 06:51 AM, Bret Wortman wrote:
>
> Happy Monday to me -- I came in this morning to find all 3 of my IPA
> replicas are down. When I tried to start one of them, I got this:
>
> [root at ipa1 ~]# ipactl start
> Existing service file detected!
> Assuming stale, cleaning and proceeding > Starting Directory Service > Starting krb5kdc Service > Job for krb5kdc.service failed. See 'systemctl status krb5kdc.service' and > 'journalctl -xn' for details. > Failed to start krb5kdc Service > Shutting down > Aborting ipactl > [root at ipa1 ~]# systemctl status krb5kdc.service > krb5kdc.service - Kerberos 5 KDC > Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled) > Active: failed (Result: exit-code) since Mon 2014-05-19 06:46:24 EDT; > 51s ago > Process: 1835 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid > $KRB5KDC_ARGS (code=exited, status=1/FAILURE) > > May 19 06:46:24 ipa1.foo.net systemd[1]: krb5kdc.service: control process > exited, code=exited status=1 > May 19 06:46:24 ipa1.foo.net systemd[1]: Failed to start Kerberos 5 KDC. > May 19 06:46:24 ipa1.foo.net systemd[1]: Unit krb5kdc.service entered > failed state. > May 19 06:46:24 ipa1.foo.net systemd[1]: Stopped Kerberos 5 KDC. > [root at ipa1 ~]# journalctl -xn > -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon 2014-05-19 > 06:47:03 EDT. -- > May 19 06:46:42 ipa1.foo.net ntpd_intres[526]: host name not found: > 2.fedora.pool.ntp.org > May 19 06:46:58 ipa1.foo.net sshd[1855]: error: AuthorizedKeysCommand > /usr/bin/sss_ssh_authorizedkeys returned status 1 > May 19 06:47:00 ipa1.foo.net sshd[1855]: Accepted password for root from > 192.168.2.13 port 42299 ssh2 > May 19 06:47:00 ipa1.foo.net systemd[1]: Starting Session 5 of user root. > -- Subject: Unit session-5.scope has begun with start-up > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit session-5.scope has begun starting up. > May 19 06:47:00 ipa1.foo.net systemd-logind[495]: New session 5 of user > root. 
> -- Subject: A new session 5 has been created for user root > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- Documentation: > http://www.freedesktop.org/wiki/Software/systemd/multiseat > -- > -- A new session with the ID 5 has been created for the user root. > -- > -- The leading process of the session is 1855. > May 19 06:47:00 ipa1.foo.net systemd[1]: Started Session 5 of user root. > -- Subject: Unit session-5.scope has finished start-up > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit session-5.scope has finished starting up. > -- > -- The start-up result is done. > May 19 06:47:00 ipa1.foo.net sshd[1855]: pam_unix(sshd:session): session > opened for user root by (uid=0) > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped 389 Directory Server > WEDGEOFLI-ME.. > -- Subject: Unit dirsrv at WEDGEOFLI-ME.service has finished shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv at WEDGEOFLI-ME.service has finished shutting down. > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopping 389 Directory Server. > -- Subject: Unit dirsrv.target has begun shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv.target has begun shutting down. > May 19 06:47:03 ipa1.foo.net systemd[1]: Stopped target 389 Directory > Server. > -- Subject: Unit dirsrv.target has finished shutting down > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Unit dirsrv.target has finished shutting down. > [root at ipa1 ~]# > > Any thoughts on where to look next? There's nothing at all logged in > /var/log/krb5kdc.log when I try to start it up, and there are so many > pieces to this that I'm not sure where to focus my efforts. > > Thanks! 
> > > -- > *Bret Wortman* > > http://damascusgrp.com/ > http://about.me/wortmanbret > > > > _______________________________________________ > Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 28526 bytes Desc: not available URL: From bret.wortman at damascusgrp.com Mon May 19 13:01:07 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Mon, 19 May 2014 09:01:07 -0400 Subject: [Freeipa-users] IPA down hard. Kerberos? In-Reply-To: References: <5379E219.6060407@damascusgrp.com> <5379FE78.7080303@damascusgrp.com> Message-ID: <537A0093.4060102@damascusgrp.com> Yep, it was that [dbmodules] section that bit us. Thanks! On 05/19/2014 08:58 AM, Szymon Jazy wrote: > sth like: > > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > default_realm = DOMAIN > dns_lookup_realm = false > dns_lookup_kdc = true > rdns = false > ticket_lifetime = 24h > forwardable = yes > > [realms] > DOMAIN = { > kdc = ipa1.foo.net:88 > master_kdc = ipa1.foo.net:88 > admin_server = ipa1.foo.net:749 > default_domain = domain > pkinit_anchors = FILE:/etc/ipa/ca.crt > } > > [domain_realm] > .domain = DOMAIN > domain = DOMAIN > > [dbmodules] > DOMAIN = { > db_library = ipadb.so > } > > > Szymon > > 2014-05-19 14:52 GMT+02:00 Bret Wortman >: > > Okay, it looks like our /etc/krb5.conf file got overwritten by an > overeager Puppet module that shouldn't have affected an IPA server > but did. 
> > Can someone provide some guidance as to what this file is supposed > to look like on an IPA server named "ipa1.foo.net > " since ours is obviously completely wrong > and I don't have an unadulterated server to look at for > comparison? Thanks. > > > Bret > > On 05/19/2014 06:51 AM, Bret Wortman wrote: >> Happy Monday to me -- I came in this morning to find all 3 of my >> IPA replicas are down. When I tried to start one of them, I got this: >> >> [root at ipa1 ~]# ipactl start >> Existing service file detected! >> Assuming stale, cleaning and proceeding >> Starting Directory Service >> Starting krb5kdc Service >> Job for krb5kdc.service failed. See 'systemctl status >> krb5kdc.service' and 'journalctl -xn' for details. >> Failed to start krb5kdc Service >> Shutting down >> Aborting ipactl >> [root at ipa1 ~]# systemctl status krb5kdc.service >> krb5kdc.service - Kerberos 5 KDC >> Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled) >> Active: failed (Result: exit-code) since Mon 2014-05-19 >> 06:46:24 EDT; 51s ago >> Process: 1835 ExecStart=/usr/sbin/krb5kdc -P >> /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE) >> >> May 19 06:46:24 ipa1.foo.net systemd[1]: >> krb5kdc.service: control process exited, code=exited status=1 >> May 19 06:46:24 ipa1.foo.net systemd[1]: >> Failed to start Kerberos 5 KDC. >> May 19 06:46:24 ipa1.foo.net systemd[1]: >> Unit krb5kdc.service entered failed state. >> May 19 06:46:24 ipa1.foo.net systemd[1]: >> Stopped Kerberos 5 KDC. >> [root at ipa1 ~]# journalctl -xn >> -- Logs begin at Tue 2014-05-13 09:50:44 EDT, end at Mon >> 2014-05-19 06:47:03 EDT. 
-- >> May 19 06:46:42 ipa1.foo.net >> ntpd_intres[526]: host name not found: 2.fedora.pool.ntp.org >> >> May 19 06:46:58 ipa1.foo.net sshd[1855]: >> error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys >> returned status 1 >> May 19 06:47:00 ipa1.foo.net sshd[1855]: >> Accepted password for root from 192.168.2.13 port 42299 ssh2 >> May 19 06:47:00 ipa1.foo.net systemd[1]: >> Starting Session 5 of user root. >> -- Subject: Unit session-5.scope has begun with start-up >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- >> -- Unit session-5.scope has begun starting up. >> May 19 06:47:00 ipa1.foo.net >> systemd-logind[495]: New session 5 of user root. >> -- Subject: A new session 5 has been created for user root >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- Documentation: >> http://www.freedesktop.org/wiki/Software/systemd/multiseat >> -- >> -- A new session with the ID 5 has been created for the user root. >> -- >> -- The leading process of the session is 1855. >> May 19 06:47:00 ipa1.foo.net systemd[1]: >> Started Session 5 of user root. >> -- Subject: Unit session-5.scope has finished start-up >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- >> -- Unit session-5.scope has finished starting up. >> -- >> -- The start-up result is done. >> May 19 06:47:00 ipa1.foo.net sshd[1855]: >> pam_unix(sshd:session): session opened for user root by (uid=0) >> May 19 06:47:03 ipa1.foo.net systemd[1]: >> Stopped 389 Directory Server WEDGEOFLI-ME.. >> -- Subject: Unit dirsrv at WEDGEOFLI-ME.service >> has finished shutting down >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- >> -- Unit dirsrv at WEDGEOFLI-ME.service >> has finished shutting down. >> May 19 06:47:03 ipa1.foo.net systemd[1]: >> Stopping 389 Directory Server. 
>> -- Subject: Unit dirsrv.target has begun shutting down >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- >> -- Unit dirsrv.target has begun shutting down. >> May 19 06:47:03 ipa1.foo.net systemd[1]: >> Stopped target 389 Directory Server. >> -- Subject: Unit dirsrv.target has finished shutting down >> -- Defined-By: systemd >> -- Support: >> http://lists.freedesktop.org/mailman/listinfo/systemd-devel >> -- >> -- Unit dirsrv.target has finished shutting down. >> [root at ipa1 ~]# >> >> Any thoughts on where to look next? There's nothing at all logged >> in /var/log/krb5kdc.log when I try to start it up, and there are >> so many pieces to this that I'm not sure where to focus my efforts. >> >> Thanks! >> >> >> -- >> *Bret Wortman* >> >> http://damascusgrp.com/ >> http://about.me/wortmanbret >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 28526 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
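A drift check for the krb5.conf case in this thread (Bret Wortman's /etc/krb5.conf overwritten by a Puppet module, and the [dbmodules] section that Szymon Jazy's sample restores), as an added example that is not part of the thread: a small parser for the krb5.conf format followed by the checks an IPA server's file has to pass. The realm FOO.NET, the domain foo.net and both sample files are constructed for the example; only the server name ipa1.foo.net comes from the thread.

```python
"""Added example: parse /etc/krb5.conf and flag the sections an IPA server's
KDC needs.  The realm FOO.NET and both sample files are constructed."""
import re

# Constructed sample in the shape of the krb5.conf posted in the thread,
# with the DOMAIN placeholder filled in as FOO.NET for a server ipa1.foo.net.
GOOD_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FOO.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 FOO.NET = {
  kdc = ipa1.foo.net:88
  master_kdc = ipa1.foo.net:88
  admin_server = ipa1.foo.net:749
  default_domain = foo.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .foo.net = FOO.NET
 foo.net = FOO.NET

[dbmodules]
 FOO.NET = {
  db_library = ipadb.so
 }
"""

# Constructed "client-style" file such as a generic configuration-management
# template would write: identical, but without the [dbmodules] section.
DRIFTED_CONF = GOOD_CONF.split("[dbmodules]")[0]

_SECTION = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Return {section: {tag: value | {subtag: value}}} for krb5.conf text.

    Handles [section] headers and the 'TAG = { ... }' subsections used under
    [realms] and [dbmodules].  Repeated tags (several kdc = lines) keep the
    last value, which is enough for presence checks; include/includedir/module
    directives are skipped rather than followed.
    """
    conf = {}
    stack = []          # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.split()[0] in ("include", "includedir", "module"):
            continue
        header = _SECTION.match(line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"tag outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {line!r}")
        tag, _, value = line.partition("=")
        tag, value = tag.strip().rstrip("*"), value.strip()   # '*' is the final flag
        if value == "{":
            stack.append(stack[-1].setdefault(tag, {}))
        else:
            stack[-1][tag] = value
    return conf


def check_ipa_server_krb5(conf, realm):
    """Return findings (empty list = looks like an IPA server's krb5.conf)."""
    findings = []
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        findings.append(f"[libdefaults] default_realm is not {realm}")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        findings.append(f"[realms] has no {realm} block")
    else:
        for tag in ("kdc", "admin_server"):
            if tag not in realm_block:
                findings.append(f"[realms] {realm}: missing {tag}")
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(f"[domain_realm] maps no DNS domain to {realm}")
    db_block = conf.get("dbmodules", {}).get(realm)
    if not isinstance(db_block, dict):
        # Without this block krb5kdc opens MIT's default db2 database; an IPA
        # server has none, so the KDC fails to start as it did in the thread.
        findings.append(f"[dbmodules] has no {realm} block (db_library = ipadb.so)")
    elif db_block.get("db_library") != "ipadb.so":
        findings.append(f"[dbmodules] {realm}: db_library is "
                        f"{db_block.get('db_library')!r}, expected 'ipadb.so'")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("drifted", DRIFTED_CONF)):
        print(name, check_ipa_server_krb5(parse_krb5_conf(text), "FOO.NET") or "ok")
```

On a real server you would read /etc/krb5.conf into parse_krb5_conf and run the check from the configuration-management hook that writes the file, so a template meant for clients is caught before krb5kdc is restarted.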
From loris at lgs.com.ve Tue May 13 18:56:58 2014
From: loris at lgs.com.ve (Loris Santamaria)
Date: Tue, 13 May 2014 14:26:58 -0430
Subject: [Freeipa-users] DNS SOA Records
In-Reply-To:
References: <5372267B.7060603@redhat.com> <1400002725.2973.15.camel@toron.pzo.lgs.com.ve>
Message-ID: <1400007418.2973.22.camel@toron.pzo.lgs.com.ve>

On Tue, 13-05-2014 at 14:12 -0400, Bob wrote:
> I ran
>
> ipa dnszone-mod vh1.vzwnet.com --update-policy="grant bob-key name
> test.vh1.vzwnet.com.;"
>
> I then execute the nsupdate:
>
> [root at nj51rhidms16v ~]# ./bobtest.sh
> ; TSIG error with server: tsig indicates error
> update failed: NOTAUTH(BADKEY)
>
> [root at nj51rhidms16v ~]# cat ./bobtest.sh
> #!/bin/ksh
> #
> keyfile=bob-key:hkVEYuIRUGaytJRHPd0tww==
> print "update add test.vh1.vzwnet.com 90 CNAME
> txslxngda5.nss.vzwnet.com\n"|nsupdate -y $keyfile

Did you add the key to the bind configuration? As with plain bind configurations, named has to know the key to verify the transaction's signature. I usually put the keys in a file only readable by named and include this file from named.conf:

In /etc/named.conf

include "/etc/named/bob-key.conf";

and in /etc/named/bob-key.conf:

key bob-key {
    algorithm hmac-md5;
    secret "hkVEYuIRUG.....";
};

> [root at nj51rhidms16v log]# tail daemon
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error
> processing keytab file [default]: Principal
> [host/nj51rhidms16v.nss.vzwnet.com at IPA.NSS.VZWNET.COM] was not found.
> Unable to create GSSAPI-encrypted LDAP connection.
> May 13 03:20:04 nj51rhidms16v [sssd[ldap_child[11987]]]: Error writing to key table
> May 13 04:45:42 nj51rhidms16v rhnsd[12406]: running program /usr/sbin/rhn_check
> May 13 08:45:42 nj51rhidms16v rhnsd[12962]: running program /usr/sbin/rhn_check
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 12:08:55 nj51rhidms16v [sssd[ldap_child[13470]]]: Error writing to key table
> May 13 12:45:42 nj51rhidms16v rhnsd[13543]: running program /usr/sbin/rhn_check
> May 13 14:07:59 nj51rhidms16v named[27438]: client 10.194.96.47#15739: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> May 13 14:11:24 nj51rhidms16v [sssd[ldap_child[13785]]]: Error writing to key table
>
> On Tue, May 13, 2014 at 2:04 PM, Bob wrote:
> > I added: "grant bob-key name test.vh1.vzwnet.com.;" in the IPA GUI.
> >
> > But my nsupdate results in this in the daemon log:
> >
> > May 12 17:04:02 nj51rhidms16v named[27438]: zone vh1.vzwnet.com/IN: sending notifies (serial 1399928642)
> > May 12 17:08:44 nj51rhidms16v named[27438]: client 10.194.96.47#26576: request has invalid signature: TSIG bob-key: tsig verify failure (BADKEY)
> > May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error processing keytab file [default]: Principal [host/nj51rhidms16v.nss.vzwnet.com@IPA.NSS.VZWNET.COM] was not found. Unable to create GSSAPI-encrypted LDAP connection.
> > May 12 17:15:16 nj51rhidms16v [sssd[ldap_child[10162]]]: Error writing to key table
> >
> > It almost works.
> >
> > On Tue, May 13, 2014 at 1:38 PM, Loris Santamaria wrote:
> > > On Tue, 13-05-2014 at 10:57 -0400, Bob wrote:
> > > > I have many dozens of TSIG keys declared in our current bind. There are hundreds of records that have been granted to those keys. All of this predates me and I do not know who has these keys. The scope of trying to work with the owners of these keys to convert their processes to use kerberos would be a large effort. It was my hope to use IPA / IDM to provide multi master DNS, with each server being a SOA. But this becomes a lot less desirable as a solution if I have to track down our key holders.
> > >
> > > You can keep using your TSIG keys with IPA if that is what you're looking for. Just declare your TSIG keys in your IPA dns "update-policy" just as you would do with plain bind:
> > >
> > > ipa dnszone-mod example.com --update-policy="grant key1. subdomain a.example.com.; grant key2. name b.example.com.;"
> > >
> > > Also in IPA every DNS presents a different SOA, each with the name of the server being queried, so it can be used as a true multimaster DNS solution.
> > >
> > > Hope this helps
> > >
> > > > On Tue, May 13, 2014 at 10:04 AM, Dmitri Pal wrote:
> > > > > On 05/13/2014 09:59 AM, Bob wrote:
> > > > > > Is there any way to do a nsupdate of a DNS records in an IPA server using a TSIG key without having a kerberos ticket?
> > > > > >
> > > > > > We were going to swap out bind in favor of IPA, but we need to be able to nsupdates.
> > > > >
> > > > > If you are using IPA you can give your clients keytabs. It is all automatic with RHEL, Fedora, Centos for last 5 years. Enroll your clients using ipa-client-install. If you have other operating systems some exploration would be required but it should be doable too.
> > > > >
> > > > > > On Mon, May 12, 2014 at 10:11 AM, Bob wrote:
> > > > > > > We use nsupdate to move the location of some of our services around. For instance there might be two servers that exchange roles, like serv.east.abc.com and serv.west.abc.com and we will have a service name like wiki.abc.com. The owner of the application has been given an nsupdate key that allows them to update and delete on the wiki.abc.com and have that records contain either an "A" record for one or the other of the two servers.
> > > > > > >
> > > > > > > I am very concerned that there might come a time when the SOA primary master server for this dynamic domain might be down when the application owner needs to do their nsupdate.
> > > > > > >
> > > > > > > One observation that we see is that Windows AD and DNS make every AD DNS server an SOA for any domain that it serves. That any dynamic DNS update can be serviced by any Domain controller and that this update is replicated with LDAP to the other DCs.
> > > > > > >
> > > > > > > It was our hope that we could use IPA for our DNS servers for this dynamic domain. That we would have multiple forward statements from our main DNS servers to the IPA DNS servers and that any IPA server would be the SOA. This way the nsupdate would be processed by any available IPA server in the event that one or more of these IPA DNS servers would be down or unreachable.
> > > > > > >
> > > > > > > Is there a way to make each IPA system a SOA for the same domain and still have the DNS records replicate between them?
> > > > > > >
> > > > > > > thanks,
> > > > > > >
> > > > > > > Bob Harvey
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Freeipa-users mailing list
> > > > > > > Freeipa-users at redhat.com
> > > > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > >
> > > > > --
> > > > > Thank you,
> > > > > Dmitri Pal
> > > > >
> > > > > Sr. Engineering Manager IdM portfolio
> > > > > Red Hat, Inc.
--
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.   http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10   sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

-------------- next part --------------
A non-text attachment was scrubbed...
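Loris's update-policy rules above use the same `grant` grammar as BIND, and a malformed or over-broad rule goes straight through `ipa dnszone-mod`. The checker below, added here and not code from the thread, FreeIPA or BIND, parses a policy string, verifies that every rule stays inside the zone, and flags grants with no record-type limit or with subdomain scope at the zone apex. It handles the `name`, `subdomain` and `wildcard` match types seen in the thread and rejects others; the two policies and zone names in `__main__` are taken from the thread.

```python
"""Check a BIND/FreeIPA DNS update-policy string before handing it to
``ipa dnszone-mod ZONE --update-policy=...``.

Added example, not code from the thread, FreeIPA or BIND.  Only the name,
subdomain and wildcard match types are handled; others are rejected.
"""
from dataclasses import dataclass, field
from typing import List

# Match types whose fourth token is the owner name the rule applies to.
NAME_MATCHTYPES = {"name", "subdomain", "wildcard"}
# Record types a service owner's key usually needs; anything else is flagged.
COMMON_TYPES = {"A", "AAAA", "CNAME", "TXT", "SRV", "PTR", "MX"}


@dataclass
class Rule:
    action: str                                     # "grant" or "deny"
    identity: str                                   # TSIG key name, e.g. "bob-key."
    matchtype: str                                  # name | subdomain | wildcard
    name: str                                       # owner name, fully qualified
    types: List[str] = field(default_factory=list)  # empty = every updatable type


def fqdn(name: str) -> str:
    """Normalise a DNS name for comparison: lower-case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_update_policy(policy: str) -> List[Rule]:
    """Split 'grant KEY MATCHTYPE NAME [types];' rules; ValueError if malformed."""
    text = policy.strip()
    if text and not text.endswith(";"):
        raise ValueError("every rule must be terminated by ';'")
    rules: List[Rule] = []
    for raw in text.split(";"):
        chunk = raw.strip()
        if not chunk:
            continue
        tokens = chunk.split()
        if len(tokens) < 4:
            raise ValueError(f"rule too short: {chunk!r}")
        action, identity, matchtype, name, *types = tokens
        if action not in ("grant", "deny"):
            raise ValueError(f"rule must start with grant or deny: {chunk!r}")
        if matchtype not in NAME_MATCHTYPES:
            raise ValueError(f"unsupported match type {matchtype!r} in {chunk!r}")
        rules.append(Rule(action, fqdn(identity), matchtype, fqdn(name),
                          [t.upper() for t in types]))
    return rules


def check_update_policy(policy: str, zone: str) -> List[str]:
    """Return findings ("ERROR: ..." / "WARN: ...") for a policy on a zone."""
    zone = fqdn(zone)
    findings: List[str] = []
    for rule in parse_update_policy(policy):
        where = f"{rule.identity} {rule.matchtype} {rule.name}"
        # The owner name must be the zone apex or lie beneath it; a name from
        # some other zone is a typo or a copy-paste from another zone's policy.
        if rule.name != zone and not rule.name.endswith("." + zone):
            findings.append(f"ERROR: {where}: outside zone {zone}")
            continue
        if rule.action != "grant":
            continue
        # subdomain/wildcard at the apex lets the key rewrite the whole zone.
        if rule.matchtype in ("subdomain", "wildcard") and rule.name == zone:
            findings.append(f"WARN: {where}: key may update every name in {zone}")
        # With no type list BIND applies the rule to all updatable record
        # types, so the key can add or delete far more than the A record it needs.
        if not rule.types or "ANY" in rule.types:
            findings.append(f"WARN: {where}: no record-type restriction")
        odd = [t for t in rule.types if t not in COMMON_TYPES and t != "ANY"]
        if odd:
            findings.append(f"WARN: {where}: unusual record types {odd}")
    return findings


if __name__ == "__main__":
    # The two policies and zones that appear in the thread.
    for policy, zone in [
        ('grant key1. subdomain a.example.com.; grant key2. name b.example.com.;',
         "example.com"),
        ('grant bob-key name test.vh1.vzwnet.com.;', "vh1.vzwnet.com"),
    ]:
        print(zone, check_update_policy(policy, zone) or ["OK"])
```

A rule that passes these checks but still produces "tsig verify failure (BADKEY)" in named's log, as in Bob's case, is not a policy problem: named verifies the TSIG signature before it consults update-policy, and BADKEY means the server did not recognise the key name at all.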
From sbose at redhat.com Tue May 20 07:08:04 2014
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 20 May 2014 09:08:04 +0200
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To:
References: <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain>
Message-ID: <20140520070803.GV4640@localhost.localdomain>

On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself.
>
> Still failing after running the commands.
>
> [root at ipaserver ~]# net conf setparm global "client min protocol" smb2_02
> [root at ipaserver ~]# net conf setparm global "client max protocol" smb2_02
> [root at ipaserver ~]# service winbind restart
>
> Shutting down Winbind services: [ OK ]
> Starting Winbind services: [ OK ]
>
> [root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name ADDOMAIN\Domain Admins
>
> [root at ipaserver ~]# wbinfo -u
> [root at ipaserver ~]#
>
> The issue is reproducible every time if anyone follows the steps as I have done.

It would be nice if you can send a second round of log files. Please stop winbind, remove all *winbind* and *wb* log files in /var/log/samba, make sure 'log level' is 10 or higher, start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind, put all *winbind* and *wb* log files in a tar/zip archive and send the archive. If you think the archive is too large for a mailing-list feel free to send them to me directly.
bye, Sumit > > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote: > > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: > > > Hi > > > > > > Let me start from the beginning once again. Let me explain you what > > steps I > > > followed during the setup. > > > > > > I am setting up the environment in Amazon AWS, both Windows AD server and > > > Linux IPA configured in EC2. > > > For configuring Windows 2008 I selected > > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6) > > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - Release > > > Media (ami-8997afe0). > > > > > > I followed the steps from > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also kept the > > > domain names > > > similar as in the example. > > > > > > IPA server hostname: ipaserver > > > IPA domain: ipadomain.example.com > > > IPA NetBIOS: IPADOMAIN > > > > > > AD DC hostname: adserver > > > AD domain: addomain.example.com > > > AD NetBIOS: ADDOMAIN > > > > > > > > > 1. Updated the system and install the packages. > > > > > > # yum update -y > > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" > > > samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap > > > > > > List of important packages installed during the update are as follows. 
> > > > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1 > > > bind-dyndb-ldap x86_64 2.3-5.el6 > > > > > > ipa-server x86_64 3.0.0-37.el6 > > > ipa-server-trust-ad x86_64 3.0.0-37.el6 > > > ipa-admintools x86_64 3.0.0-37.el6 > > > ipa-client x86_64 3.0.0-37.el6 > > > ipa-pki-ca-theme noarch 9.0.3-7.el6 > > > ipa-pki-common-theme noarch 9.0.3-7.el6 > > > ipa-python x86_64 3.0.0-37.el6 > > > ipa-server-selinux x86_64 3.0.0-37.el6 > > > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4 > > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4 > > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4 > > > samba4 x86_64 4.0.0-61.el6_5.rc4 > > > samba4-common x86_64 4.0.0-61.el6_5.rc4 > > > samba4-libs x86_64 4.0.0-61.el6_5.rc4 > > > samba4-python x86_64 4.0.0-61.el6_5.rc4 > > > > ah, sorry, I this might be a known issue, but I got on a wrong track > > because I thought it was working initially and only failed after reboot. > > > > Please try to set "client min protocol" and "client max protocol" in the > > samba configuration: > > > > net conf setparm global "client min protocol" smb2_02 > > net conf setparm global "client max protocol" smb2_02 > > > > restart winbind and try again. 
> > > > HTH > > > > bye, > > Sumit > > > > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5 > > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5 > > > > > > certmonger x86_64 0.61-3.el6 > > > > > > krb5-server x86_64 1.10.3-15.el6_5.1 > > > krb5-workstation x86_64 1.10.3-15.el6_5.1 > > > > > > sssd x86_64 1.9.2-129.el6_5.4 > > > sssd-client x86_64 1.9.2-129.el6_5.4 > > > > > > > > > > > > > > > -- > Warm Regards > > Supratik From supratiksekhar at gmail.com Tue May 20 07:47:42 2014 From: supratiksekhar at gmail.com (Supratik Goswami) Date: Tue, 20 May 2014 13:17:42 +0530 Subject: [Freeipa-users] AD trust showing offline after reboot In-Reply-To: <20140520070803.GV4640@localhost.localdomain> References: <20140515143335.GE29987@hendrix.redhat.com> <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain> <20140520070803.GV4640@localhost.localdomain> Message-ID: PFA On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote: > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote: > > Initially after configuring the setup I rebooted once and I was thinking > > that it worked before the reboot but unfortunately it didn't work the > first > > time itself. > > > > Still failing after running the commands. > > > > [root at ipaserver ~]# net conf setparm global "client min protocol" > smb2_02 > > [root at ipaserver ~]# net conf setparm global "client max protocol" > smb2_02 > > [root at ipaserver ~]# service winbind restart > > > > Shutting down Winbind services: [ OK ] > > Starting Winbind services: [ OK ] > > > > [root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins' > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > > Could not lookup name ADDOMAIN\Domain Admins > > > > [root at ipaserver ~]# wbinfo -u > > [root at ipaserver ~]# > > > > The issue is reproducible every time if anyone follows the steps as I > have > > done. 
> > > > It would be nice if you can send a second round of log files. Please > stop winbind, remove all *winbind* and *wb* log files in /var/log/samba, > make sure 'log level' is 10 or higher, > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind, > put all *winbind* and *wb* log files in a tar/zip archive and send the > archive. If you think the archive is too large for a mailing-list fell > free to send them to me directly. > > bye, > Sumit > > > > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote: > > > > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: > > > > Hi > > > > > > > > Let me start from the beginning once again. Let me explain you what > > > steps I > > > > followed during the setup. > > > > > > > > I am setting up the environment in Amazon AWS, both Windows AD > server and > > > > Linux IPA configured in EC2. > > > > For configuring Windows 2008 I selected > > > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 > (ami-df8e93b6) > > > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - > Release > > > > Media (ami-8997afe0). > > > > > > > > I followed the steps from > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also > kept the > > > > domain names > > > > similar as in the example. > > > > > > > > IPA server hostname: ipaserver > > > > IPA domain: ipadomain.example.com > > > > IPA NetBIOS: IPADOMAIN > > > > > > > > AD DC hostname: adserver > > > > AD domain: addomain.example.com > > > > AD NetBIOS: ADDOMAIN > > > > > > > > > > > > 1. Updated the system and install the packages. > > > > > > > > # yum update -y > > > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" > > > > samba4-winbind-clients samba4-winbind samba4-client bind > bind-dyndb-ldap > > > > > > > > List of important packages installed during the update are as > follows. 
> > > > > > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1 > > > > bind-dyndb-ldap x86_64 2.3-5.el6 > > > > > > > > ipa-server x86_64 3.0.0-37.el6 > > > > ipa-server-trust-ad x86_64 3.0.0-37.el6 > > > > ipa-admintools x86_64 3.0.0-37.el6 > > > > ipa-client x86_64 3.0.0-37.el6 > > > > ipa-pki-ca-theme noarch 9.0.3-7.el6 > > > > ipa-pki-common-theme noarch 9.0.3-7.el6 > > > > ipa-python x86_64 3.0.0-37.el6 > > > > ipa-server-selinux x86_64 3.0.0-37.el6 > > > > > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4 > > > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4 > > > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4 > > > > samba4 x86_64 4.0.0-61.el6_5.rc4 > > > > samba4-common x86_64 4.0.0-61.el6_5.rc4 > > > > samba4-libs x86_64 4.0.0-61.el6_5.rc4 > > > > samba4-python x86_64 4.0.0-61.el6_5.rc4 > > > > > > ah, sorry, I this might be a known issue, but I got on a wrong track > > > because I thought it was working initially and only failed after > reboot. > > > > > > Please try to set "client min protocol" and "client max protocol" in > the > > > samba configuration: > > > > > > net conf setparm global "client min protocol" smb2_02 > > > net conf setparm global "client max protocol" smb2_02 > > > > > > restart winbind and try again. > > > > > > HTH > > > > > > bye, > > > Sumit > > > > > > > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5 > > > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5 > > > > > > > > certmonger x86_64 0.61-3.el6 > > > > > > > > krb5-server x86_64 1.10.3-15.el6_5.1 > > > > krb5-workstation x86_64 1.10.3-15.el6_5.1 > > > > > > > > sssd x86_64 1.9.2-129.el6_5.4 > > > > sssd-client x86_64 1.9.2-129.el6_5.4 > > > > > > > > > > > > > > > > > > > > > > > -- > > Warm Regards > > > > Supratik > -- Warm Regards Supratik -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
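Sumit's log-collection steps quoted above (stop winbind, delete the old *winbind* and *wb* logs, make sure 'log level' is at least 10, start winbind, run the failing wbinfo lookup, stop winbind, archive the logs) as a script, added here and not code from the thread or from Samba. It reads `net conf list` before winbind is started and refuses to produce an archive at a lower log level, which is what made the first archive in this thread useless; the service name, the /var/log/samba directory and the lookup name are taken from the thread, and `demo()` drives it with a constructed fake command runner so it can be tried offline.

```python
"""Collect winbind debug logs for a failing AD-trust lookup.

Added example, not code from the thread, Samba or FreeIPA.  Service name,
log directory and lookup name are taken from the thread.
"""
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# A runner takes an argv list and returns the command's stdout.
Runner = Callable[[List[str]], str]


def run_cmd(argv: List[str]) -> str:
    """Default runner: execute argv, raise CalledProcessError on non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def samba_log_level(conf_listing: str) -> int:
    """Read 'log level' out of 'net conf list' output; 0 when it is not set."""
    m = re.search(r"^\s*log level\s*=\s*(\d+)", conf_listing, re.MULTILINE)
    return int(m.group(1)) if m else 0


def collect_winbind_logs(lookup_name: str, log_dir, archive,
                         run: Runner = run_cmd, min_level: int = 10) -> List[str]:
    """Run the procedure from the thread and return the archived file names.

    Raises RuntimeError instead of starting winbind when the registry config
    still reports a log level below min_level (the dead end hit in the thread).
    """
    log_dir = Path(log_dir)
    run(["service", "winbind", "stop"])
    # Only logs written by this run should end up in the archive.
    for old in set(log_dir.glob("*winbind*")) | set(log_dir.glob("*wb*")):
        old.unlink()
    level = samba_log_level(run(["net", "conf", "list"]))
    if level < min_level:
        run(["net", "conf", "setparm", "global", "log level", str(min_level)])
        level = samba_log_level(run(["net", "conf", "list"]))
        if level < min_level:
            raise RuntimeError(
                f"log level is {level}, expected >= {min_level}; "
                "an archive collected now would be useless")
    run(["service", "winbind", "start"])
    try:
        # The lookup is expected to fail (WBC_ERR_DOMAIN_NOT_FOUND in the
        # thread); that failure is exactly what the logs should capture.
        run(["wbinfo", "-n", lookup_name])
    except subprocess.CalledProcessError:
        pass
    finally:
        run(["service", "winbind", "stop"])
    files = sorted(set(log_dir.glob("*winbind*")) | set(log_dir.glob("*wb*")))
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in files:
            tar.add(str(path), arcname=path.name)
    return [path.name for path in files]


def demo(reported_level: int = 10) -> Tuple[List[str], List[str], Optional[str]]:
    """Offline dry run with a constructed fake runner.

    Returns (commands issued, archive members, error message or None).
    """
    tmp = Path(tempfile.mkdtemp())
    log_dir = tmp / "samba"          # stands in for /var/log/samba
    log_dir.mkdir()
    archive = tmp / "winbind-logs.tar.gz"
    commands: List[str] = []

    def fake_run(argv: List[str]) -> str:
        commands.append(" ".join(argv))
        if argv == ["net", "conf", "list"]:
            # Constructed listing; the fake ignores setparm, like the setup in
            # the thread whose log level kept reading 1.
            return f"[global]\n\tworkgroup = IPADOMAIN\n\tlog level = {reported_level}\n"
        if argv == ["service", "winbind", "start"]:
            (log_dir / "log.winbindd").write_text("constructed winbind log\n")
        if argv[0] == "wbinfo":
            raise subprocess.CalledProcessError(1, argv, "WBC_ERR_DOMAIN_NOT_FOUND")
        return ""

    try:
        collect_winbind_logs("ADDOMAIN\\Domain Admins", log_dir, archive, run=fake_run)
    except RuntimeError as exc:
        return commands, [], str(exc)
    with tarfile.open(str(archive)) as tar:
        return commands, tar.getnames(), None


if __name__ == "__main__":
    print(demo())      # level 10: archive holds log.winbindd
    print(demo(1))     # level stuck at 1: refuses before starting winbind
```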
From sbose at redhat.com Tue May 20 08:08:34 2014
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 20 May 2014 10:08:34 +0200
Subject: [Freeipa-users] AD trust showing offline after reboot
In-Reply-To:
References: <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain> <20140520070803.GV4640@localhost.localdomain>
Message-ID: <20140520080834.GX4640@localhost.localdomain>

On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
> PFA

something switched the log level back to 1

    doing parameter log level = 1

can you check that 'net conf list' shows 'log level 10', if not please set it with

    net conf setparm global 'log level' 10

bye,
Sumit

> On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
> > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > > Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself.
> > >
> > > Still failing after running the commands.
> > >
> > > [root at ipaserver ~]# net conf setparm global "client min protocol" smb2_02
> > > [root at ipaserver ~]# net conf setparm global "client max protocol" smb2_02
> > > [root at ipaserver ~]# service winbind restart
> > >
> > > Shutting down Winbind services: [ OK ]
> > > Starting Winbind services: [ OK ]
> > >
> > > [root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
> > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > > Could not lookup name ADDOMAIN\Domain Admins
> > >
> > > [root at ipaserver ~]# wbinfo -u
> > > [root at ipaserver ~]#
> > >
> > > The issue is reproducible every time if anyone follows the steps as I have done.
> >
> > It would be nice if you can send a second round of log files.
Please > > stop winbind, remove all *winbind* and *wb* log files in /var/log/samba, > > make sure 'log level' is 10 or higher, > > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind, > > put all *winbind* and *wb* log files in a tar/zip archive and send the > > archive. If you think the archive is too large for a mailing-list fell > > free to send them to me directly. > > > > bye, > > Sumit > > > > > > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote: > > > > > > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: > > > > > Hi > > > > > > > > > > Let me start from the beginning once again. Let me explain you what > > > > steps I > > > > > followed during the setup. > > > > > > > > > > I am setting up the environment in Amazon AWS, both Windows AD > > server and > > > > > Linux IPA configured in EC2. > > > > > For configuring Windows 2008 I selected > > > > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 > > (ami-df8e93b6) > > > > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - > > Release > > > > > Media (ami-8997afe0). > > > > > > > > > > I followed the steps from > > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also > > kept the > > > > > domain names > > > > > similar as in the example. > > > > > > > > > > IPA server hostname: ipaserver > > > > > IPA domain: ipadomain.example.com > > > > > IPA NetBIOS: IPADOMAIN > > > > > > > > > > AD DC hostname: adserver > > > > > AD domain: addomain.example.com > > > > > AD NetBIOS: ADDOMAIN > > > > > > > > > > > > > > > 1. Updated the system and install the packages. > > > > > > > > > > # yum update -y > > > > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" > > > > > samba4-winbind-clients samba4-winbind samba4-client bind > > bind-dyndb-ldap > > > > > > > > > > List of important packages installed during the update are as > > follows. 
> > > > > > > > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1 > > > > > bind-dyndb-ldap x86_64 2.3-5.el6 > > > > > > > > > > ipa-server x86_64 3.0.0-37.el6 > > > > > ipa-server-trust-ad x86_64 3.0.0-37.el6 > > > > > ipa-admintools x86_64 3.0.0-37.el6 > > > > > ipa-client x86_64 3.0.0-37.el6 > > > > > ipa-pki-ca-theme noarch 9.0.3-7.el6 > > > > > ipa-pki-common-theme noarch 9.0.3-7.el6 > > > > > ipa-python x86_64 3.0.0-37.el6 > > > > > ipa-server-selinux x86_64 3.0.0-37.el6 > > > > > > > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4 x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4-common x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4-libs x86_64 4.0.0-61.el6_5.rc4 > > > > > samba4-python x86_64 4.0.0-61.el6_5.rc4 > > > > > > > > ah, sorry, I this might be a known issue, but I got on a wrong track > > > > because I thought it was working initially and only failed after > > reboot. > > > > > > > > Please try to set "client min protocol" and "client max protocol" in > > the > > > > samba configuration: > > > > > > > > net conf setparm global "client min protocol" smb2_02 > > > > net conf setparm global "client max protocol" smb2_02 > > > > > > > > restart winbind and try again. 
> > > > > > > > HTH > > > > > > > > bye, > > > > Sumit > > > > > > > > > > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5 > > > > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5 > > > > > > > > > > certmonger x86_64 0.61-3.el6 > > > > > > > > > > krb5-server x86_64 1.10.3-15.el6_5.1 > > > > > krb5-workstation x86_64 1.10.3-15.el6_5.1 > > > > > > > > > > sssd x86_64 1.9.2-129.el6_5.4 > > > > > sssd-client x86_64 1.9.2-129.el6_5.4 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Warm Regards > > > > > > Supratik > > > > > > -- > Warm Regards > > Supratik From supratiksekhar at gmail.com Tue May 20 08:57:25 2014 From: supratiksekhar at gmail.com (Supratik Goswami) Date: Tue, 20 May 2014 14:27:25 +0530 Subject: [Freeipa-users] AD trust showing offline after reboot In-Reply-To: <20140520080834.GX4640@localhost.localdomain> References: <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain> <20140520070803.GV4640@localhost.localdomain> <20140520080834.GX4640@localhost.localdomain> Message-ID: Yes, you are correct log level was set to 1. I have changed the log level value to 10 and collected the log files again, PFA. 
[root at ipaserver samba]# net conf setparm global 'log level' 10
[root at ipaserver samba]# net conf list
[global]
	workgroup = IPADOMAIN
	realm = IPADOMAIN.EXAMPLE.COM
	kerberos method = dedicated keytab
	dedicated keytab file = FILE:/etc/samba/samba.keytab
	create krb5 conf = no
	security = user
	domain master = yes
	domain logons = yes
	max log size = 100000
	log file = /var/log/samba/log.%m
	passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
	disable spoolss = yes
	ldapsam:trusted = yes
	ldap ssl = off
	ldap suffix = dc=ipadomain,dc=example,dc=com
	ldap user suffix = cn=users,cn=accounts
	ldap group suffix = cn=groups,cn=accounts
	ldap machine suffix = cn=computers,cn=accounts
	rpc_server:epmapper = external
	rpc_server:lsarpc = external
	rpc_server:lsass = external
	rpc_server:lsasd = external
	rpc_server:samr = external
	rpc_server:netlogon = external
	rpc_server:tcpip = yes
	rpc_daemon:epmd = fork
	rpc_daemon:lsasd = fork
	client min protocol = smb2_02
	client max protocol = smb2_02
	log level = 10

[share]
	comment = Trust test share
	read only = no
	valid users = S-1-5-21-2212595442-2951398754-4232868618
	path = /share

On Tue, May 20, 2014 at 1:38 PM, Sumit Bose wrote:
> On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
> > PFA
>
> something switched the log level back to 1
>
>     doing parameter log level = 1
>
> can you check that 'net conf list' shows 'log level 10', if not please set it with
>
>     net conf setparm global 'log level' 10
>
> bye,
> Sumit
>
> > On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
> > > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
> > > > Initially after configuring the setup I rebooted once and I was thinking that it worked before the reboot but unfortunately it didn't work the first time itself.
> > > >
> > > > Still failing after running the commands.
> > > > > > > > [root at ipaserver ~]# net conf setparm global "client min protocol" > > > smb2_02 > > > > [root at ipaserver ~]# net conf setparm global "client max protocol" > > > smb2_02 > > > > [root at ipaserver ~]# service winbind restart > > > > > > > > Shutting down Winbind services: [ OK ] > > > > Starting Winbind services: [ OK ] > > > > > > > > [root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins' > > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > > > > Could not lookup name ADDOMAIN\Domain Admins > > > > > > > > [root at ipaserver ~]# wbinfo -u > > > > [root at ipaserver ~]# > > > > > > > > The issue is reproducible every time if anyone follows the steps as I > > > have > > > > done. > > > > > > > > > > It would be nice if you can send a second round of log files. Please > > > stop winbind, remove all *winbind* and *wb* log files in > /var/log/samba, > > > make sure 'log level' is 10 or higher, > > > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind, > > > put all *winbind* and *wb* log files in a tar/zip archive and send the > > > archive. If you think the archive is too large for a mailing-list fell > > > free to send them to me directly. > > > > > > bye, > > > Sumit > > > > > > > > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose > wrote: > > > > > > > > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote: > > > > > > Hi > > > > > > > > > > > > Let me start from the beginning once again. Let me explain you > what > > > > > steps I > > > > > > followed during the setup. > > > > > > > > > > > > I am setting up the environment in Amazon AWS, both Windows AD > > > server and > > > > > > Linux IPA configured in EC2. > > > > > > For configuring Windows 2008 I selected > > > > > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 > > > (ami-df8e93b6) > > > > > > and for configuring IPA server I selected CentOS 6.5 (x86_64) - > > > Release > > > > > > Media (ami-8997afe0). 
> > > > > > > > > > > > I followed the steps from > > > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also > > > kept the > > > > > > domain names > > > > > > similar as in the example. > > > > > > > > > > > > IPA server hostname: ipaserver > > > > > > IPA domain: ipadomain.example.com > > > > > > IPA NetBIOS: IPADOMAIN > > > > > > > > > > > > AD DC hostname: adserver > > > > > > AD domain: addomain.example.com > > > > > > AD NetBIOS: ADDOMAIN > > > > > > > > > > > > > > > > > > 1. Updated the system and install the packages. > > > > > > > > > > > > # yum update -y > > > > > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" > > > > > > samba4-winbind-clients samba4-winbind samba4-client bind > > > bind-dyndb-ldap > > > > > > > > > > > > List of important packages installed during the update are as > > > follows. > > > > > > > > > > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1 > > > > > > bind-dyndb-ldap x86_64 2.3-5.el6 > > > > > > > > > > > > ipa-server x86_64 3.0.0-37.el6 > > > > > > ipa-server-trust-ad x86_64 3.0.0-37.el6 > > > > > > ipa-admintools x86_64 3.0.0-37.el6 > > > > > > ipa-client x86_64 3.0.0-37.el6 > > > > > > ipa-pki-ca-theme noarch 9.0.3-7.el6 > > > > > > ipa-pki-common-theme noarch 9.0.3-7.el6 > > > > > > ipa-python x86_64 3.0.0-37.el6 > > > > > > ipa-server-selinux x86_64 3.0.0-37.el6 > > > > > > > > > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4 x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4-common x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4-libs x86_64 4.0.0-61.el6_5.rc4 > > > > > > samba4-python x86_64 4.0.0-61.el6_5.rc4 > > > > > > > > > > ah, sorry, I this might be a known issue, but I got on a wrong > track > > > > > because I thought it was working initially and only failed after > > > reboot. 
> > > > > Please try to set "client min protocol" and "client max protocol" in the samba configuration:
> > > > >
> > > > > net conf setparm global "client min protocol" smb2_02
> > > > > net conf setparm global "client max protocol" smb2_02
> > > > >
> > > > > restart winbind and try again.
> > > > >
> > > > > HTH
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5
> > > > > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5
> > > > > >
> > > > > > certmonger x86_64 0.61-3.el6
> > > > > >
> > > > > > krb5-server x86_64 1.10.3-15.el6_5.1
> > > > > > krb5-workstation x86_64 1.10.3-15.el6_5.1
> > > > > >
> > > > > > sssd x86_64 1.9.2-129.el6_5.4
> > > > > > sssd-client x86_64 1.9.2-129.el6_5.4
> > > > > >
> > > > > > --
> > > > > > Warm Regards
> > > > > >
> > > > > > Supratik
> > > >
> > > > --
> > > > Warm Regards
> > > >
> > > > Supratik
> >
> > --
> > Warm Regards
> >
> > Supratik

--
Warm Regards

Supratik

From devans01 at gmail.com Tue May 20 13:00:18 2014
From: devans01 at gmail.com (Dylan Evans)
Date: Tue, 20 May 2014 14:00:18 +0100
Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together
Message-ID:

Hello,

I need some help with getting Samba and FreeIPA working together. I've been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out of date for IPAv3 and I need some help:

1. The guide deals with setting a Samba server SID for one Samba server, but as we have multiple stand-alone Samba3 servers, which SID do I use to create the DNA plugin? Can I enter more than 1 SID? Can I have more than 1 plugin (seems unlikely)?

2. There's no "/usr/share/ipa/ui/group.js" file to patch in IPAv3. What do I need to patch instead? I've seen ticket https://fedorahosted.org/freeipa/ticket/3999, which shows the need is there but I could do with getting it working ASAP.

I may be missing something obvious but some help would be greatly appreciated!

Thanks,
Dylan.

Background:

Brief: Need to expand from the current single-office-ish NIS/YP scheme to a multi-location/multi-national auth scheme which FreeIPA seems ideally suited for.

Requirement: To continue to provide console/SSH and GUI/X logins to Linux hosts, access to home and project directories via NFS from the Linux machines using autofs/automount and access to Samba file-shares from Windows machines but not using AD creds as this is a totally separate environment. Several locations will each have a FreeIPA replica server, NFS/Samba fileserver and "application" server. Currently use 2 passwords for each user, one for NIS, one for Samba, and need to consolidate to one password for everything.

Progress: Linux-based NFS stuff working fine: automount of home and project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs as a prototyping environment but will probably use RHEL/CentOS 7 when available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and 3.3.5 on Fedora 20.

From cwhittl at gmail.com Tue May 20 13:57:00 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Tue, 20 May 2014 08:57:00 -0500
Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement?
In-Reply-To: <1400501728.3833.5.camel@willson.li.ssimo.org>
References: <1400430703.3833.0.camel@willson.li.ssimo.org> <1400501728.3833.5.camel@willson.li.ssimo.org>
Message-ID:

If anyone is looking for this check out http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894

It worked great with the caveat of needing the NSS Database Password which was in "/etc/httpd/alias/pwdfile.txt" (per http://www.freeipa.org/page/V3/Drop_selfsign_functionality)

Thanks

On Mon, May 19, 2014 at 7:15 AM, Simo Sorce wrote:
> On Sun, 2014-05-18 at 20:58 -0500, Chris Whittle wrote:
> > Actually is this it?
> > http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I think so, yeah.
>
> Simo.
>
> > On Sun, May 18, 2014 at 8:31 PM, Chris Whittle wrote:
> > > Thanks Simo, I'm finding a lot of posts on certs but none that really tells me what I need to do...
> > > Any more help would be extremely appreciated.
> > >
> > > On Sun, May 18, 2014 at 11:31 AM, Simo Sorce wrote:
> > > > On Sat, 2014-05-17 at 13:26 -0500, Chris Whittle wrote:
> > > > > Let me be more specific... I just want to use my wildcard ssl for the UI so that it doesn't give an error when you access it, anyone done this before?
> > > >
> > > > I think this has been posted on the list already, however all you need to do is to replace the apache certs, they are in a nss database located in /etc/httpd/alias, you can use certutil to deal with the database.
> > > >
> > > > HTH,
> > > > Simo.
> > > >
> > > > --
> > > > Simo Sorce * Red Hat, Inc * New York
>
> --
> Simo Sorce * Red Hat, Inc * New York

-------------- next part --------------
An HTML attachment was scrubbed...
From cwhittl at gmail.com Tue May 20 18:33:23 2014
From: cwhittl at gmail.com (Chris Whittle)
Date: Tue, 20 May 2014 13:33:23 -0500
Subject: [Freeipa-users] Free IPA and Google Apps
In-Reply-To: <1400501774.3833.6.camel@willson.li.ssimo.org>
References: <535A16C1.6050808@redhat.com> <1398429565.2628.469.camel@willson.li.ssimo.org> <535A6342.8070306@redhat.com> <1398433896.2628.486.camel@willson.li.ssimo.org> <535A6A83.2000306@redhat.com> <1398435500.2628.489.camel@willson.li.ssimo.org> <1400501774.3833.6.camel@willson.li.ssimo.org>
Message-ID:

Awesome... Can ipsilon be installed on the same server as FreeIPA?

On Mon, May 19, 2014 at 7:16 AM, Simo Sorce wrote:

> On Sun, 2014-05-18 at 20:40 -0500, Chris Whittle wrote:
> > Anything new on ipsilon?
>
> I released 0.2.3: https://fedorahosted.org/ipsilon/
>
> It is still a bit rough on the edges, but can be used.
>
> Simo.
>
> > On Fri, Apr 25, 2014 at 9:18 AM, Simo Sorce wrote:
> >
> > > On Fri, 2014-04-25 at 10:00 -0400, Dmitri Pal wrote:
> > > > On 04/25/2014 09:51 AM, Simo Sorce wrote:
> > > > > On Fri, 2014-04-25 at 09:29 -0400, Dmitri Pal wrote:
> > > > >> On 04/25/2014 08:39 AM, Simo Sorce wrote:
> > > > >>> On Fri, 2014-04-25 at 07:27 -0500, Chris Whittle wrote:
> > > > >>>> Thanks Martin, I found a few notes on FreeIPA and GADS but most were
> > > > >>>> people saying not to do it on principle but nothing saying if it's
> > > > >>>> possible or not.
> > > > >>>>
> > > > >>>> I like the SAML option, including the mysterious ipsilon (Is there
> > > > >>>> anything more than the git repo yet?), but wonder how much control
> > > > >>>> it has.
> > > > >>> At the moment no control at all.
> > > > >>>
> > > > >>>> Does it just allow them to SSO using their LDAP credentials?
> > > > >>> Yes.
> > > > >>>
> > > > >>>> If I disable a user in LDAP does it only recognize that only during
> > > > >>>> login or is it smart enough to kill their Google Apps sessions and
> > > > >>>> make them login again?
> > > > >>> At the moment no, in future, perhaps we can develop a plugin that will
> > > > >>> call a SSO logout to the remote applications the user logged into, but
> > > > >>> this will require the server to be more stateful. This feature is not
> > > > >>> available in the current code.
> > > > >>>
> > > > >>> Simo.
> > > > >>>
> > > > >>> _______________________________________________
> > > > >>> Freeipa-users mailing list
> > > > >>> Freeipa-users at redhat.com
> > > > >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > >>
> > > > >> Simo, how much Ipsilon is ready for a POC like this?
> > > > >> I understand it is probably somewhere between alpha and beta quality but
> > > > >> it might be a good exercise to try to set it up for a real use case.
> > > > >> What do you think?
> > > > > It can be tried, but I need to write some documentation on how to set it
> > > > > up first :-)
> > > > >
> > > > > Simo.
> > > >
> > > > Hint-hint, nudge-nudge :-)
> > >
> > > I know, I know.
> > > I got done with lasso and mod_auth_mellon patches, now I can go back to
> > > Ipsilon.
> > >
> > > If Jan gives me the go, I will cut a first release and start writing
> > > instruction, file for Fedora packages and all that
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
>
> --
> Simo Sorce * Red Hat, Inc * New York
From simo at redhat.com Tue May 20 20:33:51 2014
From: simo at redhat.com (Simo Sorce)
Date: Tue, 20 May 2014 16:33:51 -0400
Subject: [Freeipa-users] Free IPA and Google Apps
In-Reply-To:
References: <535A16C1.6050808@redhat.com> <1398429565.2628.469.camel@willson.li.ssimo.org> <535A6342.8070306@redhat.com> <1398433896.2628.486.camel@willson.li.ssimo.org> <535A6A83.2000306@redhat.com> <1398435500.2628.489.camel@willson.li.ssimo.org> <1400501774.3833.6.camel@willson.li.ssimo.org>
Message-ID: <1400618031.7561.9.camel@willson.li.ssimo.org>

On Tue, 2014-05-20 at 13:33 -0500, Chris Whittle wrote:
> Awesome... Can ipsilon be installed on the same server as FreeIPA?

It should be possible, although I always used a separate server for my tests.

Btw, use at least version 0.2.4, there are important bugs fixed there, although not all of the known ones are, I am planning 0.2.5 in a few days :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From davis.goodman at digital-district.ca Wed May 21 06:36:57 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Wed, 21 May 2014 02:36:57 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
Message-ID:

Hi,

Lately I've been having issues of replication between my server and my 2 replicas.

I decided I was going to delete my 2 replicas and start over keeping my master intact.

I wasn't successful in getting all 3 servers to replicate to each other. (it used to work)

I tried deleting 1 replica after the other one to always keep one of the two available.

I had to delete manually the replica host on the master with a bunch of ldapdelete commands which worked fine.

But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas.

I went back to my master to use the ldapdelete to remove both hosts' records so that I could start over.

Unfortunately now I'm getting this error.

ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
additional info: database is read-only

I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation but with a master in read-only mode it wouldn't be of much help.

Any insights would be more than welcome.
Davis

Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104
Cell: +1 (514) 994-7360

From mkosek at redhat.com Wed May 21 06:45:36 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 21 May 2014 08:45:36 +0200
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To:
References:
Message-ID: <537C4B90.8010608@redhat.com>

On 05/21/2014 08:36 AM, Davis Goodman wrote:
> I went back to my master to use the ldapdelete to remove both hosts' records so that I could start over.
>
> Unfortunately now I'm getting this error.
>
> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
> Enter LDAP Password:
> ldap_delete: Server is unwilling to perform (53)
> additional info: database is read-only
>
> I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation but with a master in read-only mode it wouldn't be of much help.
>
> Any insights would be more than welcome.
>
> Davis

Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode?

You can find out with this ldapsearch:

ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base

Check for nsslapd-readonly, it should be put to "off" in normal operation.

Martin

From davis.goodman at digital-district.ca Wed May 21 06:48:40 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Wed, 21 May 2014 02:48:40 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To: <537C4B90.8010608@redhat.com>
References: <537C4B90.8010608@redhat.com>
Message-ID: <73DD4B8F-9BD6-4A74-AE4D-2265E2C451C6@digital-district.ca>

Right on, it is. What would be the ldapmodify command to change it? I'm not the most used to the syntax!

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104
Cell: +1 (514) 994-7360

On May 21, 2014, at 2:45 , Martin Kosek wrote:

> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base

From davis.goodman at digital-district.ca Wed May 21 07:12:26 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Wed, 21 May 2014 03:12:26 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To: <537C4B90.8010608@redhat.com>
References: <537C4B90.8010608@redhat.com>
Message-ID:

On May 21, 2014, at 2:45 , Martin Kosek wrote:

> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an
> operation, or was an upgrade interrupted and left the database in read-only
> mode?
>
> You can find out with this ldapsearch:
>
> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b
> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>
> Check for nsslapd-readonly, it should be put to "off" in normal operation.
>
> Martin

Ok finally managed to modify the read-only flag.

Could prepare my replicas and get them going.

Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:

Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [23/31]: adding replication acis
  [24/31]: setting Auto Member configuration
  [25/31]: enabling S4U2Proxy delegation
ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
  [26/31]: initializing group membership
  [27/31]: adding master entry
  [28/31]: configuring Posix uid/gid generation

the rest seems to work fine.

From mkosek at redhat.com Wed May 21 10:54:28 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 21 May 2014 12:54:28 +0200
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To:
References: <537C4B90.8010608@redhat.com>
Message-ID: <537C85E4.7010102@redhat.com>

On 05/21/2014 09:12 AM, Davis Goodman wrote:
> Ok finally managed to modify the read-only flag.
>
> Could prepare my replicas and get them going.
>
> Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:
>
>   [25/31]: enabling S4U2Proxy delegation
> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>   [26/31]: initializing group membership
>
> the rest seems to work fine.

You need to check ipareplica-install.log to see the real error.

I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.

Martin

From davis.goodman at digital-district.ca Wed May 21 11:31:08 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Wed, 21 May 2014 07:31:08 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To: <537C85E4.7010102@redhat.com>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com>
Message-ID:

On May 21, 2014, at 6:54 , Martin Kosek wrote:

> You need to check ipareplica-install.log to see the real error.
>
> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>
> Martin

The first one is there:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
cn: ipa-http-delegation
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

But not the second one:

ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
No such object (32)
Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int

Also what is strange is that I got the error only on one of the replicas, the other one went through without any hiccups.

Thanks for the help.

Davis

--
Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104
Cell: +1 (514) 994-7360
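The read-only check Martin suggested earlier in this thread, and the ldapmodify Davis asked about, as an added shell example (not code from the list posts or from FreeIPA): it reads the base-scope ldapsearch output of the userRoot backend entry, reports whether nsslapd-readonly is set, and emits the LDIF that clears the flag. The sample entry is constructed, and the "replace nsslapd-readonly with off" LDIF is an assumption about the fix rather than a command taken from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list posts. Checks whether the 389-ds
# userRoot backend behind a FreeIPA master is in read-only mode (the state
# behind the "database is read-only" error quoted in this thread) and
# produces the LDIF that ldapmodify needs to clear it.

# Backend entry DN, as in Martin's ldapsearch.
BACKEND_DN='cn=userRoot,cn=ldbm database,cn=plugins,cn=config'

# Constructed sample of what "ldapsearch -LLL ... -s base" returns for that
# entry when the database has been left read-only.
SAMPLE_READONLY_ENTRY='dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: nsBackendInstance
objectClass: top
cn: userRoot
nsslapd-suffix: dc=domain,dc=int
nsslapd-readonly: on
nsslapd-require-index: off'

# Read an LDIF entry on stdin and print the nsslapd-readonly value,
# "off" when the attribute is absent (the server default). LDAP attribute
# names are case-insensitive, so the comparison is done lower-cased.
readonly_state() {
    awk 'BEGIN { state = "off" }
         tolower($1) == "nsslapd-readonly:" { state = tolower($2) }
         END { print state }'
}

# Succeed when the entry on stdin describes a writable backend.
is_writable() {
    [ "$(readonly_state)" = "off" ]
}

# Emit the ldapmodify LDIF that clears the flag on the given backend DN
# (assumed fix: replace nsslapd-readonly with "off").
readonly_off_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsslapd-readonly\nnsslapd-readonly: off\n' \
        "${1:-$BACKEND_DN}"
}

# Query a live server and report. -W prompts for the Directory Manager
# password instead of passing it with -w, where it would be visible in
# process listings and shell history. Returns 0 writable, 1 read-only,
# 2 when the search itself failed (so a failed bind is not mistaken for
# a writable backend).
check_server() {
    host="$1"
    entry=$(ldapsearch -x -LLL -H "ldap://$host" -D "cn=Directory Manager" -W \
                -b "$BACKEND_DN" -s base) || {
        echo "$host: ldapsearch failed" >&2
        return 2
    }
    if printf '%s\n' "$entry" | is_writable; then
        echo "$host: userRoot is writable"
        return 0
    fi
    echo "$host: userRoot is read-only; clear it with:"
    echo "  readonly_off_ldif | ldapmodify -x -H ldap://$host -D 'cn=Directory Manager' -W"
    return 1
}

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_READONLY_ENTRY" | is_writable; then
    echo "sample: writable"
else
    echo "sample: read-only, LDIF to clear it:"
    readonly_off_ldif
fi
```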
From pspacek at redhat.com Wed May 21 12:17:32 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 21 May 2014 14:17:32 +0200
Subject: [Freeipa-users] be aware of name collision problem
In-Reply-To:
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com>
Message-ID: <537C995C.7040403@redhat.com>

Hello,

On 21.5.2014 13:31, Davis Goodman wrote:
> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b
> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"

Please note that domain shadowing/hijacking/name collisions are *strongly* discouraged.

You *should not* use domain names you don't own. (According to http://www.iana.org/cgi-bin/intreg/intreg.pl domain name 'ddistrict.int' is not registered. Policy for .int registration is on http://www.iana.org/domains/int/policy)

It will cause problems with DNSSEC and it also prevents you from accessing resources on the Internet under the colliding name.

I guess that you want to have an internal sub-tree in DNS.
The recommended practice is to use a sub-domain of your public (properly registered) domain. E.g.:

'int.digital-district.ca'
or even shorter
'i.digital-district.ca'

I hope this will help you to avoid serious problems in the future.

Have a nice day!

--
Petr^2 Spacek

From davis.goodman at digital-district.ca Wed May 21 13:46:00 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Wed, 21 May 2014 09:46:00 -0400
Subject: [Freeipa-users] be aware of name collision problem
In-Reply-To: <537C995C.7040403@redhat.com>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537C995C.7040403@redhat.com>
Message-ID: <6B9B5E4C-6C3D-485F-8651-4F48269337B4@digital-district.ca>

On May 21, 2014, at 8:17 , Petr Spacek wrote:

> Please note that domain shadowing/hijacking/name collisions are *strongly* discouraged.
>
> You *should not* use domain names you don't own. (According to
> http://www.iana.org/cgi-bin/intreg/intreg.pl
> domain name 'ddistrict.int' is not registered. Policy for .int registration is on http://www.iana.org/domains/int/policy)
>
> I guess that you want to have an internal sub-tree in DNS.
> The recommended practice is to use a sub-domain of your public (properly registered) domain.
>
> --
> Petr^2 Spacek

Hi Peter,

Gee, I didn't even know the .int was a public suffix domain. I guess we're kind of stuck with it now but it's good to know.

Thanks for the info.

Davis Goodman
Directeur Informatique | IT Manager
5605 Avenue de Gaspé, Suite 408 | Montréal, QC H2T 2A4
Tél: +1 (514) 360-3253 x104
Cell: +1 (514) 994-7360

From pspacek at redhat.com Wed May 21 13:58:06 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 21 May 2014 15:58:06 +0200
Subject: [Freeipa-users] be aware of name collision problem
In-Reply-To: <6B9B5E4C-6C3D-485F-8651-4F48269337B4@digital-district.ca>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537C995C.7040403@redhat.com> <6B9B5E4C-6C3D-485F-8651-4F48269337B4@digital-district.ca>
Message-ID: <537CB0EE.6000604@redhat.com>

On 21.5.2014 15:46, Davis Goodman wrote:
> Hi Peter,
>
> Gee, I didn't even know the .int was a public suffix domain. I guess we're kind
> of stuck with it now but it's good to know.

Oh yes, that is the reason why we strongly recommend people to use a sub-tree in *their* domain. That prevents such situations (e.g. when ICANN delegates new TLDs.)

Please see http://www.freeipa.org/page/Deployment_Recommendations and documents linked from that page for details.

Have a nice day!

--
Petr^2 Spacek

From bret.wortman at damascusgrp.com Wed May 21 14:41:48 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 21 May 2014 10:41:48 -0400
Subject: [Freeipa-users] New replica won't accept replication
Message-ID: <537CBB2C.3060507@damascusgrp.com>

This occurs on our first attempt to join as a replica. I've erased this box and rebaselined it but the same thing happens. No network ports being blocked that we know of, and another replica I created at the same time installed its replica file without issue.

asipa is the new replica, zsipa is the ca and original master on which the replica file was created.

  [24/34]: setting up initial replication
Starting replication, please wait until this has completed
Update in progress, 130 seconds elapsed
Update in progress yet not in progress

[ipamaster.foo.net] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Failed to start replication
#

/var/log/ipareplica-install.log contains this:

2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache url=ldaps://asipa.fopo.net:636 conn=
2014-05-21T14:31:08Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 663, in main
    ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds
    ca_file=config.dir + "/ca.crt",

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 360 in create_replica
    self.start_creation(runtime=60)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 373, in __setup_replica
    r_bindpw=self.dm_password()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 961, in setup_replication
    raise RuntimeError("Failed to start replication")

2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Failed to start replication

Any guidance on where to start looking?

--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

From rcritten at redhat.com Wed May 21 15:04:05 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 21 May 2014 11:04:05 -0400
Subject: [Freeipa-users] New replica won't accept replication
In-Reply-To: <537CBB2C.3060507@damascusgrp.com>
References: <537CBB2C.3060507@damascusgrp.com>
Message-ID: <537CC065.3040404@redhat.com>

Bret Wortman wrote:
> This occurs on our first attempt to join as a replica. I've erased this
> box and rebaselined it but the same thing happens. No network ports
> being blocked that we know of, and another replica I created at the same
> time installed its replica file without issue.
>
> asipa is the new replica, zsipa is the ca and original master on which
> the replica file was created.
>
> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update
> abortedLDAP error: Referral]
>
> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed,
> exception: RuntimeError: Failed to start replication
>
> Any guidance on where to start looking?

Check the 389-ds access and error logs on both masters.

rob

From bret.wortman at damascusgrp.com Wed May 21 15:40:57 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 21 May 2014 11:40:57 -0400
Subject: [Freeipa-users] New replica won't accept replication
In-Reply-To: <537CC065.3040404@redhat.com>
References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com>
Message-ID: <537CC909.1060905@damascusgrp.com>

On the new replica (asipa) I see in the access log almost 5000 entries like this:

[21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry"
[21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 nentries=0 etime=0

And these just repeat, increasing the "op" value until they terminate with this one. The rest of it just looks like informational messages.

Over on zsipa (the CA master), errors contains:

[21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten (set replication log for additional info)
[21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate schema: rc=1

These two lines repeat at intervals for a while. Nothing else leapt out at me.

On 05/21/2014 11:04 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update
>> abortedLDAP error: Referral]
>>
>> Any guidance on where to start looking?
> Check the 389-ds access and error logs on both masters.
>
> rob
Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From bret.wortman at damascusgrp.com Wed May 21 15:49:02 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 21 May 2014 11:49:02 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <537CC909.1060905@damascusgrp.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> Message-ID: <537CCAEE.5070801@damascusgrp.com> ...but it did at least look like they were talking, right? Some level of replication was happening: (before the Netscape Replication Total update Entry began running away with the logfile): [21/May/2014:10:28:52 -0400] conn=2 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [21/May/2014:10:28:53 -0400] conn=2 op=3 MOD dn="cn=IPA Version Replication,cn=Plugins,cn=config" [21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0 etime=0 [21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND On 05/21/2014 11:40 AM, Bret Wortman wrote: > On the new replica (asipa) I see in the access log almost 5000 entries > like this: > > [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT > oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update > Entry" > [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 > nentries=0 etime=0 > > And these just repeat, increasing the "op" value until they terminate > with this one. The rest of it just looks like informational messages. > > Over on zsipa (the CA master), errors contains: > > [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema > agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set > replication log for additional info) > [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - > agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate > schema: rc=1 > > These two lines repeat at intervals for a while. > > Nothing else leapt out at me. 
> > > > On 05/21/2014 11:04 AM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> This occurs on our first attempt to join as a replica. I've erased this >>> box and rebaselined it but the same thing happens. No network ports >>> being blocked that we know of, and another replica I created at the >>> same >>> time installed its replica file without issue. >>> >>> asipa is the new replica, zsipa is the ca and original master on which >>> the replica file was created. >>> >>> [24/34]: setting up initial replication >>> Starting replication, please wait until this has completed >>> Update in progress, 130 seconds elapsed >>> Update in progress yet not in progress >>> >>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>> abortedLDAP error: Referral] >>> >>> >>> Your system may be partly configured. >>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>> >>> Failed to start replication >>> # >>> >>> /var/log/ipareplica-install.log contains this: >>> >>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>> url=ldaps://asipa.fopo.net:636 conn=>> instance at 0x4faf170> >>> 2014-05-21T14:31:08Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>> line 638, in run_script >>> return_value = main_function() >>> >>> File "/usr/sbin/ipa-replica-install", line 663, in main >>> ds = install_replica_ds(config) >>> >>> File "/usr/sbin/ipa-replica-install", line 188, in >>> install_replica_ds >>> ca_file=config.dir + "/ca.crt", >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>> line >>> 360 in create_replica >>> self.start_creation(runtime=60) >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 364, in start_creation >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>> line >>> 373, in __setup_replica >>> r_bindpw=self.dm_password() >>> >>> File >>> 
"/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 961, in setup_replication >>> raise RuntimeError("Failed to start replication") >>> >>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, >>> exception: RuntimeError: Failed to start replication >>> >>> Any guidance on where to start looking? >> Check the 389-ds access and error logs on both masters. >> >> rob >> > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From mkosek at redhat.com Wed May 21 16:06:15 2014 From: mkosek at redhat.com (Martin Kosek) Date: Wed, 21 May 2014 18:06:15 +0200 Subject: [Freeipa-users] Stock with a Master in read-only mode In-Reply-To: References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> Message-ID: <537CCEF7.8020808@redhat.com> On 05/21/2014 01:31 PM, Davis Goodman wrote: > > > > > > > On May 21, 2014, at 6:54 , Martin Kosek > wrote: > >> On 05/21/2014 09:12 AM, Davis Goodman wrote: >>> >>> >>> >>> >>> On May 21, 2014, at 2:45 , Martin Kosek >> > wrote: >>> >>>> On 05/21/2014 08:36 AM, Davis Goodman wrote: >>>>> Hi, >>>>> >>>>> Lately I?ve been having issues of replication between my server and my 2 >>>>> replicas. >>>>> >>>>> I decided I was going to delete my 2 replicas and start over keeping my >>>>> master intact. >>>>> >>>>> I wasn`t successfull in getting all 3 servers to replicate to each other. ( >>>>> it used to work) >>>>> >>>>> I tried deleting 1 replica after the other one to always keep one of the >>>>> two available. 
>>>>> >>>>> I had to delete manually the replica host on the master with a bunch of >>>>> ldapdelete commands which worked fine. >>>>> >>>>> But after many unsuccessful trials of getting everyone to sync I decided to >>>>> delete my two replicas. >>>>> >>>>> I went back to my master to use the ldapdelete to remove both hosts' >>>>> records so that I could start over. >>>>> >>>>> Unfortunately now I'm getting this error. >>>>> >>>>> ldapdelete -x -D "cn=Directory Manager" -W >>>>> cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int >>>>> Enter LDAP Password: >>>>> ldap_delete: Server is unwilling to perform (53) >>>>> additional info: database is read-only >>>>> >>>>> >>>>> >>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup >>>>> prior to the start of the operation but with a master in read-only mode it >>>>> wouldn't be of much help. >>>>> >>>>> Any insights would be more than welcome. >>>>> >>>>> >>>>> Davis >>>> >>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an >>>> operation, or was an upgrade interrupted and left the database in read-only >>>> mode? >>>> >>>> You can find out with this ldapsearch: >>>> >>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b >>>> 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base >>>> >>>> Check for nsslapd-readonly, it should be set to "off" in normal operation. >>>> >>>> Martin >>> Ok, I finally managed to modify the read-only flag. >>> >>> I could prepare my replicas and get them going. >>> >>> Everything seems fine but I'm getting this error while setting up the >>> replicas. 
Should I be concerned about this one: >>> >>> Update in progress >>> Update in progress >>> Update in progress >>> Update in progress >>> Update in progress >>> Update in progress >>> Update succeeded >>> [23/31]: adding replication acis >>> [24/31]: setting Auto Member configuration >>> [25/31]: enabling S4U2Proxy delegation >>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command >>> '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H >>> ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y >>> /tmp/tmp4Svn9k' returned non-zero exit status 20 >>> [26/31]: initializing group membership >>> [27/31]: adding master entry >>> [28/31]: configuring Posix uid/gid generation >>> >>> >>> >>> the rest seems to work fine. >> >> You need to check ipareplica-install.log to see the real error. >> >> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and >> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist. >> >> Martin >> > > The first one is there: > > ldapsearch -D "cn=Directory Manager" -W -LLL -x -b > cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"" > dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int > ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr > ict,dc=int > ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistr > ict,dc=int > memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT > > memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT > > memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT > > memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT > > memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT > > memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT > > cn: ipa-http-delegation > objectClass: ipaKrb5DelegationACL > objectClass: groupOfPrincipals > objectClass: top > > > But not the second one: > > ldapsearch -D "cn=Directory Manager" 
-W -LLL -x -b > cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"" > No such object (32) > Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int > > > Also what is strange is that I got the error only on one of the replicas, the > other one went through without any hiccups. Ok, I think I misguided you with the second DN, the real DN should be "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int", see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded. The key here is to check the error message of ldapmodify that was run on the failing replica, try to search in /var/log/ipareplica-install.log. Martin From dpal at redhat.com Wed May 21 19:01:27 2014 From: dpal at redhat.com (Dmitri Pal) Date: Wed, 21 May 2014 15:01:27 -0400 Subject: [Freeipa-users] Have existing wildcard SSL from RapidSSL how to implement? In-Reply-To: References: <5379AC3E.8040309@redhat.com> Message-ID: <537CF807.5060800@redhat.com> On 05/19/2014 06:43 AM, Chris Whittle wrote: > > All I am trying to fix right now is so when the user comes to the web > ui they have a valid cert. > Then you need to put the IPA cert into the trusted cert store. Its location depends upon the version of the client system you are using. > On May 19, 2014 2:01 AM, "Martin Kosek" > wrote: > > On 05/17/2014 04:22 AM, Chris Whittle wrote: > > I have an existing key and crt that has been successfully > installed on other > > subdomain servers... Where is the best place to start? > > To start what? :-) Without knowing what you want to achieve, I > would like to > point you to our training presentation describing different > FreeIPA Certificate > infrastructure integration procedures: > > http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf > > I would like to especially point you to the CA-less integration type. 
> > HTH, > Martin > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Wed May 21 20:24:51 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 May 2014 16:24:51 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <537CCAEE.5070801@damascusgrp.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> <537CCAEE.5070801@damascusgrp.com> Message-ID: <537D0B93.9060901@redhat.com> Bret Wortman wrote: > ...but it did at least look like they were talking, right? Some level of > replication was happening: > > (before the Netscape Replication Total update Entry began running away > with the logfile): > > [21/May/2014:10:28:52 -0400] conn=2 op=2 RESULT err=0 tag=101 nentries=1 > etime=0 > [21/May/2014:10:28:53 -0400] conn=2 op=3 MOD dn="cn=IPA Version > Replication,cn=Plugins,cn=config" > [21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0 > etime=0 > [21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND That is just a failsafe so if we ever put incompatible data into an IPA server we can prevent it from polluting other servers. We fortunately haven't needed this. rob > > On 05/21/2014 11:40 AM, Bret Wortman wrote: >> On the new replica (asipa) I see in the access log almost 5000 entries >> like this: >> >> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT >> oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update >> Entry" >> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 >> nentries=0 etime=0 >> >> And these just repeat, increasing the "op" value until they terminate >> with this one. 
The rest of it just looks like informational messages. >> >> Over on zsipa (the CA master), errors contains: >> >> [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema >> agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set >> replication log for additional info) >> [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - >> agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate >> schema: rc=1 >> >> These two lines repeat at intervals for a while. >> >> Nothing else leapt out at me. >> >> >> >> On 05/21/2014 11:04 AM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> This occurs on our first attempt to join as a replica. I've erased this >>>> box and rebaselined it but the same thing happens. No network ports >>>> being blocked that we know of, and another replica I created at the >>>> same >>>> time installed its replica file without issue. >>>> >>>> asipa is the new replica, zsipa is the ca and original master on which >>>> the replica file was created. >>>> >>>> [24/34]: setting up initial replication >>>> Starting replication, please wait until this has completed >>>> Update in progress, 130 seconds elapsed >>>> Update in progress yet not in progress >>>> >>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>>> abortedLDAP error: Referral] >>>> >>>> >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. 
>>>> >>>> Failed to start replication >>>> # >>>> >>>> /var/log/ipareplica-install.log contains this: >>>> >>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>>> url=ldaps://asipa.fopo.net:636 conn=>>> instance at 0x4faf170> >>>> 2014-05-21T14:31:08Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>> line 638, in run_script >>>> return_value = main_function() >>>> >>>> File "/usr/sbin/ipa-replica-install", line 663, in main >>>> ds = install_replica_ds(config) >>>> >>>> File "/usr/sbin/ipa-replica-install", line 188, in >>>> install_replica_ds >>>> ca_file=config.dir + "/ca.crt", >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>>> line >>>> 360 in create_replica >>>> self.start_creation(runtime=60) >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 364, in start_creation >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", >>>> line >>>> 373, in __setup_replica >>>> r_bindpw=self.dm_password() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 961, in setup_replication >>>> raise RuntimeError("Failed to start replication") >>>> >>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, >>>> exception: RuntimeError: Failed to start replication >>>> >>>> Any guidance on where to start looking? >>> Check the 389-ds access and error logs on both masters. 
>>> >>> rob >>> >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > From rcritten at redhat.com Wed May 21 20:26:59 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 May 2014 16:26:59 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <537CC909.1060905@damascusgrp.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> Message-ID: <537D0C13.3080002@redhat.com> Bret Wortman wrote: > On the new replica (asipa) I see in the access log almost 5000 entries > like this: > > [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT > oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry" > [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 > nentries=0 etime=0 > > And these just repeat, increasing the "op" value until they terminate > with this one. The rest of it just looks like informational messages. How long does this take? Is there time to enable replication debugging? That may provide more output. > > Over on zsipa (the CA master), errors contains: > > [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema > agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set > replication log for additional info) > [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - > agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate > schema: rc=1 I don't think this is related. I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage list -v `hostname` on the master you generated the replica install file on to see what agreements it has or thinks it has. rob > > These two lines repeat at intervals for a while. > > Nothing else leapt out at me. > > > > On 05/21/2014 11:04 AM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> This occurs on our first attempt to join as a replica. 
I've erased this >>> box and rebaselined it but the same thing happens. No network ports >>> being blocked that we know of, and another replica I created at the same >>> time installed its replica file without issue. >>> >>> asipa is the new replica, zsipa is the ca and original master on which >>> the replica file was created. >>> >>> [24/34]: setting up initial replication >>> Starting replication, please wait until this has completed >>> Update in progress, 130 seconds elapsed >>> Update in progress yet not in progress >>> >>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>> abortedLDAP error: Referral] >>> >>> >>> Your system may be partly configured. >>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>> >>> Failed to start replication >>> # >>> >>> /var/log/ipareplica-install.log contains this: >>> >>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>> url=ldaps://asipa.fopo.net:636 conn=>> instance at 0x4faf170> >>> 2014-05-21T14:31:08Z DEBUG File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>> line 638, in run_script >>> return_value = main_function() >>> >>> File "/usr/sbin/ipa-replica-install", line 663, in main >>> ds = install_replica_ds(config) >>> >>> File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds >>> ca_file=config.dir + "/ca.crt", >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>> 360 in create_replica >>> self.start_creation(runtime=60) >>> >>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>> line 364, in start_creation >>> method() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>> 373, in __setup_replica >>> r_bindpw=self.dm_password() >>> >>> File >>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>> line 961, in setup_replication >>> raise RuntimeError("Failed to start replication") >>> >>> 2014-0521T14:31:08Z 
DEBUG The ipa-replica-install command failed, >>> exception: RuntimeError: Failed to start replication >>> >>> Any guidance on where to start looking? >> Check the 389-ds access and error logs on both masters. >> >> rob >> > > From bret.wortman at damascusgrp.com Wed May 21 21:10:55 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Wed, 21 May 2014 17:10:55 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <537D0C13.3080002@redhat.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> <537D0C13.3080002@redhat.com> Message-ID: <24205996-80DE-42BD-90B3-93844523E251@damascusgrp.com> It takes about 2 minutes. How would you like me to turn debugging on? Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman > On May 21, 2014, at 4:26 PM, Rob Crittenden wrote: > > Bret Wortman wrote: >> On the new replica (asipa) I see in the access log almost 5000 entries >> like this: >> >> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT >> oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry" >> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 >> nentries=0 etime=0 >> >> And these just repeat, increasing the "op" value until they terminate >> with this one. The rest of it just looks like informational messages. > > How long does this take? Is there time to enable replication debugging? > That may provide more output. > >> >> Over on zsipa (the CA master), errors contains: >> >> [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema >> agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set >> replication log for additional info) >> [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - >> agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate >> schema: rc=1 > > I don't think this is related. 
> > I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage > list -v `hostname` on the master you generated the replica install file > on to see what agreements it has or thinks it has. > > rob > >> >> These two lines repeat at intervals for a while. >> >> Nothing else leapt out at me. >> >> >> >>> On 05/21/2014 11:04 AM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> This occurs on our first attempt to join as a replica. I've erased this >>>> box and rebaselined it but the same thing happens. No network ports >>>> being blocked that we know of, and another replica I created at the same >>>> time installed its replica file without issue. >>>> >>>> asipa is the new replica, zsipa is the ca and original master on which >>>> the replica file was created. >>>> >>>> [24/34]: setting up initial replication >>>> Starting replication, please wait until this has completed >>>> Update in progress, 130 seconds elapsed >>>> Update in progress yet not in progress >>>> >>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>>> abortedLDAP error: Referral] >>>> >>>> >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. 
>>>> >>>> Failed to start replication >>>> # >>>> >>>> /var/log/ipareplica-install.log contains this: >>>> >>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>>> url=ldaps://asipa.fopo.net:636 conn=>>> instance at 0x4faf170> >>>> 2014-05-21T14:31:08Z DEBUG File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>> line 638, in run_script >>>> return_value = main_function() >>>> >>>> File "/usr/sbin/ipa-replica-install", line 663, in main >>>> ds = install_replica_ds(config) >>>> >>>> File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds >>>> ca_file=config.dir + "/ca.crt", >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>> 360 in create_replica >>>> self.start_creation(runtime=60) >>>> >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line 364, in start_creation >>>> method() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>> 373, in __setup_replica >>>> r_bindpw=self.dm_password() >>>> >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>> line 961, in setup_replication >>>> raise RuntimeError("Failed to start replication") >>>> >>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, >>>> exception: RuntimeError: Failed to start replication >>>> >>>> Any guidance on where to start looking? >>> Check the 389-ds access and error logs on both masters. >>> >>> rob > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 2346 bytes Desc: not available URL: From rcritten at redhat.com Thu May 22 02:19:11 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Wed, 21 May 2014 22:19:11 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <24205996-80DE-42BD-90B3-93844523E251@damascusgrp.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> <537D0C13.3080002@redhat.com> <24205996-80DE-42BD-90B3-93844523E251@damascusgrp.com> Message-ID: <537D5E9F.60102@redhat.com> Bret Wortman wrote: > It takes about 2 minutes. How would you like me to turn debugging on? http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting I'm not sure if you should enable this on both sides of the agreement or not. If you have the ability and don't mind potentially slowing down the working master it might be useful to the 389-ds guys. rob > > > Bret Wortman > http://bretwortman.com/ > http://twitter.com/BretWortman > >> On May 21, 2014, at 4:26 PM, Rob Crittenden wrote: >> >> Bret Wortman wrote: >>> On the new replica (asipa) I see in the access log almost 5000 entries >>> like this: >>> >>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT >>> oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry" >>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> >>> And these just repeat, increasing the "op" value until they terminate >>> with this one. The rest of it just looks like informational messages. >> >> How long does this take? Is there time to enable replication debugging? >> That may provide more output. 
>> >>> >>> Over on zsipa (the CA master), errors contains: >>> >>> [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema >>> agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set >>> replication log for additional info) >>> [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - >>> agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate >>> schema: rc=1 >> >> I don't think this is related. >> >> I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage >> list -v `hostname` on the master you generated the replica install file >> on to see what agreements it has or thinks it has. >> >> rob >> >>> >>> These two lines repeat at intervals for a while. >>> >>> Nothing else leapt out at me. >>> >>> >>> >>>> On 05/21/2014 11:04 AM, Rob Crittenden wrote: >>>> Bret Wortman wrote: >>>>> This occurs on our first attempt to join as a replica. I've erased this >>>>> box and rebaselined it but the same thing happens. No network ports >>>>> being blocked that we know of, and another replica I created at the same >>>>> time installed its replica file without issue. >>>>> >>>>> asipa is the new replica, zsipa is the ca and original master on which >>>>> the replica file was created. >>>>> >>>>> [24/34]: setting up initial replication >>>>> Starting replication, please wait until this has completed >>>>> Update in progress, 130 seconds elapsed >>>>> Update in progress yet not in progress >>>>> >>>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>>>> abortedLDAP error: Referral] >>>>> >>>>> >>>>> Your system may be partly configured. >>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. 
>>>>> >>>>> Failed to start replication >>>>> # >>>>> >>>>> /var/log/ipareplica-install.log contains this: >>>>> >>>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>>>> url=ldaps://asipa.fopo.net:636 conn=>>>> instance at 0x4faf170> >>>>> 2014-05-21T14:31:08Z DEBUG File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>> line 638, in run_script >>>>> return_value = main_function() >>>>> >>>>> File "/usr/sbin/ipa-replica-install", line 663, in main >>>>> ds = install_replica_ds(config) >>>>> >>>>> File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds >>>>> ca_file=config.dir + "/ca.crt", >>>>> >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>> 360 in create_replica >>>>> self.start_creation(runtime=60) >>>>> >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line 364, in start_creation >>>>> method() >>>>> >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>> 373, in __setup_replica >>>>> r_bindpw=self.dm_password() >>>>> >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>>> line 961, in setup_replication >>>>> raise RuntimeError("Failed to start replication") >>>>> >>>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, >>>>> exception: RuntimeError: Failed to start replication >>>>> >>>>> Any guidance on where to start looking? >>>> Check the 389-ds access and error logs on both masters. >>>> >>>> rob >> From sbose at redhat.com Thu May 22 12:19:54 2014 From: sbose at redhat.com (Sumit Bose) Date: Thu, 22 May 2014 14:19:54 +0200 Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together In-Reply-To: References: Message-ID: <20140522121954.GJ4640@localhost.localdomain> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote: > Hello, > > I need some help with getting Samba and FreeIPA working together. 
> > I've been following the guide at > http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but > that seems quite out of date for IPAv3 and I need some help: Yes, it is a bit outdated but still useful. Please note that we are currently working on making the integration of Samba easier. Recently I sent a patch to the samba-technical mailing list with a library which would allow Samba to use SSSD instead of winbind to look up users and SID-to-name mapping. Alexander is planning to go through the ipasam modules to see how to make integration with Samba file-servers easier. But coming back to your questions. > > 1. The guide deals with setting a Samba server SID for one Samba > server, but as we have multiple stand-alone Samba3 servers, which SID > do I use to create the DNA plugin? Can I enter more than 1 SID? Can I > have more than 1 plugin (seems unlikely)? 'net getlocalsid' returns the domain SID and since all your Samba file-servers are members of the IPA domain you can use a common SID here. With IPAv3 SID generation for users and groups is even easier because you can get it for free by running ipa-adtrust-install (please use the option --add-sids) if you already have users and groups in your IPA server. This prepares the IPA server to be able to create trust relationships to Active Directory and one requirement here is that all users and groups have a SID. 'ipa-adtrust-install' will also create a domain SID. 'ipa trustconfig-show' will show the domain SID together with the DNS domain name and the NetBIOS domain name. On your Samba server you should set 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA server after running ipa-adtrust-install for a config example). Additionally on your Samba servers you have to set the domain SID in /var/lib/samba/private/secrets.tdb with tdbtool.
You will need 3 keys with the same SID:
SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf
SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in smb.conf
SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in smb.conf
The SID has to be given in a special binary format. The easiest way to get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the IPA server after running ipa-adtrust-install. The domain SID will always start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence as data for the insert command of tdbtool. Now everything should be done with respect to SID handling. > > 2. There's no '/usr/share/ipa/ui/group.js' file to patch in > IPAv3. What do I need to patch instead? > > I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which > shows the need is there but I could do with getting it working ASAP. group.js is compiled with the other UI files in /usr/share/ipa/ui/js/freeipa/app.js (see install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources for details). For your convenience I copied some section here: "The compiled Web UI layer is located in `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from source git repository in `install/ui/src/freeipa/` directory to the `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js` file). By doing that, next reload of Web UI will use source files (clearing browser cache may be required). After that all JavaScript errors will contain proper source code name and line number." > > I may be missing something obvious but some help would be greatly appreciated! I hope my comments will help you. Feel free to ask for more help if needed. It would be nice to hear from any success as well. bye, Sumit > > Thanks, > > Dylan.
> > Background: > > Brief: Need to expand from the current single-office-ish NIS/YP scheme > to a multi-location/multi-national auth scheme which FreeIPA seems > ideally suited for. > > > Requirement: To continue to provide console/SSH and GUI/X logins to > Linux hosts, access to home and project directories via NFS from the > Linux machines using autofs/automount and access to Samba file-shares > from Windows machines but not using AD creds as this is a totally > separate environment. Several locations will each have a FreeIPA > replica server, NFS/Samba fileserver and "application" server. > Currently use 2 passwords for each user (one for NIS, one for Samba) > and need to consolidate to one password for everything. > > > Progress: Linux-based NFS stuff working fine: automount of home and > project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs > as a prototyping environment but will probably use RHEL/CentOS 7 when > available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and > 3.3.5 on Fedora 20. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From bret.wortman at damascusgrp.com Thu May 22 13:18:23 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 09:18:23 -0400 Subject: [Freeipa-users] openldap certs? Message-ID: <537DF91F.4030703@damascusgrp.com> Where should my clients be getting the contents of /etc/openldap/certs from? I've got one network where my IPA authentications are blazing fast and one where they're ... not. On the slower one, clients' /etc/openldap/certs directories are either missing or empty; on the faster network, clients have certs in these directories. Is this important, and if so what could be going wrong on my slower network that might cause the certs to not get distributed or created properly?
-- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret From pvoborni at redhat.com Thu May 22 13:19:06 2014 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 22 May 2014 15:19:06 +0200 Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together In-Reply-To: <20140522121954.GJ4640@localhost.localdomain> References: <20140522121954.GJ4640@localhost.localdomain> Message-ID: <537DF94A.4000601@redhat.com> On 22.5.2014 14:19, Sumit Bose wrote: > On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote: >> Hello, >> >> I need some help with getting Samba and FreeIPA working together. >> >> I've been following the guide at >> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but >> that seems quite out of date for IPAv3 and I need some help: > > yes, it is a bit outdated but still useful. Please note that we are > currently working on making the integration of Samba easier. Recently > I sent a patch to the samba-technical mailing list with a library which > would allow Samba to use SSSD instead of winbind to look up users and > SID-to-name mapping. Alexander is planning to go through the ipasam > modules to see how to make integration with Samba file-servers easier. > > But coming back to your questions. > >> >> 1. The guide deals with setting a Samba server SID for one Samba >> server, but as we have multiple stand-alone Samba3 servers, which SID >> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I >> have more than 1 plugin (seems unlikely)?
> > 'net getlocalsid' returns the domain SID and since all your Samba > file-servers are members of the IPA domain you can use a common SID here. > > With IPAv3 SID generation for users and groups is even easier because > you can get it for free by running ipa-adtrust-install (please use the > option --add-sids) if you already have users and groups in your IPA > server. This prepares the IPA server to be able to create trust > relationships to Active Directory and one requirement here is that all > users and groups have a SID. > > 'ipa-adtrust-install' will also create a domain SID. 'ipa > trustconfig-show' will show the domain SID together with the DNS domain > name and the NetBIOS domain name. On your Samba server you should set > 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA > server after running ipa-adtrust-install for a config example). > > Additionally on your Samba servers you have to set the domain SID in > /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3 > keys with the same SID > > SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf > SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in > smb.conf > SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in > smb.conf > > The SID has to be given in a special binary format. The easiest way to > get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the > IPA server after running ipa-adtrust-install. The domain SID will always > start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence > as data for the insert command of tdbtool. > > Now everything should be done with respect to SID handling. > >> >> 2. There's no '/usr/share/ipa/ui/group.js' file to patch in >> IPAv3. What do I need to patch instead? >> >> I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which >> shows the need is there but I could do with getting it working ASAP.
> > group.js is compiled with the other UI files in > /usr/share/ipa/ui/js/freeipa/app.js (see > install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources > for details). For your convenience I copied some section here: > > "The compiled Web UI layer is located in > `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from > source git repository in `install/ui/src/freeipa/` directory to the > `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js` > file). By doing that, next reload of Web UI will use source files > (clearing browser cache may be required). After that all JavaScript > errors will contain proper source code name and line number." A better approach is to create a custom UI plugin which would add those fields. Since it's only 3 fields, I created an example which works on FreeIPA 4.0 and theoretically it should work on 3.2 as well: http://pvoborni.fedorapeople.org/plugins/samba/samba.js Put the file into the `/usr/share/ipa/ui/js/plugins/samba` directory. I did not test it with the backend (no labels + doesn't do anything). More about plugin development: * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins Creating a CLI plugin is IMO also a better approach. > >> >> I may be missing something obvious but some help would be greatly appreciated! > > I hope my comments will help you. Feel free to ask for more help if > needed. It would be nice to hear from any success as well. > > bye, > Sumit > >> >> Thanks, >> >> Dylan. >> >> Background: >> >> Brief: Need to expand from the current single-office-ish NIS/YP scheme >> to a multi-location/multi-national auth scheme which FreeIPA seems >> ideally suited for.
>> >> >> Requirement: To continue to provide console/SSH and GUI/X logins to >> Linux hosts, access to home and project directories via NFS from the >> Linux machines using autofs/automount and access to Samba file-shares >> from Windows machines but not using AD creds as this is a totally >> separate environment. Several locations will each have a FreeIPA >> replica server, NFS/Samba fileserver and "application" server. >> Currently use 2 passwords for each user (one for NIS, one for Samba) >> and need to consolidate to one password for everything. >> >> >> Progress: Linux-based NFS stuff working fine: automount of home and >> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs >> as a prototyping environment but will probably use RHEL/CentOS 7 when >> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and >> 3.3.5 on Fedora 20. >> -- Petr Vobornik From rcritten at redhat.com Thu May 22 13:36:47 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 22 May 2014 09:36:47 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537DF91F.4030703@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> Message-ID: <537DFD6F.8020002@redhat.com> Bret Wortman wrote: > Where should my clients be getting the contents of /etc/openldap/certs from? > > I've got one network where my IPA authentications are blazing fast and > one where they're ... not. On the slower one, clients' > /etc/openldap/certs directories are either missing or empty; on the > faster network, clients have certs in these directories. > > Is this important, and if so what could be going wrong on my slower > network that might cause the certs to not get distributed or created > properly? These are not the droids you are looking for... Can you clarify what you mean by IPA authentications? sssd should be handling that, and while a first auth over a slow link might be slow subsequent usage should be quite fast.
rob From bret.wortman at damascusgrp.com Thu May 22 13:43:14 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 09:43:14 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537DFD6F.8020002@redhat.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> Message-ID: <537DFEF2.5020602@damascusgrp.com> What we're seeing is slow GDM logins, ssh authentications, and "sudo -i" responses on this network. On our other, these things are all blazing fast. Here, they're on the order of 5-10 seconds. And it doesn't seem to improve (much) with age or time, except perhaps anecdotally. At best, a second connection might be a second faster, but will revert within an hour or so. On 05/22/2014 09:36 AM, Rob Crittenden wrote: > Bret Wortman wrote: >> Where should my clients be getting the contents of /etc/openldap/certs from? >> >> I've got one network where my IPA authentications are blazing fast and >> one where they're ... not. On the slower one, clients' >> /etc/openldap/certs directories are either missing or empty; on the >> faster network, clients have certs in these directories. >> >> Is this important, and if so what could be going wrong on my slower >> network that might cause the certs to not get distributed or created >> properly? > These are not the droids you are looking for... > > Can you clarify what you mean by IPA authentications? sssd should be > handling that, and while a first auth over a slow link might be slow > subsequent usage should be quite fast. > > rob From dpal at redhat.com Thu May 22 14:15:10 2014 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 22 May 2014 10:15:10 -0400 Subject: [Freeipa-users] openldap certs?
In-Reply-To: <537DFEF2.5020602@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> Message-ID: <537E066E.3010301@redhat.com> On 05/22/2014 09:43 AM, Bret Wortman wrote: > What we're seeing is slow GDM logins, ssh authentications, and "sudo > -i" responses on this network. On our other, these things are all > blazing fast. Here, they're on the order of 5-10 seconds. And it > doesn't seem to improve (much) with age or time, except perhaps > anecdotally. At best, a second connection might be a second faster, > but will revert within an hour or so. > Have you compared sssd.conf from clients in these two networks? Do you use enumeration? Increasing debug level and looking at the logs will help you to understand what part takes most time. These logs will be helpful for you/us to see if/what the problem is/are. > > On 05/22/2014 09:36 AM, Rob Crittenden wrote: >> Bret Wortman wrote: >>> Where should my clients be getting the contents of >>> /etc/openldap/certs from? >>> >>> I've got one network where my IPA authentications are blazing fast and >>> one where they're ... not. On the slower one, clients' >>> /etc/openldap/certs directories are either missing or empty; on the >>> faster network, clients have certs in these directories. >>> >>> Is this important, and if so what could be going wrong on my slower >>> network that might cause the certs to not get distributed or created >>> properly? >> These are not the droids you are looking for... >> >> Can you clarify what you mean by IPA authentications? sssd should be >> handling that, and while a first auth over a slow link might be slow >> subsequent usage should be quite fast. >> >> rob -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.
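Sumit's note earlier in this thread on the secrets.tdb keys spells out the binary SID layout almost completely: the \01\04\00\00\00\00\00\05\15 prefix he quotes is a revision byte (1), a sub-authority count (4), the 48-bit big-endian identifier authority (5) and the first little-endian sub-authority (21 = 0x15). As an added example, not part of the thread and not Samba's or FreeIPA's own tooling, the following Python converts between the textual S-1-5-21-... form and that binary form, renders it in the \XX notation tdbdump prints, and emits the three tdbtool insert commands for the SECRETS/SID/ keys (upper-cased, as in Sumit's key names). The 68-byte zero padding is my assumption about Samba's on-disk layout (its fixed-size struct dom_sid has room for 15 sub-authorities), and the sample SID, workgroup, realm and NetBIOS name are constructed.

```python
import re
import struct

# Assumption (not stated in the thread): Samba writes the domain SID as its
# fixed-size struct dom_sid, which has 15 sub-authority slots and is therefore
# 1 + 1 + 6 + 15 * 4 = 68 bytes; unused slots are zero.
DOM_SID_SIZE = 68

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary form stored in secrets.tdb."""
    m = _SID_RE.match(sid.strip())
    if m is None:
        raise ValueError("not a SID string: %r" % (sid,))
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID component out of range")
    # revision, sub-authority count, 48-bit big-endian identifier authority,
    # then each sub-authority as a 32-bit little-endian integer.  For
    # S-1-5-21-... this gives the \01\04\00\00\00\00\00\05\15 prefix that
    # Sumit points out in the tdbdump output.
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    blob += b"".join(struct.pack("<I", s) for s in subs)
    return blob


def bytes_to_sid(blob):
    """Decode the binary form back to text; trailing zero padding is ignored."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or not 1 <= count <= 15 or len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def tdb_escape(data):
    """Render bytes the way tdbdump prints them: printable ASCII as-is,
    everything else (plus the quote and the backslash) as \\XX."""
    out = []
    for b in data:
        if 0x20 <= b <= 0x7E and b not in (0x22, 0x5C):
            out.append(chr(b))
        else:
            out.append("\\%02X" % b)
    return "".join(out)


def secrets_tdb_commands(sid, workgroup, realm, netbios_name,
                         path="/var/lib/samba/private/secrets.tdb"):
    """The three inserts from Sumit's note: one SECRETS/SID/<name> key per
    name (workgroup, realm, netbios name), all carrying the same domain SID."""
    data = tdb_escape(sid_to_bytes(sid).ljust(DOM_SID_SIZE, b"\x00"))
    return ['tdbtool %s insert "SECRETS/SID/%s" "%s"' % (path, name.upper(), data)
            for name in (workgroup, realm, netbios_name)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for cmd in secrets_tdb_commands("S-1-5-21-1111111111-2222222222-3333333333",
                                    "EXAMPLE", "example.test", "fileserver1"):
        print(cmd)
```

Before writing anything into a file-server's secrets.tdb, compare the generated data against what tdbdump shows on the IPA server after ipa-adtrust-install, as Sumit suggests: the prefix and the sub-authorities must match, and the total length tells you whether the padded 68-byte form is what your Samba build stores.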
From bret.wortman at damascusgrp.com Thu May 22 14:36:45 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 10:36:45 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E066E.3010301@redhat.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> Message-ID: <537E0B7D.4030006@damascusgrp.com> I found that our slower system was using FQDNs for the list of IPA servers; our faster system was using IPs. I'm switching now, letting Puppet distribute the update and will see if it helps. By enumeration, do you mean are we spelling out our IPA servers? Yes. We only have 3 and they look something like this:

[domain/foo.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rm266ws-a.foo.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = foo.net

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]

On the other hand, if you meant something else, then I hope the answer's in the file. ;-) On 05/22/2014 10:15 AM, Dmitri Pal wrote: > On 05/22/2014 09:43 AM, Bret Wortman wrote: >> What we're seeing is slow GDM logins, ssh authentications, and "sudo >> -i" responses on this network. On our other, these things are all >> blazing fast. Here, they're on the order of 5-10 seconds. And it >> doesn't seem to improve (much) with age or time, except perhaps >> anecdotally. At best, a second connection might be a second faster, >> but will revert within an hour or so. >> > > Have you compared sssd.conf from clients in these two networks? > Do you use enumeration?
> > Increasing debug level and looking at the logs will help you to > understand what part takes most time. These logs will be helpful for > you/us to see if/what the problem is/are. > >> >> On 05/22/2014 09:36 AM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> Where should my clients be getting the contents of >>>> /etc/openldap/certs from? >>>> >>>> I've got one network where my IPA authentications are blazing fast and >>>> one where they're ... not. On the slower one, clients' >>>> /etc/openldap/certs directories are either missing or empty; on the >>>> faster network, clients have certs in these directories. >>>> >>>> Is this important, and if so what could be going wrong on my slower >>>> network that might cause the certs to not get distributed or created >>>> properly? >>> These are not the droids you are looking for... >>> >>> Can you clarify what you mean by IPA authentications? sssd should be >>> handling that, and while a first auth over a slow link might be slow >>> subsequent usage should be quite fast. >>> >>> rob > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. From bret.wortman at damascusgrp.com Thu May 22 14:42:33 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 10:42:33 -0400 Subject: [Freeipa-users] New replica won't accept replication In-Reply-To: <537D5E9F.60102@redhat.com> References: <537CBB2C.3060507@damascusgrp.com> <537CC065.3040404@redhat.com> <537CC909.1060905@damascusgrp.com> <537D0C13.3080002@redhat.com> <24205996-80DE-42BD-90B3-93844523E251@damascusgrp.com> <537D5E9F.60102@redhat.com> Message-ID: <537E0CD9.3030508@damascusgrp.com> Go figure. I rebuilt it (again) cleanly, and after starting replication again, while I was madly trying to change the debug level on the new replica...it completed replication this time. Heisenbugs. Gotta love them. (I think this one was in my network somewhere, not your code -- I just couldn't observe it enough and someone must've changed something while I wasn't looking). Bret On 05/21/2014 10:19 PM, Rob Crittenden wrote: > Bret Wortman wrote: >> It takes about 2 minutes. How would you like me to turn debugging on? > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting > > I'm not sure if you should enable this on both sides of the agreement or > not. If you have the ability and don't mind potentially slowing down the > working master it might be useful to the 389-ds guys.
> > rob > >> >> Bret Wortman >> http://bretwortman.com/ >> http://twitter.com/BretWortman >> >>> On May 21, 2014, at 4:26 PM, Rob Crittenden wrote: >>> >>> Bret Wortman wrote: >>>> On the new replica (asipa) I see in the access log almost 5000 entries >>>> like this: >>>> >>>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 EXT >>>> oid="2.16.840.113730.3.5.6" name="Netscape Replication Total update Entry" >>>> [21/May/2014:10:30:58 -0400] conn=4 op=4923 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> >>>> And these just repeat, increasing the "op" value until they terminate >>>> with this one. The rest of it just looks like informational messages. >>> How long does this take? Is there time to enable replication debugging? >>> That may provide more output. >>> >>>> Over on zsipa (the CA master), errors contains: >>>> >>>> [21/May/2014:14:31:06 +0000] NSMMReplciationPlugin - Schema >>>> agmt="cn=meToasipa.foo.net" (asipa:389) must not be overwritten(set >>>> replication log for additional info) >>>> [21/May/2014:14:31:06 +0000] NSMMReplicationPlugin - >>>> agmt="cn=meToasipa.foo.net" (asipa:389) Warning: unable to replicate >>>> schema: rc=1 >>> I don't think this is related. >>> >>> I'd run ipa-replica-manage list -v `hostname` and ipa-csreplica-manage >>> list -v `hostname` on the master you generated the replica install file >>> on to see what agreements it has or thinks it has. >>> >>> rob >>> >>>> These two lines repeat at intervals for a while. >>>> >>>> Nothing else leapt out at me. >>>> >>>> >>>> >>>>> On 05/21/2014 11:04 AM, Rob Crittenden wrote: >>>>> Bret Wortman wrote: >>>>>> This occurs on our first attempt to join as a replica. I've erased this >>>>>> box and rebaselined it but the same thing happens. No network ports >>>>>> being blocked that we know of, and another replica I created at the same >>>>>> time installed its replica file without issue. 
>>>>>> >>>>>> asipa is the new replica, zsipa is the ca and original master on which >>>>>> the replica file was created. >>>>>> >>>>>> [24/34]: setting up initial replication >>>>>> Starting replication, please wait until this has completed >>>>>> Update in progress, 130 seconds elapsed >>>>>> Update in progress yet not in progress >>>>>> >>>>>> [ipamaster.foo.net] reports: Update failed! Status: [10 Total update >>>>>> abortedLDAP error: Referral] >>>>>> >>>>>> >>>>>> Your system may be partly configured. >>>>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>>>> >>>>>> Failed to start replication >>>>>> # >>>>>> >>>>>> /var/log/ipareplica-install.log contains this: >>>>>> >>>>>> 2014-05-21T145:28:56Z DEBUG retrieving schema for SchemaCache >>>>>> url=ldaps://asipa.fopo.net:636 conn=>>>>> instance at 0x4faf170> >>>>>> 2014-05-21T14:31:08Z DEBUG File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", >>>>>> line 638, in run_script >>>>>> return_value = main_function() >>>>>> >>>>>> File "/usr/sbin/ipa-replica-install", line 663, in main >>>>>> ds = install_replica_ds(config) >>>>>> >>>>>> File "/usr/sbin/ipa-replica-install", line 188, in install_replica_ds >>>>>> ca_file=config.dir + "/ca.crt", >>>>>> >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>>> 360 in create_replica >>>>>> self.start_creation(runtime=60) >>>>>> >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line 364, in start_creation >>>>>> method() >>>>>> >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line >>>>>> 373, in __setup_replica >>>>>> r_bindpw=self.dm_password() >>>>>> >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", >>>>>> line 961, in setup_replication >>>>>> raise RuntimeError("Failed to start replication") >>>>>> >>>>>> 2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed, >>>>>> 
exception: RuntimeError: Failed to start replication >>>>>> >>>>>> Any guidance on where to start looking? >>>>> Check the 389-ds access and error logs on both masters. >>>>> >>>>> rob From jhrozek at redhat.com Thu May 22 15:02:38 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 22 May 2014 17:02:38 +0200 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E0B7D.4030006@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> Message-ID: <20140522150238.GL5145@hendrix.brq.redhat.com> On Thu, May 22, 2014 at 10:36:45AM -0400, Bret Wortman wrote: > I found that our slower system was using FQDNs for the list of IPA > servers; our faster system was using IPs. I'm switching now, letting > Puppet distribute the update and will see if it helps. > > By enumeration, do you mean are we spelling out our IPA servers? > Yes. We only have 3 and they look something like this: I suspect there are some DNS issues or failover issues on the 'slow' network. Can you post the domain logs? If you are concerned about some private data in the logs, feel free to send them to me directly. > > [domain/foo.net] > > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = foo.net > id_provider = ipa > auth_provider = ipa > access_provider = ipa > ipa_hostname = rm266ws-a.foo.net > chpass_provider = ipa > ipa_dyndns_update = True > ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 Even with the IP addresses, the first server instance is "_srv_" which means the SSSD would try to get the server list from the DNS.
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net > ldap_tls_cacert = /etc/ipa/ca.crt > [sssd] > services = nss, pam, ssh > config_file_version = 2 > > domains = foo.net > [nss] > > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > On the other hand, if you meant something else, then I hope the > answer's in the file. ;-) From dpal at redhat.com Thu May 22 15:07:11 2014 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 22 May 2014 11:07:11 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E0B7D.4030006@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> Message-ID: <537E129F.1020005@redhat.com> On 05/22/2014 10:36 AM, Bret Wortman wrote: > I found that our slower system was using FQDNs for the list of IPA > servers; our faster system was using IPs. I'm switching now, letting > Puppet distribute the update and will see if it helps. > That means you have problems with DNS that are worth looking into. > By enumeration, do you mean are we spelling out our IPA servers? Yes. > We only have 3 and they look something like this: No. I mean the ability of sssd to download everything when enumerate = true. This causes a lot of traffic and overhead and is a usual reason for low performance. We were unfortunate to include this setting in one of the early sssd.conf examples and people have been copying it around ever since, though we strongly recommend against enabling it.
> > [domain/foo.net] > > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = foo.net > id_provider = ipa > auth_provider = ipa > access_provider = ipa > ipa_hostname = rm266ws-a.foo.net > chpass_provider = ipa > ipa_dyndns_update = True > ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 > ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net > ldap_tls_cacert = /etc/ipa/ca.crt > [sssd] > services = nss, pam, ssh > config_file_version = 2 > > domains = foo.net > [nss] > > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > On the other hand, if you meant something else, then I hope the > answer's in the file. ;-) > > > On 05/22/2014 10:15 AM, Dmitri Pal wrote: >> On 05/22/2014 09:43 AM, Bret Wortman wrote: >>> What we're seeing is slow GDM logins, ssh authentications, and "sudo >>> -i" responses on this network. On our other, these things are all >>> blazing fast. Here, they're on the order of 5-10 seconds. And it >>> doesn't seem to improve (much) with age or time, except perhaps >>> anecdotally. At best, a second connection might be a second faster, >>> but will revert within an hour or so. >>> >> >> Have you compared sssd.conf from clients in these two networks? >> Do you use enumeration? >> >> Increasing debug level and looking at the logs will help you to >> understand what part takes most time. These logs will be helpful for >> you/us to see if/what the problem is/are. >> >>> >>> On 05/22/2014 09:36 AM, Rob Crittenden wrote: >>>> Bret Wortman wrote: >>>>> Where should my clients be getting the contents of >>>>> /etc/openldap/certs from? >>>>> >>>>> I've got one network where my IPA authentications are blazing fast >>>>> and >>>>> one where they're ... not. On the slower one, clients' >>>>> /etc/openldap/certs directories are either missing or empty; on the >>>>> faster network, clients have certs in these directories. 
>>>>> >>>>> Is this important, and if so what could be going wrong on my slower >>>>> network that might cause the certs to not get distributed or created >>>>> properly? >>>> These are not the droids you are looking for... >>>> >>>> Can you clarify what you mean by IPA authentications? sssd should be >>>> handling that, and while a first auth over a slow link might be slow >>>> subsequent usage should be quite fast. >>>> >>>> rob >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From bret.wortman at damascusgrp.com Thu May 22 15:16:57 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 11:16:57 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E129F.1020005@redhat.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> <537E129F.1020005@redhat.com> Message-ID: <537E14E9.5060506@damascusgrp.com> It doesn't seem to have helped -- we're still pretty slow even with IP addresses in sssd.conf.
On 05/22/2014 11:07 AM, Dmitri Pal wrote: > On 05/22/2014 10:36 AM, Bret Wortman wrote: >> I found that our slower system was using FQDNs for the list of IPA >> servers; our faster system was using IPs. I'm switching now, letting >> Puppet distribute the update and will see if it helps. >> > > That means you have problems with DNS that are worth looking into. > >> By enumeration, do you mean are we spelling out our IPA servers? Yes. >> We only have 3 and they look something like this: > > No. I mean the ability of sssd to download everything when enumerate = > true > This causes a lot of traffic and overhead and a usual reason for low > performance. > We were unfortunate to include this setting into one of the early > sssd.conf examples and people have been copying it around ever since > though we strongly recommend against enabling it. > >> >> [domain/foo.net] >> >> cache_credentials = True >> krb5_store_password_if_offline = True >> ipa_domain = foo.net >> id_provider = ipa >> auth_provider = ipa >> access_provider = ipa >> ipa_hostname = rm266ws-a.foo.net >> chpass_provider = ipa >> ipa_dyndns_update = True >> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 >> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net >> ldap_tls_cacert = /etc/ipa/ca.crt >> [sssd] >> services = nss, pam, ssh >> config_file_version = 2 >> >> domains = foo.net >> [nss] >> >> [pam] >> >> [sudo] >> >> [autofs] >> >> [ssh] >> >> [pac] >> >> On the other hand, if you meant something else, then I hope the >> answer's in the file. ;-) >> >> >> On 05/22/2014 10:15 AM, Dmitri Pal wrote: >>> On 05/22/2014 09:43 AM, Bret Wortman wrote: >>>> What we're seeing is slow GDM logins, ssh authentications, and >>>> "sudo -i" responses on this network. On our other, these things are >>>> all blazing fast. Here, they're on the order of 5-10 seconds. And >>>> it doesn't seem to improve (much) with age or time, except perhaps >>>> anecdotally. 
At best, a second connection might be a second faster, >>>> but will revert within an hour or so. >>>> >>> >>> Have you compared sssd.conf from clients in these two networks? >>> Do you use enumeration? >>> >>> Increasing debug level and looking at the logs will help you to >>> understand what part takes most time. These logs will be helpful for >>> you/us to see if/what the problem is/are. >>> >>>> >>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote: >>>>> Bret Wortman wrote: >>>>>> Where should my clients be getting the contents of >>>>>> /etc/openldap/certs from? >>>>>> >>>>>> I've got one network where my IPA authentications are blazing >>>>>> fast and >>>>>> one where they're ... not. On the slower one, clients' >>>>>> /etc/openldap/certs directories are either missing or empty; on the >>>>>> faster network, clients have certs in these directories. >>>>>> >>>>>> Is this important, and if so what could be going wrong on my slower >>>>>> network that might cause the certs to not get distributed or created >>>>>> properly? >>>>> These are not the droids you are looking for... >>>>> >>>>> Can you clarify what you mean by IPA authentications? sssd should be >>>>> handling that, and while a first auth over a slow link might be slow >>>>> subsequent usage should be quite fast. >>>>> >>>>> rob >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. 
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From bret.wortman at damascusgrp.com Thu May 22 16:47:29 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 22 May 2014 12:47:29 -0400
Subject: [Freeipa-users] Why would /etc/passwd get skipped?
Message-ID: <537E2A21.4030004@damascusgrp.com>

If this line is in /etc/nsswitch.conf:

passwd: files sss

Why would the user account from IPA get used when an identical one exists in /etc/passwd? We can tell because of some additional groups granted when authentication comes from IPA.

If I shut down sssd, then login proceeds through /etc/passwd as expected, but as soon as I restart sssd, this behavior starts again. It's almost as if nsswitch.conf is being ignored or read right-to-left.

Just another oddity I uncovered on one system as I was troubleshooting a particularly long "ssh localhost" and trying to rule things out.

--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret

From simo at redhat.com Thu May 22 17:06:17 2014
From: simo at redhat.com (Simo Sorce)
Date: Thu, 22 May 2014 13:06:17 -0400
Subject: [Freeipa-users] Why would /etc/passwd get skipped?
In-Reply-To: <537E2A21.4030004@damascusgrp.com>
References: <537E2A21.4030004@damascusgrp.com>
Message-ID: <1400778377.7561.90.camel@willson.li.ssimo.org>

On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> If this line is in /etc/nsswitch.conf:
>
> passwd: files sss
>
> Why would the user account from IPA get used when an identical one
> exists in /etc/passwd? We can tell because of some additional groups
> granted when authentication comes from IPA.
>
> If I shut down sssd, then login proceeds through /etc/passwd as
> expected, but as soon as I restart sssd, this behavior starts again.
> It's almost as if nsswitch.conf is being ignored or read
> right-to-left.
>
> Just another oddity I uncovered on one system as I was troubleshooting
> a
> particularly long "ssh localhost" and trying to rule things out.
>

The initgroups call (done at authentication to find what groups a user is member of) by default traverses all databases, so if the same username is found in multiple databases the groups are added as well.

There is actually a way to change this behavior, although it usually causes more issues than it resolves.

You could try with:

initgroups: files sss

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From bret.wortman at damascusgrp.com Thu May 22 17:12:57 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 22 May 2014 13:12:57 -0400
Subject: [Freeipa-users] Why would /etc/passwd get skipped?
In-Reply-To: <1400778377.7561.90.camel@willson.li.ssimo.org> References: <537E2A21.4030004@damascusgrp.com> <1400778377.7561.90.camel@willson.li.ssimo.org> Message-ID: <537E3019.6060603@damascusgrp.com> Ahhhh. Then it's probably not the source of my performance problem. I know when I shut down SSSD, that user's ssh times speed up incredibly. Bret On 05/22/2014 01:06 PM, Simo Sorce wrote: > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote: >> If this line is in /etc/nsswitch.conf: >> >> passwd: files sss >> >> Why would the user account from IPA get used when an identical one >> exists in /etc/passwd? We can tell because of some additional groups >> granted when authentication comes from IPA. >> >> If I shut down sssd, then login proceeds through /etc/passwd as >> expected, but as soon as I restart sssd, this behavior starts again. >> It's almost as if nsswitch.conf is being ignored or read >> right-to-left. >> >> Just another oddity I uncovered on one system as I was troubleshooting >> a >> particularly long "ssh localhost" and trying to rule things out. >> > The initgroups call (done at authentication to find what groups a user > is member of) by default traverses all databases, so if the same > username is found in multiple databases the groups are added as well. > > There is actually a way to change this behavior, although it usually > causes more issue than it resolves. > > You could try with: initgroups: files sss > > Simo. > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From simo at redhat.com Thu May 22 17:15:18 2014 From: simo at redhat.com (Simo Sorce) Date: Thu, 22 May 2014 13:15:18 -0400 Subject: [Freeipa-users] Why would /etc/passwd get skipped? 
In-Reply-To: <537E3019.6060603@damascusgrp.com> References: <537E2A21.4030004@damascusgrp.com> <1400778377.7561.90.camel@willson.li.ssimo.org> <537E3019.6060603@damascusgrp.com> Message-ID: <1400778918.7561.91.camel@willson.li.ssimo.org> On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote: > Ahhhh. Then it's probably not the source of my performance problem. I > know when I shut down SSSD, that user's ssh times speed up incredibly. This makes me think it *is* initgroups, as it normally will hit sssd even for non-sssd owned users. But the issue here clearly is that sssd is slow for you, bad network ? Simo. > Bret > > On 05/22/2014 01:06 PM, Simo Sorce wrote: > > On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote: > >> If this line is in /etc/nsswitch.conf: > >> > >> passwd: files sss > >> > >> Why would the user account from IPA get used when an identical one > >> exists in /etc/passwd? We can tell because of some additional groups > >> granted when authentication comes from IPA. > >> > >> If I shut down sssd, then login proceeds through /etc/passwd as > >> expected, but as soon as I restart sssd, this behavior starts again. > >> It's almost as if nsswitch.conf is being ignored or read > >> right-to-left. > >> > >> Just another oddity I uncovered on one system as I was troubleshooting > >> a > >> particularly long "ssh localhost" and trying to rule things out. > >> > > The initgroups call (done at authentication to find what groups a user > > is member of) by default traverses all databases, so if the same > > username is found in multiple databases the groups are added as well. > > > > There is actually a way to change this behavior, although it usually > > causes more issue than it resolves. > > > > You could try with: initgroups: files sss > > > > Simo. 
> > > > -- Simo Sorce * Red Hat, Inc * New York From bret.wortman at damascusgrp.com Thu May 22 17:22:28 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Thu, 22 May 2014 13:22:28 -0400 Subject: [Freeipa-users] Why would /etc/passwd get skipped? In-Reply-To: <1400778918.7561.91.camel@willson.li.ssimo.org> References: <537E2A21.4030004@damascusgrp.com> <1400778377.7561.90.camel@willson.li.ssimo.org> <537E3019.6060603@damascusgrp.com> <1400778918.7561.91.camel@willson.li.ssimo.org> Message-ID: <537E3254.6050909@damascusgrp.com> Yep, that initgroups change had the same effect as shutting down sssd, but without inconveniencing all the IPA-only users. The problem in this particular case was made worse by a lot of network latency, but even on network segments local to the ipa masters, it's taking seconds to authenticate. This will help out the local accounts, at least. Now to keep working on those that aren't local. Thanks for that tip, Simo! On 05/22/2014 01:15 PM, Simo Sorce wrote: > On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote: >> Ahhhh. Then it's probably not the source of my performance problem. I >> know when I shut down SSSD, that user's ssh times speed up incredibly. > This makes me think it *is* initgroups, as it normally will hit sssd > even for non-sssd owned users. > > But the issue here clearly is that sssd is slow for you, bad network ? > > Simo. > >> Bret >> >> On 05/22/2014 01:06 PM, Simo Sorce wrote: >>> On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote: >>>> If this line is in /etc/nsswitch.conf: >>>> >>>> passwd: files sss >>>> >>>> Why would the user account from IPA get used when an identical one >>>> exists in /etc/passwd? We can tell because of some additional groups >>>> granted when authentication comes from IPA. >>>> >>>> If I shut down sssd, then login proceeds through /etc/passwd as >>>> expected, but as soon as I restart sssd, this behavior starts again. 
>>>> It's almost as if nsswitch.conf is being ignored or read >>>> right-to-left. >>>> >>>> Just another oddity I uncovered on one system as I was troubleshooting >>>> a >>>> particularly long "ssh localhost" and trying to rule things out. >>>> >>> The initgroups call (done at authentication to find what groups a user >>> is member of) by default traverses all databases, so if the same >>> username is found in multiple databases the groups are added as well. >>> >>> There is actually a way to change this behavior, although it usually >>> causes more issue than it resolves. >>> >>> You could try with: initgroups: files sss >>> >>> Simo. >>> >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From jhrozek at redhat.com Thu May 22 18:25:47 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 22 May 2014 20:25:47 +0200 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E14E9.5060506@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> <537E129F.1020005@redhat.com> <537E14E9.5060506@damascusgrp.com> Message-ID: <20140522182547.GC11025@hendrix.redhat.com> On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote: > It doesn't seem to have helped -- we're still pretty slow even with > IP addresses in sssd.conf. Yes, I would expect the performance to be still slow, because when you perform authentication, the user information is always refreshed from the server, even with enumeration. This is to ensure correct and precise group membership at login time. > > On 05/22/2014 11:07 AM, Dmitri Pal wrote: > >On 05/22/2014 10:36 AM, Bret Wortman wrote: > >>I found that our slower system was using FQDNs for the list of > >>IPA servers; our faster system was using IPs. 
I'm switching now, > >>letting Puppet distribute the update and will see if it helps. > >> > > > >That means you have problems with DNS that are worth looking into. > > > >>By enumeration, do you mean are we spelling out our IPA servers? > >>Yes. We only have 3 and they look something like this: > > > >No. I mean the ability of sssd to download everything when > >enumerate = true > >This causes a lot of traffic and overhead and a usual reason for > >low performance. > >We were unfortunate to include this setting into one of the early > >sssd.conf examples and people have been copying it around ever > >since though we strongly recommend against enabling it. > > > >> > >>[domain/foo.net] > >> > >>cache_credentials = True > >>krb5_store_password_if_offline = True > >>ipa_domain = foo.net > >>id_provider = ipa > >>auth_provider = ipa > >>access_provider = ipa > >>ipa_hostname = rm266ws-a.foo.net > >>chpass_provider = ipa > >>ipa_dyndns_update = True > >>ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 > >>ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net > >>ldap_tls_cacert = /etc/ipa/ca.crt > >>[sssd] > >>services = nss, pam, ssh > >>config_file_version = 2 > >> > >>domains = foo.net > >>[nss] > >> > >>[pam] > >> > >>[sudo] > >> > >>[autofs] > >> > >>[ssh] > >> > >>[pac] > >> > >>On the other hand, if you meant something else, then I hope the > >>answer's in the file. ;-) > >> > >> > >>On 05/22/2014 10:15 AM, Dmitri Pal wrote: > >>>On 05/22/2014 09:43 AM, Bret Wortman wrote: > >>>>What we're seeing is slow GDM logins, ssh authentications, > >>>>and "sudo -i" responses on this network. On our other, these > >>>>things are all blazing fast. Here, they're on the order of > >>>>5-10 seconds. And it doesn't seem to improve (much) with age > >>>>or time, except perhaps anecdotally. At best, a second > >>>>connection might be a second faster, but will revert within > >>>>an hour or so. 
> >>>> > >>> > >>>Have you compared sssd.conf from clients in these two networks? > >>>Do you use enumeration? > >>> > >>>Increasing debug level and looking at the logs will help you > >>>to understand what part takes most time. These logs will be > >>>helpful for you/us to see if/what the problem is/are. > >>> > >>>> > >>>>On 05/22/2014 09:36 AM, Rob Crittenden wrote: > >>>>>Bret Wortman wrote: > >>>>>>Where should my clients be getting the contents of > >>>>>>/etc/openldap/certs from? > >>>>>> > >>>>>>I've got one network where my IPA authentications are > >>>>>>blazing fast and > >>>>>>one where they're ... not. On the slower one, clients' > >>>>>>/etc/openldap/certs directories are either missing or empty; on the > >>>>>>faster network, clients have certs in these directories. > >>>>>> > >>>>>>Is this important, and if so what could be going wrong on my slower > >>>>>>network that might cause the certs to not get distributed or created > >>>>>>properly? > >>>>>These are not the droids you are looking for... > >>>>> > >>>>>Can you clarify what you mean by IPA authentications? sssd should be > >>>>>handling that, and while a first auth over a slow link might be slow > >>>>>subsequent usage should be quite fast. > >>>>> > >>>>>rob > >>>> > >>>> > >>>> > >>>> > >>>>_______________________________________________ > >>>>Freeipa-users mailing list > >>>>Freeipa-users at redhat.com > >>>>https://www.redhat.com/mailman/listinfo/freeipa-users > >>> > >>> > >>>-- > >>>Thank you, > >>>Dmitri Pal > >>> > >>>Sr. Engineering Manager IdM portfolio > >>>Red Hat, Inc. 
> >>> > >>> > >>>_______________________________________________ > >>>Freeipa-users mailing list > >>>Freeipa-users at redhat.com > >>>https://www.redhat.com/mailman/listinfo/freeipa-users > >> > >> > >> > >>_______________________________________________ > >>Freeipa-users mailing list > >>Freeipa-users at redhat.com > >>https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > >-- > >Thank you, > >Dmitri Pal > > > >Sr. Engineering Manager IdM portfolio > >Red Hat, Inc. > > > > > >_______________________________________________ > >Freeipa-users mailing list > >Freeipa-users at redhat.com > >https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users From jhrozek at redhat.com Thu May 22 18:28:38 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 22 May 2014 20:28:38 +0200 Subject: [Freeipa-users] Why would /etc/passwd get skipped? In-Reply-To: <537E3254.6050909@damascusgrp.com> References: <537E2A21.4030004@damascusgrp.com> <1400778377.7561.90.camel@willson.li.ssimo.org> <537E3019.6060603@damascusgrp.com> <1400778918.7561.91.camel@willson.li.ssimo.org> <537E3254.6050909@damascusgrp.com> Message-ID: <20140522182838.GD11025@hendrix.redhat.com> On Thu, May 22, 2014 at 01:22:28PM -0400, Bret Wortman wrote: > Yep, that initgroups change had the same effect as shutting down > sssd, but without inconveniencing all the IPA-only users. > > The problem in this particular case was made worse by a lot of > network latency, but even on network segments local to the ipa > masters, it's taking seconds to authenticate. This will help out the > local accounts, at least. Now to keep working on those that aren't > local. > > Thanks for that tip, Simo! 
Just as an additional tip for anyone else following this thread -- if you want to ignore certain local users from being queried in the SSSD backends, you can use the filter_users/filter_groups options. Their value defaults to 'root' so that we never fetch the root account from LDAP, but for example on my system I also include the 'pulse-rt' user.

From dpal at redhat.com Thu May 22 21:34:30 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 22 May 2014 17:34:30 -0400
Subject: [Freeipa-users] openldap certs?
In-Reply-To: <20140522182547.GC11025@hendrix.redhat.com>
References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> <537E129F.1020005@redhat.com> <537E14E9.5060506@damascusgrp.com> <20140522182547.GC11025@hendrix.redhat.com>
Message-ID: <537E6D66.6030604@redhat.com>

On 05/22/2014 02:25 PM, Jakub Hrozek wrote:
> On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote:
>> It doesn't seem to have helped -- we're still pretty slow even with
>> IP addresses in sssd.conf.
> Yes, I would expect the performance to be still slow, because when you
> perform authentication, the user information is always refreshed from
> the server, even with enumeration.

I do not think they have enumeration; this is why this seems irrelevant.

> This is to ensure correct and precise
> group membership at login time.
>
>> On 05/22/2014 11:07 AM, Dmitri Pal wrote:
>>> On 05/22/2014 10:36 AM, Bret Wortman wrote:
>>>> I found that our slower system was using FQDNs for the list of
>>>> IPA servers; our faster system was using IPs. I'm switching now,
>>>> letting Puppet distribute the update and will see if it helps.
>>>>
>>> That means you have problems with DNS that are worth looking into.
>>>
>>>> By enumeration, do you mean are we spelling out our IPA servers?
>>>> Yes. We only have 3 and they look something like this:
>>> No.
I mean the ability of sssd to download everything when >>> enumerate = true >>> This causes a lot of traffic and overhead and a usual reason for >>> low performance. >>> We were unfortunate to include this setting into one of the early >>> sssd.conf examples and people have been copying it around ever >>> since though we strongly recommend against enabling it. >>> >>>> [domain/foo.net] >>>> >>>> cache_credentials = True >>>> krb5_store_password_if_offline = True >>>> ipa_domain = foo.net >>>> id_provider = ipa >>>> auth_provider = ipa >>>> access_provider = ipa >>>> ipa_hostname = rm266ws-a.foo.net >>>> chpass_provider = ipa >>>> ipa_dyndns_update = True >>>> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 >>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net >>>> ldap_tls_cacert = /etc/ipa/ca.crt >>>> [sssd] >>>> services = nss, pam, ssh >>>> config_file_version = 2 >>>> >>>> domains = foo.net >>>> [nss] >>>> >>>> [pam] >>>> >>>> [sudo] >>>> >>>> [autofs] >>>> >>>> [ssh] >>>> >>>> [pac] >>>> >>>> On the other hand, if you meant something else, then I hope the >>>> answer's in the file. ;-) >>>> >>>> >>>> On 05/22/2014 10:15 AM, Dmitri Pal wrote: >>>>> On 05/22/2014 09:43 AM, Bret Wortman wrote: >>>>>> What we're seeing is slow GDM logins, ssh authentications, >>>>>> and "sudo -i" responses on this network. On our other, these >>>>>> things are all blazing fast. Here, they're on the order of >>>>>> 5-10 seconds. And it doesn't seem to improve (much) with age >>>>>> or time, except perhaps anecdotally. At best, a second >>>>>> connection might be a second faster, but will revert within >>>>>> an hour or so. >>>>>> >>>>> Have you compared sssd.conf from clients in these two networks? >>>>> Do you use enumeration? >>>>> >>>>> Increasing debug level and looking at the logs will help you >>>>> to understand what part takes most time. These logs will be >>>>> helpful for you/us to see if/what the problem is/are. 
>>>>> >>>>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote: >>>>>>> Bret Wortman wrote: >>>>>>>> Where should my clients be getting the contents of >>>>>>>> /etc/openldap/certs from? >>>>>>>> >>>>>>>> I've got one network where my IPA authentications are >>>>>>>> blazing fast and >>>>>>>> one where they're ... not. On the slower one, clients' >>>>>>>> /etc/openldap/certs directories are either missing or empty; on the >>>>>>>> faster network, clients have certs in these directories. >>>>>>>> >>>>>>>> Is this important, and if so what could be going wrong on my slower >>>>>>>> network that might cause the certs to not get distributed or created >>>>>>>> properly? >>>>>>> These are not the droids you are looking for... >>>>>>> >>>>>>> Can you clarify what you mean by IPA authentications? sssd should be >>>>>>> handling that, and while a first auth over a slow link might be slow >>>>>>> subsequent usage should be quite fast. >>>>>>> >>>>>>> rob >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Freeipa-users mailing list >>>>>> Freeipa-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> >>>>> -- >>>>> Thank you, >>>>> Dmitri Pal >>>>> >>>>> Sr. Engineering Manager IdM portfolio >>>>> Red Hat, Inc. >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> -- >>> Thank you, >>> Dmitri Pal >>> >>> Sr. Engineering Manager IdM portfolio >>> Red Hat, Inc. 
>>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users > > >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From dpal at redhat.com Thu May 22 21:35:33 2014 From: dpal at redhat.com (Dmitri Pal) Date: Thu, 22 May 2014 17:35:33 -0400 Subject: [Freeipa-users] openldap certs? In-Reply-To: <537E14E9.5060506@damascusgrp.com> References: <537DF91F.4030703@damascusgrp.com> <537DFD6F.8020002@redhat.com> <537DFEF2.5020602@damascusgrp.com> <537E066E.3010301@redhat.com> <537E0B7D.4030006@damascusgrp.com> <537E129F.1020005@redhat.com> <537E14E9.5060506@damascusgrp.com> Message-ID: <537E6DA5.20607@redhat.com> On 05/22/2014 11:16 AM, Bret Wortman wrote: > It doesn't seem to have helped -- we're still pretty slow even with IP > addresses in sssd.conf. Then we need debug logs to see where the delays are. Put high debug level and zip the logs somewhere we can take a look at. Jakub is your guy. > > On 05/22/2014 11:07 AM, Dmitri Pal wrote: >> On 05/22/2014 10:36 AM, Bret Wortman wrote: >>> I found that our slower system was using FQDNs for the list of IPA >>> servers; our faster system was using IPs. I'm switching now, letting >>> Puppet distribute the update and will see if it helps. >>> >> >> That means you have problems with DNS that are worth looking into. >> >>> By enumeration, do you mean are we spelling out our IPA servers? >>> Yes. We only have 3 and they look something like this: >> >> No. 
I mean the ability of sssd to download everything when enumerate >> = true >> This causes a lot of traffic and overhead and a usual reason for low >> performance. >> We were unfortunate to include this setting into one of the early >> sssd.conf examples and people have been copying it around ever since >> though we strongly recommend against enabling it. >> >>> >>> [domain/foo.net] >>> >>> cache_credentials = True >>> krb5_store_password_if_offline = True >>> ipa_domain = foo.net >>> id_provider = ipa >>> auth_provider = ipa >>> access_provider = ipa >>> ipa_hostname = rm266ws-a.foo.net >>> chpass_provider = ipa >>> ipa_dyndns_update = True >>> ipa_server = _srv_, 192.168.2.61, 192.168.2.62, 192.168.2.63 >>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=net >>> ldap_tls_cacert = /etc/ipa/ca.crt >>> [sssd] >>> services = nss, pam, ssh >>> config_file_version = 2 >>> >>> domains = foo.net >>> [nss] >>> >>> [pam] >>> >>> [sudo] >>> >>> [autofs] >>> >>> [ssh] >>> >>> [pac] >>> >>> On the other hand, if you meant something else, then I hope the >>> answer's in the file. ;-) >>> >>> >>> On 05/22/2014 10:15 AM, Dmitri Pal wrote: >>>> On 05/22/2014 09:43 AM, Bret Wortman wrote: >>>>> What we're seeing is slow GDM logins, ssh authentications, and >>>>> "sudo -i" responses on this network. On our other, these things >>>>> are all blazing fast. Here, they're on the order of 5-10 seconds. >>>>> And it doesn't seem to improve (much) with age or time, except >>>>> perhaps anecdotally. At best, a second connection might be a >>>>> second faster, but will revert within an hour or so. >>>>> >>>> >>>> Have you compared sssd.conf from clients in these two networks? >>>> Do you use enumeration? >>>> >>>> Increasing debug level and looking at the logs will help you to >>>> understand what part takes most time. These logs will be helpful >>>> for you/us to see if/what the problem is/are. 
>>>> >>>>> >>>>> On 05/22/2014 09:36 AM, Rob Crittenden wrote: >>>>>> Bret Wortman wrote: >>>>>>> Where should my clients be getting the contents of >>>>>>> /etc/openldap/certs from? >>>>>>> >>>>>>> I've got one network where my IPA authentications are blazing >>>>>>> fast and >>>>>>> one where they're ... not. On the slower one, clients' >>>>>>> /etc/openldap/certs directories are either missing or empty; on the >>>>>>> faster network, clients have certs in these directories. >>>>>>> >>>>>>> Is this important, and if so what could be going wrong on my slower >>>>>>> network that might cause the certs to not get distributed or >>>>>>> created >>>>>>> properly? >>>>>> These are not the droids you are looking for... >>>>>> >>>>>> Can you clarify what you mean by IPA authentications? sssd should be >>>>>> handling that, and while a first auth over a slow link might be slow >>>>>> subsequent usage should be quite fast. >>>>>> >>>>>> rob >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>>> >>>> -- >>>> Thank you, >>>> Dmitri Pal >>>> >>>> Sr. Engineering Manager IdM portfolio >>>> Red Hat, Inc. >>>> >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. 
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From sanju.a at tcs.com Fri May 23 04:42:51 2014
From: sanju.a at tcs.com (Sanju A)
Date: Fri, 23 May 2014 10:12:51 +0530
Subject: [Freeipa-users] Export user and host list to a csv or text file
Message-ID:

Dear All,

Is there any command to export the user and host list to a csv or text format?

Regards
Sanju Abraham

From yamakasi.014 at gmail.com Fri May 23 10:15:01 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 23 May 2014 12:15:01 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
Message-ID:

Hi All,

Is a wildcard DNS record supported at the moment? If so, how to accomplish this?

Thanks!

Matt
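Picking the "Why would /etc/passwd get skipped?" thread back up, an added example (mine, not code from glibc, SSSD or FreeIPA): a small Python model of glibc's initgroups() service walk, showing why a user present in both /etc/passwd and IPA collects both group sets, what Simo's `initgroups: files sss` line changes, and how Jakub's filter_users keeps nss_sss from consulting the server for listed local accounts. The merge-on-fallback rule is taken from glibc's grp/initgroups.c; the user names, group memberships and nsswitch.conf fragments are constructed.

```python
"""Model of glibc's initgroups() walk over /etc/nsswitch.conf.

Constructed example for the thread above, not code from glibc, SSSD or
FreeIPA.  It mirrors glibc's grp/initgroups.c: with no 'initgroups:'
line the 'group:' line is used and the walk continues past a SUCCESS so
every service's groups are merged; an explicit 'initgroups:' line
restores the normal stop-on-SUCCESS rule.  Users in sssd's filter_users
are answered NOTFOUND by nss_sss without a server round-trip.
"""
import re
from typing import AbstractSet, Dict, List, Set, Tuple

# glibc default action per lookup status (nsswitch.conf(5)).
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Constructed nsswitch.conf fragments: the thread's original and the
# same file with Simo's extra line.
NSSWITCH_ORIGINAL = "passwd: files sss\ngroup:  files sss\n"
NSSWITCH_WITH_INITGROUPS = NSSWITCH_ORIGINAL + "initgroups: files sss\n"

# Constructed membership data: what /etc/group and IPA would answer.
LOCAL_GROUPS = {"bret": {"wheel", "staff"}}          # exists locally
IPA_GROUPS = {"bret": {"ipausers", "admins"},        # ...and in IPA
              "alice": {"ipausers"}}                 # IPA-only user


def parse_nsswitch(text: str) -> Dict[str, List[Tuple[str, Dict[str, str]]]]:
    """Return {database: [(service, {STATUS: action}), ...]}.

    '[STATUS=action]' items attach to the preceding service; the negated
    '[!STATUS=action]' form is not needed here and is skipped.
    """
    db: Dict[str, List[Tuple[str, Dict[str, str]]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        services: List[Tuple[str, Dict[str, str]]] = []
        for tok in rest.split():
            if tok.startswith("["):
                m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
                if m and services:
                    services[-1][1][m.group(1).upper()] = m.group(2).lower()
                continue
            services.append((tok.lower(), {}))
        db[name.strip().lower()] = services
    return db


def files_initgroups(user: str) -> Tuple[str, Set[str]]:
    """nss_files: SUCCESS only if /etc/group lists the user somewhere."""
    groups = set(LOCAL_GROUPS.get(user, ()))
    return ("SUCCESS" if groups else "NOTFOUND"), groups


def sss_initgroups(user: str, filter_users: AbstractSet[str]
                   ) -> Tuple[str, Set[str], bool]:
    """nss_sss: the third value records whether a remote lookup ran."""
    if user in filter_users:            # filtered: answered locally
        return "NOTFOUND", set(), False
    groups = set(IPA_GROUPS.get(user, ()))
    return ("SUCCESS" if groups else "NOTFOUND"), groups, True


def simulate_initgroups(user: str, nsswitch: str,
                        filter_users: AbstractSet[str] = frozenset({"root"})
                        ) -> Tuple[Set[str], int]:
    """Walk the services as glibc does; return (groups, sssd lookups)."""
    db = parse_nsswitch(nsswitch)
    explicit = "initgroups" in db
    chain = db["initgroups"] if explicit else db.get("group", [])
    groups: Set[str] = set()
    server_lookups = 0
    for service, actions in chain:
        if service == "files":
            status, found = files_initgroups(user)
        elif service == "sss":
            status, found, remote = sss_initgroups(user, filter_users)
            server_lookups += int(remote)
        else:
            status, found = "UNAVAIL", set()
        groups |= found
        action = actions.get(status, DEFAULT_ACTIONS.get(status, "continue"))
        # Fallback-to-'group:' keeps walking after a SUCCESS (merge);
        # an explicit 'initgroups:' line honours 'return'.
        if (explicit or status != "SUCCESS") and action == "return":
            break
    return groups, server_lookups


if __name__ == "__main__":
    for label, conf, filt in [
            ("original", NSSWITCH_ORIGINAL, frozenset({"root"})),
            ("initgroups line", NSSWITCH_WITH_INITGROUPS, frozenset({"root"})),
            ("filter_users=root,bret", NSSWITCH_ORIGINAL, {"root", "bret"})]:
        for user in ("bret", "alice"):
            groups, lookups = simulate_initgroups(user, conf, filt)
            print(f"{label:24} {user:6} {sorted(groups)} lookups={lookups}")
```

The third case shows the filter_users route: the local user never reaches the IPA server, while the IPA-only user is unaffected.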
From supratiksekhar at gmail.com Fri May 23 10:23:38 2014
From: supratiksekhar at gmail.com (Supratik Goswami)
Date: Fri, 23 May 2014 15:53:38 +0530
Subject: [Freeipa-users] AD trust showing offline after reboot
References: <20140516084809.GC4640@localhost.localdomain> <20140516134408.GF4640@localhost.localdomain> <20140519111529.GP4640@localhost.localdomain> <20140520070803.GV4640@localhost.localdomain> <20140520080834.GX4640@localhost.localdomain>

Sumit,

Thank you so much for helping me in fixing the problem.

About the issue: NetBIOS was disabled in Windows AD, I think this is the default behavior for Windows 2008 R2 instances. After setting 'client max protocol' and 'client min protocol' winbind was able to resolve the AD users.

net conf setparm global 'client min protocol' CORE
net conf setparm global 'client max protocol' SMB2_02

You may close this case now.

On Tue, May 20, 2014 at 2:27 PM, Supratik Goswami wrote:
> Yes, you are correct log level was set to 1.
>
> I have changed the log level value to 10 and collected the log files
> again, PFA.
>
> [root at ipaserver samba]# net conf setparm global 'log level' 10
> [root at ipaserver samba]# net conf list
> [global]
> workgroup = IPADOMAIN
> realm = IPADOMAIN.EXAMPLE.COM
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> create krb5 conf = no
> security = user
> domain master = yes
> domain logons = yes
> max log size = 100000
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-IPADOMAIN-EXAMPLE-COM.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=ipadomain,dc=example,dc=com
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> client min protocol = smb2_02
> client max protocol = smb2_02
> log level = 10
>
> [share]
> comment = Trust test share
> read only = no
> valid users = S-1-5-21-2212595442-2951398754-4232868618
> path = /share
>
> On Tue, May 20, 2014 at 1:38 PM, Sumit Bose wrote:
>
>> On Tue, May 20, 2014 at 01:17:42PM +0530, Supratik Goswami wrote:
>> > PFA
>>
>> somewhat switched the log level back to 1
>>
>> doing parameter log level = 1
>>
>> can you check that 'net conf list' shows 'log level 10', if not please
>> set it with
>>
>> net conf setparm 'log level' 10
>>
>> bye,
>> Sumit
>>
>> > On Tue, May 20, 2014 at 12:38 PM, Sumit Bose wrote:
>> >
>> > > On Mon, May 19, 2014 at 05:40:49PM +0530, Supratik Goswami wrote:
>> > > > Initially after configuring the setup I rebooted once and I was
>> > > > thinking that it worked before the reboot but unfortunately it
>> > > > didn't work the first time itself.
>> > > > >
>> > > > > Still failing after running the commands.
>> > > > >
>> > > > > [root at ipaserver ~]# net conf setparm global "client min protocol" smb2_02
>> > > > > [root at ipaserver ~]# net conf setparm global "client max protocol" smb2_02
>> > > > > [root at ipaserver ~]# service winbind restart
>> > > > >
>> > > > > Shutting down Winbind services: [ OK ]
>> > > > > Starting Winbind services: [ OK ]
>> > > > >
>> > > > > [root at ipaserver ~]# wbinfo -n 'ADDOMAIN\Domain Admins'
>> > > > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> > > > > Could not lookup name ADDOMAIN\Domain Admins
>> > > > >
>> > > > > [root at ipaserver ~]# wbinfo -u
>> > > > > [root at ipaserver ~]#
>> > > > >
>> > > > > The issue is reproducible every time if anyone follows the steps
>> > > > > as I have done.
>> > > > >
>> > > >
>> > > > It would be nice if you can send a second round of log files. Please
>> > > > stop winbind, remove all *winbind* and *wb* log files in
>> > > > /var/log/samba, make sure 'log level' is 10 or higher,
>> > > > start winbind, call 'wbinfo -n 'ADDOMAIN\Domain Admins', stop winbind,
>> > > > put all *winbind* and *wb* log files in a tar/zip archive and send the
>> > > > archive. If you think the archive is too large for a mailing-list feel
>> > > > free to send them to me directly.
>> > > >
>> > > > bye,
>> > > > Sumit
>> > > > >
>> > > > > On Mon, May 19, 2014 at 4:45 PM, Sumit Bose wrote:
>> > > > >
>> > > > > > On Mon, May 19, 2014 at 04:29:24PM +0530, Supratik Goswami wrote:
>> > > > > > > Hi
>> > > > > > >
>> > > > > > > Let me start from the beginning once again. Let me explain
>> > > > > > > to you what steps I followed during the setup.
>> > > > > > >
>> > > > > > > I am setting up the environment in Amazon AWS, both Windows AD
>> > > > > > > server and Linux IPA configured in EC2.
>> > > > > > > For configuring Windows 2008 I selected
>> > > > > > > Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09 (ami-df8e93b6)
>> > > > > > > and for configuring IPA server I selected CentOS 6.5 (x86_64) -
>> > > > > > > Release Media (ami-8997afe0).
>> > > > > > >
>> > > > > > > I followed the steps from
>> > > > > > > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup and also
>> > > > > > > kept the domain names similar as in the example.
>> > > > > > >
>> > > > > > > IPA server hostname: ipaserver
>> > > > > > > IPA domain: ipadomain.example.com
>> > > > > > > IPA NetBIOS: IPADOMAIN
>> > > > > > >
>> > > > > > > AD DC hostname: adserver
>> > > > > > > AD domain: addomain.example.com
>> > > > > > > AD NetBIOS: ADDOMAIN
>> > > > > > >
>> > > > > > > 1. Updated the system and installed the packages.
>> > > > > > >
>> > > > > > > # yum update -y
>> > > > > > > # yum install -y "*ipa-server" "*ipa-server-trust-ad" samba4-winbind-clients samba4-winbind samba4-client bind bind-dyndb-ldap
>> > > > > > >
>> > > > > > > List of important packages installed during the update are as
>> > > > > > > follows.
>> > > > > > >
>> > > > > > > bind x86_64 32:9.8.2-0.23.rc1.el6_5.1
>> > > > > > > bind-dyndb-ldap x86_64 2.3-5.el6
>> > > > > > >
>> > > > > > > ipa-server x86_64 3.0.0-37.el6
>> > > > > > > ipa-server-trust-ad x86_64 3.0.0-37.el6
>> > > > > > > ipa-admintools x86_64 3.0.0-37.el6
>> > > > > > > ipa-client x86_64 3.0.0-37.el6
>> > > > > > > ipa-pki-ca-theme noarch 9.0.3-7.el6
>> > > > > > > ipa-pki-common-theme noarch 9.0.3-7.el6
>> > > > > > > ipa-python x86_64 3.0.0-37.el6
>> > > > > > > ipa-server-selinux x86_64 3.0.0-37.el6
>> > > > > > >
>> > > > > > > samba4-client x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4-winbind x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4-winbind-clients x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4 x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4-common x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4-libs x86_64 4.0.0-61.el6_5.rc4
>> > > > > > > samba4-python x86_64 4.0.0-61.el6_5.rc4
>> > > > > >
>> > > > > > ah, sorry, this might be a known issue, but I got on a wrong
>> > > > > > track because I thought it was working initially and only failed
>> > > > > > after reboot.
>> > > > > >
>> > > > > > Please try to set "client min protocol" and "client max protocol"
>> > > > > > in the samba configuration:
>> > > > > >
>> > > > > > net conf setparm global "client min protocol" smb2_02
>> > > > > > net conf setparm global "client max protocol" smb2_02
>> > > > > >
>> > > > > > restart winbind and try again.
>> > > > > >
>> > > > > > HTH
>> > > > > >
>> > > > > > bye,
>> > > > > > Sumit
>> > > > > >
>> > > > > > > 389-ds-base x86_64 1.2.11.15-32.el6_5
>> > > > > > > 389-ds-base-libs x86_64 1.2.11.15-32.el6_5
>> > > > > > >
>> > > > > > > certmonger x86_64 0.61-3.el6
>> > > > > > >
>> > > > > > > krb5-server x86_64 1.10.3-15.el6_5.1
>> > > > > > > krb5-workstation x86_64 1.10.3-15.el6_5.1
>> > > > > > >
>> > > > > > > sssd x86_64 1.9.2-129.el6_5.4
>> > > > > > > sssd-client x86_64 1.9.2-129.el6_5.4
>> > > > > > >
>> > > > > --
>> > > > > Warm Regards
>> > > > >
>> > > > > Supratik
>> > --
>> > Warm Regards
>> >
>> > Supratik
> --
> Warm Regards
>
> Supratik

--
Warm Regards

Supratik

From bret.wortman at damascusgrp.com Fri May 23 11:40:07 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 23 May 2014 07:40:07 -0400
Subject: [Freeipa-users] Export user and host list to a csv or text file
Message-ID: <537F3397.6090006@damascusgrp.com>

Yes, though it might be a bit more data than you're expecting. Here's what we did to get the details out of a server (and import them into another). I'm sure there's a more elegant solution, but this worked for us. Also note that we didn't use all the data this export script generated, but felt it was better to have it than to not.

EXPORT:

#!/bin/bash
#
# Generate latest ipa config files for possible re-import later.
# (bash rather than sh: pushd/popd below are bash builtins)
#
# (C) 2014, The Damascus Group
#

CONFIGDIR=/opt/ipa_config

[ ! -d $CONFIGDIR ] && mkdir $CONFIGDIR

pushd $CONFIGDIR

ipa dnszone-find --all > dnszone.txt
grep 'Zone name' dnszone.txt | awk '{print $3}' | sed 's/\r//' > zones.txt
for line in $(cat zones.txt); do
    fn=$(echo $line | sed 's/\.in-addr\.arpa\.//')
    echo "For zone $line -> dnsrecord-$fn.txt"
    ipa dnsrecord-find $line --sizelimit=99999 --all --structured > dnsrecord-${fn}.txt
done
ipa user-find --all > users.txt
ipa host-find --sizelimit=99999 --all > hosts.txt
ipa policy-find --all > policy.txt
ipa sudorule-find --all > sudorule.txt
ipa sudocmdgroup-find --all > sudocmdgroup.txt
ipa sudocmd-find --all > sudocmd.txt
ipa role-find --all > roles.txt
ipa pwpolicy-find --all > pwpolicy.txt
ipa privilege-find --all > privilege.txt
ipa permission-find --all > permission.txt
ipa netgroup-find --all > netgroup.txt
ipa usergroup-find --all > usergroup.txt
ipa idrange-find --all > idrange.txt
ipa hostgroup-find --all > hostgroup.txt
ipa hbacrule-find --all > hbacrule.txt
ipa hbacsvc-find --all > hbacsvc.txt
ipa group-find --all > group.txt
ipa cert-find --all > cert.txt
ipa automember-find --type=group --all > automember-group.txt
ipa automember-find --type=hostgroup --all > automember-hostgroup.txt

popd
------cut-------

Then, for example, you can import these into a new IPA server using something like these:

#!/bin/bash
#
# parse_hosts
#
# (C) 2014, The Damascus Group
#

FN=$1
OTP=MyOnetimePassword
RE_HOSTNAME="Host name:\s+(.*)$"

name=""

while read line; do
    # Match the regex unquoted, so bash treats it as a pattern rather than a
    # literal string. Each "Host name:" line means the previous host is
    # complete, so add it before remembering the new name.
    if [[ $line =~ $RE_HOSTNAME ]]; then
        if [[ -n "$name" ]]; then
            echo "Adding $name"
            ipa host-add $name --password $OTP --force
        fi
        name=${BASH_REMATCH[1]}
    fi
done < $FN

# The last host has no following "Host name:" line, so add it here.
echo "Adding $name"
ipa host-add $name --password $OTP --force
-------cut----------

And this for users:

#!/bin/bash
#
# parse_users
#
# (C) 2014, The Damascus Group
#

FN=$1

RE_DN="dn:\s+(.*)$"
RE_LOGIN="User login:\s+(.*)$"
RE_LAST="Last name:\s+(.*)$"
RE_FIRST="First name:\s+(.*)$"
RE_CN="Full name:\s+(.*)$"
RE_DISPLAYNAME="Display name:\s+(.*)$"
RE_INITIALS="Initials:\s+(.*)$"
RE_SHELL="Login shell:\s+(.*)$"
RE_HOMEDIR="Home directory:\s+(.*)$"
RE_PRINCIPAL="Kerberos principal:\s+(.*)$"
RE_EMAIL="Email address:\s+(.*)$"
RE_SSHPUBKEY="SSH public key:\s+(.*)$"
RE_UID="UID:\s+(.*)$"
RE_GID="GID:\s+(.*)$"

# Clear every per-user field between entries.
reset_fields() {
    login="" last="" first="" cn="" displayname="" initials="" shell=""
    homedir="" principal="" email="" sshpubkey="" uid="" gid=""
}

# Create the user collected so far. Values are quoted so that names
# containing spaces survive word splitting.
add_user() {
    ipa user-add "$login" \
        --last="$last" \
        --first="$first" \
        --cn="$cn" \
        --displayname="$displayname" \
        --initials="$initials" \
        --shell="$shell" \
        --homedir="$homedir" \
        --principal="$principal" \
        --email="$email" \
        --sshpubkey="$sshpubkey" \
        --uid="$uid" \
        --gid="$gid"
}

reset_fields

while read line; do
    # "dn:" opens every entry in "ipa user-find --all" output, so when it
    # appears the previous user is complete. Nothing has been collected
    # before the very first one, hence the guard on $login.
    if [[ $line =~ $RE_DN ]]; then
        if [[ -n "$login" ]]; then
            add_user
        fi
        reset_fields
    fi
    if [[ $line =~ $RE_LOGIN ]]; then login=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_LAST ]]; then last=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_FIRST ]]; then first=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_CN ]]; then cn=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_DISPLAYNAME ]]; then displayname=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_INITIALS ]]; then initials=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_SHELL ]]; then shell=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_HOMEDIR ]]; then homedir=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_PRINCIPAL ]]; then principal=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_EMAIL ]]; then email=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_SSHPUBKEY ]]; then
        # The CLI wraps a long key over the next two lines; pull them in.
        sshpubkey1=${BASH_REMATCH[1]}
        read sshpubkey2
        read sshpubkey3
        sshpubkey="$sshpubkey1 $sshpubkey2 $sshpubkey3"
    fi
    if [[ $line =~ $RE_UID ]]; then uid=${BASH_REMATCH[1]}; fi
    if [[ $line =~ $RE_GID ]]; then gid=${BASH_REMATCH[1]}; fi
done < $FN

# The last entry is not followed by another "dn:", so add it here.
if [[ -n "$login" ]]; then
    add_user
fi
---------cut----------

If there's any interest, I can toss these scripts plus a handful of other parsers for things like DNS, hbac and sudo into a github project. Unless someone points out a compelling reason to not do things this way.

Bret

On 05/23/2014 12:42 AM, Sanju A wrote:
> Dear All,
>
> Is there any command to export the user and host list to a csv or text
> format
>
> Regards
> Sanju Abraham

From mkosek at redhat.com Fri May 23 11:54:35 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 23 May 2014 13:54:35 +0200
Subject: [Freeipa-users] Export user and host list to a csv or text file
Message-ID: <537F36FB.4010800@redhat.com>

On 05/23/2014 06:42 AM, Sanju A wrote:
> Dear All,
>
> Is there any command to export the user and host list to a csv or text format

There is no such command out of the shelf, I would personally just write a short Python script to export the hosts (or anything else) in a format I need.
Example for host:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/python2

from ipalib import api
api.bootstrap(context='exporter', debug=False)
api.finalize()
api.Backend.xmlclient.connect()

hosts = api.Command['host_find']()['result']

for host in hosts:
    print host['fqdn'][0]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This will print one host per line.

Martin

From mkosek at redhat.com Fri May 23 11:57:49 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 23 May 2014 13:57:49 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
Message-ID: <537F37BD.2030806@redhat.com>

On 05/23/2014 12:15 PM, Matt . wrote:
> Hi All,
>
> Is a wildcard DNS record supported at the moment ?
>
> If so, how to accomplish this ?
>
> Thanks!
>
> Matt

It is not supported at the moment, but it will be supported from FreeIPA 4.0 (currently planned to be released at the end of June)

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3148

Martin

From yamakasi.014 at gmail.com Fri May 23 11:59:28 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Fri, 23 May 2014 13:59:28 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
In-Reply-To: <537F37BD.2030806@redhat.com>
References: <537F37BD.2030806@redhat.com>

Hi Martin,

I have seen it indeed and discussed on #freeipa

Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5?

Cheers,

Matt

2014-05-23 13:57 GMT+02:00 Martin Kosek :
> On 05/23/2014 12:15 PM, Matt . wrote:
> > Hi All,
> >
> > Is a wildcard DNS record supported at the moment ?
> >
> > If so, how to accomplish this ?
> >
> > Thanks!
> >
> > Matt
>
> It is not supported at the moment, but it will be supported from FreeIPA
> 4.0
> (currently planned to be released at the end of June)
>
> Upstream ticket:
> https://fedorahosted.org/freeipa/ticket/3148
>
> Martin
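Returning to Sanju's export question: Bret's bash parsers and Martin's ipalib script above both start from the text the IPA CLI prints. What follows is an added example, not code from this thread or from FreeIPA, that does the same parsing in Python 3 and writes CSV, so that the "Label: value" lines, wrapped values (the SSH public key continuation lines Bret's script pulls in with extra `read` calls) and comma-joined multi-valued attributes are handled in one place. The sample output embedded in it is constructed in the shape `ipa user-find --all` prints; nothing here talks to a server, and the column names are the CLI labels, not the API attribute names `ipa show-mappings` would give you.

```python
#!/usr/bin/env python3
"""Convert `ipa user-find --all` / `ipa host-find --all` text output to CSV.

Added example, not from the thread. The sample below is constructed in the
shape the IPA CLI prints: unindented banner lines, two-space indented
"Label: value" lines, a blank line between entries, and long values wrapped
onto deeper-indented continuation lines.
"""
import csv
import io
import re
import sys

SAMPLE_USER_FIND = """\
--------------
2 users matched
--------------
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  User login: alice
  First name: Alice
  Last name: Adams
  Full name: Alice Adams
  Home directory: /home/alice
  Login shell: /bin/bash
  Email address: alice@example.test
  UID: 1001
  GID: 1001
  Member of groups: ipausers, admins
  SSH public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotARealKey
                  alice@laptop
  Kerberos keys available: True

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  User login: bob
  First name: Bob
  Last name: Baker
  Full name: Bob Baker
  Home directory: /home/bob
  Login shell: /bin/sh
  UID: 1002
  GID: 1002
  Member of groups: ipausers
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------
"""

LABEL_RE = re.compile(r"^(?P<label>[^:]+?): ?(?P<value>.*)$")
ENTRY_INDENT = 2  # the CLI indents every attribute line by two spaces


def parse_ipa_find(text):
    """Return one dict per entry (label -> value) from `ipa *-find` output.

    Unindented lines are banners or summaries and are skipped; a blank line
    closes the current entry; an indented line that does not start a new
    "Label:" at the entry indent is a wrapped continuation of the previous
    value and is re-joined to it with a single space.
    """
    entries, current, last_label = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_label = {}, None
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            continue
        match = LABEL_RE.match(raw.strip()) if indent == ENTRY_INDENT else None
        if match:
            last_label = match.group("label")
            current[last_label] = match.group("value")
        elif last_label is not None:
            current[last_label] += " " + raw.strip()
    if current:
        entries.append(current)
    return entries


def entries_to_csv(entries, columns=None):
    """Render entries as CSV text. Columns default to every label seen, in
    order of first appearance; values containing commas (IPA joins
    multi-valued attributes with ", ") are quoted by the csv module."""
    if columns is None:
        columns = []
        for entry in entries:
            for label in entry:
                if label not in columns:
                    columns.append(label)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, restval="",
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow(entry)
    return out.getvalue()


if __name__ == "__main__":
    # Real use: ipa user-find --all > users.txt; python3 ipa_find_to_csv.py users.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_USER_FIND
    sys.stdout.write(entries_to_csv(parse_ipa_find(data),
                                    ["User login", "First name", "Last name",
                                     "UID", "GID", "Member of groups"]))
```

Because `--all` output includes every attribute, pass an explicit column list (as the `__main__` block does) to get the narrow user or host list Sanju asked for; omit it to dump everything. The same parser works on `ipa host-find --all` output, with "Host name" as the label to select.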
From bret.wortman at damascusgrp.com Fri May 23 12:02:04 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 23 May 2014 08:02:04 -0400
Subject: [Freeipa-users] Export user and host list to a csv or text file
In-Reply-To: <537F36FB.4010800@redhat.com>
References: <537F36FB.4010800@redhat.com>
Message-ID: <537F38BC.4030408@damascusgrp.com>

Is the Python API documented anywhere? I've looked around without success.

On 05/23/2014 07:54 AM, Martin Kosek wrote:
> On 05/23/2014 06:42 AM, Sanju A wrote:
>> Dear All,
>>
>> Is there any command to export the user and host list to a csv or text format
> There is no such command out of the shelf, I would personally just write a
> short Python script to export the hosts (or anything else) in a format I need.
>
> Example for host:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #!/usr/bin/python2
>
> from ipalib import api
> api.bootstrap(context='exporter', debug=False)
> api.finalize()
> api.Backend.xmlclient.connect()
>
> hosts = api.Command['host_find']()['result']
>
> for host in hosts:
>     print host['fqdn'][0]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> This will print one host for each new line.
>
> Martin

From bret.wortman at damascusgrp.com Fri May 23 12:15:24 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 23 May 2014 08:15:24 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
Message-ID: <537F3BDC.2040504@damascusgrp.com>

Collecting my various threads together under one big issue and adding this new data point:

Our web UI on our slow network is exhibiting some strange behavior as well.
When selecting, for example, the "Users", it can take up to 5 seconds to fetch 20 out of our 56 entries.

When switching to "Hosts", it took 4 seconds for the footer to show that there would be 47 pages in total, then after 10 seconds total, the page loaded 20 of 939 entries. When I select a host, the previously-selected host will actually be displayed for upwards of 8-10 seconds (while the spinning cursor spins near the word Logout) until the host actually loads.

Is it just me, or does this, plus everything else, start to sound like LDAP is struggling?

I ran a test using ldapsearch in authenticated and unauthenticated mode from my workstation and here's what I found, which may tell us nothing:

# time ldapsearch -x -H -ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real 0m2.047s
user 0m0.000s
sys 0m0.001s
# time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
:
real 0m2.816s
user 0m0.004s
sys 0m0.002s

When I did this locally on the ipa master:

# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
:
real 0m0.847s
user 0m0.007s
sys 0m0.006s
#

--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
From pvoborni at redhat.com Fri May 23 12:33:16 2014
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 23 May 2014 14:33:16 +0200
Subject: [Freeipa-users] Export user and host list to a csv or text file
In-Reply-To: <537F38BC.4030408@damascusgrp.com>
References: <537F36FB.4010800@redhat.com> <537F38BC.4030408@damascusgrp.com>
Message-ID: <537F400C.7090905@redhat.com>

On 23.5.2014 14:02, Bret Wortman wrote:
> Is the Python API documented anywhere? I've looked around without success.

Not yet.

For now, you can use IPA CLI for inspection:

CLI commands are basically API commands, where `_` is replaced by `-`.

List objects:
`ipa help topics`

List object commands:
`ipa help $object`, e.g., `ipa help user`

List command CLI options and parameters:
`ipa $command --help`, e.g., `ipa user-mod --help`

Map command params and options names to API option names:
`ipa show-mappings $command`, e.g., `ipa show-mappings user-add`

More can be read from code or by observing Web UI communication in browser developer tools - network tab.

Then the python syntax is ~

args = ['arg1', 'arg2']
options = dict(option1="foo", option2="bar")
api.Command['command_name'](*args, **options)

HTH

>
> On 05/23/2014 07:54 AM, Martin Kosek wrote:
>> On 05/23/2014 06:42 AM, Sanju A wrote:
>>> Dear All,
>>>
>>> Is there any command to export the user and host list to a csv or
>>> text format
>> There is no such command out of the shelf, I would personally just
>> write a
>> short Python script to export the hosts (or anything else) in a format
>> I need.
>>
>> Example for host:
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> #!/usr/bin/python2
>>
>> from ipalib import api
>> api.bootstrap(context='exporter', debug=False)
>> api.finalize()
>> api.Backend.xmlclient.connect()
>>
>> hosts = api.Command['host_find']()['result']
>>
>> for host in hosts:
>>     print host['fqdn'][0]
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> This will print one host for each new line.
>>
>> Martin
>>

--
Petr Vobornik

From cto at sshchicago.org Fri May 23 12:39:12 2014
From: cto at sshchicago.org (Chris Swingler)
Date: Fri, 23 May 2014 07:39:12 -0500
Subject: [Freeipa-users] Export user and host list to a csv or text file
In-Reply-To: <537F400C.7090905@redhat.com>
References: <537F36FB.4010800@redhat.com> <537F38BC.4030408@damascusgrp.com> <537F400C.7090905@redhat.com>

Another alternative is to use Apache Directory Studio; it can dump most objects out into a CSV, and you should be able to filter out only the data you want.

> On May 23, 2014, at 7:33 AM, Petr Vobornik wrote:
>
>> On 23.5.2014 14:02, Bret Wortman wrote:
>> Is the Python API documented anywhere? I've looked around without success.
>
> Not yet.
>
> For now, you can use IPA CLI for inspection:
>
> CLI commands are basically API commands, where `_` is replaced by `-`.
>
> List objects:
> `ipa help topics`
>
> List object commands:
> `ipa help $object`, e.g., `ipa help user`
>
> List command CLI options and parameters:
> `ipa $command --help`, e.g., `ipa user-mod --help`
>
> Map command params and options names to API option names:
> `ipa show-mappings $command`, e.g., `ipa show-mappings user-add`
>
> More can be read from code or by observing Web UI communication in browser developer tools - network tab.
>
> Then the python syntax is ~
> args = ['arg1', 'arg2']
> options = dict(option1="foo", option2="bar")
> api.Command['command_name'](*args, **options)
>
> HTH
>
>>
>>> On 05/23/2014 07:54 AM, Martin Kosek wrote:
>>>> On 05/23/2014 06:42 AM, Sanju A wrote:
>>>> Dear All,
>>>>
>>>> Is there any command to export the user and host list to a csv or
>>>> text format
>>> There is no such command out of the shelf, I would personally just
>>> write a
>>> short Python script to export the hosts (or anything else) in a format
>>> I need.
>>>
>>> Example for host:
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> #!/usr/bin/python2
>>>
>>> from ipalib import api
>>> api.bootstrap(context='exporter', debug=False)
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>>
>>> hosts = api.Command['host_find']()['result']
>>>
>>> for host in hosts:
>>>     print host['fqdn'][0]
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> This will print one host for each new line.
>>>
>>> Martin
> --
> Petr Vobornik

From pspacek at redhat.com Fri May 23 13:44:53 2014
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 23 May 2014 15:44:53 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
References: <537F37BD.2030806@redhat.com>
Message-ID: <537F50D5.9000102@redhat.com>

On 23.5.2014 13:59, Matt . wrote:
> Hi Martin,
>
> I have seen it indeed and discussed on #freeipa
>
> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?

In theory yes, but nobody tested that.

Please note that new bind-dyndb-ldap will allow you to use wildcards but you will have to use an LDAP editor to add wildcard records manually. Old FreeIPA will refuse to add wildcard records (because the validator is not inside bind-dyndb-ldap but inside FreeIPA).
Anyway, feel free to download
http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm
and rebuild it on CentOS 6.5.

You will have to lower the required version of BIND in the SPEC file. Please note that it is completely untested.

Let me know if you have any further questions.

Petr Spacek

>
> Cheers,
>
> Matt
>
> 2014-05-23 13:57 GMT+02:00 Martin Kosek :
>
>> On 05/23/2014 12:15 PM, Matt . wrote:
>>> Hi All,
>>>
>>> Is a wildcard DNS record supported at the moment ?
>>>
>>> If so, how to accomplish this ?
>>>
>>> Thanks!
>>>
>>> Matt
>>
>> It is not supported at the moment, but it will be supported from FreeIPA
>> 4.0
>> (currently planned to be released at the end of June)
>>
>> Upstream ticket:
>> https://fedorahosted.org/freeipa/ticket/3148
>>
>> Martin

--
Petr^2 Spacek

From mkosek at redhat.com Fri May 23 13:46:48 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 23 May 2014 15:46:48 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
In-Reply-To: <537F50D5.9000102@redhat.com>
References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com>
Message-ID: <537F5148.3010407@redhat.com>

On 05/23/2014 03:44 PM, Petr Spacek wrote:
> On 23.5.2014 13:59, Matt . wrote:
>> Hi Martin,
>>
>> I have seen it indeed and discussed on #freeipa
>>
>> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?
>
> In theory yes, but nobody tested that.
>
> Please note that new bind-dyndb-ldap will allow you to use wildcards but you
> will have to use an LDAP editor to add wildcard records manually. Old FreeIPA
> will refuse to add wildcard records (because the validator is not inside
> bind-dyndb-ldap but inside FreeIPA).
>
> Anyway, feel free to download
> http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm
>
> and rebuild it on CentOS 6.5.
>
> You will have to lower required version of BIND in SPEC file. Please note that
> it is completely untested.
>
> Let me know if you have any further questions.
>
> Petr Spacek

Wouldn't Matt also need to rebuild BIND and its libraries? bind-dyndb-ldap and BIND are pretty bound together.

Martin

From bret.wortman at damascusgrp.com Fri May 23 13:48:00 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Fri, 23 May 2014 09:48:00 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <537F3BDC.2040504@damascusgrp.com>
References: <537F3BDC.2040504@damascusgrp.com>
Message-ID: <537F5190.9070806@damascusgrp.com>

More soft/anecdotal:

When executing "sudo -i" or "sudo -iu" the first time, we can expect a several second delay before the command completes. If we then exit the session and re-execute the command, it will complete almost instantly. So whatever cache is holding this information, if we could increase its duration, that would certainly make our pain less. Is this a settable value?

Entering a password into a screensaver is particularly painful. 10+ seconds before the screensaver will exit.

We are looking at environmental possibilities, like interfaces and such. This machine is running on a VMware VM, but we've had success deploying IPA on VMs in the past, and our faster network is running VMs as well (with one physical box).

Bret

On 05/23/2014 08:15 AM, Bret Wortman wrote:
> Collecting my various threads together under one big issue and adding
> this new data point:
>
> Our web UI on our slow network is exhibiting some strange behavior as
> well.
>
> When selecting, for example, the "Users", it can take up to 5 seconds
> to fetch 20 out of our 56 entries.
>
> When switching to "Hosts", it took 4 seconds for the footer to show
> that there would be 47 pages in total, then after 10 seconds total,
> the page loaded 20 of 939 entries.
> When I select a host, the
> previously-selected host will actually be displayed for upwards of
> 8-10 seconds (while the spinning cursor spins near the word Logout)
> until the host actually loads.
>
> Is it just me, or does this, plus everything else, start to sound like
> LDAP is struggling?
>
> I ran a test using ldapsearch in authenticated and unauthenticated
> mode from my workstation and here's what I found, which may tell us
> nothing:
>
> # time ldapsearch -x -H -ldap://zsipa.foo.net
> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
> :
> real 0m2.047s
> user 0m0.000s
> sys 0m0.001s
> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net
> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
> :
> real 0m2.816s
> user 0m0.004s
> sys 0m0.002s
>
> When I did this locally on the ipa master:
>
> # ssh zsipa.foo.net
> # time ldapsearch -Y GSSAPI
> base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
> :
> real 0m0.847s
> user 0m0.007s
> sys 0m0.006s
> #
>
> --
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
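Bret asks whether the duration of the cache that makes the second "sudo -i" fast is a settable value; nobody in the thread answers. On an IPA client those lookups are served by sssd, and the lifetimes are per-domain options in sssd.conf: entry_cache_timeout (5400 seconds by default) and the per-object entry_cache_user_timeout, entry_cache_group_timeout and entry_cache_sudo_timeout, which fall back to it when unset, all documented in sssd.conf(5). The following is an added example, not from the thread or from sssd itself, that reads a constructed sssd.conf of the kind ipa-client-install writes and reports the effective value of each, so you can see what a client is actually using before changing anything. The [domain/foo.net] section, hostnames and the tuned values are made up.

```python
#!/usr/bin/env python3
"""Report the effective sssd entry-cache lifetimes for each IPA domain.

Added example, not from the thread. The option names and defaults are the
ones documented in sssd.conf(5); both sssd.conf texts below are constructed.
"""
import configparser

# Constructed: the kind of sssd.conf ipa-client-install leaves behind, with
# no cache tuning, so every lifetime comes from the sssd.conf(5) defaults.
SSSD_CONF_DEFAULTS = """\
[domain/foo.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = foo.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client1.foo.net
chpass_provider = ipa
ipa_server = _srv_, zsipa.foo.net
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = foo.net
"""

# Constructed: the same domain with a longer general lifetime and a separate,
# shorter one for sudo rules (values chosen for illustration only).
SSSD_CONF_TUNED = SSSD_CONF_DEFAULTS.replace(
    "[domain/foo.net]\n",
    "[domain/foo.net]\nentry_cache_timeout = 86400\nentry_cache_sudo_timeout = 7200\n",
)

# sssd.conf(5): entry_cache_timeout defaults to 5400 seconds, and each
# per-object timeout falls back to entry_cache_timeout when it is not set.
DEFAULT_ENTRY_CACHE_TIMEOUT = 5400
PER_OBJECT_TIMEOUTS = (
    "entry_cache_user_timeout",
    "entry_cache_group_timeout",
    "entry_cache_sudo_timeout",
)


def effective_cache_timeouts(conf_text):
    """Return {domain: {option: seconds}} for every [domain/...] section,
    resolving unset options through the sssd.conf(5) fallback chain."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        base = parser.getint(section, "entry_cache_timeout",
                             fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)
        timeouts = {"entry_cache_timeout": base}
        for option in PER_OBJECT_TIMEOUTS:
            timeouts[option] = parser.getint(section, option, fallback=base)
        result[section[len("domain/"):]] = timeouts
    return result


def report(conf_text):
    """Human-readable summary: one line per domain and option."""
    lines = []
    for domain, timeouts in effective_cache_timeouts(conf_text).items():
        for option, seconds in timeouts.items():
            lines.append(f"{domain}: {option} = {seconds}s")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real client, read /etc/sssd/sssd.conf (root only) instead of the
    # constructed samples:  with open("/etc/sssd/sssd.conf") as fh: print(report(fh.read()))
    print(report(SSSD_CONF_DEFAULTS))
    print("---")
    print(report(SSSD_CONF_TUNED))
```

The point of resolving the fallback chain is that a domain section with no entry_cache_* lines is not "uncached"; it is cached for 5400 seconds, and a longer entry_cache_timeout silently lengthens the sudo-rule lifetime too unless entry_cache_sudo_timeout is set on its own.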
From mkosek at redhat.com Fri May 23 13:49:07 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 23 May 2014 15:49:07 +0200
Subject: [Freeipa-users] Export user and host list to a csv or text file
References: <537F36FB.4010800@redhat.com> <537F38BC.4030408@damascusgrp.com> <537F400C.7090905@redhat.com>
Message-ID: <537F51D3.9020202@redhat.com>

Right, that's a good suggestion and should work in many use cases. You will just miss attributes or modifications done inside FreeIPA server framework plugins (e.g. conversion of DNS IDN name from punycode to unicode).

Martin

On 05/23/2014 02:39 PM, Chris Swingler wrote:
> Another alternative is to use Apache Directory Studio; it can dump most objects out into a CSV, and you should be able to filter out only the data you want.
>
>> On May 23, 2014, at 7:33 AM, Petr Vobornik wrote:
>>
>>> On 23.5.2014 14:02, Bret Wortman wrote:
>>> Is the Python API documented anywhere? I've looked around without success.
>>
>> Not yet.
>>
>> For now, you can use IPA CLI for inspection:
>>
>> CLI commands are basically API commands, where `_` is replaced by `-`.
>>
>> List objects:
>> `ipa help topics`
>>
>> List object commands:
>> `ipa help $object`, e.g., `ipa help user`
>>
>> List command CLI options and parameters:
>> `ipa $command --help`, e.g., `ipa user-mod --help`
>>
>> Map command params and options names to API option names:
>> `ipa show-mappings $command`, e.g., `ipa show-mappings user-add`
>>
>> More can be read from code or by observing Web UI communication in browser developer tools - network tab.
>> >> >> Then the python syntax is ~ >> args = ['arg1', 'arg2'] >> options = dict(option1="foo", option2="bar") >> api.Command['command_name'](*args, **options) >> >> HTH >> >>> >>>> On 05/23/2014 07:54 AM, Martin Kosek wrote: >>>>> On 05/23/2014 06:42 AM, Sanju A wrote: >>>>> Dear All, >>>>> >>>>> Is there any command to export the user and host list to a csv or >>>>> text format >>>> There is no such command off the shelf, I would personally just >>>> write a >>>> short Python script to export the hosts (or anything else) in a format >>>> I need. >>>> >>>> Example for host: >>>> >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> #!/usr/bin/python2 >>>> >>>> from ipalib import api >>>> api.bootstrap(context='exporter', debug=False) >>>> api.finalize() >>>> api.Backend.xmlclient.connect() >>>> >>>> hosts = api.Command['host_find']()['result'] >>>> >>>> for host in hosts: >>>>     print host['fqdn'][0] >>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>>> >>>> This will print one host for each new line. >>>> >>>> Martin >> -- >> Petr Vobornik From pspacek at redhat.com Fri May 23 13:50:20 2014 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 23 May 2014 15:50:20 +0200 Subject: [Freeipa-users] Wildcard DNS record supported ? In-Reply-To: <537F5148.3010407@redhat.com> References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> Message-ID: <537F521C.5030706@redhat.com> On 23.5.2014 15:46, Martin Kosek wrote: > On 05/23/2014 03:44 PM, Petr Spacek wrote: >> On 23.5.2014 13:59, Matt .
wrote: >>> Hi Martin, >>> >>> I have seen it indeed and discusses on #freeipa >>> >>> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ? >> >> In theory yes, but nobody tested that. >> >> Please note that new bind-dyndb-ldap will allow you to use wildcards but you >> will have to use use LDAP editor to add wildcard records manually. Old FreeIPA >> will refuse to add wildcard records (because the validator is not inside >> bind-dyndb-ldap but inside FreeIPA). >> >> Anyway, feel free to download >> http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm >> >> and rebuild it on CentOS 6.5. >> >> You will have to lower required version of BIND in SPEC file. Please note that >> it is completely untested. >> >> Let me know if you have any further questions. >> >> Petr Spacek > > Wouldn't Matt also need to rebuild BIND and it's libraries? bind-dyndb-ldap and > BIND are pretty bound together. AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x is not tested with BIND < 9.9.x but it could work , in theory... -- Petr^2 Spacek From yamakasi.014 at gmail.com Fri May 23 13:52:32 2014 From: yamakasi.014 at gmail.com (Matt .) Date: Fri, 23 May 2014 15:52:32 +0200 Subject: [Freeipa-users] Wildcard DNS record supported ? In-Reply-To: <537F521C.5030706@redhat.com> References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> <537F521C.5030706@redhat.com> Message-ID: OK, but I wonder where I can remove that * check in IPA... it must be somewhere in a template I think. 2014-05-23 15:50 GMT+02:00 Petr Spacek : > On 23.5.2014 15:46, Martin Kosek wrote: > >> On 05/23/2014 03:44 PM, Petr Spacek wrote: >> >>> On 23.5.2014 13:59, Matt . wrote: >>> >>>> Hi Martin, >>>> >>>> I have seen it indeed and discusses on #freeipa >>>> >>>> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS >>>> 6.5 ? 
>>>> >>> >>> In theory yes, but nobody tested that. >>> >>> Please note that new bind-dyndb-ldap will allow you to use wildcards but >>> you >>> will have to use use LDAP editor to add wildcard records manually. Old >>> FreeIPA >>> will refuse to add wildcard records (because the validator is not inside >>> bind-dyndb-ldap but inside FreeIPA). >>> >>> Anyway, feel free to download >>> http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/ >>> 4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm >>> >>> and rebuild it on CentOS 6.5. >>> >>> You will have to lower required version of BIND in SPEC file. Please >>> note that >>> it is completely untested. >>> >>> Let me know if you have any further questions. >>> >>> Petr Spacek >>> >> >> Wouldn't Matt also need to rebuild BIND and it's libraries? >> bind-dyndb-ldap and >> BIND are pretty bound together. >> > > AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x is > not tested with BIND < 9.9.x but it could work , in theory... > > -- > Petr^2 Spacek > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Fri May 23 14:03:44 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 23 May 2014 16:03:44 +0200 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <537F5190.9070806@damascusgrp.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> Message-ID: <20140523140344.GO4669@hendrix.brq.redhat.com> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: > More soft/anecdotal: > > When executing "sudo -i" or "sudo -iu" the first time, we can expect > a several second delay before the command completes. If we then exit > the session and re-execute the command, it will complete almost > instantly. 
So whatever cache is holding this information, if we > could increase its duration, that would certainly make our pain > less. Is this a settable value? > > Entering a password into a screensaver is particularly painful. 10+ > seconds before the screensaver will exit. > > We are looking at environmental possibilities, like interfaces and > such. This machine is running on a VMware VM, but we've had success > deploying IPA on VMs in the past, and our faster network is running > VMs as well (with one physical box). Can you try increasing this option: pam_id_timeout (integer) For any PAM request while SSSD is online, the SSSD will attempt to immediately update the cached identity information for the user in order to ensure that authentication takes place with the latest information. A complete PAM conversation may perform multiple PAM requests, such as account management and session opening. This option controls (on a per-client-application basis) how long (in seconds) we can cache the identity information to avoid excessive round-trips to the identity provider. Default: 5 From bret.wortman at damascusgrp.com Fri May 23 14:03:59 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 23 May 2014 10:03:59 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> Message-ID: <537F554F.4030108@damascusgrp.com> On 05/23/2014 09:53 AM, Mauricio Tavares wrote: > > > > On Fri, May 23, 2014 at 9:48 AM, Bret Wortman > > > wrote: > > More soft/anecdotal: > > When executing "sudo -i" or "sudo -iu" the first time, we can > expect a several second delay before the command completes. If we > then exit the session and re-execute the command, it will complete > almost instantly. So whatever cache is holding this information, > if we could increase its duration, that would certainly make our > pain less. Is this a settable value? 
> > Entering a password into a screensaver is particularly painful. > 10+ seconds before the screensaver will exit. > > We are looking at environmental possibilities, like interfaces and > such. This machine is running on a VMware VM, but we've had > success deploying IPA on VMs in the past, and our faster network > is running VMs as well (with one physical box). > > > Bret > > Did running sudo in debugging mode (SUDOERS_DEBUG 2 in > ldap.conf) give you any more clues? > > No. I compared the output on both networks and there's no real difference once I accounted for HBAC on one (which produced 2 entries on the slower network that got filtered down to 1 user match and 1 host match). But the debug output was nearly identical. > > On 05/23/2014 08:15 AM, Bret Wortman wrote: >> Collecting my various threads together under one big issue and >> adding this new data point: >> >> Our web UI on our slow network is exhibiting some strange >> behavior as well. >> >> When selecting, for example, the "Users", it can take up to 5 >> seconds to fetch 20 out of our 56 entries. >> >> When switching to "Hosts", it took 4 seconds for the footer to >> show that there would be 47 pages in total, then after 10 seconds >> total, the page loaded 20 of 939 entries. When I select a host, >> the previously-selected host will actually be displayed for >> upwards of 8-10 seconds (while the spinning cursor spins near the >> word Logout) until the host actually loads. >> >> Is it just me, or does this, plus everything else, start to sound >> like LDAP is struggling? 
>> >> I ran a test using ldapsearch in authenticated and >> unauthenticated mode from my workstation and here's what I found, >> which may tell us nothing: >> >> # time ldapsearch -x -H ldap://zsipa.foo.net >> >> -b "uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >> : >> real 0m2.047s >> user 0m0.000s >> sys 0m0.001s >> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net >> -b "uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >> : >> real 0m2.816s >> user 0m0.004s >> sys 0m0.002s >> >> When I did this locally on the ipa master: >> >> # ssh zsipa.foo.net >> # time ldapsearch -Y GSSAPI >> -b "uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >> : >> real 0m0.847s >> user 0m0.007s >> sys 0m0.006s >> # >> >> >> -- >> *Bret Wortman* >> >> http://damascusgrp.com/ >> http://about.me/wortmanbret >> >> > >
From jhrozek at redhat.com Fri May 23 14:05:27 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Fri, 23 May 2014 16:05:27 +0200 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <20140523140344.GO4669@hendrix.brq.redhat.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <20140523140344.GO4669@hendrix.brq.redhat.com> Message-ID: <20140523140527.GP4669@hendrix.brq.redhat.com> On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote: > On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: > > More soft/anecdotal: > > > > When executing "sudo -i" or "sudo -iu" the first time, we can expect > > a several second delay before the command completes. If we then exit > > the session and re-execute the command, it will complete almost > > instantly. So whatever cache is holding this information, if we > > could increase its duration, that would certainly make our pain > > less. Is this a settable value? > > > > Entering a password into a screensaver is particularly painful. 10+ > > seconds before the screensaver will exit. > > > > We are looking at environmental possibilities, like interfaces and > > such. This machine is running on a VMware VM, but we've had success > > deploying IPA on VMs in the past, and our faster network is running > > VMs as well (with one physical box). > > Can you try increasing this option: > > pam_id_timeout (integer) > For any PAM request while SSSD is online, the SSSD will attempt to > immediately update the cached identity information for the user in > order to ensure that authentication takes place with the latest > information. > > A complete PAM conversation may perform multiple PAM requests, such > as account management and session opening.
This option controls (on > a per-client-application basis) how long (in seconds) we can cache > the identity information to avoid excessive round-trips to the > identity provider. > > Default: 5 I should also have explicitly said that the option belongs to the [pam] section. From bret.wortman at damascusgrp.com Fri May 23 14:20:44 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 23 May 2014 10:20:44 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <20140523140527.GP4669@hendrix.brq.redhat.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <20140523140344.GO4669@hendrix.brq.redhat.com> <20140523140527.GP4669@hendrix.brq.redhat.com> Message-ID: <537F593C.8040908@damascusgrp.com> I assumed. It obviously hasn't helped our sudo situation, but I wouldn't expect it to. I'll let you know how it plays against screensavers and such. On 05/23/2014 10:05 AM, Jakub Hrozek wrote: > On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote: >> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: >>> More soft/anecdotal: >>> >>> When executing "sudo -i" or "sudo -iu" the first time, we can expect >>> a several second delay before the command completes. If we then exit >>> the session and re-execute the command, it will complete almost >>> instantly. So whatever cache is holding this information, if we >>> could increase its duration, that would certainly make our pain >>> less. Is this a settable value? >>> >>> Entering a password into a screensaver is particularly painful. 10+ >>> seconds before the screensaver will exit. >>> >>> We are looking at environmental possibilities, like interfaces and >>> such. This machine is running on a VMware VM, but we've had success >>> deploying IPA on VMs in the past, and our faster network is running >>> VMs as well (with one physical box). 
>> Can you try increasing this option: >> >> pam_id_timeout (integer) >> For any PAM request while SSSD is online, the SSSD will attempt to >> immediately update the cached identity information for the user in >> order to ensure that authentication takes place with the latest >> information. >> >> A complete PAM conversation may perform multiple PAM requests, such >> as account management and session opening. This option controls (on >> a per-client-application basis) how long (in seconds) we can cache >> the identity information to avoid excessive round-trips to the >> identity provider. >> >> Default: 5 > I should also have explicitly said that the option belongs to the [pam] > section. > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From devans01 at gmail.com Fri May 23 14:31:22 2014 From: devans01 at gmail.com (Dylan Evans) Date: Fri, 23 May 2014 15:31:22 +0100 Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together In-Reply-To: <537DF94A.4000601@redhat.com> References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> Message-ID: Hi Sumit and Petr, Thanks both of you for your replies, I've now got to go and try to implement all your suggestions but I have some more questions, sorry! The guide at techslaves was fine, I just got stuck with the changes in the JavaScript packages and the Samba server questions. 1. Petr, I put your samba.js plugin into /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack of JS knowledge, anything more than simple Bash scripts tends to leave me confused! Do I need to do anything else apart from restart the IPA service? 
I read your info at http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the plugins have to be registered, but I couldn't work out if it's a manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py for the CLI as well. 2. Sumit, thanks for the info on Samba, I'll have to leave that now and try it next week. BTW, the version of Samba I'm testing against is 3.6.9-168 on CentOS 6.5. Thanks again for your information and patience, Dylan. On 22 May 2014 14:19, Petr Vobornik wrote: > On 22.5.2014 14:19, Sumit Bose wrote: >> >> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote: >>> >>> Hello, >>> >>> I need some help with getting Samba and FreeIPA working together. >>> >>> I?ve been following the guide at >>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but >>> that seems quite out of date for IPAv3 and I need some help: >> >> >> yes, it is a bit outdated but still useful. Please note that we are >> currently working on making the integration of samba more easy. Recently >> I send a patch to the samba-technical mailing list with a library which >> would allow samba to use SSSD instead of winbind to look up users and >> SID-to-name mapping. Alexander is planning to go through the ipasam >> modules to see how to make integration with Samba file-servers more easy. >> >> But coming back to your questions. >> >>> >>> 1. The guide deals with setting a Samba server SID for one Samba >>> server, but as we have multiple stand-alone Samba3 servers, which SID >>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I >>> have more than 1 plugin (seems unlikely)? >> >> >> 'net getlocalsid' returns the domain SID and since all you Samba >> file-servers are member of the IPA domain you can use a common SID here. 
>> >> With IPAv3 SID generation for users and groups is even more easy because >> you can get it for free by running ipa-adtrust-install (please use the >> option --add-sids) if you already have users and groups in your IPA >> server. This prepares the IPA server to be able to create trust >> relationships to Active Directory and one requirement here is that all >> users and groups have SID. >> >> 'ipa-adtrust-install' will also create a domain SID. 'ipa >> trustconfig-show' will show the domain SID together with the DNS domain >> name and the NetBIOS domain name. On your Samba server you should set >> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA >> server after running ipa-adtrust-install for a config example). >> >> Additionally on your Samba servers you have to set the domain SID in >> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3 >> keys with the same SID >> >> SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf >> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in >> smb.conf >> SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in >> smb.conf >> >> The SID has to be given in a special binary format. The easiest way to >> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the >> IPA server after running ipa-adtrust-install. The domain SID will always >> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence >> as data for the insert command of tdbtool. >> >> Now everything should be done with respect to SID handling. >> >>> >>> 2. There?s no ?/usr/share/ipa/ui/group.js? file to patch in >>> IPAv3. What do I need to patch instead? >>> >>> I?ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which >>> shows the need is there but I could do with getting it working ASAP. 
>> >> >> group.js is compliend with the other UI files in >> /usr/share/ipa/ui/js/freeipa/app.js (see >> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources >> for details). For your convenience I copied some section here: >> >> "The compiled Web UI layer is located in >> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from >> source git repository in `install/ui/src/freeipa/` directory to the >> `/usr/share/ipa/ui/js/freeipa/` directory (in will replace the `app.js` >> file). By doing that, next reload of Web UI will use source files >> (clearing browser cache may be required). After that all JavaScript >> errors will contain proper source code name and line number." > > > Better approach is to create a custom UI plugin which would add those > fields. Since it's only 3 fields, I create an example which works on FreeIPA > 4.0 and theoretically it should work on 3.2 as well: > > http://pvoborni.fedorapeople.org/plugins/samba/samba.js > > put the file into `/usr/share/ipa/ui/js/plugins/samba` directory. > > I did not test it with backend (no labels + doesn't do anything). > > More about plugin development: > * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf > * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins > > Creating CLI plugin is IMO also better approach. > > >> >>> >>> I may be missing something obvious but some help would be greatly >>> appreciated! >> >> >> I hope my comments will help you. Feel free to ask for more help if >> needed. It would be nice to hear from any success as well. >> >> bye, >> Sumit >> >>> >>> Thanks, >>> >>> Dylan. >>> >>> Background: >>> >>> Brief: Need to expand from the current single-office-ish NIS/YP scheme >>> to a multi-location/multi-national auth scheme which FreeIPA seems >>> ideally suited for. 
>>> >>> >>> Requirement: To continue to provide console/SSH and GUI/X logins to >>> Linux hosts, access to home and project directories via NFS from the >>> Linux machines using autofs/automount and access to Samba file-shares >>> from Windows machines but not using AD creds as this is a totally >>> separate environment. Several locations will each have a FreeIPA >>> replica server, NFS/Samba fileserver and ?application? server. >>> Currently use 2 passwords for each user ? one for NIS, one for Samba ? >>> and need to consolidate to one password for everything. >>> >>> >>> Progress: Linux-based NFS stuff working fine ? automount of home and >>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs >>> as a prototyping environment but will probably use RHEL/CentOS 7 when >>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and >>> 3.3.5 on Fedora 20. >>> > -- > Petr Vobornik From dpal at redhat.com Fri May 23 18:33:32 2014 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 23 May 2014 14:33:32 -0400 Subject: [Freeipa-users] Wildcard DNS record supported ? In-Reply-To: References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> <537F521C.5030706@redhat.com> Message-ID: <537F947C.5000009@redhat.com> On 05/23/2014 09:52 AM, Matt . wrote: > OK, but I wonder where I can remove that * check in IPA... it must be > somewhere in a template I think. You mean you want to contribute to the IPA code to change the validator to allow wildcard support and looking for a pointer to a code? > > > 2014-05-23 15:50 GMT+02:00 Petr Spacek >: > > On 23.5.2014 15:46, Martin Kosek wrote: > > On 05/23/2014 03:44 PM, Petr Spacek wrote: > > On 23.5.2014 13:59, Matt . wrote: > > Hi Martin, > > I have seen it indeed and discusses on #freeipa > > Is it not possible to install bind-dyndb-ldap 4.0 > manually on CentOS 6.5 ? > > > In theory yes, but nobody tested that. 
> > Please note that new bind-dyndb-ldap will allow you to use > wildcards but you > will have to use use LDAP editor to add wildcard records > manually. Old FreeIPA > will refuse to add wildcard records (because the validator > is not inside > bind-dyndb-ldap but inside FreeIPA). > > Anyway, feel free to download > http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm > > and rebuild it on CentOS 6.5. > > You will have to lower required version of BIND in SPEC > file. Please note that > it is completely untested. > > Let me know if you have any further questions. > > Petr Spacek > > > Wouldn't Matt also need to rebuild BIND and it's libraries? > bind-dyndb-ldap and > BIND are pretty bound together. > > > AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap > 4.x is not tested with BIND < 9.9.x but it could work , in theory... > > -- > Petr^2 Spacek > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
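Sumit's secrets.tdb instructions earlier in this digest (the three SECRETS/SID/... keys, and the domain SID as a byte sequence starting `\01\04\00\00\00\00\00\05\15\...`) describe a binary layout that is easy to get subtly wrong when typed by hand. The block below is an added example written for this page in Python 3; it is not code from the thread, from Samba or from FreeIPA. It packs a textual SID into that layout (revision, sub-authority count, 6-byte big-endian authority, 4-byte little-endian sub-authorities), renders the bytes the way tdbdump prints them, parses a tdbdump value back, and emits the three insert lines for the keys Sumit lists. The sample SID and names are constructed. One assumption is marked in the code: that Samba stores the whole fixed-size struct dom_sid (68 bytes) rather than only the populated prefix, which is why the value is zero-padded; copying the complete sequence tdbdump prints, as the mail suggests, gives the same result.

```python
"""
Domain SID handling for the secrets.tdb step described in the thread.

Added example (Python 3); not code from the thread, from Samba or from FreeIPA.
"""
import re
import struct

# Constructed sample value; not a real domain SID.
SAMPLE_SID = "S-1-5-21-1001-2002-3003"

# Size of Samba's fixed-size struct dom_sid: revision, count, 6-byte authority,
# 15 sub-authorities.  Assumption (from reading Samba's secrets.c): Samba writes
# the whole struct to secrets.tdb, so the value tdbdump prints is this long.
DOM_SID_SIZE = 1 + 1 + 6 + 15 * 4

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def sid_to_bytes(sid: str, padded: bool = False) -> bytes:
    """Pack 'S-R-A-s1-...' as: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes big-endian), then each sub-authority as a
    4-byte little-endian integer.  padded=True zero-fills to DOM_SID_SIZE."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError(f"out-of-range SID: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority too large in {sid!r}")
    raw = (struct.pack(">BB", revision, len(subs))
           + authority.to_bytes(6, "big")
           + b"".join(struct.pack("<I", s) for s in subs))
    return raw.ljust(DOM_SID_SIZE, b"\x00") if padded else raw


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; tolerates the zero padding Samba stores."""
    if len(raw) < 8:
        raise ValueError("SID value too short")
    revision, count = raw[0], raw[1]
    end = 8 + 4 * count
    if count > 15 or len(raw) < end or any(raw[end:]):
        raise ValueError("SID value does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:end])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def tdb_escape(raw: bytes) -> str:
    """Render bytes the way tdbdump prints them: printable ASCII other than
    '"' and '\\' literally, everything else as \\XX (upper-case hex).  The
    same form is what the mail says to hand to tdbtool's insert command."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b not in (0x22, 0x5C)
                   else "\\%02X" % b
                   for b in raw)


def tdb_unescape(text: str) -> bytes:
    """Parse a tdbdump-style value back into bytes (for checking what is stored)."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def secrets_tdb_sid_entries(domain_sid, netbios_domain, dns_domain, netbios_client):
    """The three (key, escaped value) pairs the mail lists, for tdbtool's
    'insert KEY VALUE'.  Samba upper-cases the name part of the key."""
    value = tdb_escape(sid_to_bytes(domain_sid, padded=True))
    return [("SECRETS/SID/" + name.upper(), value)
            for name in (netbios_domain, dns_domain, netbios_client)]


if __name__ == "__main__":
    # Constructed names: NetBIOS domain, DNS domain, NetBIOS name of the file server.
    for key, value in secrets_tdb_sid_entries(SAMPLE_SID, "example", "example.test", "fs1"):
        print(f"insert {key} {value}")
```

Take the real domain SID from `ipa trustconfig-show` (or `net getlocalsid`) as Sumit describes, back up secrets.tdb before touching it, and after inserting check with tdbdump that `bytes_to_sid(tdb_unescape(value))` gives the SID you expect; a wrong byte order or a short value fails silently at insert time and only shows up when Samba cannot map SIDs.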
URL: From dpal at redhat.com Fri May 23 18:44:36 2014 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 23 May 2014 14:44:36 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <537F554F.4030108@damascusgrp.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> Message-ID: <537F9714.6080407@redhat.com> On 05/23/2014 10:03 AM, Bret Wortman wrote: > > On 05/23/2014 09:53 AM, Mauricio Tavares wrote: >> >> >> >> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman >> > >> wrote: >> >> More soft/anecdotal: >> >> When executing "sudo -i" or "sudo -iu" the first time, we can >> expect a several second delay before the command completes. If we >> then exit the session and re-execute the command, it will >> complete almost instantly. So whatever cache is holding this >> information, if we could increase its duration, that would >> certainly make our pain less. Is this a settable value? >> >> Entering a password into a screensaver is particularly painful. >> 10+ seconds before the screensaver will exit. >> >> We are looking at environmental possibilities, like interfaces >> and such. This machine is running on a VMware VM, but we've had >> success deploying IPA on VMs in the past, and our faster network >> is running VMs as well (with one physical box). >> >> >> Bret >> >> Did running sudo in debugging mode (SUDOERS_DEBUG 2 in >> ldap.conf) give you any more clues? >> >> > No. I compared the output on both networks and there's no real > difference once I accounted for HBAC on one (which produced 2 entries > on the slower network that got filtered down to 1 user match and 1 > host match). But the debug output was nearly identical. Did you see any gaps in time in the logs that are different? The flow can be the same but some operations can take longer so there would be hint to us on what to look for. 
> >> >> On 05/23/2014 08:15 AM, Bret Wortman wrote: >>> Collecting my various threads together under one big issue and >>> adding this new data point: >>> >>> Our web UI on our slow network is exhibiting some strange >>> behavior as well. >>> >>> When selecting, for example, the "Users", it can take up to 5 >>> seconds to fetch 20 out of our 56 entries. >>> >>> When switching to "Hosts", it took 4 seconds for the footer to >>> show that there would be 47 pages in total, then after 10 >>> seconds total, the page loaded 20 of 939 entries. When I select >>> a host, the previously-selected host will actually be displayed >>> for upwards of 8-10 seconds (while the spinning cursor spins >>> near the word Logout) until the host actually loads. >>> >>> Is it just me, or does this, plus everything else, start to >>> sound like LDAP is struggling? >>> >>> I ran a test using ldapsearch in authenticated and >>> unauthenticated mode from my workstation and here's what I >>> found, which may tell us nothing: >>> >>> # time ldapsearch -x -H -ldap://zsipa.foo.net >>> >>> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >>> : >>> real 0m2.047s >>> user 0m0.000s >>> sys 0m0.001s >>> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net >>> base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net" >>> : >>> real 0m2.816s >>> user 0m0.004s >>> sys 0m0.002s >>> >>> When I did this locally on the ipa master: >>> >>> # ssh zsipa.foo.net >>> # time ldapsearch -Y GSSAPI >>> base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net" >>> : >>> real 0m0.847s >>> user 0m0.007s >>> sys 0m0.006s >>> # >>> >>> >>> -- >>> *Bret Wortman* >>> >>> http://damascusgrp.com/ >>> http://about.me/wortmanbret >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> 
https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 28526 bytes Desc: not available URL: From bret.wortman at damascusgrp.com Fri May 23 19:58:45 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Fri, 23 May 2014 15:58:45 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <537F9714.6080407@redhat.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> Message-ID: <5AD3A8BC-9FEF-4AE2-AD72-B9C893CD170B@damascusgrp.com> All I saw was additional output when I ran the command. On the slower system, there was a one second lag, then a burst of activity, then a one second lag, then completion. I?ll do it again Monday and see what the logs show. On May 23, 2014, at 2:44 PM, Dmitri Pal wrote: > On 05/23/2014 10:03 AM, Bret Wortman wrote: >> >> On 05/23/2014 09:53 AM, Mauricio Tavares wrote: >>> >>> >>> >>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman wrote: >>> More soft/anecdotal: >>> >>> When executing "sudo -i" or "sudo -iu" the first time, we can expect a several second delay before the command completes. If we then exit the session and re-execute the command, it will complete almost instantly. So whatever cache is holding this information, if we could increase its duration, that would certainly make our pain less. Is this a settable value? >>> >>> Entering a password into a screensaver is particularly painful. 10+ seconds before the screensaver will exit. 
>>> >>> We are looking at environmental possibilities, like interfaces and such. This machine is running on a VMware VM, but we've had success deploying IPA on VMs in the past, and our faster network is running VMs as well (with one physical box). >>> >>> >>> Bret >>> >>> Did running sudo in debugging mode (SUDOERS_DEBUG 2 in ldap.conf) give you any more clues? >>> >> No. I compared the output on both networks and there's no real difference once I accounted for HBAC on one (which produced 2 entries on the slower network that got filtered down to 1 user match and 1 host match). But the debug output was nearly identical. > > Did you see any gaps in time in the logs that are different? > The flow can be the same but some operations can take longer so there would be hint to us on what to look for. > >> >>> >>> On 05/23/2014 08:15 AM, Bret Wortman wrote: >>>> Collecting my various threads together under one big issue and adding this new data point: >>>> >>>> Our web UI on our slow network is exhibiting some strange behavior as well. >>>> >>>> When selecting, for example, the "Users", it can take up to 5 seconds to fetch 20 out of our 56 entries. >>>> >>>> When switching to "Hosts", it took 4 seconds for the footer to show that there would be 47 pages in total, then after 10 seconds total, the page loaded 20 of 939 entries. When I select a host, the previously-selected host will actually be displayed for upwards of 8-10 seconds (while the spinning cursor spins near the word Logout) until the host actually loads. >>>> >>>> Is it just me, or does this, plus everything else, start to sound like LDAP is struggling? 
>>>>
>>>> I ran a test using ldapsearch in authenticated and unauthenticated mode from my workstation and here's what I found, which may tell us nothing:
>>>>
>>>> # time ldapsearch -x -H -ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m2.047s
>>>> user 0m0.000s
>>>> sys 0m0.001s
>>>> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m2.816s
>>>> user 0m0.004s
>>>> sys 0m0.002s
>>>>
>>>> When I did this locally on the ipa master:
>>>>
>>>> # ssh zsipa.foo.net
>>>> # time ldapsearch -Y GSSAPI base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m0.847s
>>>> user 0m0.007s
>>>> sys 0m0.006s
>>>> #
>>>>
>>>> --
>>>> Bret Wortman
>>>>
>>>> http://damascusgrp.com/
>>>> http://about.me/wortmanbret
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

From zhu_junca at yahoo.ca Fri May 23 20:52:25 2014
From: zhu_junca at yahoo.ca (Carl E. Ma)
Date: Fri, 23 May 2014 16:52:25 -0400
Subject: [Freeipa-users] weird behavior on centos 6
In-Reply-To: <5373EA48.6060006@yahoo.ca>
References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> <5373EA48.6060006@yahoo.ca>
Message-ID: <537FB509.6060100@yahoo.ca>

Thanks for all your responses! Yes, the GSS proxy is not available on RHEL-6. For the time being, we can live with krb5_renewable_lifetime = 365d.

For my own curiosity, what kind of debugging tips or recommendations are included in BZ - https://bugzilla.redhat.com/show_bug.cgi?id=846109, which I can't access with a regular Redhat Bugzilla account?

Thanks a lot,
carl

From: Rob Crittenden
To: dpal redhat com, freeipa-users redhat com
Subject: Re: [Freeipa-users] weird behavior on centos 6
Date: Thu, 15 May 2014 09:46:28 -0400

Dmitri Pal wrote:
> On 05/14/2014 06:12 PM, Carl E. Ma wrote:
>> Hello,
>>
>> Recently I realized our centos 6 freeipa clients hang randomly. With some research, the issue is related to an autofs bug, which was mentioned a year ago - Automount fails for IPA user when kerberos ticket is expired, ssh hangs (https://fedorahosted.org/freeipa/ticket/2980). This ticket was closed with comment - "closed defect: invalid".
>>
>> My workaround is extending ticket_lifetime to 24h and renew_lifetime to 365d. I wonder whether there is a better solution or some insights into this bug.
>>
>> Thanks,
>> carl
>
> Read about GSS proxy.

I don't believe gss-proxy is available for RHEL-6 and backporting is unlikely.

The ticket is closed but the associated BZ is still open, https://bugzilla.redhat.com/show_bug.cgi?id=846109 and has some debugging tips and other recommendations.

rob

From rcritten at redhat.com Fri May 23 20:56:05 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 23 May 2014 16:56:05 -0400
Subject: [Freeipa-users] weird behavior on centos 6
In-Reply-To: <537FB509.6060100@yahoo.ca>
References: <1396715090.39565.YahooMailNeo@web140903.mail.bf1.yahoo.com> <534299F6.8090200@redhat.com> <53533F05.90908@yahoo.ca> <53550FD1.2090203@redhat.com> <5373EA48.6060006@yahoo.ca> <537FB509.6060100@yahoo.ca>
Message-ID: <537FB5E5.1090007@redhat.com>

Carl E. Ma wrote:
> Thanks for all your responses! Yes, the GSS proxy is not available on RHEL-6. For the time being, we can live with krb5_renewable_lifetime = 365d.
>
> For my own curiosity, what kind of debugging tips or recommendations are included in BZ - https://bugzilla.redhat.com/show_bug.cgi?id=846109, which I can't access with a regular Redhat Bugzilla account?
>
> Thanks a lot,

Probably the easiest way to get more information about where the problem is occurring is to get an autofs debug log during the test procedure. I see you already have LOGGING="debug" in your autofs configuration, so all that needs to be done is to ensure syslog is sending daemon level log messages to the log. I usually just add a line like:

*.daemon /var/log/daemon

to the syslog configuration. I always "touch /var/log/daemon" before restarting syslog as a matter of habit. I don't know if rsyslog will create the log file if it doesn't already exist.

Basically, if we don't see a second mount request in the log at all then the issue is occurring before the login process is attempting to access the home directory. If we do see such a request then we may be able to see where autofs blocks (if it does block), such as when calling mount(8) (although more likely mount.nfs(8)).
rob

> carl

From yamakasi.014 at gmail.com Fri May 23 22:44:43 2014
From: yamakasi.014 at gmail.com (Matt .)
Date: Sat, 24 May 2014 00:44:43 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
In-Reply-To: <537F947C.5000009@redhat.com>
References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> <537F521C.5030706@redhat.com> <537F947C.5000009@redhat.com>
Message-ID:

Indeed!

2014-05-23 20:33 GMT+02:00 Dmitri Pal :

> On 05/23/2014 09:52 AM, Matt . wrote:
>> OK, but I wonder where I can remove that * check in IPA... it must be somewhere in a template I think.
>
> You mean you want to contribute to the IPA code to change the validator to allow wildcard support and are looking for a pointer to the code?
>
>> 2014-05-23 15:50 GMT+02:00 Petr Spacek :
>> On 23.5.2014 15:46, Martin Kosek wrote:
>>> On 05/23/2014 03:44 PM, Petr Spacek wrote:
>>>> On 23.5.2014 13:59, Matt . wrote:
>>>>> Hi Martin,
>>>>>
>>>>> I have seen it indeed and discussed it on #freeipa
>>>>>
>>>>> Is it not possible to install bind-dyndb-ldap 4.0 manually on CentOS 6.5 ?
>>>>
>>>> In theory yes, but nobody tested that.
>>>>
>>>> Please note that new bind-dyndb-ldap will allow you to use wildcards but you will have to use an LDAP editor to add wildcard records manually. Old FreeIPA will refuse to add wildcard records (because the validator is not inside bind-dyndb-ldap but inside FreeIPA).
>>>>
>>>> Anyway, feel free to download
>>>> http://kojipkgs.fedoraproject.org//packages/bind-dyndb-ldap/4.3/1.fc20/src/bind-dyndb-ldap-4.3-1.fc20.src.rpm
>>>> and rebuild it on CentOS 6.5.
>>>>
>>>> You will have to lower the required version of BIND in the SPEC file. Please note that it is completely untested.
>>>>
>>>> Let me know if you have any further questions.
>>>>
>>>> Petr Spacek
>>>
>>> Wouldn't Matt also need to rebuild BIND and its libraries? bind-dyndb-ldap and BIND are pretty bound together.
>>
>> AFAIK rebuilding bind-dyndb-ldap should be enough. Bind-dyndb-ldap 4.x is not tested with BIND < 9.9.x but it could work, in theory...
>>
>> --
>> Petr^2 Spacek
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

From rcritten at redhat.com Sun May 25 18:29:08 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Sun, 25 May 2014 14:29:08 -0400
Subject: [Freeipa-users] Wildcard DNS record supported ?
In-Reply-To:
References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> <537F521C.5030706@redhat.com> <537F947C.5000009@redhat.com>
Message-ID: <53823674.5070104@redhat.com>

Matt . wrote:
> Indeed!

Look for the regex in ipalib/plugins/dns.py. I'd suspect you'll need to modify the hostname validator, validate_hostname, in ipalib/util.py.

Be wary of edge cases.

For instructions on testing, see http://www.freeipa.org/page/Testing

For how to contribute the patch, see http://www.freeipa.org/page/Contribute

regards

rob
From davis.goodman at digital-district.ca Sun May 25 19:44:46 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Sun, 25 May 2014 15:44:46 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To: <537CCEF7.8020808@redhat.com>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com>
Message-ID:

On Wed, May 21, 2014 at 12:06 PM, Martin Kosek wrote:

> On 05/21/2014 01:31 PM, Davis Goodman wrote:
>> On May 21, 2014, at 6:54 , Martin Kosek wrote:
>>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>>> On May 21, 2014, at 2:45 , Martin Kosek wrote:
>>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Lately I've been having issues of replication between my server and my 2 replicas.
>>>>>>
>>>>>> I decided I was going to delete my 2 replicas and start over keeping my master intact.
>>>>>>
>>>>>> I wasn't successful in getting all 3 servers to replicate to each other. (it used to work)
>>>>>>
>>>>>> I tried deleting 1 replica after the other one to always keep one of the two available.
>>>>>>
>>>>>> I had to delete manually the replica host on the master with a bunch of ldapdelete commands, which worked fine.
>>>>>>
>>>>>> But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas.
>>>>>>
>>>>>> I went back to my master to use ldapdelete to remove both hosts' records so that I could start over.
>>>>>>
>>>>>> Unfortunately now I'm getting this error.
>>>>>>
>>>>>> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>>>> Enter LDAP Password:
>>>>>> ldap_delete: Server is unwilling to perform (53)
>>>>>> additional info: database is read-only
>>>>>>
>>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation but with a master in read-only mode it wouldn't be of much help.
>>>>>>
>>>>>> Any insights would be more than welcome.
>>>>>>
>>>>>> Davis
>>>>>
>>>>> Hi Davis, did maybe some of your ipa-replica-manage runs crash in the middle of an operation, or was an upgrade interrupted and left the database in read only mode?
>>>>>
>>>>> You can find out with this ldapsearch:
>>>>>
>>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>>>
>>>>> Check for nsslapd-readonly, it should be put to "off" in normal operation.
>>>>>
>>>>> Martin
>>>>
>>>> Ok finally managed to modify the read-only flag.
>>>>
>>>> Could prepare my replicas and get them going.
>>>>
>>>> Everything seems fine but I'm getting this error while setting up the replicas. Should I be concerned about this one:
>>>>
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update in progress
>>>> Update succeeded
>>>> [23/31]: adding replication acis
>>>> [24/31]: setting Auto Member configuration
>>>> [25/31]: enabling S4U2Proxy delegation
>>>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>>>> [26/31]: initializing group membership
>>>> [27/31]: adding master entry
>>>> [28/31]: configuring Posix uid/gid generation
>>>>
>>>> the rest seems to work fine.
>>>
>>> You need to check ipareplica-install.log to see the real error.
>>>
>>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>>>
>>> Martin
>>
>> The first one is there:
>>
>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>> memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
>> memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
>> memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
>> memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
>> memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
>> memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
>> cn: ipa-http-delegation
>> objectClass: ipaKrb5DelegationACL
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> But not the second one:
>>
>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
>> No such object (32)
>> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>>
>> Also what is strange is that I got the error only on one of the replicas, the other one went through without any hiccups.
>
> Ok, I think I misguided you with the second DN, the real DN should be "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int", see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded.
>
> The key here is to check the error message of the ldapmodify that was run on the failing replica, try to search in /var/log/ipareplica-install.log.
>
> Martin

Hi Martin,

Finally got back on this problem.

I seem to have a huge mess in my replication agreements between my servers.

If I run "ipa-replica-manage list-ruv" on my master, which is freeipa01.prs, I get this:

[root at freeipa01 ~]# ipa-replica-manage list-ruv
freeipa01.prs.ddistrict.int:389: 4
freeipa01.mtl.ddistrict.int:389: 16
freeipa01.mtl.ddistrict.int:389: 13
freeipa01.mtl.ddistrict.int:389: 12
freeipa01.bxl.ddistrict.int:389: 10
freeipa01.chr.ddistrict.int:389: 8
freeipa01.mtl.ddistrict.int:389: 6
freeipa02.prs.ddistrict.int:389: 3
freeipa01.chr.ddistrict.int:389: 9
freeipa02.mtl.ddistrict.int:389: 17
freeipa02.mtl.ddistrict.int:389: 7
freeipa02.mtl.ddistrict.int:389: 11
freeipa02.mtl.ddistrict.int:389: 14
freeipa02.mtl.ddistrict.int:389: 15
[root at freeipa01 ~]#

I've tried to do the ipa-replica-manage clean-ruv on all IDs relating to freeipa02.mtl, which is the one I'm having the most problems with and would like to start from scratch.

Running the ipa-replica-manage list-clean-ruv gives me this:

[root at freeipa01 slapd-DDISTRICT-INT]# ipa-replica-manage list-clean-ruv
CLEANALLRUV tasks
RID 11: Not all replicas online, retrying in 160 seconds...
RID 17: Not all replicas online, retrying in 640 seconds...
RID 7: Waiting to process all the updates from the deleted replica...

No abort CLEANALLRUV tasks running
[root at freeipa01 slapd-DDISTRICT-INT]#

I'm kinda stuck in a loop and not sure which way to go.

I'm also stuck with an orphaned user in the WebUI which I see but can not delete, giving me the user doesn't exist.

If I do an ldapsearch it seems incomplete:

[root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -w XXXXXXX -b dc=ddistrict,dc=int | grep -i arobitaille
dn: cn=arobitaille,cn=groups,cn=compat,dc=ddistrict,dc=int
cn: arobitaille
memberUid: arobitaille
dn: uid=arobitaille,cn=users,cn=compat,dc=ddistrict,dc=int
homeDirectory: /home/arobitaille
uid: arobitaille
member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
dn: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=users,cn
homeDirectory: /home/arobitaille
mepManagedEntry: cn=arobitaille,cn=groups,cn=accounts,dc=ddistrict,dc=int
mail: arobitaille at digital-district.ca
krbPrincipalName: arobitaille at DDISTRICT.INT
uid: arobitaille
dn: cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn
cn: arobitaille
description: User private group for arobitaille
mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=ddistrict,dc=int

--
Davis Goodman
Directeur Informatique | IT Manager
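The DNs in the ldapsearch output above carry an nsuniqueid component inside the RDN (nsuniqueid=...+uid=arobitaille and cn=arobitaille+nsuniqueid=...), which is how 389 Directory Server stores a replication conflict entry; the FreeIPA CLI and Web UI cannot manage such entries. The script below is an added example, not code from this thread or from FreeIPA: it parses ldapsearch -LLL output, flags conflict entries, checks whether a live counterpart still exists and writes a delete LDIF for review. The sample dump is constructed, with a placeholder suffix dc=example,dc=test and the nsuniqueid values reused from the output above.

```python
"""Triage 389 Directory Server replication conflict entries in a FreeIPA dump.

When two masters accept a write for the same DN before replicating, the loser is kept
as a conflict entry with its nsuniqueid spliced into the RDN, e.g.
nsuniqueid=<id>+uid=alice,cn=users,cn=accounts,<suffix>; FreeIPA cannot manage these.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# nsuniqueid values look like 08165a01-dd3311e3-8982f534-a4dfcf64 (4 x 8 hex digits)
NSUNIQUEID_RDN = re.compile(r"nsuniqueid=(?:[0-9a-f]{8}-){3}[0-9a-f]{8}", re.I)
Entry = Dict[str, List[str]]  # lower-cased attribute name -> values ("dn" included)


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF as printed by ldapsearch -LLL (folded lines, '::' base64 values)."""
    entries: List[Entry] = []
    current: Entry = {}
    # A line beginning with one space continues the previous line (LDIF folding).
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around commas so DNs compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def live_dn_for(dn: str) -> Optional[str]:
    """DN with the nsuniqueid RDN component removed, or None if dn is not a conflict."""
    rdn, *parents = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    parts = [p.strip() for p in rdn.split("+")]  # multi-valued RDN components
    kept = [p for p in parts if not NSUNIQUEID_RDN.fullmatch(p)]
    if len(kept) == len(parts):
        return None
    return ",".join(["+".join(kept), *parents])


@dataclass
class Conflict:
    conflict_dn: str
    live_dn: str
    live_present: bool  # True: stale duplicate; False: this entry is the only copy


def find_conflicts(entries: List[Entry]) -> List[Conflict]:
    """Flag every entry whose RDN carries an nsuniqueid and look up its live DN."""
    present = {normalize_dn(e["dn"][0]) for e in entries if "dn" in e}
    found = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        live = live_dn_for(dn)
        if live is not None:
            found.append(Conflict(dn, live, normalize_dn(live) in present))
    return found


def delete_ldif(conflicts: List[Conflict]) -> str:
    """LDIF for ldapmodify deleting only conflicts whose live entry still exists;
    a conflict with no live counterpart is the sole copy and gets a REVIEW comment."""
    out = []
    for c in conflicts:
        if c.live_present:
            out += [f"dn: {c.conflict_dn}", "changetype: delete", ""]
        else:
            out.append(f"# REVIEW: {c.conflict_dn} has no live entry {c.live_dn}")
    return "\n".join(out)


# Constructed sample shaped like the dump in the thread (placeholder suffix, nsuniqueid
# values reused from it); the live uid=alice,cn=users,cn=accounts entry is deliberately absent.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=compat,dc=example,dc=test
uid: alice

dn: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=alice,cn=users,cn=acc
 ounts,dc=example,dc=test

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
cn: alice

dn: cn=alice+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn=accounts,dc=example,dc=test
cn: alice
"""
```

Run find_conflicts(parse_ldif(...)) over a real ldapsearch -LLL dump of the cn=accounts subtree; only conflicts whose live DN is still present get a delete stanza, the rest are listed for a human decision.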
From mkosek at redhat.com Mon May 26 08:22:27 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 26 May 2014 10:22:27 +0200
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To:
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com>
Message-ID: <5382F9C3.2050905@redhat.com>

On 05/25/2014 09:44 PM, Davis Goodman wrote:
> Hi Martin,
>
> Finally got back on this problem.
>
> I seem to have a huge mess in my replication agreements between my servers.
>
> If I run "ipa-replica-manage list-ruv" on my master, which is freeipa01.prs, I get this:
>
> [root at freeipa01 ~]# ipa-replica-manage list-ruv
> freeipa01.prs.ddistrict.int:389: 4
> freeipa01.mtl.ddistrict.int:389: 16
> freeipa01.mtl.ddistrict.int:389: 13
> freeipa01.mtl.ddistrict.int:389: 12
> freeipa01.bxl.ddistrict.int:389: 10
> freeipa01.chr.ddistrict.int:389: 8
> freeipa01.mtl.ddistrict.int:389: 6
> freeipa02.prs.ddistrict.int:389: 3
> freeipa01.chr.ddistrict.int:389: 9
> freeipa02.mtl.ddistrict.int:389: 17
> freeipa02.mtl.ddistrict.int:389: 7
> freeipa02.mtl.ddistrict.int:389: 11
> freeipa02.mtl.ddistrict.int:389: 14
> freeipa02.mtl.ddistrict.int:389: 15
> [root at freeipa01 ~]#
>
> I've tried to do the ipa-replica-manage clean-ruv on all IDs relating to freeipa02.mtl, which is the one I'm having the most problems with and would like to start from scratch.
>
> Running the ipa-replica-manage list-clean-ruv gives me this:
>
> [root at freeipa01 slapd-DDISTRICT-INT]# ipa-replica-manage list-clean-ruv
> CLEANALLRUV tasks
> RID 11: Not all replicas online, retrying in 160 seconds...
> RID 17: Not all replicas online, retrying in 640 seconds...
> RID 7: Waiting to process all the updates from the deleted replica...
>
> No abort CLEANALLRUV tasks running
> [root at freeipa01 slapd-DDISTRICT-INT]#
>
> I'm kinda stuck in a loop and not sure which way to go.

Check "ipa-replica-manage list" - some of the replicas listed here are not active. You may have uninstalled a replica which is still present in this list. I think /var/log/dirsrv/slapd-YOUR-REALM/errors contains additional information on which replica is really not accessible.

> I'm also stuck with an orphaned user in the WebUI which I see but can not delete, giving me the user doesn't exist.
>
> If I do an ldapsearch it seems incomplete:
>
> [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -w XXXXXXX -b dc=ddistrict,dc=int | grep -i arobitaille
> dn: cn=arobitaille,cn=groups,cn=compat,dc=ddistrict,dc=int
> cn: arobitaille
> memberUid: arobitaille
> dn: uid=arobitaille,cn=users,cn=compat,dc=ddistrict,dc=int
> homeDirectory: /home/arobitaille
> uid: arobitaille
> member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
> member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
> dn: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=users,cn
> homeDirectory: /home/arobitaille
> mepManagedEntry: cn=arobitaille,cn=groups,cn=accounts,dc=ddistrict,dc=int
> mail: arobitaille at digital-district.ca
> krbPrincipalName: arobitaille at DDISTRICT.INT
> uid: arobitaille
> dn: cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn
> cn: arobitaille
> description: User private group for arobitaille
> mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=ddistrict,dc=int

This is a Directory Server replication conflict entry (notice the nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64 part), FreeIPA cannot manipulate those. You can try deleting this record with the ldapdelete utility or any LDAP GUI of your choice.

Martin

From mkosek at redhat.com Mon May 26 10:19:20 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Mon, 26 May 2014 12:19:20 +0200
Subject: [Freeipa-users] Wildcard DNS record supported ?
In-Reply-To: <53823674.5070104@redhat.com>
References: <537F37BD.2030806@redhat.com> <537F50D5.9000102@redhat.com> <537F5148.3010407@redhat.com> <537F521C.5030706@redhat.com> <537F947C.5000009@redhat.com> <53823674.5070104@redhat.com>
Message-ID: <53831528.9080805@redhat.com>

On 05/25/2014 08:29 PM, Rob Crittenden wrote:
> Matt . wrote:
>> Indeed!
>
> Look for the regex in ipalib/plugins/dns.py.
I'd suspect you'll need to > modify the hostname validator, validate_hostname, in ipalib/util.py. > > Be wary of edge cases. > > For instructions on testing, see http://www.freeipa.org/page/Testing > > For how to contribute the patch, see http://www.freeipa.org/page/Contribute > > regards > > rob That's the spirit! Thanks guys! But please focus on a different battle, as I noted in the beginning, this feature is already being worked on, see thread '[PATCH 0029-0046] Internationalized domain names in DNS plugin' in freeipa-devel list. With the proposed patches (work in progress), I am able to add wildcard names and have them resolved: # ipa dnszone-add example.test --name-server=`hostname`. Administrator e-mail address [hostmaster.example.test.]: Zone name: example.test. Authoritative nameserver: ipa.mkosek-fedora20.test. Administrator e-mail address: hostmaster.example.test. SOA serial: 1401099233 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant MKOSEK-FEDORA20.TEST krb5-self * A; grant MKOSEK-FEDORA20.TEST krb5-self * AAAA; grant MKOSEK-FEDORA20.TEST krb5-self * SSHFP; Active zone: TRUE Dynamic update: FALSE Allow query: any; Allow transfer: none; # dig -t soa example.test ; <<>> DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20 <<>> -t soa example.test ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17653 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;example.test. IN SOA ;; ANSWER SECTION: example.test. 86400 IN SOA ipa.mkosek-fedora20.test. hostmaster.example.test. 1401099236 3600 900 1209600 3600 ;; AUTHORITY SECTION: example.test. 86400 IN NS ipa.mkosek-fedora20.test. ;; ADDITIONAL SECTION: ipa.mkosek-fedora20.test. 
1200 IN A 10.34.47.236 ;; Query time: 4 msec ;; SERVER: 10.34.47.236#53(10.34.47.236) ;; WHEN: Mon May 26 12:14:00 CEST 2014 ;; MSG SIZE rcvd: 138 # ipa dnsrecord-add example.test *.wildcardtest --a-rec 1.2.3.4 Record name: *.wildcardtest A record: 1.2.3.4 # host foo.wildcardtest.example.test foo.wildcardtest.example.test has address 1.2.3.4 # host bar.wildcardtest.example.test bar.wildcardtest.example.test has address 1.2.3.4 You are still welcome to participate in a patch review/testing of this patch set (warning - there are bugs preventing a clean installation of updated rpm, I had to upload the changed files to existing installation). Martin From pvoborni at redhat.com Mon May 26 10:40:52 2014 From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 26 May 2014 12:40:52 +0200 Subject: [Freeipa-users] Getting Samba3 and FreeIPAv3 working together In-Reply-To: References: <20140522121954.GJ4640@localhost.localdomain> <537DF94A.4000601@redhat.com> Message-ID: <53831A34.9030109@redhat.com> On 23.5.2014 16:31, Dylan Evans wrote: > Hi Sumit and Petr, > > Thanks both of you for your replies, I've now got to go and try to > implement all your suggestions but I have some more questions, sorry! > The guide at techslaves was fine, I just got stuck with the changes in > the JavaScript packages and the Samba server questions. > > 1. Petr, I put your samba.js plugin into > /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack > of JS knowledge, anything more than simple Bash scripts tends to leave > me confused! Do I need to do anything else apart from restart the IPA > service? I read your info at > http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the > plugins have to be registered, but I couldn't work out if it's a > manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on > restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py > for the CLI as well. 
Should be automatically handled by the plugin.py wsgi handler and related logic in Web UI. Just make sure that the file and the directory have the same names (except the extension in the file's case, of course).

> 2. Sumit, thanks for the info on Samba, I'll have to leave that now and try it next week. BTW, the version of Samba I'm testing against is 3.6.9-168 on CentOS 6.5.
>
> Thanks again for your information and patience,
>
> Dylan.
>
> On 22 May 2014 14:19, Petr Vobornik wrote:
>> On 22.5.2014 14:19, Sumit Bose wrote:
>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>> Hello,
>>>>
>>>> I need some help with getting Samba and FreeIPA working together.
>>>>
>>>> I've been following the guide at http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but that seems quite out of date for IPAv3 and I need some help:
>>>
>>> yes, it is a bit outdated but still useful. Please note that we are currently working on making the integration of samba easier. Recently I sent a patch to the samba-technical mailing list with a library which would allow samba to use SSSD instead of winbind to look up users and SID-to-name mapping. Alexander is planning to go through the ipasam modules to see how to make integration with Samba file-servers easier.
>>>
>>> But coming back to your questions.
>>>
>>>> 1. The guide deals with setting a Samba server SID for one Samba server, but as we have multiple stand-alone Samba3 servers, which SID do I use to create the DNA plugin? Can I enter more than 1 SID? Can I have more than 1 plugin (seems unlikely)?
>>>
>>> 'net getlocalsid' returns the domain SID and since all your Samba file-servers are members of the IPA domain you can use a common SID here.
>>> With IPAv3 SID generation for users and groups is even easier because you can get it for free by running ipa-adtrust-install (please use the option --add-sids) if you already have users and groups in your IPA server. This prepares the IPA server to be able to create trust relationships to Active Directory and one requirement here is that all users and groups have a SID.
>>>
>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa trustconfig-show' will show the domain SID together with the DNS domain name and the NetBIOS domain name. On your Samba server you should set 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA server after running ipa-adtrust-install for a config example).
>>>
>>> Additionally on your Samba servers you have to set the domain SID in /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3 keys with the same SID:
>>>
>>> SECRETS/SID/DOMNETBIOS      <- NetBIOS domain name, workgroup in smb.conf
>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in smb.conf
>>> SECRETS/SID/CLINETBIOS      <- NetBIOS name of the client, 'netbios name' in smb.conf
>>>
>>> The SID has to be given in a special binary format. The easiest way to get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the IPA server after running ipa-adtrust-install. The domain SID will always start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence as data for the insert command of tdbtool.
>>>
>>> Now everything should be done with respect to SID handling.
>>>
>>>> 2. There's no '/usr/share/ipa/ui/group.js' file to patch in IPAv3. What do I need to patch instead?
>>>>
>>>> I've seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which shows the need is there but I could do with getting it working ASAP.
>>> group.js is compiled with the other UI files in /usr/share/ipa/ui/js/freeipa/app.js (see install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources for details). For your convenience I copied some section here:
>>>
>>> "The compiled Web UI layer is located in `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from source git repository in `install/ui/src/freeipa/` directory to the `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js` file). By doing that, next reload of Web UI will use source files (clearing browser cache may be required). After that all JavaScript errors will contain proper source code name and line number."
>>
>> Better approach is to create a custom UI plugin which would add those fields. Since it's only 3 fields, I created an example which works on FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>>
>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>
>> put the file into `/usr/share/ipa/ui/js/plugins/samba` directory.
>>
>> I did not test it with backend (no labels + doesn't do anything).
>>
>> More about plugin development:
>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>
>> Creating a CLI plugin is IMO also a better approach.
>>
>>>> I may be missing something obvious but some help would be greatly appreciated!
>>>
>>> I hope my comments will help you. Feel free to ask for more help if needed. It would be nice to hear from any success as well.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks,
>>>>
>>>> Dylan.
>>>>
>>>> Background:
>>>>
>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme to a multi-location/multi-national auth scheme which FreeIPA seems ideally suited for.
>>>> Requirement: To continue to provide console/SSH and GUI/X logins to Linux hosts, access to home and project directories via NFS from the Linux machines using autofs/automount and access to Samba file-shares from Windows machines but not using AD creds as this is a totally separate environment. Several locations will each have a FreeIPA replica server, NFS/Samba fileserver and "application" server. Currently use 2 passwords for each user (one for NIS, one for Samba) and need to consolidate to one password for everything.
>>>>
>>>> Progress: Linux-based NFS stuff working fine; automount of home and project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs as a prototyping environment but will probably use RHEL/CentOS 7 when available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and 3.3.5 on Fedora 20.
>>
>> --
>> Petr Vobornik

--
Petr Vobornik

From bret.wortman at damascusgrp.com Mon May 26 12:26:36 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Mon, 26 May 2014 08:26:36 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <537F9714.6080407@redhat.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com>
Message-ID: <538332FC.2090907@damascusgrp.com>

Dmitri, in what logs should I expect to see something as a result of setting "sudoers_debug 2"? I've searched the logs on my ipa client that's slow, but haven't seen anything in any log file. Or did I misunderstand?
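The domain SID handling Sumit describes in the Samba thread above (the three SECRETS/SID/... keys in secrets.tdb, all holding the domain SID in binary form) as an added Python example; this is not code from the thread, from Samba or from FreeIPA, and the tdbdump escaping rule and the upper-casing of the key names are assumptions.

```python
"""Domain SID in the binary form Samba keeps in secrets.tdb.

Added example for the SID discussion above; not code from the list, Samba or
FreeIPA. Converts the textual SID that `ipa trustconfig-show` prints into the
DOM_SID byte layout and renders it with the \\XX escaping seen in tdbdump
output, so the value about to be inserted with tdbtool can be checked against
the one the IPA server holds (Sumit's \\01\\04\\00\\00\\00\\00\\00\\05\\15 prefix).
"""
import struct
from typing import List, Tuple


def parse_sid(text: str) -> Tuple[int, int, List[int]]:
    """Split 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    parts = text.strip().split('-')
    if len(parts) < 3 or parts[0].upper() != 'S':
        raise ValueError('not a SID: %r' % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # DOM_SID limits: 1-byte revision (always 1), 6-byte authority, at most
    # 15 sub-authorities, each a 32-bit unsigned integer.
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError('SID out of range: %r' % text)
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError('sub-authority out of range: %r' % text)
    return revision, authority, subs


def sid_to_bytes(text: str) -> bytes:
    """DOM_SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    32-bit little-endian integer. For S-1-5-21-... that gives
    01 04 00 00 00 00 00 05 15 00 00 00 ..., the prefix quoted in the thread."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with length checks so a truncated tdb value is rejected."""
    if len(raw) < 8:
        raise ValueError('SID blob too short')
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError('sub-authority count %d does not match %d bytes' % (count, len(raw)))
    authority = int.from_bytes(raw[2:8], 'big')
    subs = struct.unpack('<%dI' % count, raw[8:])
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)


def tdb_escape(raw: bytes) -> str:
    """Render bytes the way tdbdump prints a value: printable ASCII as-is and
    anything else as \\XX with two hex digits. Assumption: the thread only shows
    the leading \\01\\04... bytes, so the rule for printable bytes is modelled on
    tdbdump's behaviour rather than taken from the thread."""
    return ''.join(chr(b) if 0x20 <= b < 0x7f and b not in (0x22, 0x5c) else '\\%02X' % b
                   for b in raw)


def secrets_sid_keys(netbios_domain: str, dns_domain: str, client_netbios: str) -> List[str]:
    """The three secrets.tdb keys Sumit lists, which must all carry the same SID.
    Assumption: names are upper-cased as in the thread's examples."""
    return ['SECRETS/SID/' + name.upper()
            for name in (netbios_domain, dns_domain, client_netbios)]


def matches_domain_sid(tdb_value: str, sid_text: str) -> bool:
    """True if a value copied from tdbdump output encodes exactly sid_text."""
    return tdb_value == tdb_escape(sid_to_bytes(sid_text))


if __name__ == '__main__':
    # Constructed SID, not a real domain's.
    sid = 'S-1-5-21-3623811015-3361044348-30300820'
    blob = sid_to_bytes(sid)
    print(tdb_escape(blob))
    print(secrets_sid_keys('EXAMPLE', 'example.test', 'fileserver1'))
```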
Bret On 05/23/2014 02:44 PM, Dmitri Pal wrote: > On 05/23/2014 10:03 AM, Bret Wortman wrote: >> >> On 05/23/2014 09:53 AM, Mauricio Tavares wrote: >>> >>> >>> >>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman >>> > >>> wrote: >>> >>> More soft/anecdotal: >>> >>> When executing "sudo -i" or "sudo -iu" the first time, we can >>> expect a several second delay before the command completes. If >>> we then exit the session and re-execute the command, it will >>> complete almost instantly. So whatever cache is holding this >>> information, if we could increase its duration, that would >>> certainly make our pain less. Is this a settable value? >>> >>> Entering a password into a screensaver is particularly painful. >>> 10+ seconds before the screensaver will exit. >>> >>> We are looking at environmental possibilities, like interfaces >>> and such. This machine is running on a VMware VM, but we've had >>> success deploying IPA on VMs in the past, and our faster network >>> is running VMs as well (with one physical box). >>> >>> >>> Bret >>> >>> Did running sudo in debugging mode (SUDOERS_DEBUG 2 in >>> ldap.conf) give you any more clues? >>> >>> >> No. I compared the output on both networks and there's no real >> difference once I accounted for HBAC on one (which produced 2 entries >> on the slower network that got filtered down to 1 user match and 1 >> host match). But the debug output was nearly identical. > > Did you see any gaps in time in the logs that are different? > The flow can be the same but some operations can take longer so there > would be hint to us on what to look for. > >> >>> >>> On 05/23/2014 08:15 AM, Bret Wortman wrote: >>>> Collecting my various threads together under one big issue and >>>> adding this new data point: >>>> >>>> Our web UI on our slow network is exhibiting some strange >>>> behavior as well. >>>> >>>> When selecting, for example, the "Users", it can take up to 5 >>>> seconds to fetch 20 out of our 56 entries. 
>>>> When switching to "Hosts", it took 4 seconds for the footer to show that there would be 47 pages in total, then after 10 seconds total, the page loaded 20 of 939 entries. When I select a host, the previously-selected host will actually be displayed for upwards of 8-10 seconds (while the spinning cursor spins near the word Logout) until the host actually loads.
>>>>
>>>> Is it just me, or does this, plus everything else, start to sound like LDAP is struggling?
>>>>
>>>> I ran a test using ldapsearch in authenticated and unauthenticated mode from my workstation and here's what I found, which may tell us nothing:
>>>>
>>>> # time ldapsearch -x -H -ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m2.047s
>>>> user 0m0.000s
>>>> sys 0m0.001s
>>>> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m2.816s
>>>> user 0m0.004s
>>>> sys 0m0.002s
>>>>
>>>> When I did this locally on the ipa master:
>>>>
>>>> # ssh zsipa.foo.net
>>>> # time ldapsearch -Y GSSAPI base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>> :
>>>> real 0m0.847s
>>>> user 0m0.007s
>>>> sys 0m0.006s
>>>> #
>>>>
>>>> --
>>>> *Bret Wortman*
>>>>
>>>> http://damascusgrp.com/
>>>> http://about.me/wortmanbret
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr.
> Engineering Manager IdM portfolio
> Red Hat, Inc.

From bret.wortman at damascusgrp.com Mon May 26 13:51:31 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Mon, 26 May 2014 09:51:31 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <538332FC.2090907@damascusgrp.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com>
Message-ID: <538346E3.6020601@damascusgrp.com>

Okay, I found something in the slapd-FOO-NET/access log.
I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID:

[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1

On 05/26/2014 08:26 AM, Bret Wortman wrote:
> Dmitri, in what logs should I expect to see something as a result of setting "sudoers_debug 2"? I've searched the logs on my ipa client that's slow, but haven't seen anything in any log file.
>
> Or did I misunderstand?
> > > Bret > > On 05/23/2014 02:44 PM, Dmitri Pal wrote: >> On 05/23/2014 10:03 AM, Bret Wortman wrote: >>> >>> On 05/23/2014 09:53 AM, Mauricio Tavares wrote: >>>> >>>> >>>> >>>> On Fri, May 23, 2014 at 9:48 AM, Bret Wortman >>>> >>> > wrote: >>>> >>>> More soft/anecdotal: >>>> >>>> When executing "sudo -i" or "sudo -iu" the first time, we can >>>> expect a several second delay before the command completes. If >>>> we then exit the session and re-execute the command, it will >>>> complete almost instantly. So whatever cache is holding this >>>> information, if we could increase its duration, that would >>>> certainly make our pain less. Is this a settable value? >>>> >>>> Entering a password into a screensaver is particularly painful. >>>> 10+ seconds before the screensaver will exit. >>>> >>>> We are looking at environmental possibilities, like interfaces >>>> and such. This machine is running on a VMware VM, but we've had >>>> success deploying IPA on VMs in the past, and our faster >>>> network is running VMs as well (with one physical box). >>>> >>>> >>>> Bret >>>> >>>> Did running sudo in debugging mode (SUDOERS_DEBUG 2 in >>>> ldap.conf) give you any more clues? >>>> >>>> >>> No. I compared the output on both networks and there's no real >>> difference once I accounted for HBAC on one (which produced 2 >>> entries on the slower network that got filtered down to 1 user match >>> and 1 host match). But the debug output was nearly identical. >> >> Did you see any gaps in time in the logs that are different? >> The flow can be the same but some operations can take longer so there >> would be hint to us on what to look for. >> >>> >>>> >>>> On 05/23/2014 08:15 AM, Bret Wortman wrote: >>>>> Collecting my various threads together under one big issue and >>>>> adding this new data point: >>>>> >>>>> Our web UI on our slow network is exhibiting some strange >>>>> behavior as well. 
>>>>> When selecting, for example, the "Users", it can take up to 5 seconds to fetch 20 out of our 56 entries.
>>>>>
>>>>> When switching to "Hosts", it took 4 seconds for the footer to show that there would be 47 pages in total, then after 10 seconds total, the page loaded 20 of 939 entries. When I select a host, the previously-selected host will actually be displayed for upwards of 8-10 seconds (while the spinning cursor spins near the word Logout) until the host actually loads.
>>>>>
>>>>> Is it just me, or does this, plus everything else, start to sound like LDAP is struggling?
>>>>>
>>>>> I ran a test using ldapsearch in authenticated and unauthenticated mode from my workstation and here's what I found, which may tell us nothing:
>>>>>
>>>>> # time ldapsearch -x -H -ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>> :
>>>>> real 0m2.047s
>>>>> user 0m0.000s
>>>>> sys 0m0.001s
>>>>> # time ldapsearch -Y GSSAPI -H ldap://zsipa.foo.net base="uid=bretw,cn=users,cn=accounts,dc=foo,dc=net"
>>>>> :
>>>>> real 0m2.816s
>>>>> user 0m0.004s
>>>>> sys 0m0.002s
>>>>>
>>>>> When I did this locally on the ipa master:
>>>>>
>>>>> # ssh zsipa.foo.net
>>>>> # time ldapsearch -Y GSSAPI base="uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net"
>>>>> :
>>>>> real 0m0.847s
>>>>> user 0m0.007s
>>>>> sys 0m0.006s
>>>>> #
>>>>>
>>>>> --
>>>>> *Bret Wortman*
>>>>>
>>>>> http://damascusgrp.com/
>>>>> http://about.me/wortmanbret
>>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

From bret.wortman at damascusgrp.com Mon May 26 14:04:11 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Mon, 26 May 2014 10:04:11 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <538346E3.6020601@damascusgrp.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com>
Message-ID: <538349DB.6060408@damascusgrp.com>

Crud. That was supposed to have a second comparison log too:

I found something in the slapd-FOO-NET/access log.
I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID:

[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1

I think this shows, roughly, a 7 second elapsed time from start to finish, right? Granted, there were other requests being serviced during this interval as well, but nothing that looked like outrageous volume.
On our faster network, this same exchange went much faster: [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61 [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3 [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0 [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1 Bret On 05/26/2014 09:51 AM, Bret Wortman wrote: > Okay, I found something in the slapd-FOO-NET/access log. 
> I figured out which conn ID related to a sudo -i that I performed which took longer than expected and grepped for that conn ID:
>
> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 nentries=2 etime=0
> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
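The comparison Bret does by hand above (elapsed time for one conn ID, and Dmitri's earlier question about gaps in time between operations) as an added Python example; this is not code from the thread, from 389-ds or from FreeIPA, and the sample log lines are constructed after the posted trace.

```python
"""Per-connection timing from a 389 Directory Server access log.

Added example for Bret's access-log comparison above; not code from the list,
from 389-ds or from FreeIPA. It groups lines by conn ID, reports how long the
connection lived and where the largest gap between consecutive lines was,
which is the "gap in time" Dmitri asked about. The per-op etime is 0 on every
line of the posted trace, so the interesting number is the idle time between
operations, not the server-side search time.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample modelled on the slow-network trace in the thread (same
# operation sequence: startTLS, BIND, three sudo searches, UNBIND), plus a
# second, fast connection so the ranking has something to compare against.
SAMPLE_LOG = """\
[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=defaults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=bretw)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed - U1
[26/May/2014:09:09:02 -0400] conn=183752 fd=112 slot=112 connection from 192.168.208.130 to 192.168.10.111
[26/May/2014:09:09:02 -0400] conn=183752 op=0 BIND dn="" method=128 version=3
[26/May/2014:09:09:02 -0400] conn=183752 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? ?(?P<rest>.*)$')

Event = Tuple[datetime, int, str]  # (timestamp, op number or -1, rest of line)


def parse_access_log(text: str) -> Dict[int, List[Event]]:
    """Group access-log lines by conn ID, keeping file order."""
    conns: Dict[int, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without conn= (server start/stop notices) are skipped
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        op = int(m.group('op')) if m.group('op') is not None else -1
        conns[int(m.group('conn'))].append((ts, op, m.group('rest')))
    return dict(conns)


def connection_timing(events: List[Event]) -> Dict[str, object]:
    """Wall-clock span of one connection and its largest gap between lines."""
    if not events:
        raise ValueError('no events for connection')
    total = (events[-1][0] - events[0][0]).total_seconds()
    max_gap, after, before = 0.0, None, None
    for (t0, _, r0), (t1, _, r1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > max_gap:
            max_gap, after, before = gap, r0, r1
    return {'total_seconds': total, 'max_gap_seconds': max_gap,
            'gap_after': after, 'gap_before': before}


def slow_connections(text: str, threshold_seconds: float) -> List[Tuple[int, float]]:
    """conn IDs whose total span exceeds the threshold, slowest first."""
    rows = [(cid, connection_timing(ev)['total_seconds'])
            for cid, ev in parse_access_log(text).items()]
    return sorted((r for r in rows if r[1] > threshold_seconds), key=lambda r: -r[1])


if __name__ == '__main__':
    conns = parse_access_log(SAMPLE_LOG)
    for cid, span in slow_connections(SAMPLE_LOG, 5):
        info = connection_timing(conns[cid])
        print('conn=%d took %.0fs; longest pause %.0fs between %r and %r'
              % (cid, span, info['max_gap_seconds'], info['gap_after'], info['gap_before']))
```

Run against a real /var/log/dirsrv/slapd-*/access file, the same functions show whether the time goes into the TLS handshake, the BIND, or the searches, which the posted trace alone does not separate.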
From davis.goodman at digital-district.ca Mon May 26 17:17:42 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Mon, 26 May 2014 13:17:42 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To: <5382F9C3.2050905@redhat.com>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com> <5382F9C3.2050905@redhat.com>
Message-ID:

On Mon, May 26, 2014 at 4:22 AM, Martin Kosek wrote:
> On 05/25/2014 09:44 PM, Davis Goodman wrote:
> > On Wed, May 21, 2014 at 12:06 PM, Martin Kosek wrote:
> >> On 05/21/2014 01:31 PM, Davis Goodman wrote:
> >>> On May 21, 2014, at 6:54 , Martin Kosek wrote:
> >>>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
> >>>>> On May 21, 2014, at 2:45 , Martin Kosek wrote:
> >>>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Lately I've been having issues of replication between my server and my 2 replicas.
> >>>>>>>
> >>>>>>> I decided I was going to delete my 2 replicas and start over keeping my master intact.
> >>>>>>>
> >>>>>>> I wasn't successful in getting all 3 servers to replicate to each other. (it used to work)
> >>>>>>>
> >>>>>>> I tried deleting 1 replica after the other one to always keep one of the two available.
> >>>>>>>
> >>>>>>> I had to delete manually the replica host on the master with a bunch of ldapdelete commands which worked fine.
> >>>>>>>
> >>>>>>> But after many unsuccessful trials of getting everyone to sync I decided to delete my two replicas.
> >>>>>>>
> >>>>>>> I went back to my master to use the ldapdelete to remove both hosts' records so that I could start over.
> >>>>>>> Unfortunately now I'm getting this error.
> >>>>>>>
> >>>>>>> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
> >>>>>>> Enter LDAP Password:
> >>>>>>> ldap_delete: Server is unwilling to perform (53)
> >>>>>>> additional info: database is read-only
> >>>>>>>
> >>>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the backup prior to the start of the operation but with a master in read-only mode it wouldn't be of much help.
> >>>>>>>
> >>>>>>> Any insights would be more than welcome.
> >>>>>>>
> >>>>>>> Davis
> >>>>>>
> >>>>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the middle of an operation, or was an upgrade interrupted and left the database in read-only mode?
> >>>>>>
> >>>>>> You can find out with this ldapsearch:
> >>>>>>
> >>>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
> >>>>>>
> >>>>>> Check for nsslapd-readonly, it should be put to "off" in normal operation.
> >>>>>>
> >>>>>> Martin
> >>>>> Ok finally managed to modify the read-only flag.
> >>>>>
> >>>>> Could prepare my replicas and get them going.
> >>>>>
> >>>>> Everything seems fine but I'm getting this error while setting up the replicas.
Should I be concerned about this one:
> >>>>>
> >>>>> Update in progress
> >>>>> Update in progress
> >>>>> Update in progress
> >>>>> Update in progress
> >>>>> Update in progress
> >>>>> Update in progress
> >>>>> Update succeeded
> >>>>> [23/31]: adding replication acis
> >>>>> [24/31]: setting Auto Member configuration
> >>>>> [25/31]: enabling S4U2Proxy delegation
> >>>>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
> >>>>> [26/31]: initializing group membership
> >>>>> [27/31]: adding master entry
> >>>>> [28/31]: configuring Posix uid/gid generation
> >>>>>
> >>>>> the rest seems to work fine.
> >>>>
> >>>> You need to check ipareplica-install.log to see the real error.
> >>>>
> >>>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
> >>>>
> >>>> Martin
> >>>
> >>> The first one is there:
> >>>
> >>> ldapsearch -D "cn=Directory Manager"
-W -LLL -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int""
> >>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> >>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> >>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> >>> memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
> >>> memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
> >>> memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
> >>> memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
> >>> memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
> >>> memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
> >>> cn: ipa-http-delegation
> >>> objectClass: ipaKrb5DelegationACL
> >>> objectClass: groupOfPrincipals
> >>> objectClass: top
> >>>
> >>> But not the second one:
> >>>
> >>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int""
> >>> No such object (32)
> >>> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
> >>>
> >>> Also what is strange is that I got the error only on one of the replicas, the other one went through without any hiccups.
> >>
> >> Ok, I think I misguided you with the second DN, the real DN should be "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int", see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being loaded.
> >>
> >> The key here is to check the error message of ldapmodify that was run on the failing replica, try to search in /var/log/ipareplica-install.log.
> >>
> >> Martin
> >
> > Hi Martin,
> >
> > Finally got back on this problem.
> >
> > I seem to have a huge mess in my replication agreements between my servers.
> > if I run the "ipa-replica-manage list-ruv on my master which is > > freeipa01.prs, > > > > I get this: > > [root at freeipa01 ~]# ipa-replica-manage list-ruv > > freeipa01.prs.ddistrict.int:389: 4 > > freeipa01.mtl.ddistrict.int:389: 16 > > freeipa01.mtl.ddistrict.int:389: 13 > > freeipa01.mtl.ddistrict.int:389: 12 > > freeipa01.bxl.ddistrict.int:389: 10 > > freeipa01.chr.ddistrict.int:389: 8 > > freeipa01.mtl.ddistrict.int:389: 6 > > freeipa02.prs.ddistrict.int:389: 3 > > freeipa01.chr.ddistrict.int:389: 9 > > freeipa02.mtl.ddistrict.int:389: 17 > > freeipa02.mtl.ddistrict.int:389: 7 > > freeipa02.mtl.ddistrict.int:389: 11 > > freeipa02.mtl.ddistrict.int:389: 14 > > freeipa02.mtl.ddistrict.int:389: 15 > > [root at freeipa01 ~]# > > > > > > I've tried to do the ipa-replica-manage clean-ruv on all ID's relating to > > freeipa02.mtl which is the one I'm having the most problems with and > would > > like to start from scratch. > > > > running the ipa-replica-manage list-clean-ruv gives me this: > > > > [root at freeipa01 slapd-DDISTRICT-INT]# ipa-replica-manage list-clean-ruv > > CLEANALLRUV tasks > > RID 11: Not all replicas online, retrying in 160 seconds... > > RID 17: Not all replicas online, retrying in 640 seconds... > > RID 7: Waiting to process all the updates from the deleted replica... > > > > No abort CLEANALLRUV tasks running > > [root at freeipa01 slapd-DDISTRICT-INT]# > > > > I'm kinda stuck in a loop and not sure which way to go. > > Check "ipa-replica-manage list" - some of the replicas listed here are not > active. You may have uninstalled a replica which is still pointed in this > list. > > I think /var/log/dirsrv/slapd-YOUR-REALM/errors contain additional > information > which replica is really not accessible. > > > > > I'm also stuck with a orphaned user in the WebUI which I see but can not > > delete, giving me the user doesn't exist. 
> > > > If I do an ldapsearch it seems incomplete: > > [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -w > XXXXXXX > > -b dc=ddistrict,dc=int | grep -i arobitaille > > dn: cn=arobitaille,cn=groups,cn=compat,dc=ddistrict,dc=int > > cn: arobitaille > > memberUid: arobitaille > > dn: uid=arobitaille,cn=users,cn=compat,dc=ddistrict,dc=int > > homeDirectory: /home/arobitaille > > uid: arobitaille > > member: > > nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user > > member: > > nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user > > dn: > > > nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=users,cn > > homeDirectory: /home/arobitaille > > mepManagedEntry: cn=arobitaille,cn=groups,cn=accounts,dc=ddistrict,dc=int > > mail: arobitaille at digital-district.ca > > krbPrincipalName: arobitaille at DDISTRICT.INT > > uid: arobitaille > > dn: > > > cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn > > cn: arobitaille > > description: User private group for arobitaille > > mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=ddistrict,dc=int > > This is a Directory Server replication conflict entry (notice the > nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64 part), FreeIPA cannot > manipulate > those. You can try deleting this record with ldapdelete utility or any > LDAP gui > of choice. > > Martin > Hi Martin, I finally after a couple of hours managed to re-instate replication through all my replica. It's all working fine. Thanks for the insights. I just have one little orphaned user which has only the private group left behind. 
I'm not sure, since I'm still a newbie with ldapmodify/ldapdelete, how to get rid of those 2 entries: [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int ipaUniqueID: ac27027c-84da-11e3-a4c4-c21e595ecd39 mepManagedBy: uid=jdubreux,cn=users,cn=accounts,dc=ddistrict,dc=int cn: jdubreux objectClass: posixgroup objectClass: ipaobject objectClass: mepManagedEntry objectClass: top gidNumber: 871000045 description: User private group for jdubreux [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int dn: cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int objectClass: posixGroup objectClass: top gidNumber: 871000045 cn: jdubreux After this I'm fully back on my feet! -- Davis Goodman Directeur Informatique | IT Manager [image: Digital-District] -------------- next part -------------- An HTML attachment was scrubbed... 
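The two leftover jdubreux entries above are a user private group whose managing user is already gone plus its compat-tree view, and Martin's answer later in the thread is to delete such objects outright (changetype: delete) rather than modify them. As an added example, not code from the thread or from FreeIPA, the script below parses ldapsearch -LLL output, lists mepManagedEntry groups whose mepManagedBy user no longer exists, flags replication conflict entries by their nsuniqueid= RDN, and writes the delete LDIF for ldapmodify; the sample entries are constructed under an assumed dc=example,dc=com suffix.

```python
"""Added example, not code from the thread or from FreeIPA: find orphaned user
private groups and 389-ds replication conflict entries in `ldapsearch -LLL`
output and emit the `changetype: delete` LDIF that removes them.  The sample
below is constructed under an assumed dc=example,dc=com suffix."""
import re

# 389-ds renames the losing entry of a replication conflict by adding
# nsuniqueid=<id> to its RDN; FreeIPA commands cannot manage such entries.
CONFLICT_RDN = re.compile(r"(^|\+)nsuniqueid=[0-9a-f-]+(\+|,)", re.IGNORECASE)

# Constructed sample: a healthy user/UPG pair, the jdubreux UPG from the thread
# (its user already deleted), its compat-tree view, and a conflict entry.
SAMPLE_LDIF = """\
dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
uid: jsmith

dn: cn=jsmith,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
mepManagedBy: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com

dn: cn=jdubreux,cn=groups,cn=accounts,dc=example,dc=com
cn: jdubreux
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
gidNumber: 871000045
mepManagedBy: uid=jdubreux,cn=users,cn=accounts,dc=example,dc=com
description: User private group for jdubreux

dn: cn=jdubreux,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
gidNumber: 871000045

dn: cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,
 cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse what ldapsearch -LLL prints: entries separated by blank lines,
    folded lines starting with one space.  Returns [(dn, {attr: [values]})]
    with attribute names lower-cased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return entries


def _norm(dn):
    """Normalize a DN just enough for membership tests."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def is_conflict_entry(dn):
    return CONFLICT_RDN.search(dn) is not None


def find_orphaned_private_groups(entries):
    """DNs of mepManagedEntry groups whose mepManagedBy user is missing from
    the result.  Compat-tree groups lack that objectClass and are skipped:
    cn=compat is a generated view of cn=accounts, not stored data."""
    present = {_norm(dn) for dn, _ in entries}
    orphans = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "mepmanagedentry" not in classes:
            continue
        if not any(_norm(m) in present for m in attrs.get("mepmanagedby", [])):
            orphans.append(dn)
    return orphans


def delete_ldif(dns):
    """LDIF for `ldapmodify -Y GSSAPI -f cleanup.ldif`: one delete per DN,
    which is what the thread settles on instead of `changetype: modify`."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, _ in entries:
        if is_conflict_entry(dn):
            print(f"# conflict entry, delete over LDAP rather than with ipa: {dn}")
    print(delete_ldif(find_orphaned_private_groups(entries)), end="")
```

Run it against a real `ldapsearch -xLLL -b cn=accounts,SUFFIX` dump instead of SAMPLE_LDIF and review the printed LDIF before feeding it to ldapmodify.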
URL:

From davis.goodman at digital-district.ca Mon May 26 19:00:51 2014
From: davis.goodman at digital-district.ca (Davis Goodman)
Date: Mon, 26 May 2014 15:00:51 -0400
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To:
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com> <5382F9C3.2050905@redhat.com>
Message-ID:
I believe I have found the syntax for removing the leftover private group but I have an error thrown at me:

[root at freeipa01 ~]# ldapmodify -Y GSSAPI<
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mkosek at redhat.com Tue May 27 11:12:24 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 27 May 2014 13:12:24 +0200
Subject: [Freeipa-users] Stock with a Master in read-only mode
In-Reply-To:
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com> <5382F9C3.2050905@redhat.com>
Message-ID: <53847318.7030400@redhat.com>

On 05/26/2014 09:00 PM, Davis Goodman wrote:
> I believe I have found the syntax for removing the leftover private group
> but I have an error thrown at me:
>
> [root at freeipa01 ~]# ldapmodify -Y GSSAPI<
> dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int
> changetype:modify
> delete: objectclass
> objectclass: mepManagedEntry
>
> delete:mepManagedBy
> EOF
> SASL/GSSAPI authentication started
> SASL username: admin at DDISTRICT.INT
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int"
> ldap_modify: Object class violation (65)
>         additional info: attribute "mepManagedBy" not allowed
>
> This rings a bell?
> > Version 3.0.0 of FreeIPA > > certmonger-0.61-3.el6.x86_64 > > 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64 > Hi David, I am not sure what you are trying to do, but I think you want to just simply delete the objects you do not like, i.e. "changetype: delete" instead of "changetype: modify". You can find more information for example here: http://www.zytrax.com/books/ldap/ch14/#ldapdelete If you are not sure about the command syntax, try using some LDAP GUI. I for example use Apache Directory Studio. I also used Luma in the past, it is more lightweight. HTH, Martin From palacios92 at hotmail.es Mon May 26 08:12:28 2014 From: palacios92 at hotmail.es (Jesus Manuel Palacios Delgado) Date: Mon, 26 May 2014 10:12:28 +0200 Subject: [Freeipa-users] Modify page Home Message-ID: Hi I am a beginner with FreeIPA. I have a question: Do the draft FreeIPA from 0, I cloned from GIT. I have not installed but I want to change the main page. Do I have to change /install/ui/index.html? Thanks for the help. Jes?s -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue May 27 12:41:52 2014 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 27 May 2014 08:41:52 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <538349DB.6060408@damascusgrp.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> Message-ID: <53848810.2080805@redhat.com> Bret Wortman wrote: > Crud. That was supposed to have a second comparison log too: > > I found something in the slapd-FOO-NET/access log. 
I figured out which > conn ID related to a sudo -i that I performed which took longer than > expected and grepped for that conn ID: > > [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from > 192.168.208.129 to 192.168.10.111 > [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT > oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 > nentries=0 etime=0 > [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES > [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND > dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 > [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 > nentries=0 etime=0 > [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH > base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL > [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 > nentries=0 etime=0 > [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH > base="ou=SUDOers,dc=foo,dc=net" scope=2 > filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) > (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL > [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 > nentries=2 etime=0 > [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH > base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL > [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 > nentries=0 etime=0 > [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND > [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 > > I think this shows, roughly, a 7 second elapsed time from start to > finish, right? Granted, there were other request being serficed during > this interval as well, but nothing that looked like outrageous volume. I don't see anything unusual here. 
The directory server retrieved the data just as fast on both systems, the
difference appears to be the network, in connection and shutdown times.

> On our faster network, this same exchange went much faster:
>
> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61
> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES
> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3
> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"
> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL
> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0
> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL
> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL
> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0
> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1
>
>
> Bret
>
> On 05/26/2014 09:51 AM, Bret Wortman wrote:
>> Okay, I found something in the slapd-FOO-NET/access log. I figured out
>> which conn ID related to a sudo -i that I performed which took longer
>> than expected and grepped for that conn ID:
>>
>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

From mkosek at redhat.com Tue May 27 13:15:39 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 27 May 2014 15:15:39 +0200
Subject: [Freeipa-users] Stock with a Master in read-only mode - SOLVED
In-Reply-To: <53847318.7030400@redhat.com>
References: <537C4B90.8010608@redhat.com> <537C85E4.7010102@redhat.com> <537CCEF7.8020808@redhat.com> <5382F9C3.2050905@redhat.com> <53847318.7030400@redhat.com>
Message-ID: <53848FFB.4070604@redhat.com>

On 05/27/2014 01:12 PM, Martin Kosek wrote:
> On 05/26/2014 09:00 PM, Davis Goodman wrote:
>> On Mon, May 26, 2014 at 1:17 PM, Davis Goodman <davis.goodman at digital-district.ca> wrote:
>>
>>> On Mon, May 26, 2014 at 4:22 AM, Martin Kosek wrote:
>>>
>>>> On 05/25/2014 09:44 PM, Davis Goodman wrote:
>>>>> On Wed, May 21, 2014 at 12:06 PM, Martin Kosek wrote:
>>>>>
>>>>>> On 05/21/2014 01:31 PM, Davis Goodman wrote:
>>>>>>>
>>>>>>> On May 21, 2014, at 6:54 , Martin Kosek wrote:
>>>>>>>
>>>>>>>> On 05/21/2014 09:12 AM, Davis Goodman wrote:
>>>>>>>>>
>>>>>>>>> On May 21, 2014, at 2:45 , Martin Kosek wrote:
>>>>>>>>>
>>>>>>>>>> On 05/21/2014 08:36 AM, Davis Goodman wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Lately I've been having issues of replication between my server and
>>>>>>>>>>> my 2 replicas.
>>>>>>>>>>>
>>>>>>>>>>> I decided I was going to delete my 2 replicas and start over keeping
>>>>>>>>>>> my master intact.
>>>>>>>>>>>
>>>>>>>>>>> I wasn't successful in getting all 3 servers to replicate to each
>>>>>>>>>>> other. (it used to work)
>>>>>>>>>>>
>>>>>>>>>>> I tried deleting 1 replica after the other one to always keep one of
>>>>>>>>>>> the two available.
>>>>>>>>>>>
>>>>>>>>>>> I had to delete manually the replica host on the master with a bunch
>>>>>>>>>>> of ldapdelete commands which worked fine.
>>>>>>>>>>>
>>>>>>>>>>> But after many unsuccessful trials of getting everyone to sync I
>>>>>>>>>>> decided to delete my two replicas.
>>>>>>>>>>>
>>>>>>>>>>> I went back to my master to use the ldapdelete to remove both host's
>>>>>>>>>>> records so that I could start over.
>>>>>>>>>>>
>>>>>>>>>>> Unfortunately now I'm getting this error.
>>>>>>>>>>>
>>>>>>>>>>> ldapdelete -x -D "cn=Directory Manager" -W cn=DNS,cn=freeipa02.mtl.domain.int,cn=masters,cn=ipa,cn=etc,dc=domain,dc=int
>>>>>>>>>>> Enter LDAP Password:
>>>>>>>>>>> ldap_delete: Server is unwilling to perform (53)
>>>>>>>>>>>         additional info: database is read-only
>>>>>>>>>>>
>>>>>>>>>>> I'm kinda stuck now with no replicas and no DNS. I could restore the
>>>>>>>>>>> backup prior to the start of the operation but with a master in
>>>>>>>>>>> read-only mode it wouldn't be of much help.
>>>>>>>>>>>
>>>>>>>>>>> Any insights would be more than welcome.
>>>>>>>>>>>
>>>>>>>>>>> Davis
>>>>>>>>>>
>>>>>>>>>> Hi Davis, did maybe one of your ipa-replica-manage runs crash in the
>>>>>>>>>> middle of an operation, or was an upgrade interrupted and left the
>>>>>>>>>> database in read-only mode?
>>>>>>>>>>
>>>>>>>>>> You can find out with this ldapsearch:
>>>>>>>>>>
>>>>>>>>>> ldapsearch -h `hostname` -D "cn=Directory Manager" -x -w kokos123 -b 'cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -s base
>>>>>>>>>>
>>>>>>>>>> Check for nsslapd-readonly, it should be put to "off" in normal
>>>>>>>>>> operation.
>>>>>>>>>>
>>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>> Ok finally managed to modify the read-only flag.
>>>>>>>>>
>>>>>>>>> Could prepare my replicas and get them going.
>>>>>>>>>
>>>>>>>>> Everything seems fine but I'm getting this error while setting up the
>>>>>>>>> replicas. Should I be concerned about this one:
>>>>>>>>>
>>>>>>>>> Update in progress
>>>>>>>>> Update in progress
>>>>>>>>> Update in progress
>>>>>>>>> Update in progress
>>>>>>>>> Update in progress
>>>>>>>>> Update in progress
>>>>>>>>> Update succeeded
>>>>>>>>>   [23/31]: adding replication acis
>>>>>>>>>   [24/31]: setting Auto Member configuration
>>>>>>>>>   [25/31]: enabling S4U2Proxy delegation
>>>>>>>>> ipa         : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmplpfMNG -H ldap://freeipa02.mtl.ddistrict.int:389 -x -D cn=Directory Manager -y /tmp/tmp4Svn9k' returned non-zero exit status 20
>>>>>>>>>   [26/31]: initializing group membership
>>>>>>>>>   [27/31]: adding master entry
>>>>>>>>>   [28/31]: configuring Posix uid/gid generation
>>>>>>>>>
>>>>>>>>> the rest seems to work fine.
>>>>>>>>
>>>>>>>> You need to check ipareplica-install.log to see the real error.
>>>>>>>>
>>>>>>>> I wonder if "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" and
>>>>>>>> "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,YOUR-SUFFIX" exist.
>>>>>>>>
>>>>>>>> Martin
>>>>>>>
>>>>>>> The first one is there:
>>>>>>>
>>>>>>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
>>>>>>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>>>>>>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>>>>>>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>>>>>>> memberPrincipal: HTTP/freeipa01.prs.ddistrict.int at DDISTRICT.INT
>>>>>>> memberPrincipal: HTTP/freeipa02.prs.ddistrict.int at DDISTRICT.INT
>>>>>>> memberPrincipal: HTTP/freeipa02.mtl.ddistrict.int at DDISTRICT.INT
>>>>>>> memberPrincipal: HTTP/freeipa01.chr.ddistrict.int at DDISTRICT.INT
>>>>>>> memberPrincipal: HTTP/freeipa01.bxl.ddistrict.int at DDISTRICT.INT
>>>>>>> memberPrincipal: HTTP/freeipa01.mtl.ddistrict.int at DDISTRICT.INT
>>>>>>> cn: ipa-http-delegation
>>>>>>> objectClass: ipaKrb5DelegationACL
>>>>>>> objectClass: groupOfPrincipals
>>>>>>> objectClass: top
>>>>>>>
>>>>>>> But not the second one:
>>>>>>>
>>>>>>> ldapsearch -D "cn=Directory Manager" -W -LLL -x -b "cn=ipa-ldap-delegation,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int"
>>>>>>> No such object (32)
>>>>>>> Matched DN: cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int
>>>>>>>
>>>>>>> Also what is strange is that I got the error only on one of the
>>>>>>> replicas, the other one went through without any hiccups.
>>>>>>
>>>>>> Ok, I think I misguided you with the second DN, the real DN should be
>>>>>> "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=ddistrict,dc=int",
>>>>>> see /usr/share/ipa/replica-s4u2proxy.ldif for the LDIF that is being
>>>>>> loaded.
>>>>>>
>>>>>> The key here is to check the error message of ldapmodify that was run on
>>>>>> the failing replica, try to search in /var/log/ipareplica-install.log.
>>>>>>
>>>>>> Martin
>>>>>
>>>>> Hi Martin,
>>>>>
>>>>> Finally got back on this problem.
>>>>>
>>>>> I seem to have a huge mess in my replication agreements between my
>>>>> servers. If I run the "ipa-replica-manage list-ruv" on my master which is
>>>>> freeipa01.prs, I get this:
>>>>>
>>>>> [root at freeipa01 ~]# ipa-replica-manage list-ruv
>>>>> freeipa01.prs.ddistrict.int:389: 4
>>>>> freeipa01.mtl.ddistrict.int:389: 16
>>>>> freeipa01.mtl.ddistrict.int:389: 13
>>>>> freeipa01.mtl.ddistrict.int:389: 12
>>>>> freeipa01.bxl.ddistrict.int:389: 10
>>>>> freeipa01.chr.ddistrict.int:389: 8
>>>>> freeipa01.mtl.ddistrict.int:389: 6
>>>>> freeipa02.prs.ddistrict.int:389: 3
>>>>> freeipa01.chr.ddistrict.int:389: 9
>>>>> freeipa02.mtl.ddistrict.int:389: 17
>>>>> freeipa02.mtl.ddistrict.int:389: 7
>>>>> freeipa02.mtl.ddistrict.int:389: 11
>>>>> freeipa02.mtl.ddistrict.int:389: 14
>>>>> freeipa02.mtl.ddistrict.int:389: 15
>>>>> [root at freeipa01 ~]#
>>>>>
>>>>> I've tried to do the ipa-replica-manage clean-ruv on all IDs relating to
>>>>> freeipa02.mtl which is the one I'm having the most problems with and
>>>>> would like to start from scratch.
>>>>>
>>>>> Running the ipa-replica-manage list-clean-ruv gives me this:
>>>>>
>>>>> [root at freeipa01 slapd-DDISTRICT-INT]# ipa-replica-manage list-clean-ruv
>>>>> CLEANALLRUV tasks
>>>>> RID 11: Not all replicas online, retrying in 160 seconds...
>>>>> RID 17: Not all replicas online, retrying in 640 seconds...
>>>>> RID 7: Waiting to process all the updates from the deleted replica...
>>>>>
>>>>> No abort CLEANALLRUV tasks running
>>>>> [root at freeipa01 slapd-DDISTRICT-INT]#
>>>>>
>>>>> I'm kinda stuck in a loop and not sure which way to go.
>>>>
>>>> Check "ipa-replica-manage list" - some of the replicas listed here are not
>>>> active. You may have uninstalled a replica which is still pointed to in
>>>> this list.
>>>>
>>>> I think /var/log/dirsrv/slapd-YOUR-REALM/errors contains additional
>>>> information on which replica is really not accessible.
>>>>
>>>>> I'm also stuck with an orphaned user in the WebUI which I see but can not
>>>>> delete, giving me "the user doesn't exist".
>>>>>
>>>>> If I do an ldapsearch it seems incomplete:
>>>>> [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -w XXXXXXX -b dc=ddistrict,dc=int | grep -i arobitaille
>>>>> dn: cn=arobitaille,cn=groups,cn=compat,dc=ddistrict,dc=int
>>>>> cn: arobitaille
>>>>> memberUid: arobitaille
>>>>> dn: uid=arobitaille,cn=users,cn=compat,dc=ddistrict,dc=int
>>>>> homeDirectory: /home/arobitaille
>>>>> uid: arobitaille
>>>>> member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
>>>>> member: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=user
>>>>> dn: nsuniqueid=08165a01-dd3311e3-8982f534-a4dfcf64+uid=arobitaille,cn=users,cn
>>>>> homeDirectory: /home/arobitaille
>>>>> mepManagedEntry: cn=arobitaille,cn=groups,cn=accounts,dc=ddistrict,dc=int
>>>>> mail: arobitaille at digital-district.ca
>>>>> krbPrincipalName: arobitaille at DDISTRICT.INT
>>>>> uid: arobitaille
>>>>> dn: cn=arobitaille+nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64,cn=groups,cn
>>>>> cn: arobitaille
>>>>> description: User private group for arobitaille
>>>>> mepManagedBy: uid=arobitaille,cn=users,cn=accounts,dc=ddistrict,dc=int
>>>>
>>>> This is a Directory Server replication conflict entry (notice the
>>>> nsuniqueid=08165a02-dd3311e3-8982f534-a4dfcf64 part), FreeIPA cannot
>>>> manipulate those. You can try deleting this record with the ldapdelete
>>>> utility or any LDAP GUI of choice.
>>>>
>>>> Martin
>>>
>>> Hi Martin,
>>>
>>> I finally, after a couple of hours, managed to reinstate replication
>>> through all my replicas. It's all working fine.
>>>
>>> Thanks for the insights.
>>>
>>> I just have one little orphaned user which has only the private group left
>>> behind.
>>>
>>> I'm not sure, since I'm still a newbie with ldapmodify/ldapdelete, how to
>>> get rid of those 2 entries:
>>>
>>> [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int
>>> dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int
>>> ipaUniqueID: ac27027c-84da-11e3-a4c4-c21e595ecd39
>>> mepManagedBy: uid=jdubreux,cn=users,cn=accounts,dc=ddistrict,dc=int
>>> cn: jdubreux
>>> objectClass: posixgroup
>>> objectClass: ipaobject
>>> objectClass: mepManagedEntry
>>> objectClass: top
>>> gidNumber: 871000045
>>> description: User private group for jdubreux
>>>
>>> [root at freeipa01 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int
>>> dn: cn=jdubreux,cn=groups,cn=compat,dc=ddistrict,dc=int
>>> objectClass: posixGroup
>>> objectClass: top
>>> gidNumber: 871000045
>>> cn: jdubreux
>>>
>>> After this I'm fully back on my feet!
>>>
>>> --
>>> Davis Goodman
>>> Directeur Informatique | IT Manager
>>
>> I believe I have found the syntax for removing the leftover private group
>> but I have an error thrown at me:
>>
>> [root at freeipa01 ~]# ldapmodify -Y GSSAPI <<EOF
>> dn: cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>>
>> delete: mepManagedBy
>> EOF
>> SASL/GSSAPI authentication started
>> SASL username: admin at DDISTRICT.INT
>> SASL SSF: 56
>> SASL data security layer installed.
>> modifying entry "cn=jdubreux,cn=groups,cn=accounts,dc=ddistrict,dc=int"
>> ldap_modify: Object class violation (65)
>>         additional info: attribute "mepManagedBy" not allowed
>>
>> This rings a bell?
>>
>> Version 3.0.0 of FreeIPA
>> certmonger-0.61-3.el6.x86_64
>> 389-ds-base-libs-1.2.11.15-32.el6_5.x86_64
>
> Hi David,
>
> I am not sure what you are trying to do, but I think you want to just simply
> delete the objects you do not like, i.e. "changetype: delete" instead of
> "changetype: modify".
>
> You can find more information for example here:
> http://www.zytrax.com/books/ldap/ch14/#ldapdelete
>
> If you are not sure about the command syntax, try using some LDAP GUI. I for
> example use Apache Directory Studio. I also used Luma in the past, it is more
> lightweight.
>
> HTH,
> Martin

Let me just close this thread, Davis and I had a short private conversation.
Davis was able to solve his issues by detaching the group from the user by
deleting both the mepManagedEntry objectclass AND the mepManagedBy attribute
and then deleting the group.

Martin

From dpal at redhat.com Tue May 27 13:20:38 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Tue, 27 May 2014 09:20:38 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <53848810.2080805@redhat.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com>
Message-ID: <53849126.5020207@redhat.com>

On 05/27/2014 08:41 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> Crud. That was supposed to have a second comparison log too:
>>
>> I found something in the slapd-FOO-NET/access log. I figured out which
>> conn ID related to a sudo -i that I performed which took longer than
>> expected and grepped for that conn ID:
>>
>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
>>
>> I think this shows, roughly, a 7 second elapsed time from start to
>> finish, right? Granted, there were other requests being serviced during
>> this interval as well, but nothing that looked like outrageous volume.
>
> I don't see anything unusual here. The directory server retrieved the
> data just as fast on both systems, the difference appears to be the
> network, in connection and shutdown times.
>

+1, however the TLS handshake took longer. That probably required several DNS
lookups so I wonder if DNS lookups might be slowing things down.
I wonder if putting server records manually into the hosts file would make a
difference. If yes then maybe you need to take a look at your DNS setup for
the slow network.

>> On our faster network, this same exchange went much faster:
>>
>> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61
>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES
>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3
>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"
>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL
>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL
>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL
>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1
>>
>>
>> Bret
>>
>> On 05/26/2014 09:51 AM, Bret Wortman wrote:
>>> Okay, I found something in the slapd-FOO-NET/access log. I figured out
>>> which conn ID related to a sudo -i that I performed which took longer
>>> than expected and grepped for that conn ID:
>>>
>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From bret.wortman at damascusgrp.com Tue May 27 13:24:59 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 27 May 2014 09:24:59 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <53849126.5020207@redhat.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com>
Message-ID: <5384922B.1040908@damascusgrp.com>

I'll get with my network guys and start troubleshooting. Thanks!

On 05/27/2014 09:20 AM, Dmitri Pal wrote:
> On 05/27/2014 08:41 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> Crud. That was supposed to have a second comparison log too:
>>>
>>> I found something in the slapd-FOO-NET/access log.
>>> I figured out which conn ID related to a sudo -i that I performed which
>>> took longer than expected and grepped for that conn ID:
>>>
>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
>>>
>>> I think this shows, roughly, a 7 second elapsed time from start to
>>> finish, right? Granted, there were other requests being serviced during
>>> this interval as well, but nothing that looked like outrageous volume.
>>
>> I don't see anything unusual here. The directory server retrieved the
>> data just as fast on both systems, the difference appears to be the
>> network, in connection and shutdown times.
>>
> +1, however the TLS handshake took longer. That probably required
> several DNS lookups so I wonder if DNS lookups might be slowing things
> down.
> I wonder if putting server records manually into the hosts file would
> make a difference. If yes then maybe you need to take a look at your
> DNS setup for the slow network.
>
>
>>> On our faster network, this same exchange went much faster:
>>>
>>> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61
>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me"
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" attrs=ALL
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1
>>>
>>>
>>> Bret
>>>
>>> On 05/26/2014 09:51 AM, Bret Wortman wrote:
>>>> Okay, I found something in the slapd-FOO-NET/access log. I figured out
>>>> which conn ID related to a sudo -i that I performed which took longer
>>>> than expected and grepped for that conn ID:
>>>>
>>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004)(sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL
>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 nentries=0 etime=0
>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1
>>>
>>
>

From bret.wortman at damascusgrp.com Tue May 27 13:44:41 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 27 May 2014 09:44:41 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <53849126.5020207@redhat.com>
References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com>
Message-ID: <538496C9.9080907@damascusgrp.com>

I just checked to be sure, and we do already put all the IPA servers in our
client host tables just to be sure they can be reached even if DNS goes down.

On 05/27/2014 09:20 AM, Dmitri Pal wrote:
> On 05/27/2014 08:41 AM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> Crud. That was supposed to have a second comparison log too:
>>>
>>> I found something in the slapd-FOO-NET/access log.
I figured out which >>> conn ID related to a sudo -i that I performed which took longer than >>> expected and grepped for that conn ID: >>> >>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection >>> from >>> 192.168.208.129 to 192.168.10.111 >>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 >>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" >>> attrs=ALL >>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>> nentries=0 etime=0 >>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>> >>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" >>> attrs=ALL >>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>> nentries=2 etime=0 >>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" >>> attrs=ALL >>> [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 >>> nentries=0 etime=0 >>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>> >>> I think this shows, roughly, a 7 second elapsed time from start to >>> finish, right? 
Granted, there were other requests being serviced during >>> this interval as well, but nothing that looked like outrageous volume. >> I don't see anything unusual here. The directory server retrieved the >> data just as fast on both systems, the difference appears to be the >> network, in connection and shutdown times. >> > +1, however the TLS handshake took longer. That probably required > several DNS lookups so I wonder if DNS lookups might be slowing things > down. > I wonder if putting server records manually into the hosts file would > make a difference. If yes then maybe you need to take a look at your > DNS setup for the slow network. > > >>> On our faster network, this same exchange went much faster: >>> >>> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from >>> 192.168.2.13 to 192.168.2.61 >>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT >>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 >>> nentries=0 etime=0 >>> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES >>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND >>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 >>> version=3 >>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" >>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH >>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" >>> attrs=ALL >>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 >>> nentries=0 etime=0 >>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH >>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 >>> filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" >>> >>> attrs=ALL >>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH 
>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" >>> attrs=ALL >>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 >>> nentries=0 etime=0 >>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND >>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1 >>> >>> >>> >>> Bret >>> >>> On 05/26/2014 09:51 AM, Bret Wortman wrote: >>>> Okay, I found something in the slapd-FOO-NET/access log. I figured out >>>> which conn ID related to a sudo -i that I performed which took longer >>>> than expected and grepped for that conn ID: >>>> >>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection >>>> from 192.168.208.129 to 192.168.10.111 >>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 >>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" >>>> attrs=ALL >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>>> >>>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" >>>> attrs=ALL >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>>> nentries=2 etime=0 >>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" 
scope=2 filter="(sudoUser=+*)" >>>> attrs=ALL >>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3766 bytes Desc: S/MIME Cryptographic Signature URL: From tizone at gmail.com Tue May 27 17:24:08 2014 From: tizone at gmail.com (tizo) Date: Tue, 27 May 2014 14:24:08 -0300 Subject: [Freeipa-users] Migration from OpenLDAP In-Reply-To: <52D40539.1010103@redhat.com> References: <20140113145023.GB12003@redhat.com> <52D40539.1010103@redhat.com> Message-ID: On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek wrote: > On 13.1.2014 15:50, Alexander Bokovoy wrote: > >> On Mon, 13 Jan 2014, tizo wrote: >> >>> Hi there, >>> >>> We have a working authentication system for GNU/Linux consisting in a Mit >>> Kerberos Server, and an OpenLDAP directory with a particular structure. I >>> was wondering if we could use Freeipa to administer those working >>> components as they are, without having to deploy a new Freeipa server >>> from >>> scratch. >>> >> In short, no, it is not possible. >> > > I would like to elaborate this a bit more: > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system, > but FreeIPA provides migrate-ds scripts which ease the transition from > OpenLDAP. 
> > Please see > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_ > Guide/Migrating_from_a_Directory_Server_to_IPA.html > > You need to migrate OpenLDAP data to one FreeIPA server and then you can > simply create FreeIPA server replicas as needed. > > In other words, the migrate-ds script is run only once even if you have > multiple servers with replicated data. > > There are some limited capabilities for migration with user passwords, but > I will let other people elaborate - this is not an area of my expertise. > > Let us know if you need any assistance during migration. > > -- > Petr^2 Spacek > I had discarded the FreeIPA option, as we couldn't use our OpenLDAP server and Kerberos as they were. Now I am thinking that it could be very useful for us (because of another reason), but I have a question about it. In short: can FreeIPA's internal LDAP server be used like any other LDAP server? In detail: we have some Java applications that use authentication against our current OpenLDAP server. The LDAP authentication is used in this case, with an overlay for password policies (as in http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The users that would use FreeIPA are a subset of the users that use the Java applications. So, I would like, at least at first, users of the Java applications to continue authenticating as they are doing now. I don't know if that can be done, and I have never worked with 389 Directory Server, so any help is appreciated. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From simo at redhat.com Tue May 27 18:02:26 2014 From: simo at redhat.com (Simo Sorce) Date: Tue, 27 May 2014 14:02:26 -0400 Subject: [Freeipa-users] Migration from OpenLDAP In-Reply-To: References: <20140113145023.GB12003@redhat.com> <52D40539.1010103@redhat.com> Message-ID: <1401213746.2598.11.camel@willson.li.ssimo.org> On Tue, 2014-05-27 at 14:24 -0300, tizo wrote: > On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek wrote: > > > On 13.1.2014 15:50, Alexander Bokovoy wrote: > > > >> On Mon, 13 Jan 2014, tizo wrote: > >> > >>> Hi there, > >>> > >>> We have a working authentication system for GNU/Linux consisting in a Mit > >>> Kerberos Server, and an OpenLDAP directory with a particular structure. I > >>> was wondering if we could use Freeipa to administer those working > >>> components as they are, without having to deploy a new Freeipa server > >>> from > >>> scratch. > >>> > >> In short, no, it is not possible. > >> > > > > I would like to elaborate this a bit more: > > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos system, > > but FreeIPA provides migrate-ds scripts which ease the transition from > > OpenLDAP. > > > > Please see > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_ > > Guide/Migrating_from_a_Directory_Server_to_IPA.html > > > > You need to migrate OpenLDAP data to one FreeIPA server and then you can > > simply create FreeIPA server replicas as need. > > > > In other words, the migrate-ds script is run only once even if you have > > multiple servers with replicated data. > > > > There are some limited capabilities for migration with user passwords, but > > I will let other people to elaborate - this is not area of my expertise. > > > > Let us know if you need any assistance during migration. > > > > -- > > Petr^2 Spacek > > > > I had discarded the Freeipa option, as we couldn't use our OpenLDAP server > and Kerberos as they were. 
Now I am thinking that it could be very useful for > us (because of another reason), but I have a question about it. In short: > can FreeIPA's internal LDAP server be used like any other LDAP server? > > In detail: we have some Java applications that use authentication against > our current OpenLDAP server. The LDAP authentication is used in this case, > with an overlay for password policies (as in > http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). The > users that would use FreeIPA are a subset of the users that use the Java > applications. So, I would like, at least at first, users of the Java > applications to continue authenticating as they are doing now. I don't know if > that can be done, and I have never worked with 389 Directory Server, so > any help is appreciated. FreeIPA uses a fully LDAPv3-compliant LDAP server called 389ds: http://port389.org It allows LDAP binds and extensions to the schema just like any other fully featured LDAP server. Simo. -- Simo Sorce * Red Hat, Inc * New York From tizone at gmail.com Tue May 27 18:49:37 2014 From: tizone at gmail.com (tizo) Date: Tue, 27 May 2014 15:49:37 -0300 Subject: [Freeipa-users] Migration from OpenLDAP In-Reply-To: <1401213746.2598.11.camel@willson.li.ssimo.org> References: <20140113145023.GB12003@redhat.com> <52D40539.1010103@redhat.com> <1401213746.2598.11.camel@willson.li.ssimo.org> Message-ID: Great! Thanks very much Simo. On Tue, May 27, 2014 at 3:02 PM, Simo Sorce wrote: > On Tue, 2014-05-27 at 14:24 -0300, tizo wrote: > > On Mon, Jan 13, 2014 at 1:24 PM, Petr Spacek wrote: > > > > > On 13.1.2014 15:50, Alexander Bokovoy wrote: > > > > > >> On Mon, 13 Jan 2014, tizo wrote: > > >> > > >>> Hi there, > > >>> > > >>> We have a working authentication system for GNU/Linux consisting of > an MIT > > >>> Kerberos server, and an OpenLDAP directory with a particular > structure. 
I > > >>> was wondering if we could use Freeipa to administer those working > > >>> components as they are, without having to deploy a new Freeipa server > > >>> from > > >>> scratch. > > >>> > > >> In short, no, it is not possible. > > >> > > > > > > I would like to elaborate this a bit more: > > > You really can't use FreeIPA WebUI with home-grown LDAP+Kerberos > system, > > > but FreeIPA provides migrate-ds scripts which ease the transition from > > > OpenLDAP. > > > > > > Please see > > > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_ > > > Guide/Migrating_from_a_Directory_Server_to_IPA.html > > > > > > You need to migrate OpenLDAP data to one FreeIPA server and then you > can > > > simply create FreeIPA server replicas as need. > > > > > > In other words, the migrate-ds script is run only once even if you have > > > multiple servers with replicated data. > > > > > > There are some limited capabilities for migration with user passwords, > but > > > I will let other people to elaborate - this is not area of my > expertise. > > > > > > Let us know if you need any assistance during migration. > > > > > > -- > > > Petr^2 Spacek > > > > > > > I had discarded the Freeipa option, as we couldn't use our OpenLDAP > server > > and Kerberos as they were. Now, I am thinking that could be very useful > for > > us (because of another reason), but I have a question about it. In short: > > can Freeipa internal LDAP server be used as any other LDAP server?. > > > > In detail: we have some Java applications that use authentication against > > our actual OpenLDAP server. The LDAP authentication is used in this case, > > with an overlay for password policies (as in > > http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies). > The > > users that would use Freeipa are a subset from the users that use the > Java > > applications. So, I would like that, at least at first, users from Java > > applications continue authenticating as they are doing now. 
I don't know > if > > that can be done, and I have never worked with 389 directory service, so > > any help is appreciated. > > FreeIPA uses a full LDAPv3 compliant LDAP server called 389ds: > http://port389.org > > It allows LDAP binds and extensions to schema just like any other fully > featured LDAP server. > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Tue May 27 23:15:47 2014 From: dpal at redhat.com (Dmitri Pal) Date: Tue, 27 May 2014 19:15:47 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <538496C9.9080907@damascusgrp.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com> <538496C9.9080907@damascusgrp.com> Message-ID: <53851CA3.3050004@redhat.com> On 05/27/2014 09:44 AM, Bret Wortman wrote: > I just checked to be sure, and we do already put all the IPA servers > in our client host tables just to be sure they can be reached even if > DNS goes down. Sorry, I am running out of ideas. > > On 05/27/2014 09:20 AM, Dmitri Pal wrote: >> On 05/27/2014 08:41 AM, Rob Crittenden wrote: >>> Bret Wortman wrote: >>>> Crud. That was supposed to have a second comparison log too: >>>> >>>> I found something in the slapd-FOO-NET/access log. 
I figured out which >>>> conn ID related to a sudo -i that I performed which took longer than >>>> expected and grepped for that conn ID: >>>> >>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection >>>> from >>>> 192.168.208.129 to 192.168.10.111 >>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 >>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" >>>> attrs=ALL >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>>> >>>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" >>>> attrs=ALL >>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>>> nentries=2 etime=0 >>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" >>>> attrs=ALL >>>> [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>>> >>>> I think this shows, roughly, a 7 second elapsed time from start to >>>> finish, right? 
Granted, there were other requests being serviced during >>>> this interval as well, but nothing that looked like outrageous volume. >>> I don't see anything unusual here. The directory server retrieved the >>> data just as fast on both systems, the difference appears to be the >>> network, in connection and shutdown times. >>> >> +1, however the TLS handshake took longer. That probably required >> several DNS lookups so I wonder if DNS lookups might be slowing >> things down. >> I wonder if putting server records manually into the hosts file would >> make a difference. If yes then maybe you need to take a look at your >> DNS setup for the slow network. >> >> >>>> On our faster network, this same exchange went much faster: >>>> >>>> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection >>>> from >>>> 192.168.2.13 to 192.168.2.61 >>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT >>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND >>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 >>>> version=3 >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 >>>> nentries=0 etime=0 >>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH >>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" >>>> attrs=ALL >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH >>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 >>>> filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" >>>> >>>> attrs=ALL >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> 
[26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH >>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" >>>> attrs=ALL >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 >>>> nentries=0 etime=0 >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND >>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1 >>>> >>>> >>>> >>>> Bret >>>> >>>> On 05/26/2014 09:51 AM, Bret Wortman wrote: >>>>> Okay, I found something in the slapd-FOO-NET/access log. I figured >>>>> out >>>>> which conn ID related to a sudo -i that I performed which took longer >>>>> than expected and grepped for that conn ID: >>>>> >>>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection >>>>> from 192.168.208.129 to 192.168.10.111 >>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 >>>>> version=3 >>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" >>>>> attrs=ALL >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>>>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>>>> >>>>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" >>>>> attrs=ALL >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>>>> nentries=2 
etime=0 >>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" >>>>> attrs=ALL >>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>>> >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> > > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. From bret.wortman at damascusgrp.com Tue May 27 23:34:58 2014 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Tue, 27 May 2014 19:34:58 -0400 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <53851CA3.3050004@redhat.com> References: <537F3BDC.2040504@damascusgrp.com> <537F5190.9070806@damascusgrp.com> <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com> <538496C9.9080907@damascusgrp.com> <53851CA3.3050004@redhat.com> Message-ID: <177FA1DE-0081-4419-87B8-BD243586A45F@damascusgrp.com> No problem. We forced a reinstallation of openldap, which helped. PAM login is still slow but sudo isn't. We'll keep chipping away at it. 
Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman > On May 27, 2014, at 7:15 PM, Dmitri Pal wrote: > >> On 05/27/2014 09:44 AM, Bret Wortman wrote: >> I just checked to be sure, and we do already put all the IPA servers in our client host tables just to be sure they can be reached even if DNS goes down. > > Sorry, I am running out of ideas. > >> >>> On 05/27/2014 09:20 AM, Dmitri Pal wrote: >>>> On 05/27/2014 08:41 AM, Rob Crittenden wrote: >>>> Bret Wortman wrote: >>>>> Crud. That was supposed to have a second comparison log too: >>>>> >>>>> I found something in the slapd-FOO-NET/access log. I figured out which >>>>> conn ID related to a sudo -i that I performed which took longer than >>>>> expected and grepped for that conn ID: >>>>> >>>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from >>>>> 192.168.208.129 to 192.168.10.111 >>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 >>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>>>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>>>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL >>>>> 
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>>>> nentries=2 etime=0 >>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL >>>>> [26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>>>> >>>>> I think this shows, roughly, a 7-second elapsed time from start to >>>>> finish, right? Granted, there were other requests being serviced during >>>>> this interval as well, but nothing that looked like outrageous volume. >>>> I don't see anything unusual here. The directory server retrieved the >>>> data just as fast on both systems, the difference appears to be the >>>> network, in connection and shutdown times. >>> +1, however the TLS handshake took longer. That probably required several DNS lookups so I wonder if DNS lookups might be slowing things down. >>> I wonder if putting server records manually into the hosts file would make a difference. If yes then maybe you need to take a look at your DNS setup for the slow network. 
>>> >>> >>>>> On our faster network, this same exchange went much faster: >>>>> >>>>> [26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from >>>>> 192.168.2.13 to 192.168.2.61 >>>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT >>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>> [26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND >>>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3 >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 >>>>> nentries=0 etime=0 dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH >>>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" >>>>> attrs=ALL >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH >>>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 >>>>> filter="(|(sudoUser=bretw)(sudoUser=%bretw)(sudoUser=%#10042)(sudoUser=%admins)(sudoUser=%#388800000)(sudoUser=ALL))" >>>>> attrs=ALL >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 >>>>> nentries=1 etime=0 >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH >>>>> base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" >>>>> attrs=ALL >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 >>>>> nentries=0 etime=0 >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND >>>>> [26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1 >>>>> >>>>> >>>>> >>>>> Bret >>>>> >>>>>> On 05/26/2014 09:51 AM, Bret Wortman wrote: >>>>>> Okay, I found something in the slapd-FOO-NET/access log. 
I figured out >>>>>> which conn ID related to a sudo -i that I performed which took longer >>>>>> than expected and grepped for that conn ID: >>>>>> >>>>>> [26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection >>>>>> from 192.168.208.129 to 192.168.10.111 >>>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT >>>>>> oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>>>>> [26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 >>>>>> nentries=0 etime=0 >>>>>> [26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES >>>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND >>>>>> dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3 >>>>>> [26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 >>>>>> nentries=0 etime=0 >>>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH >>>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL >>>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 >>>>>> nentries=0 etime=0 >>>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH >>>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 >>>>>> filter="(|(sudoUser=bretw)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%admins)(sudoUser=%nonexp)(sudoUser=%sudoers)(sudoUser=$unrestricted)(sudoUser=%#1855200000)(sudoUser=%#18552000004) >>>>>> (sudoUser=%#1855200006)(sudoUser=%#1855200007)(sudoUser=ALL))" attrs=ALL >>>>>> [26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT erro=0 tag=101 >>>>>> nentries=2 etime=0 >>>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH >>>>>> base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL >>>>>> [26/May/2014:09:09:01 -0400] conn=183751 op=4 RESULT err=0 tag=101 >>>>>> nentries=0 etime=0 >>>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND >>>>>> [26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed = U1 >>>>> >>>>> _______________________________________________ >>>>> Freeipa-users mailing list >>>>> Freeipa-users at redhat.com >>>>> 
https://www.redhat.com/mailman/listinfo/freeipa-users >>>> _______________________________________________ >>>> Freeipa-users mailing list >>>> Freeipa-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users at redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2346 bytes Desc: not available URL: From jhrozek at redhat.com Wed May 28 07:52:56 2014 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 28 May 2014 09:52:56 +0200 Subject: [Freeipa-users] LDAP/SSSD/IPA performance In-Reply-To: <177FA1DE-0081-4419-87B8-BD243586A45F@damascusgrp.com> References: <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com> <538496C9.9080907@damascusgrp.com> <53851CA3.3050004@redhat.com> <177FA1DE-0081-4419-87B8-BD243586A45F@damascusgrp.com> Message-ID: <20140528075256.GA4492@hendrix.brq.redhat.com> On Tue, May 27, 2014 at 07:34:58PM -0400, Bret Wortman wrote: > No problem. We forced a re installation of openldap, which helped. Pam login is still slow but sudo isn't. We'll keep chipping away at it. As said earlier in the thread, logs might be the best way to move this forward. 
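The reading of the two access logs above (roughly seven seconds end to end on the slow network, a longer TLS handshake, and etime=0 on every operation) can be checked mechanically rather than by eye, which is what Jakub's "logs are the best way forward" comes down to once there are more than two connections to compare. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. It groups 389 Directory Server access-log lines by conn id, then reports for each connection the wall-clock span, the time from the startTLS extended operation to the cipher line (the handshake), the server's own etime total, and the largest gap between consecutive lines, which is where the waiting actually happened. The sample log is constructed from the two connections posted in this thread, with the long op=3 filters shortened; the `conn=183751op=4` line is kept exactly as logged so the parser is seen tolerating it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two connections posted in this thread, with the
# long op=3 filters shortened. The "conn=183751op=4" line (missing space)
# is kept as logged so the parser is seen tolerating it.
SAMPLE_LOG = """\
[26/May/2014:09:08:56 -0400] conn=183751 fd=111 slot=111 connection from 192.168.208.129 to 192.168.10.111
[26/May/2014:09:08:57 -0400] conn=183751 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:08:57 -0400] conn=183751 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:08:59 -0400] conn=183751 SSL 128-bit AES
[26/May/2014:09:08:59 -0400] conn=183751 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=foo,dc=net" method=128 version=3
[26/May/2014:09:08:59 -0400] conn=183751 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=2 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(cn=deraults)" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:00 -0400] conn=183751 op=3 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(|(sudoUser=bretw)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:09:00 -0400] conn=183751 op=3 RESULT err=0 tag=101 nentries=2 etime=0
[26/May/2014:09:09:01 -0400] conn=183751 op=4 SRCH base="ou=SUDOers,dc=foo,dc=net" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:09:01 -0400] conn=183751op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:09:03 -0400] conn=183751 op=5 UNBIND
[26/May/2014:09:09:03 -0400] conn=183751 op=5 fd=111 closed - U1
[26/May/2014:09:22:55 -0400] conn=12896 fd=100 slot=100 connection from 192.168.2.13 to 192.168.2.61
[26/May/2014:09:22:55 -0400] conn=12896 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/May/2014:09:22:55 -0400] conn=12896 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 SSL 128-bit AES
[26/May/2014:09:22:56 -0400] conn=12896 op=1 BIND dn="uid=sudo,cn=sysaccounts,cn=etc,dc=wedgeofli,dc=me" method=128 version=3
[26/May/2014:09:22:56 -0400] conn=12896 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 op=2 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(cn=defaults)" attrs=ALL
[26/May/2014:09:22:56 -0400] conn=12896 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 op=3 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(|(sudoUser=bretw)(sudoUser=ALL))" attrs=ALL
[26/May/2014:09:22:56 -0400] conn=12896 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 op=4 SRCH base="ou=SUDOers,dc=wedgeofli,dc=me" scope=2 filter="(sudoUser=+*)" attrs=ALL
[26/May/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
[26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)\s*(?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)')
ETIME_RE = re.compile(r'\betime=(\d+(?:\.\d+)?)')  # newer 389-ds logs fractional etime
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_access_log(text):
    """Group records by conn id: {conn: [(timestamp, rest_of_line), ...]} in log order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # continuation lines and anything else that is not a record are skipped
            ts = datetime.strptime(m.group('ts'), TS_FMT)
            conns[m.group('conn')].append((ts, m.group('rest')))
    return conns


def summarize_connection(events):
    """Split one connection's wall-clock span into server work (etime) and the rest."""
    starttls_at = ssl_at = prev_ts = None
    pending, ops, gaps = {}, [], []
    for ts, rest in events:
        if prev_ts is not None:
            gaps.append(((ts - prev_ts).total_seconds(), rest))
        prev_ts = ts
        if 'name="startTLS"' in rest:
            starttls_at = ts
        elif rest.startswith('SSL '):      # cipher line: the handshake has finished
            ssl_at = ts
        m = OP_RE.match(rest)
        if not m:
            continue
        op, kind = m.group('op'), m.group('kind')
        if kind == 'RESULT':
            et = ETIME_RE.search(rest)
            req_ts, req_kind = pending.pop(op, (ts, '?'))
            ops.append((int(op), req_kind, (ts - req_ts).total_seconds(),
                        float(et.group(1)) if et else 0.0))
        elif kind != 'UNBIND':             # UNBIND never gets a RESULT line
            pending[op] = (ts, kind)
    gap_s, gap_before = max(gaps, key=lambda g: g[0], default=(0.0, ''))
    tls = (ssl_at - starttls_at).total_seconds() if starttls_at and ssl_at else None
    return {
        'elapsed_s': (events[-1][0] - events[0][0]).total_seconds(),
        'tls_handshake_s': tls,
        'server_etime_s': sum(o[3] for o in ops),
        'ops': ops,                        # (op, kind, client-visible s, server etime s)
        'largest_gap_s': gap_s,
        'largest_gap_before': gap_before,  # the line that followed the longest pause
    }


def summarize(text):
    return {c: summarize_connection(ev) for c, ev in parse_access_log(text).items()}


if __name__ == '__main__':
    for conn, s in summarize(SAMPLE_LOG).items():
        print(f"conn={conn}: {s['elapsed_s']:.0f}s wall clock, TLS handshake "
              f"{s['tls_handshake_s']}s, server etime {s['server_etime_s']}s, "
              f"largest gap {s['largest_gap_s']:.0f}s before '{s['largest_gap_before']}'")
```

On the sample this gives 7 s wall clock for conn=183751 with a 2 s handshake and a 2 s pause before the client's UNBIND, against 1 s and 1 s for conn=12896, with server etime 0 on both, which is the same conclusion Rob and Dmitri reached: the directory is not where the time goes. Two caveats: these timestamps have one-second resolution, so anything under a second is invisible, and newer 389-ds releases log fractional etime (and separate wtime/optime fields) that let the same split be made far more precisely; the regex accepts the fractional form already.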
From rob.harper at stfc.ac.uk Wed May 28 08:13:33 2014
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Wed, 28 May 2014 08:13:33 +0000
Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
Message-ID:

Hi all,

I am wanting to set up a FreeIPA domain for controlling a group of machines on our network, and want to use replica servers for resilience. However, I do not have control over DNS: our site prefers to use a central DNS service, which I can easily request changes in, but I don't have flexibility there.

I will, at this point, admit to not knowing a great deal about the workings of DNS, so if I am asking dumb questions, please feel free to point me at an RFC, howto or other documentation so I can get educated.

So I am trying to work out the best way to set things up. My initial hunch was that I should get A-records set up to provide a DNS round robin for the service. The problem appears to be that if I install FreeIPA on the servers using their own hostnames, their host certificates won't match the A-record, and if I set up FreeIPA to use the round robin hostname, it just doesn't look right to me.

I hope I have managed to explain my situation appropriately. I haven't been able to find documentation to help me with this (I suspect I just need to understand a few different aspects better than I do already), so can someone point me in the right direction, please?

Many thanks,
Rob

From rob.harper at stfc.ac.uk Wed May 28 08:44:19 2014
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Wed, 28 May 2014 08:44:19 +0000
Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
In-Reply-To:
References:
Message-ID:

Well, after sending my query I started going back over the FreeIPA documentation again and found information that I should probably be using SRV records in DNS to handle the load balancing.

I will look into this and figure out what I need to request of the site network team.
Apologies for cluttering up your inboxes!

Rob

> -----Original Message-----
> From: rob.harper at stfc.ac.uk [mailto:rob.harper at stfc.ac.uk]
> Sent: 28 May 2014 09:14
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
>
> Hi all,
>
> I am wanting to set up a FreeIPA domain for controlling a group of machines on our network, and want to use replica servers for resilience. However, I do not have control over DNS: our site prefers to use a central DNS service, which I can easily request changes in, but I don't have flexibility there.
>
> I will, at this point, admit to not knowing a great deal about the workings of DNS, so if I am asking dumb questions, please feel free to point me at an RFC, howto or other documentation so I can get educated.
>
> So I am trying to work out the best way to set things up. My initial hunch was that I should get A-records set up to provide a DNS round robin for the service. The problem appears to be that if I install FreeIPA on the servers using their own hostnames, their host certificates won't match the A-record, and if I set up FreeIPA to use the round robin hostname, it just doesn't look right to me.
>
> I hope I have managed to explain my situation appropriately. I haven't been able to find documentation to help me with this (I suspect I just need to understand a few different aspects better than I do already), so can someone point me in the right direction, please?
>
> Many thanks,
> Rob
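Rob's follow-up settles on SRV records rather than a round-robin A record, and Martin's reply later in the thread notes that ipa-server-install prints the required records in BIND zone format. The script below is an added example, not the FreeIPA project's code nor anything a participant posted: it generates that record set for a list of servers so the request to a central DNS team can be produced and checked mechanically when replicas are added or removed. The service names and ports are the standard Kerberos/LDAP discovery records (the exact list ipa-server-install prints for a given version should be taken from its own output; _ntp._udp is included only on request); hostnames and addresses are constructed.

```python
"""Zone-file records for locating FreeIPA servers via DNS SRV instead of A-record round robin."""

# SRV names and ports FreeIPA clients query for discovery (assumed standard set;
# compare with what ipa-server-install prints on your version).
SRV_SERVICES = (
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
)

# Constructed example inventory: (hostname, IPv4, SRV priority). Lower priority is
# tried first, so a remote/DR replica can be given a higher number.
SERVERS = [
    ("ipa1.example.test", "192.0.2.1", 0),
    ("ipa2.example.test", "192.0.2.2", 0),
    ("ipa-dr.example.test", "192.0.2.3", 10),
]


def _fqdn(name):
    """Absolute name with a trailing dot, as BIND zone files expect."""
    return name.rstrip(".") + "."


def ipa_discovery_records(domain, realm, servers, weight=100, with_ntp=False):
    """Return BIND zone-file lines (A, TXT and SRV) for the given IPA servers.

    Every SRV target is the server's own hostname, so the certificate a client
    sees (CN=<that hostname>) matches the name it connected to. A single alias
    with several A records would make clients connect to a name no server
    certificate carries, which is the mismatch described in the thread.
    """
    zone = _fqdn(domain)
    lines = [f"{_fqdn(host)} IN A {ip}" for host, ip, _ in servers]
    lines.append(f'_kerberos.{zone} IN TXT "{realm}"')  # realm hint for clients
    services = SRV_SERVICES + (("_ntp._udp", 123),) if with_ntp else SRV_SERVICES
    for service, port in services:
        for host, _, priority in servers:
            lines.append(f"{service}.{zone} IN SRV {priority} {weight} {port} {_fqdn(host)}")
    return lines


def missing_srv_targets(records):
    """SRV targets that have no A record in the same set and so could not be resolved."""
    a_names = {r.split()[0] for r in records if " IN A " in r}
    srv_targets = {r.split()[-1] for r in records if " IN SRV " in r}
    return sorted(srv_targets - a_names)


if __name__ == "__main__":
    records = ipa_discovery_records("example.test", "EXAMPLE.TEST", SERVERS)
    print("\n".join(records))
    print("unresolvable SRV targets:", missing_srv_targets(records))
```

The check in missing_srv_targets is the one to run on the records actually published by the DNS team: a replica that was decommissioned but left in the SRV set, or one added without its A record, shows up there before clients start timing out on it.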
From scottlryan at gmail.com Wed May 28 09:37:06 2014
From: scottlryan at gmail.com (Scott Ryan)
Date: Wed, 28 May 2014 10:37:06 +0100
Subject: [Freeipa-users] Failure configuring certificate server instance
Message-ID:

I am trying to get freeIPA up and running on a minimal CentOS6.5 installation. I have forward and reverse DNS setup on an external DNS server - no SELinux & no iptables (for troubleshooting) but keep running into the following problem during installation:

[3/21]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
Configuration of CA failed

The installation log shows this:

2014-05-28T09:19:47Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
...skipping...
        at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
        at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
        at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
        at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
        at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
        at java.security.Security.insertProviderAt(Security.java:362)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
        at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
        at ComCrypto.loginDB(ComCrypto.java:420)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
        at ConfigureCA.main(ConfigureCA.java:1672)
Caused by: java.util.zip.ZipException: error in opening zip file
        at java.util.zip.ZipFile.open(Native Method)
        at java.util.zip.ZipFile.<init>(ZipFile.java:215)
        at java.util.zip.ZipFile.<init>(ZipFile.java:145)
        at java.util.jar.JarFile.<init>(JarFile.java:153)
        at java.util.jar.JarFile.<init>(JarFile.java:90)
        at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
        at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
        at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
        at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
        at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
        ... 23 more
2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
2014-05-28T09:20:15Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

Any ideas would be helpful.

Thanks
--
Scott Ryan

From mkosek at redhat.com Wed May 28 13:04:24 2014
From: mkosek at redhat.com (Martin Kosek)
Date: Wed, 28 May 2014 15:04:24 +0200
Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
In-Reply-To:
References:
Message-ID: <5385DED8.8050508@redhat.com>

No worries. Note that at the end of ipa-server-install, you get a list of DNS records (SRV, A) required to be added (in a BIND zone format).
Additional required updates caused by new/removed FreeIPA replicas are on your own though.

Martin

On 05/28/2014 10:44 AM, rob.harper at stfc.ac.uk wrote:
> Well, after sending my query I started going back over the FreeIPA documentation again and found information that I should probably be using SRV records in DNS to handle the load balancing.
>
> I will look into this and figure out what I need to request of the site network team.
>
> Apologies for cluttering up your inboxes!
>
> Rob
>
>> -----Original Message-----
>> From: rob.harper at stfc.ac.uk [mailto:rob.harper at stfc.ac.uk]
>> Sent: 28 May 2014 09:14
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
>>
>> Hi all,
>>
>> I am wanting to set up a FreeIPA domain for controlling a group of machines on our network, and want to use replica servers for resilience. However, I do not have control over DNS: our site prefers to use a central DNS service, which I can easily request changes in, but I don't have flexibility there.
>>
>> I will, at this point, admit to not knowing a great deal about the workings of DNS, so if I am asking dumb questions, please feel free to point me at an RFC, howto or other documentation so I can get educated.
>>
>> So I am trying to work out the best way to set things up. My initial hunch was that I should get A-records set up to provide a DNS round robin for the service. The problem appears to be that if I install FreeIPA on the servers using their own hostnames, their host certificates won't match the A-record, and if I set up FreeIPA to use the round robin hostname, it just doesn't look right to me.
>>
>> I hope I have managed to explain my situation appropriately. I haven't been able to find documentation to help me with this (I suspect I just need to understand a few different aspects better than I do already), so can someone point me in the right direction, please?
>>
>> Many thanks,
>> Rob

From tizone at gmail.com Wed May 28 13:47:13 2014
From: tizone at gmail.com (tizo)
Date: Wed, 28 May 2014 10:47:13 -0300
Subject: [Freeipa-users] Trust services
Message-ID:

I would like to know, if having configured trusts services between FreeIPA and Active Directory, allow AD users to authenticate in services that are only configured to authenticate against FreeIPA.

For example, having configured the trusts, if I have a mail server that is using FreeIPA as its authentication method, can a user A from Active Directory, who does not exist in FreeIPA, authenticate in the mail server?

Thanks very much.

From alee at redhat.com Wed May 28 14:11:27 2014
From: alee at redhat.com (Ade Lee)
Date: Wed, 28 May 2014 10:11:27 -0400
Subject: [Freeipa-users] Failure configuring certificate server instance
In-Reply-To:
References:
Message-ID: <1401286287.31369.7.camel@aleeredhat.laptop>

On Wed, 2014-05-28 at 10:37 +0100, Scott Ryan wrote:
> I am trying to get freeIPA up and running on a minimal CentOS6.5 installation.
> I have forward and reverse DNS setup on an external DNS server - no SELinux & no iptables (for troubleshooting)
>
> but keep running into the following problem during installation:
>
> [3/21]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
> Configuration of CA failed
>
> The installation log shows this:
>
> 2014-05-28T09:19:47Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ...skipping...
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
>         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
>         at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
>         at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
>         at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
>         at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
>         at java.security.Security.insertProviderAt(Security.java:362)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
>         at ComCrypto.loginDB(ComCrypto.java:420)
>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
>         at ConfigureCA.main(ConfigureCA.java:1672)
> Caused by: java.util.zip.ZipException: error in opening zip file
>         at java.util.zip.ZipFile.open(Native Method)
>         at java.util.zip.ZipFile.<init>(ZipFile.java:215)
>         at java.util.zip.ZipFile.<init>(ZipFile.java:145)
>         at java.util.jar.JarFile.<init>(JarFile.java:153)
>         at java.util.jar.JarFile.<init>(JarFile.java:90)
>         at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
>         at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
>         at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
>         ... 23 more
>

That's a very interesting error. Looks like something is going on at the nss/jss level on the client side when trying to initialize the client side nss database.

Can you tell me what versions you have for nss, jss, pki-common, pkisilent, pki-ca?

rpm -q nss jss pki-common pki-silent pki-ca

Thanks.

> 2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
> 2014-05-28T09:20:15Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>     return_value = main_function()
>
> Any ideas would be helpful.
>
> Thanks

From rob.harper at stfc.ac.uk Wed May 28 14:24:05 2014
From: rob.harper at stfc.ac.uk (rob.harper at stfc.ac.uk)
Date: Wed, 28 May 2014 14:24:05 +0000
Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
In-Reply-To: <5385DED8.8050508@redhat.com>
References: <5385DED8.8050508@redhat.com>
Message-ID:

Thanks for the tip, Martin.

Rob

> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: 28 May 2014 14:04
> To: Harper, Rob (STFC,RAL,SC); freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Setting up FreeIPA with replicas without DNS
>
> No worries. Note that at the end of ipa-server-install, you get a list of DNS records (SRV, A) required to be added (in a BIND zone format). Additional required updates caused by new/removed FreeIPA replicas are on your own though.
>
> Martin
>
> On 05/28/2014 10:44 AM, rob.harper at stfc.ac.uk wrote:
> > Well, after sending my query I started going back over the FreeIPA documentation again and found information that I should probably be using SRV records in DNS to handle the load balancing.
> >
> > I will look into this and figure out what I need to request of the site network team.
> >
> > Apologies for cluttering up your inboxes!
> >
> > Rob
> >
> >> -----Original Message-----
> >> From: rob.harper at stfc.ac.uk [mailto:rob.harper at stfc.ac.uk]
> >> Sent: 28 May 2014 09:14
> >> To: freeipa-users at redhat.com
> >> Subject: [Freeipa-users] Setting up FreeIPA with replicas without DNS
> >>
> >> Hi all,
> >>
> >> I am wanting to set up a FreeIPA domain for controlling a group of machines on our network, and want to use replica servers for resilience. However, I do not have control over DNS: our site prefers to use a central DNS service, which I can easily request changes in, but I don't have flexibility there.
> >>
> >> I will, at this point, admit to not knowing a great deal about the workings of DNS, so if I am asking dumb questions, please feel free to point me at an RFC, howto or other documentation so I can get educated.
> >>
> >> So I am trying to work out the best way to set things up. My initial hunch was that I should get A-records set up to provide a DNS round robin for the service. The problem appears to be that if I install FreeIPA on the servers using their own hostnames, their host certificates won't match the A-record, and if I set up FreeIPA to use the round robin hostname, it just doesn't look right to me.
> >>
> >> I hope I have managed to explain my situation appropriately. I haven't been able to find documentation to help me with this (I suspect I just need to understand a few different aspects better than I do already), so can someone point me in the right direction, please?
> >>
> >> Many thanks,
> >> Rob

From David.Fitzgerald at millersville.edu Wed May 28 14:40:00 2014
From: David.Fitzgerald at millersville.edu (David Fitzgerald)
Date: Wed, 28 May 2014 14:40:00 +0000
Subject: [Freeipa-users] ipa 3.0 expired cert renewal
Message-ID: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local>

Hello,

My Freeipa server stopped working over the weekend due to what looks like expired certificates. I am running ipa-server 3.0 and thought these certs were automatically renewed. I am no expert at KDC / IPA and any help you can give is greatly appreciated.
When I try to start the ipa service on my server I get:

[root at aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
    LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
    PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                           [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    LINUX-DIRSRV-LOCAL...                                  [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl

Of course kinit also fails with: kinit: Cannot contact any KDC for realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet? Luckily there are not many students around in the summer so I just have 20 annoyed faculty instead of 200 annoyed students to placate.

Thanks!

-----------------------------------------------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551

E-mail: david.fitzgerald at millersville.edu
PH: 717-871-2394

From sbose at redhat.com Wed May 28 16:22:38 2014
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 28 May 2014 18:22:38 +0200
Subject: [Freeipa-users] Trust services
In-Reply-To:
References:
Message-ID: <20140528162238.GE30381@localhost.localdomain>

On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> I would like to know, if having configured trusts services between FreeIPA and Active Directory, allow AD users to authenticate in services that are only configured to authenticate against FreeIPA.
>
> For example, having configured the trusts, if I have a mail server that is using FreeIPA as its authentication method, can a user A from Active Directory, who does not exist in FreeIPA, authenticate in the mail server?

It depends a bit on how the users authenticate exactly because IPA offers Kerberos and LDAP authentication.

Kerberos should work out of the box because that's one of the trust's components, trusting Kerberos tickets from the other domain/realm.

For LDAP authentication you should be able to find the users from the trusted domain in the compat tree below cn=compat,dc=your,dc=ipa,dc=domain. To authenticate the user you can do an LDAP bind with the DN from the compat tree and the password used in AD.

HTH

bye,
Sumit

>
> Thanks very much.

From scottlryan at gmail.com Wed May 28 16:41:59 2014
From: scottlryan at gmail.com (Scott Ryan)
Date: Wed, 28 May 2014 17:41:59 +0100
Subject: [Freeipa-users] Failure configuring certificate server instance
In-Reply-To: <1401286287.31369.7.camel@aleeredhat.laptop>
References: <1401286287.31369.7.camel@aleeredhat.laptop>
Message-ID:

I noticed that the error said it could not unzip the zip file. I installed lzo and then did a clean install and it worked. Perhaps lzo should be a package dependency?
Thanks

On 28 May 2014 15:11, Ade Lee wrote:
> On Wed, 2014-05-28 at 10:37 +0100, Scott Ryan wrote:
>> I am trying to get freeIPA up and running on a minimal CentOS6.5 installation.
>> I have forward and reverse DNS setup on an external DNS server - no SELinux & no iptables (for troubleshooting)
>>
>> but keep running into the following problem during installation:
>>
>> [3/21]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
>> Configuration of CA failed
>>
>> The installation log shows this:
>>
>> 2014-05-28T09:19:47Z DEBUG importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>> ...skipping...
>>         at java.net.URLClassLoader$1.run(URLClassLoader.java:358)
>>         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
>>         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:215)
>>         at sun.security.jca.ProviderConfig$2.run(ProviderConfig.java:206)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:206)
>>         at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:187)
>>         at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
>>         at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
>>         at sun.security.jca.Providers.getFullProviderList(Providers.java:176)
>>         at java.security.Security.insertProviderAt(Security.java:362)
>>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:942)
>>         at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:869)
>>         at ComCrypto.loginDB(ComCrypto.java:420)
>>         at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1145)
>>         at ConfigureCA.main(ConfigureCA.java:1672)
>> Caused by: java.util.zip.ZipException: error in opening zip file
>>         at java.util.zip.ZipFile.open(Native Method)
>>         at java.util.zip.ZipFile.<init>(ZipFile.java:215)
>>         at java.util.zip.ZipFile.<init>(ZipFile.java:145)
>>         at java.util.jar.JarFile.<init>(JarFile.java:153)
>>         at java.util.jar.JarFile.<init>(JarFile.java:90)
>>         at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:728)
>>         at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:591)
>>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:673)
>>         at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:666)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:665)
>>         at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:836)
>>         ... 23 more
>>
>
> That's a very interesting error. Looks like something is going on at the nss/jss level on the client side when trying to initialize the client side nss database.
>
> Can you tell me what versions you have for nss, jss, pki-common, pkisilent, pki-ca?
>
> rpm -q nss jss pki-common pki-silent pki-ca
>
> Thanks.
>
>> 2014-05-28T09:20:15Z CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa1.int.immi.gov.au -cs_port 9445 -client_certdb_dir /tmp/tmp-RsFkUW -client_certdb_pwd XXXXXXXX -preop_pin miTD9vj5e6KwfqQNy2ig -domain_name IPA -admin_user admin -admin_email root at localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=INT.IMMI.GOV.AU -ldap_host ipa1.int.immi.gov.au -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=INT.IMMI.GOV.AU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=INT.IMMI.GOV.AU -ca_server_cert_subject_name CN=ipa1.int.immi.gov.au,O=INT.IMMI.GOV.AU -ca_audit_signing_cert_subject_name CN=CA Audit,O=INT.IMMI.GOV.AU -ca_sign_cert_subject_name CN=Certificate Authority,O=INT.IMMI.GOV.AU -external false -clone false' returned non-zero exit status 255
>> 2014-05-28T09:20:15Z INFO File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>>     return_value = main_function()
>>
>> Any ideas would be helpful.
>>
>> Thanks
>
>

--
Scott Ryan
Mobile +44 (0)7511803027
Skype - scottlryan

From bret.wortman at damascusgrp.com Wed May 28 18:01:38 2014
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 28 May 2014 14:01:38 -0400
Subject: [Freeipa-users] LDAP/SSSD/IPA performance
In-Reply-To: <20140528075256.GA4492@hendrix.brq.redhat.com>
References: <537F554F.4030108@damascusgrp.com> <537F9714.6080407@redhat.com> <538332FC.2090907@damascusgrp.com> <538346E3.6020601@damascusgrp.com> <538349DB.6060408@damascusgrp.com> <53848810.2080805@redhat.com> <53849126.5020207@redhat.com> <538496C9.9080907@damascusgrp.com> <53851CA3.3050004@redhat.com> <177FA1DE-0081-4419-87B8-BD243586A45F@damascusgrp.com> <20140528075256.GA4492@hendrix.brq.redhat.com>
Message-ID: <53862482.50403@damascusgrp.com>

The CD is in the hands of the security folks now. I'll let you know when I have it and can transfer the logs over to you. It's only 2GB worth of data, but I hope it's informative.

Bret

On 05/28/2014 03:52 AM, Jakub Hrozek wrote:
> On Tue, May 27, 2014 at 07:34:58PM -0400, Bret Wortman wrote:
>> No problem. We forced a reinstallation of openldap, which helped. PAM login is still slow but sudo isn't. We'll keep chipping away at it.
> As said earlier in the thread, logs might be the best way to move this forward.
From dpal at redhat.com Thu May 29 00:50:41 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 28 May 2014 20:50:41 -0400
Subject: [Freeipa-users] ipa 3.0 expired cert renewal
In-Reply-To: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local>
References: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local>
Message-ID: <53868461.8030902@redhat.com>

On 05/28/2014 10:40 AM, David Fitzgerald wrote:
> Hello,
>
> My Freeipa server stopped working over the weekend due to what looks
> like expired certificates. I am running ipa-server 3.0 and thought
> these certs were automatically renewed. I am no expert at KDC / IPA
> and any help you can give is greatly appreciated.
>
> When I try to start the ipa service on my server I get:
>
> root at aurora ~]# /sbin/service ipa start
> Starting Directory Service
> Starting dirsrv:
> LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server: [ OK ]
> Starting MEMCACHE Service
> Starting ipa_memcached: [ OK ]
> Starting HTTP Service
> Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_
> VirtualHost overlap on port 443, the first has precedence
> [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Stopping Kerberos 5 Admin Server: [ OK ]
> Stopping ipa_memcached: [ OK ]
> Stopping httpd: [FAILED]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
> LINUX-DIRSRV-LOCAL... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
>
> Of course kinit also fails with: kinit: Cannot contact any KDC for
> realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials
>
> Can someone help me get back on my feet? Luckily there are not many
> students around in the summer so I just have 20 annoyed faculty
> instead of 200 annoyed students to placate.
>
> Thanks!

Usually that happens when you do not have the original master any more.
Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?

>
> -----------------------------------------------
> David Fitzgerald
> Adjunct Professor
> Department of Earth Sciences
> Millersville University
> Millersville, PA 17551
>
> E-mail: david.fitzgerald at millersville.edu
> PH: 717-871-2394
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
From abokovoy at redhat.com Thu May 29 06:47:38 2014
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)
Subject: [Freeipa-users] Trust services
In-Reply-To: <20140528162238.GE30381@localhost.localdomain>
References: <20140528162238.GE30381@localhost.localdomain>
Message-ID: <106322879.11216311.1401346058802.JavaMail.zimbra@redhat.com>

----- Original Message -----
> On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > I would like to know, if having configured trusts services between FreeIPA
> > and Active Directory, allow AD users to authenticate in services that are
> > only configured to authenticate against FreeIPA.
> >
> > For example, having configured the trusts, if I have a mail server that is
> > using FreeIPA as its authentication method, can a user A from Active
> > Directory, who does not exist in FreeIPA, authenticate in the mail server?
>
> It depends a bit on how the users authenticate exactly because IPA
> offers Kerberos and LDAP authentication.
>
> Kerberos should work out of the box because that's one of the trusts
> components, trusting Kerberos tickets from the other domain/realm.
>
> For LDAP authentication you should be able to find the users from the
> trusted domain in the compat tree below
> cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> do a LDAP bind with the DN from the compat tree and the password used in
> AD.

Please note that the latter is valid only for FreeIPA 3.3 and later. FreeIPA 3.0 does not support authentication over LDAP in the compat tree.

--
/ Alexander Bokovoy

From rcritten at redhat.com Thu May 29 13:07:36 2014
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 29 May 2014 09:07:36 -0400
Subject: [Freeipa-users] ipa 3.0 expired cert renewal
In-Reply-To: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local>
References: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local>
Message-ID: <53873118.6060608@redhat.com>

David Fitzgerald wrote:
> Hello,
>
> My Freeipa server stopped working over the weekend due to what looks
> like expired certificates. I am running ipa-server 3.0 and thought
> these certs were automatically renewed. I am no expert at KDC / IPA and
> any help you can give is greatly appreciated.
>
> When I try to start the ipa service on my server I get:
>
> root at aurora ~]# /sbin/service ipa start
> Starting Directory Service
> Starting dirsrv:
> LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable
> Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> Starting KDC Service
> Starting Kerberos 5 KDC: [ OK ]
> Starting KPASSWD Service
> Starting Kerberos 5 Admin Server: [ OK ]
> Starting MEMCACHE Service
> Starting ipa_memcached: [ OK ]
> Starting HTTP Service
> Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost
> overlap on port 443, the first has precedence
> [FAILED]
> Failed to start HTTP Service
> Shutting down
> Stopping Kerberos 5 KDC: [ OK ]
> Stopping Kerberos 5 Admin Server: [ OK ]
> Stopping ipa_memcached: [ OK ]
> Stopping httpd: [FAILED]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
> LINUX-DIRSRV-LOCAL... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
>
> Of course kinit also fails with: kinit: Cannot contact any KDC for realm

Can you show the current state of the tracked certificates?

# getcert list

The CA has a number of certificates that require renewal for the rest to be successful. Those are the ones we need to get working first.

Do you have multiple IPA Masters? Are they in a similar state?

rob

From sallen at theembassyvfx.com Thu May 29 18:20:37 2014
From: sallen at theembassyvfx.com (Scott Allen)
Date: Thu, 29 May 2014 11:20:37 -0700
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
Message-ID:

Hi,

Having a particularly weird problem. We have moved from AD to freeIPA recently and while there have been some bumps, most of the CentOS 6.2 boxes make the transition successfully. Some background.

The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. When we moved from AD, boxes were not "removed" from AD, just disabled on the server side. We scripted the necessary bits since we were moving to a new subnet as well. The script runs "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"

The machines were joined successfully to freeIPA and then added to allow_all_hosts Host Group.

On a workstation that was migrated, all users can successfully log in. On a fresh install of CentOS6.2, only myself (admin_user) and a newly created user (foo) can successfully log in.

On this fresh install, 'david' is blocked but new user 'foo' is allowed.
May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

But on this machine that was migrated.

pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 29 10:42:11 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.105 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 29 10:42:56 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:59 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 10:42:59 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session7 (system bus name :1.160, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 29 10:42:59 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session8 (system bus name :1.175 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

The dirserv says this about david from the broken PC

[29/May/2014:09:20:46 -0700] conn=8 op=1526 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=david at EMBASSY.VFX)(krbPrincipalName=david at EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[29/May/2014:09:20:46 -0700] conn=8 op=1526 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1527 SRCH base="cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[29/May/2014:09:20:46 -0700] conn=8 op=1527 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1528 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/EMBASSY.VFX at EMBASSY.VFX)(krbPrincipalName=krbtgt/EMBASSY.VFX at EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
[29/May/2014:09:20:46 -0700] conn=8 op=1528 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1529 SRCH base="cn=global_policy,cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[29/May/2014:09:20:46 -0700] conn=8 op=1529 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:09:20:46 -0700] conn=8 op=1530 MOD dn="uid=david,cn=users,cn=accounts,dc=embassy,dc=vfx"
[29/May/2014:09:20:46 -0700] conn=8 op=1530 RESULT err=0 tag=103 nentries=0 etime=0 csn=53875e73000000030000

From a Migrated working machine (more debugging turned on)

[29/May/2014:10:42:04 -0700] conn=72 op=14 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
[29/May/2014:10:42:04 -0700] conn=72 op=14 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=15 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
[29/May/2014:10:42:08 -0700] conn=72 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=16 SRCH base="cn=ipausers,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
[29/May/2014:10:42:08 -0700] conn=72 op=16 RESULT err=0 tag=101 nentries=0 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=17 SRCH base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
[29/May/2014:10:42:08 -0700] conn=72 op=17 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=18 SRCH base="cn=etc,dc=embassy,dc=vfx" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault ipaSELinuxUserMapOrder"
[29/May/2014:10:42:08 -0700] conn=72 op=18 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=19 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHost)(fqdn=embassy426.embassy.vfx))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[29/May/2014:10:42:08 -0700] conn=72 op=19 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
[29/May/2014:10:42:08 -0700] conn=72 op=20 SRCH base="fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[29/May/2014:10:42:08 -0700] conn=72 op=20 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
[29/May/2014:10:42:08 -0700] conn=72 op=21 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACService)" attrs="objectClass cn ipaUniqueID member memberOf"
[29/May/2014:10:42:08 -0700] conn=72 op=21 RESULT err=0 tag=101 nentries=15 etime=0 notes=P
[29/May/2014:10:42:08 -0700] conn=72 op=22 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACServiceGroup)" attrs="objectClass cn ipaUniqueID member memberOf"
[29/May/2014:10:42:08 -0700] conn=72 op=22 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
[29/May/2014:10:42:08 -0700] conn=72 op=23 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=hostgroups,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=ng,cn=alt,dc=embassy,dc=vfx)(memberHost=ipauniqueid=6e07ee2e-d495-11e3-9c3b-00304881a4bc,cn=hbac,dc=embassy,dc=vfx)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost memberHost hostCategory"
[29/May/2014:10:42:08 -0700] conn=72 op=23 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
[29/May/2014:10:42:08 -0700] conn=72 op=24 SRCH base="cn=etc,dc=embassy,dc=vfx" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault ipaSELinuxUserMapOrder"
[29/May/2014:10:42:08 -0700] conn=72 op=24 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:08 -0700] conn=72 op=25 SRCH base="cn=selinux,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))" attrs="objectClass cn memberUser memberHost seeAlso ipaSELinuxUser ipaEnabledFlag userCategory hostCategory ipaUniqueID"
[29/May/2014:10:42:08 -0700] conn=72 op=25 RESULT err=0 tag=101 nentries=0 etime=0 notes=P
[29/May/2014:10:42:09 -0700] conn=72 op=26 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
[29/May/2014:10:42:09 -0700] conn=72 op=26 RESULT err=0 tag=101 nentries=0 etime=1
[29/May/2014:10:42:09 -0700] conn=72 op=27 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(gidNumber=16777729)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
[29/May/2014:10:42:09 -0700] conn=72 op=27 RESULT err=0 tag=101 nentries=1 etime=0
[29/May/2014:10:42:09 -0700] conn=72 op=28 SRCH base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn uid"
[29/May/2014:10:42:09 -0700] conn=72 op=28 RESULT err=0 tag=101 nentries=1 etime=0 notes=P

I can see that winbind is somehow involved but
1) Both machines are disabled in AD
2) The new user 'foo' is not in AD but can still log in

I have tried copying over the pam.d folder from a working PC with no luck as well. The weird part is the migrated machine behaves "better" than the clean install.....

Anything leap out? I can send more info if required.

Thanks
Scott A

--
Scott Allen
Head of IT
The Embassy Visual Effects Inc.
4th Floor - 177 W 7th Avenue
Vancouver, B.C. V5Y 1L8
604.696.6862 ext 241
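Reading the two PAM traces side by side is what exposes winbind here: on the migrated box pam_sss rejects david, pam_winbind then grants access, and a session opens anyway. The script below does that correlation per login attempt; it is an added example, not code from the thread or from FreeIPA, and its sample lines are a constructed subset of the ones Scott pasted.

```python
"""Correlate PAM authentication outcomes per login attempt.

Added example (not from the mailing list or FreeIPA): parse gdm-password
syslog lines, group them by host and PID, and flag any attempt where a
session was opened although the expected module (pam_sss on an
IPA-enrolled client) never reported success.
"""
import re

# Constructed sample: a subset of the lines quoted in the post, one denied
# and one successful attempt on the fresh install (embassy419) and the
# winbind-granted attempt on the migrated machine (Embassy426).
SAMPLE_LOG = """\
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
"""

# syslog prefix, then "pam_<module>(<service>:<type>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\((?P=svc):(?P<type>\w+)\): (?P<msg>.*)$"
)
# The three ways these modules name the account; \b stops "ruser=" matching.
USER_RE = re.compile(r"\buser=(\S*)|user '([^']+)'|for user ([^\s:]+)")

# On an IPA-enrolled client this module must say yes. pam_unix failing
# first is normal: the user has no /etc/shadow entry.
EXPECTED_AUTH_MODULE = "pam_sss"


def parse_line(line):
    """Return a dict for a PAM line, or None for anything else (polkitd etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    um = USER_RE.search(ev["msg"])
    ev["user"] = next((g for g in um.groups() if g), None) if um else None
    return ev


def correlate(lines):
    """Group events by (host, pid) into one record per login attempt."""
    attempts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], int(ev["pid"]))
        a = attempts.setdefault(key, {
            "host": ev["host"], "pid": key[1], "user": None,
            "auth": {}, "account_errors": [], "session_opened": False,
        })
        if ev["user"]:
            a["user"] = ev["user"]
        msg, mod = ev["msg"], ev["module"]
        if ev["type"] == "auth":
            if "authentication failure" in msg:
                a["auth"][mod] = "failure"
            elif "authentication success" in msg or "granted access" in msg:
                a["auth"][mod] = "success"
        elif ev["type"] == "account" and "WBC_ERR" in msg:
            a["account_errors"].append(mod + ": " + msg)
        elif ev["type"] == "session" and "session opened" in msg:
            a["session_opened"] = True
    return list(attempts.values())


def review(attempts):
    """Attach a verdict to each attempt: ok, denied, or FLAG."""
    out = []
    for a in attempts:
        granted = sorted(m for m, r in a["auth"].items() if r == "success")
        failed = sorted(m for m, r in a["auth"].items() if r == "failure")
        if a["session_opened"] and EXPECTED_AUTH_MODULE not in granted:
            verdict = "FLAG: session opened without %s success (granted by %s)" % (
                EXPECTED_AUTH_MODULE, ", ".join(granted) or "no module")
        elif a["session_opened"]:
            verdict = "ok"
        else:
            verdict = "denied"
        out.append(dict(a, granted_by=granted, failed=failed, verdict=verdict))
    return out


if __name__ == "__main__":
    for r in review(correlate(SAMPLE_LOG.splitlines())):
        print("%s pid=%d user=%s failed=%s granted_by=%s -> %s"
              % (r["host"], r["pid"], r["user"], r["failed"], r["granted_by"], r["verdict"]))
        for err in r["account_errors"]:
            print("    account phase: " + err)
```

Run against /var/log/secure on both hosts, the FLAG lines are the ones to chase: a session that pam_winbind opened after pam_sss said no, which is exactly the stale winbind stack a migrated client still carries.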
From dpal at redhat.com Thu May 29 18:55:27 2014
From: dpal at redhat.com (Dmitri Pal)
Date: Thu, 29 May 2014 14:55:27 -0400
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
In-Reply-To:
References:
Message-ID: <5387829F.8090107@redhat.com>

On 05/29/2014 02:20 PM, Scott Allen wrote:
> Hi,
> Having a particularly weird problem. We have moved from AD to freeIPA
> recently and while there have been some bumps, most of the CentOS 6.2
> boxes make the transition successfully. Some background.
>
> The Linux boxes were joined to AD on Windows 2008R2 using
> samba/winbind. When we moved from AD, boxes were not "removed" from
> AD, just disabled on the server side. We scripted the necessary bits
> since we were moving to a new subnet as well. The script runs
> "ipa-client-install -p admin --password PASSWORD --enable-dns-updates -U"
>
> The machines were joined successfully to freeIPA and then added to
> allow_all_hosts Host Group.
>
> On a workstation that was migrated, all users can successfully log in.
> On a fresh install of CentOS6.2, only myself (admin_user) and a newly
> created user (foo) can successfully log in.
>
> On this fresh install, 'david' is blocked but new user 'foo' is allowed.
>
> May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
> May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> May 29 10:44:06 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
> May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.88, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
>
> But on this machine that was migrated.
>
> pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
> May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): pam_get_item returned a password
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
> May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
> May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.85, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> May 29 10:42:11 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session4 (system bus name :1.105 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> May 29 10:42:56 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
> May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:3 ruser= rhost= user=foo
> May 29 10:42:57 Embassy426 pam: gdm-password[15052]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> May 29 10:42:59 Embassy426 pam: gdm-password[15052]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
> May 29 10:42:59 Embassy426 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session7 (system bus name :1.160, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> May 29 10:42:59 Embassy426 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session8 (system bus name :1.175 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
>
>
> The dirserv says this about david from the broken PC
>
> [29/May/2014:09:20:46 -0700] conn=8 op=1526 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=david at EMBASSY.VFX)(krbPrincipalName=david at EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
> [29/May/2014:09:20:46 -0700] conn=8 op=1526 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:09:20:46 -0700] conn=8 op=1527 SRCH base="cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [29/May/2014:09:20:46 -0700] conn=8 op=1527 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:09:20:46 -0700] conn=8 op=1528 SRCH base="dc=embassy,dc=vfx" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/EMBASSY.VFX at EMBASSY.VFX)(krbPrincipalName=krbtgt/EMBASSY.VFX at EMBASSY.VFX)))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory objectClass"
> [29/May/2014:09:20:46 -0700] conn=8 op=1528 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:09:20:46 -0700] conn=8 op=1529 SRCH base="cn=global_policy,cn=EMBASSY.VFX,cn=kerberos,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
> [29/May/2014:09:20:46 -0700] conn=8 op=1529 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:09:20:46 -0700] conn=8 op=1530 MOD dn="uid=david,cn=users,cn=accounts,dc=embassy,dc=vfx"
> [29/May/2014:09:20:46 -0700] conn=8 op=1530 RESULT err=0 tag=103 nentries=0 etime=0 csn=53875e73000000030000
>
> From a Migrated working machine (more debugging turned on)
> [29/May/2014:10:42:04 -0700] conn=72 op=14 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
> [29/May/2014:10:42:04 -0700] conn=72 op=14 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:10:42:08 -0700] conn=72 op=15 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(uid=david)(objectClass=posixAccount))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdattribute authorizedService accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap ipaSshPubKey"
> [29/May/2014:10:42:08 -0700] conn=72 op=15 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:10:42:08 -0700] conn=72 op=16 SRCH base="cn=ipausers,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
> [29/May/2014:10:42:08 -0700] conn=72 op=16 RESULT err=0 tag=101 nentries=0 etime=0
> [29/May/2014:10:42:08 -0700] conn=72 op=17 SRCH base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(&(objectClass=posixGroup)(cn=*))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp entryusn"
> [29/May/2014:10:42:08 -0700] conn=72 op=17 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:10:42:08 -0700] conn=72 op=18 SRCH base="cn=etc,dc=embassy,dc=vfx" scope=2 filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault ipaSELinuxUserMapOrder"
> [29/May/2014:10:42:08 -0700] conn=72 op=18 RESULT err=0 tag=101 nentries=1 etime=0
> [29/May/2014:10:42:08 -0700] conn=72 op=19 SRCH base="cn=accounts,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHost)(fqdn=embassy426.embassy.vfx))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
> [29/May/2014:10:42:08 -0700] conn=72 op=19 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
> [29/May/2014:10:42:08 -0700] conn=72 op=20 SRCH base="fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
> [29/May/2014:10:42:08 -0700] conn=72 op=20 RESULT err=0 tag=101 nentries=1 etime=0 notes=P
> [29/May/2014:10:42:08 -0700] conn=72 op=21 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACService)" attrs="objectClass cn ipaUniqueID member memberOf"
> [29/May/2014:10:42:08 -0700] conn=72 op=21 RESULT err=0 tag=101 nentries=15 etime=0 notes=P
> [29/May/2014:10:42:08 -0700] conn=72 op=22 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(objectClass=ipaHBACServiceGroup)" attrs="objectClass cn ipaUniqueID member memberOf"
> [29/May/2014:10:42:08 -0700] conn=72 op=22 RESULT err=0 tag=101 nentries=2 etime=0 notes=P
> [29/May/2014:10:42:08 -0700] conn=72 op=23 SRCH base="cn=hbac,dc=embassy,dc=vfx" scope=2 filter="(&(objectClass=ipaHBACRule)(ipaEnabledFlag=TRUE)(|(hostCategory=all)(memberHost=fqdn=embassy426.embassy.vfx,cn=computers,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=hostgroups,cn=accounts,dc=embassy,dc=vfx)(memberHost=cn=allow_all_hosts,cn=ng,cn=alt,dc=embassy,dc=vfx)(memberHost=ipauniqueid=6e07ee2e-d495-11e3-9c3b-00304881a4bc,cn=hbac,dc=embassy,dc=vfx)))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag accessRuleType memberUser userCategory memberService serviceCategory sourceHost sourceHostCategory externalHost
memberHost hostCategory" > [29/May/2014:10:42:08 -0700] conn=72 op=23 RESULT err=0 tag=101 > nentries=1 etime=0 notes=P > [29/May/2014:10:42:08 -0700] conn=72 op=24 SRCH > base="cn=etc,dc=embassy,dc=vfx" scope=2 > filter="(&(cn=ipaConfig)(objectClass=ipaGuiConfig))" > attrs="ipaMigrationEnabled ipaSELinuxUserMapDefault > ipaSELinuxUserMapOrder" > [29/May/2014:10:42:08 -0700] conn=72 op=24 RESULT err=0 tag=101 > nentries=1 etime=0 > [29/May/2014:10:42:08 -0700] conn=72 op=25 SRCH > base="cn=selinux,dc=embassy,dc=vfx" scope=2 > filter="(&(objectClass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))" > attrs="objectClass cn memberUser memberHost seeAlso ipaSELinuxUser > ipaEnabledFlag userCategory hostCategory ipaUniqueID" > [29/May/2014:10:42:08 -0700] conn=72 op=25 RESULT err=0 tag=101 > nentries=0 etime=0 notes=P > [29/May/2014:10:42:09 -0700] conn=72 op=26 SRCH > base="cn=accounts,dc=embassy,dc=vfx" scope=2 > filter="(&(cn=pulse-rt)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" > attrs="objectClass cn userPassword gidNumber member nsUniqueId > modifyTimestamp entryusn" > [29/May/2014:10:42:09 -0700] conn=72 op=26 RESULT err=0 tag=101 > nentries=0 etime=1 > [29/May/2014:10:42:09 -0700] conn=72 op=27 SRCH > base="cn=accounts,dc=embassy,dc=vfx" scope=2 > filter="(&(gidNumber=16777729)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" > attrs="objectClass cn userPassword gidNumber member nsUniqueId > modifyTimestamp entryusn" > [29/May/2014:10:42:09 -0700] conn=72 op=27 RESULT err=0 tag=101 > nentries=1 etime=0 > [29/May/2014:10:42:09 -0700] conn=72 op=28 SRCH > base="cn=emb_users,cn=groups,cn=accounts,dc=embassy,dc=vfx" scope=0 > filter="(objectClass=*)" attrs="objectClass cn userPassword gidNumber > member nsUniqueId modifyTimestamp entryusn uid" > [29/May/2014:10:42:09 -0700] conn=72 op=28 RESULT err=0 tag=101 > nentries=1 etime=0 notes=P > > > I can see that winbind is somehow involved but > 1) Both machines are disabled in AD > 2) The new 
user 'foo' is not in AD but can still log in
>
> I have tried copying over the pam.d folder from a working PC with no
> luck as well.
> The weird part is the migrated machine behaves "better" than the clean
> install.....
> Anything leap out? I can send more info if required.

With david auth goes to IPA and fails somehow. Check Kerberos logs. That might have some hints. Maybe it is because the password needs to be changed for him after migration.
Since you have winbind in the stack still it kicks in and tries. Authentication seems to work because it is just Kerberos but the authorization fails so user can't log in.
User foo was properly created so he can authenticate.
I suspect that migration was not properly completed. Please check documentation about migration.

> Thanks
> Scott A
>
> --
> Scott Allen
> Head of IT
> The Embassy Visual Effects Inc.
> 4th Floor - 177 W 7th Avenue
> Vancouver, B.C.
> V5Y 1L8
> 604.696.6862 ext 241
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
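Dmitri's point above is the one a defender wants to be able to spot in logs: on the migrated box pam_winbind is still in the PAM stack, so a login that pam_sss (IPA) has already refused can be granted by the legacy module behind it. The following is an added example, not code from this thread, from FreeIPA or from SSSD. It parses syslog-format PAM lines of the shape Scott posted, groups them per PAM service and PID (one login attempt), and flags attempts where pam_sss denied but pam_winbind granted access and a session was opened; the log lines in SAMPLE_LOG are constructed for the demo, and the hosts (embassy419, Embassy426) and users (david, foo) are only illustrative.

```python
"""Flag logins that a legacy PAM module granted after pam_sss had refused them.

Added example for this thread, not code from the list posts, FreeIPA or SSSD.
It reads syslog-format PAM lines, groups them per PAM service/PID (one login
attempt) and classifies each attempt. SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import defaultdict

# "May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pam: "
    r"(?P<svc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\([\w.-]+:(?P<ptype>\w+)\): (?P<msg>.*)$"
)
# Matches "user=david", "user 'david' granted access" and "received for user david: 17"
USER_RE = re.compile(r"\buser[= ](?:'(?P<quoted>[^']+)'|(?P<bare>[\w.-]+))")

# Constructed sample: a clean IPA-only box (embassy419) and a migrated box (Embassy426)
SAMPLE_LOG = """\
May 29 09:20:29 embassy419 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1
May 29 09:20:46 embassy419 pam: gdm-password[2910]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=david
May 29 09:20:47 embassy419 pam: gdm-password[2910]: pam_sss(gdm-password:auth): received for user david: 17 (Failure setting user credentials)
May 29 10:44:13 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=foo
May 29 10:44:14 embassy419 pam: gdm-password[3956]: pam_unix(gdm-password:session): session opened for user foo by (uid=0)
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): system info: [Preauthentication failed]
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david
May 29 10:42:08 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): getting password (0x00000010)
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:auth): user 'david' granted access
May 29 10:42:09 Embassy426 pam: gdm-password[14145]: pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
May 29 10:42:10 Embassy426 pam: gdm-password[14145]: pam_unix(gdm-password:session): session opened for user david by (uid=0)
"""


def parse_line(line):
    """Return a dict for a PAM line, or None for non-PAM lines (polkitd etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    um = USER_RE.search(rec["msg"])
    rec["user"] = (um.group("quoted") or um.group("bare")) if um else None
    return rec


def analyze(lines):
    """Group PAM lines into login attempts keyed by (host, service, pid)."""
    attempts = defaultdict(lambda: {
        "user": None, "sss": None, "winbind": None,
        "preauth_failed": False, "session_opened": False,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        a = attempts[(rec["host"], rec["svc"], rec["pid"])]
        if rec["user"]:
            a["user"] = rec["user"]
        msg = rec["msg"]
        if rec["module"] == "pam_sss" and rec["ptype"] == "auth":
            if "authentication failure" in msg:
                a["sss"] = "denied"
            elif "authentication success" in msg:
                a["sss"] = "granted"
            if "Preauthentication failed" in msg:
                a["preauth_failed"] = True  # the KDC rejected the password (wrong or not migrated)
        elif rec["module"] == "pam_winbind" and rec["ptype"] == "auth" and "granted access" in msg:
            a["winbind"] = "granted"
        elif rec["ptype"] == "session" and "session opened" in msg:
            a["session_opened"] = True
    return attempts


def classify(attempt):
    """Verdict for one login attempt."""
    if attempt["sss"] == "denied" and attempt["winbind"] == "granted" and attempt["session_opened"]:
        return "LEGACY_MODULE_GRANTED"  # winbind let the user in after IPA said no
    if attempt["sss"] == "denied" and attempt["preauth_failed"]:
        return "IPA_PREAUTH_FAILED"     # what the clean IPA-only box shows
    if attempt["sss"] == "granted" and attempt["session_opened"]:
        return "IPA_OK"
    return "UNCLASSIFIED"


def findings(text):
    """Return [(host, user, verdict)] in the order the attempts first appear."""
    return [(host, a["user"], classify(a))
            for (host, _svc, _pid), a in analyze(text.splitlines()).items()]


if __name__ == "__main__":
    for host, user, verdict in findings(SAMPLE_LOG):
        print(f"{host:12} {user or '?':8} {verdict}")
```

Run against real /var/log/secure output, a LEGACY_MODULE_GRANTED verdict identifies the hosts where the old winbind configuration still needs to be removed from the PAM stack (and from nsswitch), while IPA_PREAUTH_FAILED on a clean box points at the password side of the migration rather than at the client.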
From David.Fitzgerald at millersville.edu Thu May 29 18:57:40 2014
From: David.Fitzgerald at millersville.edu (David Fitzgerald)
Date: Thu, 29 May 2014 18:57:40 +0000
Subject: [Freeipa-users] ipa 3.0 expired cert renewal
In-Reply-To: <53868461.8030902@redhat.com>
References: <958EF916EB06874283F9B8F820726DD3242889E2@FSMB1.muad.local> <53868461.8030902@redhat.com>
Message-ID: <958EF916EB06874283F9B8F820726DD324289DE3@FSMB1.muad.local>

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, May 28, 2014 8:51 PM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa 3.0 expired cert renewal

On 05/28/2014 10:40 AM, David Fitzgerald wrote:

Hello,

My Freeipa server stopped working over the weekend due to what looks like expired certificates. I am running ipa-server 3.0 and thought these certs were automatically renewed. I am no expert at KDC / IPA and any help you can give is greatly appreciated.

When I try to start the ipa service on my server I get:

root at aurora ~]# /sbin/service ipa start
Starting Directory Service
Starting dirsrv:
    LINUX-DIRSRV-LOCAL...[28/May/2014:10:23:33 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.) [ OK ]
    PKI-IPA...[28/May/2014:10:23:34 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.) [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [Wed May 28 10:23:36 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
    LINUX-DIRSRV-LOCAL... [ OK ]
    PKI-IPA... [ OK ]
Aborting ipactl

Of course kinit also fails with:

kinit: Cannot contact any KDC for realm 'LINUX.DIRSRV.LOCAL' while getting initial credentials

Can someone help me get back on my feet? Luckily there are not many students around in the summer so I just have 20 annoyed faculty instead of 200 annoyed students to placate.

Thanks!

Usually that happens when you do not have the original master any more. Is this the case for you?
Have you looked at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal ?

That was the info I needed. Sorry I didn't check the IPA 2x docs. It works just fine again. Thank You!

-----------------------------------------------
David Fitzgerald
Adjunct Professor
Department of Earth Sciences
Millersville University
Millersville, PA 17551
E-mail: david.fitzgerald at millersville.edu
PH: 717-871-2394

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

From sbose at redhat.com Fri May 30 07:35:12 2014
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 30 May 2014 09:35:12 +0200
Subject: [Freeipa-users] Some computers cannot get Some users logged in.
In-Reply-To: References: Message-ID: <20140530073512.GM30381@localhost.localdomain> On Thu, May 29, 2014 at 11:20:37AM -0700, Scott Allen wrote: > Hi, > Having a particularly weird problem. We have moved from AD to freeIPA > recently and while there have been some bumps, most of the CentOS 6.2 boxes > make the transition successfully. Some background. > > The Linux boxes were joined to AD on Windows 2008R2 using samba/winbind. > When we moved from AD, boxes were not "removed" from AD, just disabled on > the server side. We scripted the necessary bits since we were moving to a > new subnet as well. The script runs "ipa-client-install -p admin --password > PASSWORD --enable-dns-updates -U" > > The machines were joined successfully to freeIPA and then added to > allow_all_hosts Host Group. > > On a workstation that was migrated, all users can successfully log in. > On a fresh install of CentOS6.2, only myself (admin_user) and a newly > created user (foo) can successfully log in. > > On this fresh install, 'david' is blocked but new user 'foo' is allowed. 
> > May 29 09:20:29 embassy419 polkitd(authority=local): Registered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 > (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > May 29 09:20:46 embassy419 pam: gdm-password[2910]: > pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:0 ruser= rhost= user=david > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): system info: [Preauthentication failed] > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:0 ruser= rhost= user=david > May 29 09:20:47 embassy419 pam: gdm-password[2910]: > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting > user credentials) > May 29 10:44:06 embassy419 polkitd(authority=local): Registered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 > (system bus name :1.88 [/usr/libexec/polkit-gnome-authentication-agent-1], > object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > May 29 10:44:13 embassy419 pam: gdm-password[3956]: > pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=foo > May 29 10:44:14 embassy419 pam: gdm-password[3956]: > pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=foo > May 29 10:44:14 embassy419 pam: gdm-password[3956]: > pam_unix(gdm-password:session): session opened for user foo by (uid=0) > May 29 10:44:15 embassy419 polkitd(authority=local): Unregistered > Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 > (system bus name :1.88, object path > /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) > (disconnected from bus) > > But on this machine that was migrated. 
> pam: gdm-password[14145]: pam_unix(gdm-password:auth): authentication > failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=david > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): system info: [Preauthentication failed] > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 > tty=:1 ruser= rhost= user=david > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_sss(gdm-password:auth): received for user david: 17 (Failure setting > user credentials) > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): getting password (0x00000010) > May 29 10:42:08 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): pam_get_item returned a password > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:auth): user 'david' granted access > May 29 10:42:09 Embassy426 pam: gdm-password[14145]: > pam_winbind(gdm-password:account): valid_user: wbcGetpwnam gave > WBC_ERR_DOMAIN_NOT_FOUND > May 29 10:42:10 Embassy426 pam: gdm-password[14145]: > pam_unix(gdm-password:session): session opened for user david by (uid=0) As Dmitri already said, on the migrated systems winbind is still used and doing the authentication which is still talking ot AD. But you can see the same error from pam_sss 'Preauthentication failed' which typically is an indication that the password is wrong. How did you migrate the passwords from AD to IPA? 
bye,
Sumit

> May 29 10:42:10 Embassy426 polkitd(authority=local): Unregistered
> Authentication Agent for session /org/freedesktop/ConsoleKit/Session3
> (system bus name :1.85, object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> (disconnected from bus)

From tizone at gmail.com Fri May 30 21:00:33 2014
From: tizone at gmail.com (tizo)
Date: Fri, 30 May 2014 18:00:33 -0300
Subject: [Freeipa-users] Trust services
Message-ID:

From: Alexander Bokovoy
To: Sumit Bose
Cc: freeipa-users redhat com
Subject: Re: [Freeipa-users] Trust services
Date: Thu, 29 May 2014 02:47:38 -0400 (EDT)

----- Original Message -----
> On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote:
> > I would like to know, if having configured trust services between FreeIPA
> > and Active Directory, allows AD users to authenticate in services that are
> > only configured to authenticate against FreeIPA.
> >
> > For example, having configured the trusts, if I have a mail server that is
> > using FreeIPA as its authentication method, can a user A from Active
> > Directory, who does not exist in FreeIPA, authenticate in the mail server?
>
> It depends a bit on how the users authenticate exactly because IPA
> offers Kerberos and LDAP authentication.
>
> Kerberos should work out of the box because that's one of the trust
> components, trusting Kerberos tickets from the other domain/realm.
>
> For LDAP authentication you should be able to find the users from the
> trusted domain in the compat tree below
> cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can
> do an LDAP bind with the DN from the compat tree and the password used in
> AD.

Please note that the latter is valid only for FreeIPA 3.3 and later. FreeIPA 3.0 does not support authentication over LDAP in the compat tree.

--
/ Alexander Bokovoy

Ok. I will definitively use Kerberos.
But looking at the diagram of page 22 in http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf I see that SSSD in the GNU/Linux host is authenticating against both Active Directory and FreeIPA. Does the email server that I mentioned before, have to be configured in a similar way that SSSD in the GNU/Linux host of the example? Or is just enough that it is configured against the FreeIPA Kerberos and nothing else?. Thanks very much. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Fri May 30 21:40:46 2014 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 30 May 2014 17:40:46 -0400 Subject: [Freeipa-users] Trust services In-Reply-To: References: Message-ID: <5388FADE.1030007@redhat.com> On 05/30/2014 05:00 PM, tizo wrote: > > From: Alexander Bokovoy > To: Sumit Bose > Cc: freeipa-users redhat com > Subject: Re: [Freeipa-users] Trust services > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) > > ----- Original Message ----- > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > > I would like to know, if having configured trusts services between > FreeIPA > > > and Active Directory, allow AD users to authenticate in services > that are > > > only configured to authenticate against FreeIPA. > > > > > > For example, having configured the trusts, if I have a mail server > that is > > > using FreeIPA as its authentication method, can a user A from Active > > > Directory, who does not exist in FreeIPA, authenticate in the mail > server?. > > > > It depends a bit on how the users authenticate exactly because IPA > > offers Kerberos and LDAP authentication. > > > > Kerberos should work out of the box because thats one of the trusts > > components, trusting Kerberos tickets from the other domain/realm. > > > > For LDAP authentication you should be able to find the users from the > > trusted domain in the compat tree below > > cn=compat,dc=your,dc=ipa,dc=domain . 
To authenticate the user you can > > do a LDAP bind with the DN form the compat tree and the password used in > > AD. > Please note that the latter is valid only for FreeIPA 3.3 and later. > FreeIPA 3.0 does not support authentication over LDAP in the compat tree. > -- > / Alexander Bokovoy > > Ok. I will definitively use Kerberos. But looking at the diagram of > page 22 in > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf > I see that SSSD in the GNU/Linux host is authenticating against both > Active Directory and FreeIPA. Does the email server that I mentioned > before, have to be configured in a similar way that SSSD in the > GNU/Linux host of the example? Or is just enough that it is configured > against the FreeIPA Kerberos and nothing else?. You configure client (SSSD) to point to IPA but it will discover that IPA is in trust relations and would know how to deal with tickets coming from AD side. This is why there are two arrows. They show communication. > > Thanks very much. > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From tizone at gmail.com Sat May 31 00:23:58 2014 From: tizone at gmail.com (tizo) Date: Fri, 30 May 2014 21:23:58 -0300 Subject: [Freeipa-users] Trust services In-Reply-To: <5388FADE.1030007@redhat.com> References: <5388FADE.1030007@redhat.com> Message-ID: On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal wrote: > On 05/30/2014 05:00 PM, tizo wrote: > > > From: Alexander Bokovoy > To: Sumit Bose > Cc: freeipa-users redhat com > Subject: Re: [Freeipa-users] Trust services > Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) > > ----- Original Message ----- > > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: > > > I would like to know, if having configured trusts services between > FreeIPA > > > and Active Directory, allow AD users to authenticate in services that > are > > > only configured to authenticate against FreeIPA. > > > > > > For example, having configured the trusts, if I have a mail server > that is > > > using FreeIPA as its authentication method, can a user A from Active > > > Directory, who does not exist in FreeIPA, authenticate in the mail > server?. > > > > It depends a bit on how the users authenticate exactly because IPA > > offers Kerberos and LDAP authentication. > > > > Kerberos should work out of the box because thats one of the trusts > > components, trusting Kerberos tickets from the other domain/realm. > > > > For LDAP authentication you should be able to find the users from the > > trusted domain in the compat tree below > > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user you can > > do a LDAP bind with the DN form the compat tree and the password used in > > AD. > Please note that the latter is valid only for FreeIPA 3.3 and later. > FreeIPA 3.0 does not support authentication over LDAP in the compat tree. > -- > / Alexander Bokovoy > > Ok. I will definitively use Kerberos. 
But looking at the diagram of page > 22 in > http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf > I see that SSSD in the GNU/Linux host is authenticating against both Active > Directory and FreeIPA. Does the email server that I mentioned before, have > to be configured in a similar way that SSSD in the GNU/Linux host of the > example? Or is just enough that it is configured against the FreeIPA > Kerberos and nothing else?. > > > You configure client (SSSD) to point to IPA but it will discover that IPA > is in trust relations and would know how to deal with tickets coming from > AD side. > This is why there are two arrows. They show communication. > Ok. And what about a mail server?. We are planning to use Zimbra, and we want that users from both FreeIPA and AD use it. Could we just configure it to authenticate against FreeIPA Kerberos?. Or do we have to make something else?. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpal at redhat.com Sat May 31 00:34:32 2014 From: dpal at redhat.com (Dmitri Pal) Date: Fri, 30 May 2014 20:34:32 -0400 Subject: [Freeipa-users] Trust services In-Reply-To: References: <5388FADE.1030007@redhat.com> Message-ID: <53892398.7050209@redhat.com> On 05/30/2014 08:23 PM, tizo wrote: > > > On Fri, May 30, 2014 at 6:40 PM, Dmitri Pal > wrote: > > On 05/30/2014 05:00 PM, tizo wrote: >> >> From: Alexander Bokovoy >> To: Sumit Bose >> Cc: freeipa-users redhat com >> Subject: Re: [Freeipa-users] Trust services >> Date: Thu, 29 May 2014 02:47:38 -0400 (EDT) >> >> ----- Original Message ----- >> > On Wed, May 28, 2014 at 10:47:13AM -0300, tizo wrote: >> > > I would like to know, if having configured trusts services >> between FreeIPA >> > > and Active Directory, allow AD users to authenticate in >> services that are >> > > only configured to authenticate against FreeIPA. 
>> > > >> > > For example, having configured the trusts, if I have a mail >> server that is >> > > using FreeIPA as its authentication method, can a user A from >> Active >> > > Directory, who does not exist in FreeIPA, authenticate in the >> mail server?. >> > >> > It depends a bit on how the users authenticate exactly because IPA >> > offers Kerberos and LDAP authentication. >> > >> > Kerberos should work out of the box because thats one of the trusts >> > components, trusting Kerberos tickets from the other domain/realm. >> > >> > For LDAP authentication you should be able to find the users >> from the >> > trusted domain in the compat tree below >> > cn=compat,dc=your,dc=ipa,dc=domain . To authenticate the user >> you can >> > do a LDAP bind with the DN form the compat tree and the >> password used in >> > AD. >> Please note that the latter is valid only for FreeIPA 3.3 and later. >> FreeIPA 3.0 does not support authentication over LDAP in the >> compat tree. >> -- >> / Alexander Bokovoy >> >> Ok. I will definitively use Kerberos. But looking at the diagram >> of page 22 in >> http://www.freeipa.org/images/1/1e/Devconf2013-linux-ad-integration-options.pdf >> I see that SSSD in the GNU/Linux host is authenticating against >> both Active Directory and FreeIPA. Does the email server that I >> mentioned before, have to be configured in a similar way that >> SSSD in the GNU/Linux host of the example? Or is just enough that >> it is configured against the FreeIPA Kerberos and nothing else?. > > You configure client (SSSD) to point to IPA but it will discover > that IPA is in trust relations and would know how to deal with > tickets coming from AD side. > This is why there are two arrows. They show communication. > > > Ok. And what about a mail server?. We are planning to use Zimbra, and > we want that users from both FreeIPA and AD use it. Could we just > configure it to authenticate against FreeIPA Kerberos?. Or do we have > to make something else?. 
How do you plan to configure it? How can it be configured?
I assume we are talking about Zimbra web interface, right?

If Zimbra natively supports Kerberos then I would
1) Make Zimbra host system a member of the IPA domain
2) Make Zimbra a Kerberos service in IPA domain
3) Configure mod_auth_kerb or equivalent capability for Zimbra to accept Kerberos tickets
4) Configure Zimbra to get account information from IPA compat tree - this way AD and IPA users will be available to it via LDAP
5) In case there is no ticket Zimbra would prompt user for user name and password and bind against IPA compat tree thus allowing authentication for IPA and trusted users.

In future when the world is old and wise I hope something like this [1] would be possible with Zimbra too.

[1] http://www.freeipa.org/page/Web_App_Authentication

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.